# SARIF reports

You can import [Static Analysis Results Interchange Format (SARIF)](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) reports into SonarQube. The imported issues are taken into account by SonarQube as external issues in the analysis report, but the rules that raised them are not visible on the **Rules** page and are not reflected in quality profiles. This means that the rules raising external issues must be managed in the third-party tool that produced the report.

## Import process <a href="#import-process" id="import-process"></a>

SonarQube manages the import of a SARIF issue as follows:

* It assigns the `CONVENTIONAL` Clean Code attribute and the `SECURITY` software quality to the issue.
* It sets the issue’s impact level on the security software quality as follows. If the rule that raised the issue carries a `defaultConfiguration.level` field at the rule level (under `tool.driver.rules[]` or `tool.extensions[].rules[]`, see the optional fields below), the mapping below is used to derive the impact level:

| **Rule `level` value in SARIF 2.1.0** | **Impact level in SonarQube** |
| ------------------------------------- | ----------------------------- |
| error                                 | HIGH                          |
| warning                               | MEDIUM                        |
| note                                  | LOW                           |
| none                                  | LOW                           |

If no such rule-level field is found, the default MEDIUM impact level is applied.

See [introduction](https://docs.sonarsource.com/sonarqube-server/10.4/user-guide/clean-code/introduction "mention") for details about the Clean Code concepts mentioned above.

## Setting up the import <a href="#setting-up" id="setting-up"></a>

To set up the import of SARIF reports into SonarQube:

1. Prepare your SARIF report files according to the import file specifications below.
2. On the scanner side, set the [analysis-parameters](https://docs.sonarsource.com/sonarqube-server/10.4/analyzing-source-code/analysis-parameters "mention") `sonar.sarifReportPaths` to the list of SARIF report files to import during your project analysis. This parameter accepts a comma-delimited list of paths.

## Import file specifications <a href="#import-file-specifications" id="import-file-specifications"></a>

The SARIF files must:

* Be UTF-8 encoded.
* Comply with the [official SARIF format, version 2.1.0](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html).

### Mandatory fields <a href="#mandatory-fields" id="mandatory-fields"></a>

| **Field**                       | **Description**                                                           |
| ------------------------------- | ------------------------------------------------------------------------- |
| `version`                       | Must be set to "2.1.0".                                                   |
| `runs[].tool.driver.name`       | Name of the tool that created the report.                                 |
| `runs[].results[].message.text` | Message of the external issue.                                            |
| `runs[].results[].ruleId`       | Identifier of the corresponding rule in the tool that created the report. |

{% hint style="info" %}
If a mandatory field is missing, the report is ignored and the scanner log contains a corresponding line saying so.
{% endhint %}

### Optional fields <a href="#optional-fields" id="optional-fields"></a>

| **Field**                                                       | **Description**                                                                                                                                                                                                                                                                                                                                            |
| --------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `runs[].results[].locations[]`                                  | SonarQube only uses the first item in the array. It must be a physical location.                                                                                                                                                                                                                                                                           |
| `physicalLocation.artifactLocation.uri`                         | <p>Path of the file concerned by the issue.</p><p>If no location is defined, the issue is raised at the project level.</p>                                                                                                                                                                                                                                 |
| `physicalLocation.region`                                       | <p>Text range concerned by the issue, defined by the following fields:</p><p>• <code>startLine</code></p><p>• <code>startColumn</code> (optional)</p><p>• <code>endLine</code> (optional)</p><p>• <code>endColumn</code> (optional)</p><p>If <code>startColumn</code>, <code>endLine</code> and <code>endColumn</code> are not specified, SonarQube automatically uses the full coordinates of the line.</p> |
| `runs[].tool.driver.rules[].defaultConfiguration.level`         | SonarQube uses this field to determine the issue’s impact level on security.                                                                                                                                                                                                                                                                               |
| `runs[].tool.extensions[].rules[].defaultConfiguration.level`   | SonarQube uses this field to determine the issue’s impact level on security if the driver field above is not present.                                                                                                                                                                                                                                      |

{% hint style="warning" %}
The `runs[].results[].level` field, which defines the severity of an individual result in SARIF, is ignored by SonarQube. Only the rule-level `defaultConfiguration.level` influences the impact level.
{% endhint %}
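Because a single missing mandatory field causes the whole report to be skipped, and because the impact level comes from the rule definition rather than from the result, it is worth checking a report before pointing `-Dsonar.sarifReportPaths=` at it. The following script is an added example (not SonarQube or SonarSource code) that encodes the rules documented in this page: it verifies the four mandatory fields, resolves `defaultConfiguration.level` from `tool.driver.rules[]` first and `tool.extensions[].rules[]` second, applies the level-to-impact mapping with MEDIUM as the fallback, deliberately ignores the result-level `level`, and uses only the first location. The sample report it runs on is constructed inline; how SonarQube treats an unrecognized `level` value is not stated on this page, so the script's fallback to MEDIUM in that case is an assumption.

```python
"""Pre-flight check for a SARIF 2.1.0 report before passing it to sonar-scanner
via sonar.sarifReportPaths. Added example, not SonarQube/SonarSource code; it
encodes the mandatory-field and impact-level rules documented on this page.
The sample report below is constructed for the example."""
import json
from typing import Optional

# Rule-level defaultConfiguration.level -> SonarQube impact level (page table).
LEVEL_TO_IMPACT = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "LOW"}
DEFAULT_IMPACT = "MEDIUM"  # applied when no rule-level level is found


def check_report(doc: dict) -> list:
    """Return the list of mandatory-field problems; an empty list means the
    report will not be skipped by SonarQube for a missing mandatory field."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append('version must be "2.1.0"')
    for i, run in enumerate(doc.get("runs", [])):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{i}].tool.driver.name is missing")
        for j, res in enumerate(run.get("results", [])):
            if not res.get("ruleId"):
                problems.append(f"runs[{i}].results[{j}].ruleId is missing")
            if not res.get("message", {}).get("text"):
                problems.append(f"runs[{i}].results[{j}].message.text is missing")
    return problems


def rule_level(run: dict, rule_id: str) -> Optional[str]:
    """Find defaultConfiguration.level for rule_id: tool.driver.rules first,
    then tool.extensions[].rules, which is the order SonarQube consults them."""
    tool = run.get("tool", {})
    rule_sets = [tool.get("driver", {}).get("rules", [])]
    rule_sets += [ext.get("rules", []) for ext in tool.get("extensions", [])]
    for rules in rule_sets:
        for rule in rules:
            if rule.get("id") == rule_id:
                level = rule.get("defaultConfiguration", {}).get("level")
                if level is not None:
                    return level
    return None


def impact_for(run: dict, result: dict) -> str:
    """Impact level SonarQube will assign. result['level'] is deliberately not
    read, since SonarQube ignores it. An unrecognized level value falls back to
    the default; that behaviour is an assumption, not stated on the page."""
    return LEVEL_TO_IMPACT.get(rule_level(run, result.get("ruleId", "")), DEFAULT_IMPACT)


def location_of(result: dict) -> tuple:
    """(uri, region) taken from the first location only; (None, {}) means the
    issue is raised at project level."""
    locs = result.get("locations") or []
    phys = locs[0].get("physicalLocation", {}) if locs else {}
    return phys.get("artifactLocation", {}).get("uri"), phys.get("region", {})


def summarize(doc: dict) -> list:
    """One row per result: rule id, predicted impact, file URI and start line."""
    rows = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            uri, region = location_of(res)
            rows.append({"rule": res.get("ruleId"), "impact": impact_for(run, res),
                         "uri": uri, "startLine": region.get("startLine")})
    return rows


# Constructed sample report (not the output of any real tool).
SAMPLE = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {
      "driver": {
        "name": "example-linter",
        "rules": [{"id": "R1", "defaultConfiguration": {"level": "error"}}]
      },
      "extensions": [{
        "name": "example-plugin",
        "rules": [{"id": "R2", "defaultConfiguration": {"level": "note"}}]
      }]
    },
    "results": [
      {"ruleId": "R1", "message": {"text": "hard-coded credential"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.js"},
                                           "region": {"startLine": 12}}}]},
      {"ruleId": "R2", "message": {"text": "style nit"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.js"},
                                           "region": {"startLine": 3, "startColumn": 1}}}]},
      {"ruleId": "R3", "level": "error", "message": {"text": "no rule metadata at all"}}
    ]
  }]
}
""")

if __name__ == "__main__":
    print("problems:", check_report(SAMPLE) or "none")
    for row in summarize(SAMPLE):
        print(row)
```

Run it against a real file with `check_report(json.load(open(path)))` before the scanner step. In the constructed sample, `R1` resolves to HIGH via the driver rules, `R2` to LOW via the extension rules, and `R3` to MEDIUM even though the result itself says `"level": "error"`, which is exactly the surprise the warning above describes; `R3` has no location, so it would be raised at project level.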

### Import file example <a href="#import-file-example" id="import-file-example"></a>

In this example the `no-unused-vars` entry under `tool.driver.rules[]` is what sets the impact level (`warning`, hence MEDIUM). The `level` on the result itself is present because it is valid SARIF, but SonarQube ignores it.

```json
{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "informationUri": "https://www….",
          "version": "8.27.0",
          "rules": [
            {
              "id": "no-unused-vars",
              "defaultConfiguration": {
                "level": "warning"
              }
            }
          ]
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "ruleId": "no-unused-vars"
        }
      ]
    }
  ]
}
```
