This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

Importing third-party issues

This page lists analysis parameters related to the import of issues raised by external, third-party analyzers.

This page lists analysis parameters related to the import of issues raised by external, third-party analyzers. If your analyzer isn’t on this page, see the Generic issue import format for a generic way to import external issues.

SonarQube doesn’t run your external analyzers or generate reports. It only imports pre-generated reports. Below you’ll find language- and tool-specific analysis parameters for importing reports generated by external analyzers.

In the guides category of the SonarSource community forum you might find instructions on generating these reports.

Some properties support the following wildcards in paths. The remarks for properties that support wildcards will mention that fact. If the remarks do not say wildcards are supported, then they are not.:

Symbol

Meaning

?

a single character

*

any number of characters

**

any number of directories

Unless otherwise specified, the following properties accept both absolute paths and paths relative to the project root.

Language

Property

Remarks

Apex

sonar.apex.pmd.reportPaths

Comma-delimited list of paths to PMD Apex

CSS

sonar.css.stylelint.reportPaths

Comma-delimited list of paths to StyleLint.io reports

Go

sonar.go.govet.reportPaths

Comma-delimited list of paths to GoVet reports

Go

sonar.go.golint.reportPaths

Comma-delimited list of paths to GoLint reports

Go

sonar.go.gometalinter.reportPaths

Comma-delimited list of paths to GoMetaLinter reports

Go

sonar.go.golangci-lint.reportPaths

Comma-delimited list of paths to golangci-lint reports in checkstyle format (use --out-format checkstyle golangci-lint option)

Go

sonar.externalIssuesReportPaths

Comma-delimited list of paths to gosec reports in SonarQube format (use -fmt=sonarqube gosec option). Note: this property is the one from the Generic Issue Import Format

Java

sonar.java.spotbugs.reportPaths

Comma-delimited list of paths to reports from SpotBugs, FindSecBugs, or FindBugs

Java

sonar.java.pmd.reportPaths

Comma-delimited list of paths to reports from PMD

Java

sonar.java.checkstyle.reportPaths

Comma-delimited list of paths to reports from Checkstyle

JavaScript

sonar.eslint.reportPaths

Comma-delimited list of paths to JSON ESLint reports (use -f json ESLint option)

Kotlin

sonar.androidLint.reportPaths

Comma-delimited list of paths to AndroidLint reports

Kotlin

sonar.kotlin.detekt.reportPaths

Comma-delimited list of paths to Detekt reports

Kotlin

sonar.kotlin.ktlint.reportPaths

Comma-delimited list of paths to Ktlint reports

PHP

sonar.php.psalm.reportPaths

Comma-delimited list of paths to Psalm reports. Reports should be generated in the Generic Issue Format (run Psalm with the option --output-format sonarqube).

PHP

sonar.php.phpstan.reportPaths

Comma-delimited list of paths to PHPStan reports. Reports should be generated in the PHPStan JSON Output Format (use the PHPStan analyse command with the option --error-format=json).

Python

sonar.python.pylint.reportPaths

Comma-delimited list of paths to Pylint reports (use --output-format=parseablePylint option)

Python

sonar.python.bandit.reportPaths

Comma-delimited list of paths to Bandit reports

Python

sonar.python.flake8.reportPaths

Comma-delimited list of paths to Flake8 reports

Ruby

sonar.ruby.rubocop.reportPaths

Comma-delimited list of paths to Rubocop reports

Scala

sonar.scala.scalastyle.reportPaths

Comma-delimited list of paths to Scalastyle reports

Scala

sonar.scala.scapegoat.reportPaths

Comma-delimited list of paths to Scapegoat reports in the Scalastyle format

Swift

sonar.swift.swiftLint.reportPaths

Comma-delimited list of paths to SwiftLint reports in JSON format

TypeScript

sonar.typescript.tslint.reportPaths

Comma-delimited list of paths to TSLint reports in JSON format (use -t json TSLint option)

Notes on external .NET issues Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube so no properties exist to enable that behavior. Instead, properties are available to adjust the import and to stop importing those issues.

Note that Roslyn issues with an error severity automatically fail the build. We don’t recommend running the Scanner for MSBuild’s end step if the MSBuild step fails for any reason because it will result in an essentially empty analysis.

Language

Property

Remarks

C#

sonar.cs.roslyn.ignoreIssues

Set to true to disable import of external issues. Defaults to false.

C#

sonar.cs.roslyn.bugCategories``sonar.cs.roslyn.vulnerabilityCategories``sonar.cs.roslyn.codeSmellCategories

Comma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells.

VB.NET

sonar.vbnet.roslyn.ignoreIssues

Set to true to disable import of external issues. Defaults to false.

VB.NET

sonar.vbnet.roslyn.bugCategories``sonar.vbnet.roslyn.vulnerabilityCategories``sonar.vbnet.roslyn.codeSmellCategories

Comma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells.

Last updated

Was this helpful?