Importing issues from SARIF reports

SonarQube supports the standard Static Analysis Results Interchange Format (SARIF) for raising external issues in code.

SonarQube supports the standard Static Analysis Results Interchange Format (SARIF) for raising external issues in code. All issues raised in a SARIF report will be considered vulnerabilities in SonarQube.

The imported SARIF files must comply with the official SARIF format, version 2.1.0.

Import

The Analysis parameters sonar.sarifReportPaths accepts a comma-delimited list of paths to SARIF reports. The reports must be UTF-8 file encoded.

Mandatory fields for SonarQube:

version - must be "2.1.0"
runs[].tool.driver.name - Name of the tool that created the report
runs[].results[].message.text - Message of the external issue
runs[].results[].ruleId - ID of the corresponding rule in the tool that created the report
runs[].results[].locations[] - SonarQube only uses the first item in the array. Must be a physical location
- physicalLocation.artifactLocation.uri - path of the file concerned by the issue
- physicalLocation.region - text range concerned by the issue, defined by the following fields:
  - startLine
  - startColumn (optional)
  - endLine (optional)
  - endColumn (optional)

If startColumn, endLine, endColumn are not specified, SonarQube automatically retrieves the full coordinates of the line.

If a mandatory field is missing, the report is ignored (see the corresponding line in the logs).

Optional fields:

sarifLog.runs[].results[].level - severity of the issue. The following mapping applies:

SARIF 2.1.0

SonarQube severity

error

critical

warning

major

note

minor

none

info

empty or null

major (default)

Example

{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "informationUri": "https://www….",
          "version": "8.27.0"
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "ruleId": "no-unused-vars"
        }
      ]
    }
  ]
}

Limitations

There are a couple of limitations with importing SARIF issues:

You can’t manage them within SonarQube; for instance, there is no ability to mark them as False Positive.
You can’t manage the activation of the rules that raise these issues within SonarQube. External rules aren’t visible on the Rules page or reflected in quality profiles.

PreviousGeneric issue import format NextBackground tasks

Last updated 2 months ago

Was this helpful?