Start Free

External analyzer reports

How to set up the import for your project of issues generated by third-party analyzers that integrate with SonarQube.

The sections below explain, for each language, how to set up, for your project, the import of issue reports generated by external analyzers that integrate with SonarQube. To do so, you must define in SonarQube the paths to the import files. This can be done in the UI (except for the C family and Go analyzers) or by defining an analysis parameter on the CI/CD host.

See also Analysis parameters.

Ansible

You can integrate the following Ansible analyzer with SonarQube: ansible-lint.

To setup the import of issues generated by ansible-lint:

  1. Set up the generation of the reports by ansible-lint in SARIF format and their storing in dedicated import directory(ies). To do so, use the --sarif-file ansible-lint option.

  2. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > Ansible.

    3. In Ansible-Lint Sarif Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute. You can use path-matching patterns.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.ansible.ansible-lint.reportPaths .

See also Defining matching patterns #Defining matching patterns for files.

Apex

You can integrate the following Apex analyzer with SonarQube: PMD. Note that the format of PMD reports generated by sfdx-scanner does not seem to perfectly match the format used by PMD.

To setup the import of issues generated by PMD:

  1. Set up the generation of the reports by PMD and their storing in dedicated import directory(ies).

  2. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > Apex.

    3. In PMD Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.apex.pmd.reportPaths .

CloudFormation

You can integrate the following Cloudformation analyzer with SonarQube: AWS CloudFormation Linter.

To setup the import of issues generated by AWS CloudFormation Linter:

  1. Set up the generation of the reports by AWS CloudFormation Linter in JSON format and their storing in a dedicated import directory(ies).

  2. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > CloudFormation.

    3. In Cfn-Lint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.cloudformation.cfn-lint.reportPaths .

C/C++/Objective-C

You can integrate the following C/C++/Objective-C analyzers with SonarQube: Valgrind Memcheck and Valgrind Helgrind.

To setup the import of issues generated by Valgrind Memcheck or Helgrind:

  1. Set up the generation of the reports by Valgrind Memcheck or Helgrind in XML format and their storing in dedicated import directory(ies). To do so, use the Valgrind's XML output facility (--xml=yes).

  2. Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.cfamily.valgrind.reportsPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

C#

Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube so no properties exist to enable that behavior. Instead, properties are available to adjust the import and to stop importing those issues.

To disable the import

  1. In SonarQube, retrieve your project.

  2. Go to Project Settings > General Settings > External Analyzers > C#.

  3. Select the Ignore issues from external Roslyn analyzers option.

  4. Save.

Alternatively, set the sonar.cs.roslyn.ignoreIssues analysis parameter to true on the CI/CD host.

To adjust the import

  1. In SonarQube, retrieve your project.

  2. Go to Project Settings > General Settings > External Analyzers > C#.

  3. Adjust the parameters listed in the table below.

  4. Save.

Alternatively, set the corresponding sonar properties on the CI/CD host.

Parameter
Sonar property
Description

Rule categories associated with Bugs

sonar.cs.roslyn.bugCategories

Comma-delimited list of categories whose issues should be classified as Bugs in Standard Experience or Reliability issues in MQR mode.

Rule categories associated with Vulnerabilities

sonar.cs.roslyn.vulnerabilityCategories

Comma-delimited list of categories whose issues should be classified as Vulnerabilities issues in Standard Experience or Security in MQR mode.

Rule categories associated with Code Smells

sonar.cs.roslyn.codeSmellCategories

Comma-delimited list of categories whose issues should be classified as Code Smells in Standard Experience or Maintainability issues in MQR mode.

For information about the Standard Experience or MQR mode, see Standard Experience and MQR mode.

CSS

You can integrate the following CSS analyzer with SonarQube: Stylelint.

To setup the import of issues generated by Stylelint:

  1. Set up the generation of the reports by Stylelint and their storing in dedicated import directory(ies). Command example:

stylelint src/*.css --config stylelintconfig.json -f json > stylelint-report.json

  1. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > CSS.

    3. In Stylelint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.css.stylelint.reportPaths.

Docker

You can integrate the following Docker analyzers with SonarQube: Hadolint.

To setup the import of issues generated by Hadolint:

  1. Set up the generation of the reports by Hadolint in JSON or SonarQube format, and their storing in dedicated import directory(ies).

  2. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > Docker.

    3. In Hadolint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.docker.hadolint.reportPaths .

Go

You can integrate the following Go analyzers with SonarQube: Govet, GoLint, GoMetaLinter, golanci-lint, and gosec.

To setup the import of issues generated by Govet:

  1. Set up the generation of the reports by Govet and their storing in dedicated import directory(ies). Command example:

go vet 2> govet-report.out

  1. Set up the import of the generated report files by SonarQube by defining on the CI/CD host the analysis parameter sonar.go.govet.reportPaths with the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

Java

You can integrate the following Java analyzers with SonarQube: SpotBugs, FindSecBugs, FindBugs, PMD, and Checkstyle. The setup differs depending on whether you use Maven or not.

To setup the import of issues generated by SpotBugs, FindSecBugs, FindBugs, PMD, and Checkstyle if you use Maven:

  1. Open your pom.xml and in the section add the following plugins:

<plugin>
<groupId>org.apache.maven.plugins</groupId>
   <artifactId>maven-pmd-plugin</artifactId>
   <version> 3.10 . 0 </version>
</plugin>
<plugin>
   <groupId>com.github.spotbugs</groupId>
   <artifactId>spotbugs-maven-plugin</artifactId>
   <version> 3.1 . 1 </version>
   <configuration>
     <effort>Max</effort>
     <threshold>Low</threshold>
     <failOnError> true </failOnError>
     <includeFilterFile>${session.executionRootDirectory}/spotbugs-include.xml</includeFilterFile>
     <plugins>
       <plugin>
         <groupId>com.h3xstream.findsecbugs</groupId>
         <artifactId>findsecbugs-plugin</artifactId>
         <version>LATEST</version> <!-- Auto-update to the latest stable -->
       </plugin>
     </plugins>
   </configuration>
</plugin>

  1. Add or update the section with:

<properties>
<sonar.java.spotbugs.reportPaths>./target/spotbugsXml.xml</sonar.java.spotbugs.reportPaths>
  <sonar.java.pmd.reportPaths>./target/pmd.xml</sonar.java.pmd.reportPaths>`
  <sonar.java.checkstyle.reportPaths>./target/checkstyle-result.xml</sonar.java.checkstyle.reportPaths>
</properties>

  1. Execute the command below: 

mvn clean package spotbugs:spotbugs pmd:pmd checkstyle:checkstyle sonar:sonar

JavaScript/TypeScript

You can integrate the following JavaScript/TypeScript analyzer with SonarQube: ESLint.

To setup the import of issues generated by ESLint:

  1. Set up the generation of the reports by ESLint in JSON format, and their storing in dedicated import directory(ies). Command example:

eslint ./ -f json > eslint-report.json

  1. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > JavaScript/TypeScript.

    3. In ESLint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.eslint.reportPaths .

Kotlin

You can integrate the following Kotlin analyzers with SonarQube: AndroidLint, Detekt, and Ktlint.

To setup the import of issues generated by AndroidLint:

  1. Set up the generation of the reports by AndroidLint in XML format, and their storing in dedicated import directory(ies). Command example:

gradle lint or $ANDROID_HOME/tools/bin/lint --xml lint-results.xml path/to/project

  1. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > Android.

    3. In Android Lint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.androidLint.reportPaths .

PHP

You can integrate the following PHP analyzers with SonarQube: Psalm and PHPStan.

To setup the import of issues generated by Psalm:

  1. Set up the generation of the reports by Psalm in the SonarQube format, and their storing in dedicated import directory(ies). To do so, use the --output-format sonarqube Psalm option.

  2. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > PHP.

    3. In Psalm Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.php.psalm.reportPaths.

Python

You can integrate the following Python analyzers with SonarQube: Pylint, Bandit, Flake8, Mypy, and Ruff.

To setup the import of issues generated by Pylint:

  1. Set up the generation of the reports by Pylint, and their storing in dedicated import directory(ies). Use the use --output-format=parseable Pylint option Command example:

pylint <module_or_package> -r n  --output-format=parseable --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" > <report_file>

  1. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > Python.

    3. In Pylint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.python.pylint.reportPaths .

Ruby

You can integrate the following Ruby analyzer with SonarQube: Rubocop.

To setup the import of issues generated by Rubocop:

  1. Set up the generation of the reports by Rubocop, and their storing in dedicated import directory(ies). Command example:

rubocop --format json --out rubocop-report.json

  1. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > Ruby.

    3. In RuboCop Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.ruby.rubocop.reportPaths.

Scala

You can integrate the following Scala analyzers with SonarQube: Scalastyle and Scapegoat.

To setup the import of issues generated by Scalastyle or Scapegoat:

  1. Set up the generation of the XML reports in the Scalastyle format for both Scalastyle and Scapegoat. Setup also the storing of the generated report files in dedicated import directory(ies).

  2. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > Scala.

    3. In the corresponding field (Scalastyle Report Files or Scapegoat Report Files), enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the corresponding analysis parameter:

  • For Scalastyle : sonar.scala.scalastyle.reportPaths.

  • For Scapegoat: sonar.scala.scapegoat.reportPaths.

Swift

You can integrate the following Swift analyzer with SonarQube: Swiftlint.

To setup the import of issues generated by Swiftlint:

  1. Set up the generation of the reports by Swiftlint in JSON format, and their storing in dedicated import directory(ies). Command example:

swiftlint lint --reporter json > swiftlint.json

  1. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > Swift.

    3. In SwiftLint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.swift.swiftLint.reportPaths.

Terraform

You can integrate the following Terraform analyzer with SonarQube: TFLint.

To setup the import of issues generated by TFLint:

  1. Set up the generation of the reports by TFLint, and their storing in dedicated import directory(ies).

  2. Set up the import of the generated report files by SonarQube:

    1. In SonarQube, retrieve your project.

    2. Go to Project Settings > General Settings > External Analyzers > Terraform.

    3. In TFLint Report Files, enter the list of import directories or files. This parameter accepts a comma-delimited list of paths. A path definition is either relative to the sonar.projectBaseDir analysis parameter (which is by default the directory from which the analysis was started) or absolute.

    4. Save.

    Alternatively, define on the CI/CD host the analysis parameter sonar.terraform.tflint.reportPaths.

VB.NET

Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube so no properties exist to enable that behavior. Instead, properties are available to adjust the import and to stop importing those issues.

Roslyn issues with an error severity automatically fail the build, and it is not recommended to run the SonarScanner for .NET’s end step if the MSBuild step fails for any reason because it will result in an essentially empty analysis, which will close all outstanding issues in the project. See Configuring the scanner for .NET for more information.

To disable the import

  1. In SonarQube, retrieve your project.

  2. Go to Project Settings > General Settings > External Analyzers > VB.NET.

  3. Select the Ignore issues from external Roslyn analyzers option.

  4. Save.

Alternatively, set the sonar.vbnet.roslyn.ignoreIssues analysis parameter to true on the CI/CD host.

To adjust the import

  1. In SonarQube, retrieve your project.

  2. Go to Project Settings > General Settings > External Analyzers > C#.

  3. Adjust the parameters listed in the table below.

  4. Save.

Alternatively, set the corresponding sonar properties on the CI/CD host.

Parameter
Sonar property
Description

Rule categories associated with Bugs

sonar.vbnet.roslyn.bugCategories

Comma-delimited list of categories whose issues should be classified as Bugs in Standard Experience or Reliability issues in MQR mode.

Rule categories associated with Vulnerabilities

sonar.vbnet.roslyn.vulnerabilityCategories

Comma-delimited list of categories whose issues should be classified as Vulnerabilities issues in Standard Experience or Security in MQR mode.

Rule categories associated with Code Smells

sonar.vbnet.roslyn.codeSmellCategories

Comma-delimited list of categories whose issues should be classified as Code Smells in Standard Experience or Maintainability issues in MQR mode.

For information about the Standard Experience or MQR mode, see Standard Experience and MQR mode.

Related pages

About external issues Generic formatted reports SARIF reports Integration with external analyzers at instance level

PreviousAbout external issuesNextGeneric formatted reports

Last updated

Was this helpful?