Importing issues from SARIF reports
SonarQube supports the standard Static Analysis Results Interchange Format (SARIF) for raising external issues in code. All issues raised in a SARIF report will be considered vulnerabilities in SonarQube.
The imported SARIF files must comply with the official SARIF format, version 2.1.0.
Import
The analysis parameter sonar.sarifReportPaths accepts a comma-delimited list of paths to SARIF reports. The reports must be UTF-8 encoded.
Mandatory fields for SonarQube:
- version - must be "2.1.0"
- runs[].tool.driver.name - name of the tool that created the report
- runs[].results[].message.text - message of the external issue
- runs[].results[].ruleId - ID of the corresponding rule in the tool that created the report
If a mandatory field is missing, the report is ignored (see the corresponding line in the logs).
Optional fields:
- runs[].results[].locations[] - SonarQube only uses the first item in the array. It must be a physical location:
  - physicalLocation.artifactLocation.uri - path of the file concerned by the issue
  - physicalLocation.region - text range concerned by the issue, defined by the following fields: startLine, startColumn (optional), endLine (optional), endColumn (optional)
  If startColumn, endLine and endColumn are not specified, SonarQube automatically retrieves the full coordinates of the line.
  If no location is defined, the issue is raised at the project level.
- sarifLog.runs[].results[].level - severity of the issue. The following mapping applies:

| SARIF 2.1.0 | SonarQube severity |
| --- | --- |
| error | critical |
| warning | major |
| note | minor |
| none | info |
| empty or null | major (default) |
Example
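The following pre-import check is an added example and not part of the SonarQube documentation or code base. It takes a SARIF report already parsed with json.load, flags the mandatory fields listed above (a missing one means the whole report is ignored), applies the level-to-severity table, and models the first-location-only and no-location-means-project-level behaviour. The sample report, the tool name "example-scanner" and the rule IDs are constructed for the example; treating level values outside the table as the "major" default is an assumption.

```python
# "level" -> SonarQube severity, as documented above; empty or null falls back to major.
LEVEL_TO_SEVERITY = {"error": "critical", "warning": "major", "note": "minor", "none": "info"}

def _get(obj, path):
    """Follow a dotted path (e.g. 'message.text') through nested dicts; None if absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def check_sarif_for_sonarqube(report):
    """Return (accepted, issues, problems). accepted is False when a mandatory field is
    missing, i.e. when SonarQube would ignore the whole report."""
    problems, issues = [], []
    if report.get("version") != "2.1.0":
        problems.append("version must be '2.1.0'")
    for ri, run in enumerate(report.get("runs", [])):
        if not _get(run, "tool.driver.name"):
            problems.append(f"runs[{ri}].tool.driver.name missing")
        for xi, result in enumerate(run.get("results", [])):
            where = f"runs[{ri}].results[{xi}]"
            if not _get(result, "message.text"):
                problems.append(f"{where}.message.text missing")
            if not result.get("ruleId"):
                problems.append(f"{where}.ruleId missing")
            level = result.get("level")
            # Assumption: values outside the documented table also get the "major" default.
            severity = LEVEL_TO_SEVERITY.get(level, "major") if level else "major"
            locs = result.get("locations") or []
            phys = _get(locs[0], "physicalLocation") if locs else None  # only first item is used
            if phys is None:
                path, region = None, None  # no location -> issue raised at project level
            else:
                path, region = _get(phys, "artifactLocation.uri"), phys.get("region")
            issues.append({"ruleId": result.get("ruleId"), "severity": severity,
                           "path": path, "region": region})
    return not problems, issues, problems

SAMPLE_REPORT = {  # constructed sample, not the output of any real tool
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-scanner"}},
              "results": [
                  {"ruleId": "EX001", "level": "error", "message": {"text": "Hardcoded secret"},
                   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"},
                                                       "region": {"startLine": 12}}}]},
                  {"ruleId": "EX002", "message": {"text": "Finding with no location"}}]}]}
```

Running check_sarif_for_sonarqube on a report before passing it to sonar.sarifReportPaths tells you whether the scanner will accept it and how each result will land, instead of discovering a silently ignored report in the analysis logs.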
Limitations
There are a couple of limitations with importing SARIF issues:
- You can't manage them within SonarQube; for instance, there is no ability to mark them as False Positive.
- You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.