Importing issues from SARIF reports
SonarQube supports the standard Static Analysis Results Interchange Format (SARIF) for raising external issues in code. All issues raised in a SARIF report will be considered vulnerabilities in SonarQube.
The imported SARIF files must comply with the official SARIF format, version 2.1.0.
The analysis parameter
sonar.sarifReportPaths accepts a comma-delimited list of paths to SARIF reports. The reports must be UTF-8 file encoded.
Mandatory fields for SonarQube:
version- must be “2.1.0”
runs.tool.driver.name- name of the tool that created the report
runs.results.message.text- message of the external issue
runs.results.ruleId- ID of the corresponding rule in the tool that created the report
If a mandatory field is missing, the report is ignored (see the corresponding line in the logs).
runs.results.locations- SonarQube only uses the first item in the array. It must be a physical location
physicalLocation.artifactLocation.uri- path of the file concerned by the issue
physicalLocation.region- text range concerned by the issue, defined by the following fields:
endColumn are not specified, SonarQube automatically retrieves the full coordinates of the line.
If no location is defined, the issue is raised at the project level.
sarifLog.runs.results.level- severity of the issue. The following mapping applies:
|SARIF 2.1.0||SonarQube severity|
There are a couple of limitations with importing SARIF issues:
- You can't manage them within SonarQube; for instance, there is no ability to mark them as False Positive.
- You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.
© 2008-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution-NonCommercial 3.0 United States License. SONARQUBE is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners.