10.5 | Analyzing source code | Importing external issues | External analyzer reports

Was this page helpful?

On this page

Start Free

External analyzer reports

This page lists analysis parameters related to the import of issues raised by external, third-party analyzers. If your analyzer isn't on this page, see the generic issue import format for a generic way to import external issues. You can also import issues from SARIF reports.

SonarQube doesn't run your external analyzers or generate reports. It only imports pre-generated reports. Below you'll find language- and tool-specific analysis parameters for importing reports generated by external analyzers.

We recommend checking out the guides category of the SonarSource community forum, where you might find instructions on generating these reports.

Importing reports from third-party tools

Some properties support the following wildcards in paths. The remarks for properties that support wildcards will mention that fact. If the remarks do not say wildcards are supported, then they are not.:

SymbolMeaning
?a single character
*any number of characters
**any number of directories

List of properties

Unless otherwise specified, the following properties accept both absolute paths and paths relative to the project root.

LanguagePropertyRemarks
Apexsonar.apex.pmd.reportPathsComma-delimited list of paths to PMD Apex. Make sure the path in the PMD report matches the path used by analysis.

Note: The format of PMD reports generated by sfdx-scanner does not seem to perfectly match the format used by PMD. An alternative is to export to SARIF format instead of PMD.
Cloudformationsonar.cloudformation.cfn-lint.reportPathsComma-delimited list of paths to AWS CloudFormation Linter reports in JSON format
C/C++/Objective-C sonar.cfamily.valgrind.reportsPathsComma-delimited list of paths to Valgrind Memcheck and Helgrind XML reports
CSSsonar.css.stylelint.reportPathsComma-delimited list of paths to StyleLint.io reports
Dockersonar.docker.hadolint.reportPathsComma-delimited list of paths to Hadolint reports in JSON and `sonarqube` format
Gosonar.go.govet.reportPathsComma-delimited list of paths to GoVet reports
Gosonar.go.golint.reportPathsComma-delimited list of paths to GoLint reports
Gosonar.go.gometalinter.reportPathsComma-delimited list of paths to GoMetaLinter reports
Gosonar.go.golangci-lint.reportPathsComma-delimited list of paths to golangci-lint reports in checkstyle format (use --out-format checkstyle golangci-lint option).

Depending on how many issues you're importing, you might want to disable the max-issues-per-linter option in your golangci config file.
Gosonar.externalIssuesReportPathsComma-delimited list of paths to gosec reports in SonarQube format (use -fmt=sonarqube gosec option). Note: this property is the one from the Generic Issue Import Format
Javasonar.java.spotbugs.reportPathsComma-delimited list of paths to reports from SpotBugs, FindSecBugs, or FindBugs
Javasonar.java.pmd.reportPathsComma-delimited list of paths to reports from PMD
Javasonar.java.checkstyle.reportPathsComma-delimited list of paths to reports from Checkstyle
JavaScriptsonar.eslint.reportPathsComma-delimited list of paths to JSON ESLint reports (use -f json ESLint option)
Kotlinsonar.androidLint.reportPathsComma-delimited list of paths to AndroidLint reports
Kotlinsonar.kotlin.detekt.reportPathsComma-delimited list of paths to Detekt reports
Kotlinsonar.kotlin.ktlint.reportPathsComma-delimited list of paths to Ktlint reports
PHPsonar.php.psalm.reportPathsComma-delimited list of paths to Psalm reports. Reports should be generated in the Generic Issue Format (run Psalm with the option --output-format sonarqube).
PHPsonar.php.phpstan.reportPathsComma-delimited list of paths to PHPStan reports. Reports should be generated in the PHPStan JSON Output Format (use the PHPStan analyse command with the option --error-format=json).
Pythonsonar.python.pylint.reportPathsComma-delimited list of paths to Pylint reports (use --output-format=parseablePylint option)
Pythonsonar.python.bandit.reportPathsComma-delimited list of paths to Bandit reports
Pythonsonar.python.flake8.reportPathsComma-delimited list of paths to Flake8 reports
Pythonsonar.python.mypy.reportPathsComma-delimited list of paths to Mypy reports
Pythonsonar.python.ruff.reportPathsComma-delimited list of paths to Ruff reports. 
Rubysonar.ruby.rubocop.reportPathsComma-delimited list of paths to Rubocop reports
Scalasonar.scala.scalastyle.reportPathsComma-delimited list of paths to Scalastyle reports
Scalasonar.scala.scapegoat.reportPathsComma-delimited list of paths to Scapegoat reports in the Scalastyle format
Swiftsonar.swift.swiftLint.reportPathsComma-delimited list of paths to SwiftLint reports in JSON format
Terraformsonar.terraform.tflint.reportPathsComma-delimited list of paths to TFLint reports in JSON format
TypeScriptsonar.typescript.tslint.reportPathsComma-delimited list of paths to TSLint reports in JSON format (use -t json TSLint option)

External .NET issues

Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarQube therefore, no properties exist to enable that behavior. Instead, properties are available to adjust the import and to stop importing those issues.

LanguagePropertyRemarks
C#sonar.cs.roslyn.ignoreIssuesSet to true to disable import of external issues. Defaults to false.
C#sonar.cs.roslyn.bugCategoriessonar.cs.roslyn.vulnerabilityCategoriessonar.cs.roslyn.codeSmellCategoriesComma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells.
VB.NETsonar.vbnet.roslyn.ignoreIssuesSet to true to disable import of external issues. Defaults to false.
VB.NETsonar.vbnet.roslyn.bugCategoriessonar.vbnet.roslyn.vulnerabilityCategoriessonar.vbnet.roslyn.codeSmellCategoriesComma-delimited list of categories whose issues should be classified as Bugs, Vulnerabilities, or Code Smells.

Note that Roslyn issues with an error severity automatically fail the build. We don't recommend running the Scanner for MSBuild's end step if the MSBuild step fails for any reason because it will result in an essentially empty analysis.

External issue lifecycle

The lifecycle of external issues is identical to the lifecycle of internal issues. This means that you can resolve an external issue the same way you would resolve an internal issue. For details, see Issues.

Note that managing an external issue within SonarQube has no impact on its state in the external tool. For example, when you mark an issue as false positive in SonarQube, it is not reflected in the external tool.

Limitation

External issues have an important limitation. The activation of the rules that raise these issues cannot be managed within SonarQube. External rules are not visible on the Rules page or reflected in any quality profile.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License