Importing issues from SARIF reports
SonarQube supports the standard Static Analysis Results Interchange Format (SARIF) for raising external issues in code. All issues raised in a SARIF report will be considered vulnerabilities in SonarQube.
The imported SARIF files must comply with the official SARIF format, version 2.1.0.
The analysis parameter sonar.sarifReportPaths accepts a comma-delimited list of paths to SARIF reports. The reports must be UTF-8 encoded.
Mandatory fields for SonarQube:
- version: Must be “2.1.0”
- runs.tool.driver.name: Name of the tool that created the report
- runs.results.message.text: Message of the external issue
- runs.results.ruleId: ID of the corresponding rule in the tool that created the report
- runs.results.locations: SonarQube only uses the first item in the array. Must be a physical location
  - physicalLocation.artifactLocation.uri: Path of the file concerned by the issue
  - physicalLocation.region: Text range concerned by the issue, defined by the following fields:
    endColumn are not specified, SonarQube automatically retrieves the full coordinates of the line.
If a mandatory field is missing, the report is ignored (see the corresponding line in the logs).
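As an added check (not SonarQube's own code), the following Python validates a parsed SARIF log against the mandatory fields listed above before the file is handed to sonar.sarifReportPaths, so a missing field is caught locally rather than found in the analysis logs after the report has been silently ignored. The sample report is constructed here, and the requirement that region carries a startLine is an assumption taken from the SARIF 2.1.0 specification rather than from this page.

```python
# Constructed minimal SARIF 2.1.0 report carrying only the fields the page lists
# as mandatory for SonarQube (region.startLine is assumed, per the SARIF spec).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [{
            "ruleId": "EX001",
            "message": {"text": "Hard-coded credential in source"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/app.py"},
                "region": {"startLine": 12}}}],
        }],
    }],
}

def _get(obj, path):
    """Walk a dotted path through nested dicts; None when any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def check_sarif(log):
    """Return the problems that would make SonarQube ignore this report (empty if none)."""
    problems = []
    if log.get("version") != "2.1.0":
        problems.append('version must be "2.1.0"')
    for r, run in enumerate(log.get("runs", [])):
        if not _get(run, "tool.driver.name"):
            problems.append(f"runs[{r}]: missing tool.driver.name")
        for i, res in enumerate(run.get("results", [])):
            where = f"runs[{r}].results[{i}]"
            if not res.get("ruleId"):
                problems.append(f"{where}: missing ruleId")
            if not _get(res, "message.text"):
                problems.append(f"{where}: missing message.text")
            locs = res.get("locations") or []
            # SonarQube reads only the first location, and it must be physical.
            phys = _get(locs[0], "physicalLocation") if locs else None
            if not phys:
                problems.append(f"{where}: first location is not a physicalLocation")
                continue
            if not _get(phys, "artifactLocation.uri"):
                problems.append(f"{where}: missing artifactLocation.uri")
            if not _get(phys, "region.startLine"):
                problems.append(f"{where}: missing region.startLine")
    return problems
```

Load each report with `json.load` on a UTF-8 file handle and run `check_sarif` on the result; an empty list means every field SonarQube requires is present.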
sarifLog.runs.results.level: Severity of the issue. The following mapping applies:

| SARIF 2.1.0 | SonarQube severity |
| --- | --- |
There are a couple of limitations with importing SARIF issues:
- You can't manage them within SonarQube; for instance, there is no ability to mark them as False Positive.
- You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.
© 2008-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution-NonCommercial 3.0 United States License. SONARQUBE is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners.