Importing issues from SARIF reports (SonarQube 9.9 documentation)

SonarQube can import reports in the standard Static Analysis Results Interchange Format (SARIF) produced by other tools and raise their findings as external issues in the code. Every issue imported from a SARIF report is typed as a vulnerability in SonarQube, whatever the originating tool called it.

The imported SARIF files must comply with the official SARIF format, version 2.1.0.

Import

The analysis parameter sonar.sarifReportPaths accepts a comma-delimited list of paths to SARIF reports. The report files must be UTF-8 encoded.

Mandatory fields for SonarQube:

  • version - must be “2.1.0”
  • runs[].tool.driver.name - Name of the tool that created the report
  • runs[].results[].message.text - Message of the external issue
  • runs[].results[].ruleId - ID of the corresponding rule in the tool that created the report 
  • runs[].results[].locations[] - SonarQube only uses the first item in the array. Must be a physical location
    • physicalLocation.artifactLocation.uri - path of the file concerned by the issue
    • physicalLocation.region - text range concerned by the issue, defined by the following fields:
      • startLine
      • startColumn (optional)
      • endLine (optional)
      • endColumn (optional)

If startColumn, endLine and endColumn are omitted, SonarQube flags the whole of startLine.

Optional fields:

  • runs[].results[].level - severity of the issue. The following mapping applies:

    SARIF 2.1.0 level    SonarQube severity
    error                critical
    warning              major
    note                 minor
    none                 info
    empty or null        major (default)

Example

{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "informationUri": "https://www….",
          "version": "8.27.0"
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "ruleId": "no-unused-vars"
        }
      ]
    }
  ]
}
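The following script is an added illustration, not code from SonarQube or from the documentation: it checks a parsed SARIF log against the mandatory fields listed above and predicts the severity and text range SonarQube will give each result, so that a report can be validated before it is handed to sonar.sarifReportPaths. The field list and the level mapping are the ones documented on this page; SARIF_SAMPLE is a constructed input shaped like the example above, with a second result that carries only startLine and a third that SonarQube would not import because it lacks ruleId.

```python
"""Validate a SARIF 2.1.0 log against the fields SonarQube requires for import.

Added example, not SonarQube's own code. Field list and level mapping are taken
from the documentation above; SARIF_SAMPLE is a constructed input.
"""
import json

# SARIF `level` -> SonarQube severity, as documented on the page.
LEVEL_TO_SEVERITY = {"error": "critical", "warning": "major", "note": "minor", "none": "info"}
DEFAULT_SEVERITY = "major"  # applied when `level` is absent, empty or null


def severity_for(level):
    """Severity SonarQube assigns; unknown values are reported by check_result instead."""
    if not level:
        return DEFAULT_SEVERITY
    return LEVEL_TO_SEVERITY.get(level, DEFAULT_SEVERITY)


def load_sarif(path):
    """Read a report from disk; SonarQube requires the file to be UTF-8 encoded."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def check_result(result, index):
    """Problems with one runs[].results[] entry; an empty list means it is importable."""
    problems, where = [], f"results[{index}]"
    if not result.get("ruleId"):
        problems.append(f"{where}: missing ruleId")
    if not result.get("message", {}).get("text"):
        problems.append(f"{where}: missing message.text")
    level = result.get("level")
    if level and level not in LEVEL_TO_SEVERITY:
        problems.append(f"{where}: level {level!r} is not a SARIF 2.1.0 level")
    locations = result.get("locations") or []
    if not locations:
        return problems + [f"{where}: no locations (SonarQube reads locations[0])"]
    physical = locations[0].get("physicalLocation")  # only the first location is used
    if not physical:
        return problems + [f"{where}: locations[0] is not a physical location"]
    if not physical.get("artifactLocation", {}).get("uri"):
        problems.append(f"{where}: missing physicalLocation.artifactLocation.uri")
    start = (physical.get("region") or {}).get("startLine")
    if not isinstance(start, int) or start < 1:
        problems.append(f"{where}: region.startLine is mandatory and must be >= 1")
    return problems


def check_sarif(log):
    """All problems in a parsed SARIF log; an empty list means it should import."""
    problems = []
    if log.get("version") != "2.1.0":
        problems.append('version must be "2.1.0"')
    for r, run in enumerate(log.get("runs") or []):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{r}]: missing tool.driver.name")
        for i, result in enumerate(run.get("results") or []):
            problems.extend(check_result(result, i))
    return problems


def summarize(log):
    """Predict the issue SonarQube creates for each importable result (others are skipped)."""
    issues = []
    for run in log.get("runs") or []:
        for i, result in enumerate(run.get("results") or []):
            if check_result(result, i):
                continue
            physical = result["locations"][0]["physicalLocation"]
            region = physical["region"]
            has_columns = all(k in region for k in ("startColumn", "endLine", "endColumn"))
            issues.append({"ruleId": result["ruleId"],
                           "severity": severity_for(result.get("level")),
                           "uri": physical["artifactLocation"]["uri"],
                           "startLine": region["startLine"],
                           "wholeLine": not has_columns})  # no columns: the whole line is flagged
    return issues


# Constructed sample: a full result, one with only startLine, and one without ruleId.
SARIF_SAMPLE = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "a test linter"}}, "results": [
        {"ruleId": "no-unused-vars", "level": "error",
         "message": {"text": "'toto' is assigned a value but never used."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/simple-file.js"},
                        "region": {"startLine": 1, "startColumn": 5, "endLine": 1, "endColumn": 9}}}]},
        {"ruleId": "no-console", "message": {"text": "Unexpected console statement."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/simple-file.js"},
                        "region": {"startLine": 7}}}]},
        {"level": "warning", "message": {"text": "result without a ruleId"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/simple-file.js"},
                        "region": {"startLine": 3}}}]}]}]}

if __name__ == "__main__":
    for problem in check_sarif(SARIF_SAMPLE):
        print("NOT IMPORTABLE:", problem)
    for issue in summarize(SARIF_SAMPLE):
        print(issue)
```

Running the script on SARIF_SAMPLE reports the third result as not importable and lists the other two with severities critical and major (the latter flagged on the whole of line 7). To check a real report, replace SARIF_SAMPLE with load_sarif("eslint.sarif") and only then pass the file on the command line, for example sonar-scanner -Dsonar.sarifReportPaths=eslint.sarif. Note that the script enforces the fields SonarQube requires, not full SARIF schema conformance.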

Limitations

There are a couple of limitations with importing SARIF issues:

  • You can't manage them within SonarQube; for instance, there is no ability to mark them as False Positive.
  • You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
