Importing issues from SARIF reports

SonarQube supports the standard Static Analysis Results Interchange Format (SARIF) for raising external issues in code. All issues raised in a SARIF report will be considered vulnerabilities in SonarQube.

The imported SARIF files must comply with the official SARIF format, version 2.1.0.

Import

The analysis parameter sonar.sarifReportPaths accepts a comma-delimited list of paths to SARIF reports.

Mandatory fields for SonarQube:

  • version - must be "2.1.0"
  • runs[].tool.driver.name - name of the tool that created the report
  • runs[].results[].message.text - message of the external issue
  • runs[].results[].ruleId - ID of the corresponding rule in the tool that created the report

Optional fields:

  • runs[].results[].locations[] - SonarQube only uses the first item in the array. It must be a physical location, described by the following fields:
    • physicalLocation.artifactLocation.uri - path of the file concerned by the issue
    • physicalLocation.region - text range concerned by the issue, defined by the following fields:
      • startLine
      • startColumn (optional)
      • endLine (optional)
      • endColumn (optional)
    If startColumn, endLine and endColumn are not specified, SonarQube automatically retrieves the full coordinates of the line.
  • runs[].results[].level - severity of the issue. The following mapping applies:

    SARIF 2.1.0 level    SonarQube severity
    error                critical
    warning              major
    note                 minor
    none                 info
    empty or null        major (default)

Example

{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "informationUri": "https://www….",
          "version": "8.27.0"
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "ruleId": "no-unused-vars"
        }
      ]
    }
  ]
}
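As an added example (not SonarQube's own code), the following Python checker applies the rules above to a report before it is handed to the scanner: it rejects a missing mandatory field, keeps only the first location, maps level to severity with the documented default for a missing level, and fills in endLine when only startLine is given. The embedded report is constructed, and the keys of the returned dicts are my own naming, not a SonarQube API.

```python
import json

# SARIF 2.1.0 level -> SonarQube severity, as in the mapping table above.
LEVEL_TO_SEVERITY = {"error": "CRITICAL", "warning": "MAJOR", "note": "MINOR", "none": "INFO"}
DEFAULT_SEVERITY = "MAJOR"  # used when level is absent, empty or null


def sarif_to_external_issues(sarif):
    """Check the fields SonarQube requires and return one dict per result."""
    if sarif.get("version") != "2.1.0":
        raise ValueError("version must be 2.1.0, got %r" % sarif.get("version"))
    issues = []
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name")
        if not tool:
            raise ValueError("runs[].tool.driver.name is mandatory")
        for result in run.get("results", []):
            rule_id, text = result.get("ruleId"), result.get("message", {}).get("text")
            if not rule_id or not text:
                raise ValueError("results[].ruleId and results[].message.text are mandatory")
            # Every imported SARIF result becomes a vulnerability in SonarQube.
            issue = {"tool": tool, "ruleId": rule_id, "message": text, "type": "VULNERABILITY",
                     "severity": LEVEL_TO_SEVERITY.get(result.get("level") or "", DEFAULT_SEVERITY)}
            locations = result.get("locations") or []
            if locations:  # only the first entry is used and it must be a physical location
                phys = locations[0].get("physicalLocation")
                if phys is None:
                    raise ValueError("first location must be a physicalLocation")
                issue["uri"] = phys.get("artifactLocation", {}).get("uri")
                region = phys.get("region")
                if region:  # missing endLine means the same line; missing columns mean the whole line
                    issue["region"] = {"startLine": region["startLine"],
                                       "startColumn": region.get("startColumn"),
                                       "endLine": region.get("endLine", region["startLine"]),
                                       "endColumn": region.get("endColumn")}
            issues.append(issue)
    return issues


# Constructed sample report (not from the page): the second result has no level and no columns.
SAMPLE_SARIF = json.loads("""{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "a test linter"}},
  "results": [
    {"level": "error", "ruleId": "no-unused-vars",
     "message": {"text": "'toto' is assigned a value but never used."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/simple-file.js"},
                    "region": {"startLine": 1, "startColumn": 5, "endLine": 1, "endColumn": 9}}}]},
    {"ruleId": "no-eval", "message": {"text": "Unexpected use of eval()."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/simple-file.js"},
                    "region": {"startLine": 7}}}]}]}]}""")
```

Running `sarif_to_external_issues(SAMPLE_SARIF)` yields two issues: the first is CRITICAL with the full region, the second falls back to MAJOR and to endLine 7 with no columns.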

Limitations

There are a couple of limitations with importing SARIF issues:

  • You can't manage them within SonarQube; for instance, there is no ability to mark them as False Positive.
  • You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.

© 2008-2022, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution-NonCommercial 3.0 United States License. SONARQUBE is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners.
