Duplicated SARIF reports on an Azure Pipelines Windows agent

Hello, I’m having some trouble handling SARIF reports with a multi-component dotnet project.

Technical context:

  • SQ Enterprise Version 9.8 (build 63668)
  • Azure pipelines running on a windows 2019 VMSS (Virtual Machine Scale Set), with the System.Debug variable set to true to increase verbosity
  • [EDIT 20230201 14:37 CST] : the issue also occurs on a Linux machine
  • Multi-project dotnet repo
  • The structure of the repo is composed of 8 .csproj files, some of which SonarQube detects as modules.

During the SonarQubeAnalyze@5 task, each of the found modules (the 8 dotnet projects + the main project) triggers an import of the SARIF reports:

------------- Run sensors on module SonarTest.Dal.Tests
Sensor Import external issues report from SARIF file.
Unable to detect rules severity for issue detected by tool gitleaks, falling back to default rule severity: MAJOR
File C:\a\1\trivy_fs_analysis_report\leaks_tests_trivy.sarif: successfully imported 5 vulnerabilities spread in 1 runs. 0 failed run(s).
File C:\a\1\checkov_analysis_report\leaks_tests_checkov.sarif: successfully imported 2 vulnerabilities spread in 1 runs. 0 failed run(s).
File C:\a\1\gitleaks_analysis_report\leaks_tests_gitleaks.sarif: successfully imported 10 vulnerabilities spread in 1 runs. 0 failed run(s).
Sensor Import external issues report from SARIF file. (done) | time=16ms
[...]
------------- Run sensors on module Sandbox - Sandbox
Sensor Import external issues report from SARIF file.
Unable to detect rules severity for issue detected by tool gitleaks, falling back to default rule severity: MAJOR
File C:\a\1\trivy_fs_analysis_report\leaks_tests_trivy.sarif: successfully imported 5 vulnerabilities spread in 1 runs. 0 failed run(s).
File C:\a\1\checkov_analysis_report\leaks_tests_checkov.sarif: successfully imported 2 vulnerabilities spread in 1 runs. 0 failed run(s).
File C:\a\1\gitleaks_analysis_report\leaks_tests_gitleaks.sarif: successfully imported 10 vulnerabilities spread in 1 runs. 0 failed run(s).
Sensor Import external issues report from SARIF file. (done) | time=16ms

The consequence of this is that every vulnerability found in the reports is duplicated among all projects, hence adding (8 modules + 1 project) * (2 checkov issues + 10 gitleaks issues + 5 trivy issues) = 153 vulnerabilities.

Is there some setting I didn’t set that I should have?

FYI, the monorepo parameter does not change anything there.

Thanks, have a nice day.


perform_sq_analysis.log (55.6 KB)
sarif_reports.zip (4.2 KB)

Hello @Mikaciu,

Thanks for your report.

I could indeed reproduce the problem: whenever a multi-module project is scanned, the SARIF upload is triggered several times.

If all your SARIF reports are in a single folder, a workaround would be to use a relative path rather than an absolute one. This way, only one of the analyses will be able to find the reports.

Example:
-Dsonar.sarifReportPaths=sarif/test.sarif
instead of
-Dsonar.sarifReportPaths=/full/path/to/sarif/test.sarif.

That being said, I have created a ticket to investigate & fix the problem. You can track it: [SONAR-18389] - Jira

Cheers,
Aurélien
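The following is an added example, not code from the original post or from SonarSource, that makes the two points of this thread concrete: it parses minimal SARIF documents to reproduce the "imported N vulnerabilities spread in M runs" counts from the log and the 153-issue total, and it simulates why a relative `sonar.sarifReportPaths` value is only found once while an absolute one is found from every module. The SARIF documents, the module names (`SonarTest.Dal.Tests`, `Sandbox`) and the `sarif/` folder are constructed for the demo; the assumption that the scanner resolves a relative report path against each module's base directory is taken from the reply above and is not verified against scanner source.

```python
"""Added example (not from the original post or SonarQube): counts SARIF
results the way the import log reports them and shows why a relative
sonar.sarifReportPaths value is only resolved by one module."""
import json
import os
import tempfile


def _sarif(tool, n):
    # Constructed minimal SARIF 2.1.0 document with n results for one tool;
    # only the fields the counting logic needs are present.
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool}},
            "results": [
                {"ruleId": f"{tool}-rule-{i}", "level": "warning",
                 "message": {"text": f"finding {i}"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": f"src/file{i}.cs"},
                     "region": {"startLine": i + 1}}}]}
                for i in range(n)
            ],
        }],
    }


# Constructed stand-ins for the three reports in the log: 5 trivy,
# 2 checkov and 10 gitleaks results.
REPORTS = {
    "leaks_tests_trivy.sarif": _sarif("trivy", 5),
    "leaks_tests_checkov.sarif": _sarif("checkov", 2),
    "leaks_tests_gitleaks.sarif": _sarif("gitleaks", 10),
}


def count_results(sarif):
    """Return (results, runs) for one SARIF document, i.e. the numbers in
    'successfully imported N vulnerabilities spread in M runs'."""
    runs = sarif.get("runs", [])
    return sum(len(r.get("results", [])) for r in runs), len(runs)


def expected_issue_total(reports, module_count):
    """Issues SonarQube ends up with when every module re-imports every
    report: module_count * (sum of results over all reports)."""
    per_pass = sum(count_results(doc)[0] for doc in reports.values())
    return module_count * per_pass


def modules_that_find(report_paths, module_basedirs):
    """Simulate sonar.sarifReportPaths resolution (assumption: an absolute
    path is used as-is, a relative path is joined to each module's base
    directory).  Returns {module: [report files that exist]}."""
    found = {}
    for module, base in module_basedirs.items():
        hits = []
        for p in report_paths:
            full = p if os.path.isabs(p) else os.path.join(base, p)
            if os.path.isfile(full):
                hits.append(full)
        found[module] = hits
    return found


def demo():
    """Build a temp tree with a root module and two constructed sub-modules,
    write the reports under <root>/sarif, and compare absolute vs relative
    paths.  Returns ({module: hits} for absolute, {module: hits} for relative)."""
    with tempfile.TemporaryDirectory() as root:
        report_dir = os.path.join(root, "sarif")
        os.makedirs(report_dir)
        for name, doc in REPORTS.items():
            with open(os.path.join(report_dir, name), "w") as fh:
                json.dump(doc, fh)
        modules = {
            "root": root,
            "SonarTest.Dal.Tests": os.path.join(root, "SonarTest.Dal.Tests"),
            "Sandbox": os.path.join(root, "Sandbox"),
        }
        for d in modules.values():
            os.makedirs(d, exist_ok=True)
        relative = [os.path.join("sarif", n) for n in REPORTS]
        absolute = [os.path.join(report_dir, n) for n in REPORTS]
        abs_hits = {m: len(v) for m, v in modules_that_find(absolute, modules).items()}
        rel_hits = {m: len(v) for m, v in modules_that_find(relative, modules).items()}
        return abs_hits, rel_hits


if __name__ == "__main__":
    print(expected_issue_total(REPORTS, 9))   # 9 modules * 17 results
    print(demo())
```

With absolute paths every module's pass finds all three files, so each report is imported once per module; with paths relative to the root module only the root pass finds them, which is the workaround described in the reply. The counting helper is also a quick way to check that the "imported N vulnerabilities" lines in the scanner log match what the SARIF files actually contain.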
