Export to SARIF

Hello, I use SonarQube in Azure DevOps pipelines. I wanted to know if there was a way to export the scan report also in SARIF format.
Thank you

Hi,

Welcome to the community!

Enterprise Edition ($$) offers some reports, but nothing in the SARIF format. Could you share why you want that format?

Thx,
Ann

Hi,
thank you,

It could be useful to aggregate the results of SonarQube together with those of other tools and export them, or make them available, using a standard. It could also be useful to exploit some viewers that are able to expose the results starting from a standard SARIF report.

For example, if I wanted to report the report details in Azure DevOps, I could use the AzDo plugin to display SARIF reports directly within the pipeline execution without having to refer to the tool. Or to provide a report in a standard format directly at the end of the build.

At the moment we have an Enterprise subscription, and I think that providing this type of feature could still be something useful since it is a standard format.

Thanks
Mario.

Hello,

Thanks for your answer. Since Sonar is the home of clean code, I would expect Sonar to be used as the central place where you load all the SARIF generated by other tools to have the big picture in one place on top of the issues raised by Sonar itself.

If we imagine that we provide a possibility to export Sonar’s findings as SARIF, how would you use it for real? What actions will developers take? I struggle to see the value. If you could help clarify your underlying needs, that would be awesome.

Thanks
Alex

Hi,
An example, as I said before, is to be able to view the SARIF report directly within Azure DevOps (there is a plugin for viewing reports, but it requires the SARIF format). At the moment in Azure DevOps I can only view the quality gate report; this way the developer would have the possibility of seeing a first report directly in the build summary page (not the PR).
But also the possibility, for any reason, to share an export in a standard format.
An advanced tool like SonarQube, I believe, should still provide the possibility of exporting the results in a standard format without excluding it a priori. And this does not exclude the possibility of using SonarQube as a clean code center.
I believe that adding a feature like this is something useful and appreciated.

Thanks
Bye

2 Likes

GitHub allows importing SARIF reports and displays their information in the GitHub UI. We're also aggregating data from other services in GitHub as well. We would also like to be able to extract SARIF reports from SonarQube.

3 Likes

I would like this for the exact reason Mnelli19 mentioned. I want developers to be able to take action on issues earlier in the development lifecycle, not just when a quality gate fails and stops a PR.

We have the same requirements, and we ended up writing our own SARIF exporter plugin, using the limited API that SonarQube exposes. It is working well enough, and we decided to release the project to the open source community:

The plugin itself is available for download in the releases section of the repository:

The export path is controlled by the sonar.sarif.output scanner property.

A few things to note:

  • The project is very raw; for example, there are no tests and no documentation; we plan to improve that and, of course, you are all welcome to contribute
  • The plugin relies on an extension point that was deprecated years ago; we suspect that Sonar never removed it because they use it themselves
  • SonarQube APIs don't expose the secondary locations of issues, which means that we can't export them to the SARIF report
  • SonarQube APIs don't expose the list of rules registered on the server, which means that we construct the list of rules from the raised issues; the consequence is that the rule messages are the issue messages

None of this is ideal, obviously.

One of my co-workers has started an initiative to build our own custom version of SonarQube, supercharged with some more powerful plugin APIs. Typically, our custom build exposes the full set of rules and the secondary locations to the plugins, and a new ScannerSide extension point named "IssueAggregator". It fuels our internal SARIF plugin, which is obviously more powerful than the one that we released publicly.

We plan to have this supercharged SQ build released as a public open source project at one point.

2 Likes
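For readers who want the GitHub or Azure DevOps import use case from the earlier posts without building a server-side plugin, here is an added example (not the plugin released above, and not SonarSource code) that converts SonarQube issues into a SARIF 2.1.0 log the way that plugin describes: the rules array is rebuilt from the raised issues (so a rule's description is the first issue message seen for it), only primary locations are emitted, and SonarQube's 0-based text offsets are shifted to SARIF's 1-based columns. The issue records are constructed to mimic the shape of the `api/issues/search` Web API response; the project key, file names, issue keys, the severity-to-level mapping and the `sonarIssueKey` fingerprint name are all this example's own choices.

```python
"""Convert SonarQube issues (api/issues/search shape) into SARIF 2.1.0.
Added example for this thread; not the released plugin, not SonarSource code."""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# SonarQube severity -> SARIF level (SARIF only has error/warning/note/none).
# This mapping is the example's choice, not something SonarQube defines.
LEVEL_BY_SEVERITY = {
    "BLOCKER": "error", "CRITICAL": "error", "MAJOR": "warning",
    "MINOR": "note", "INFO": "note",
}

# Constructed sample issues (not from a real scan), shaped like the Web API
# response: textRange offsets are 0-based; file-level issues have no textRange.
SAMPLE_ISSUES = [
    {"key": "constructed-1", "rule": "java:S2068", "severity": "BLOCKER",
     "component": "demo-project:src/main/java/com/example/Db.java", "line": 17,
     "message": '"password" detected in this expression, review this potentially hard-coded credential.',
     "textRange": {"startLine": 17, "endLine": 17, "startOffset": 12, "endOffset": 40},
     "type": "VULNERABILITY"},
    {"key": "constructed-2", "rule": "java:S2068", "severity": "BLOCKER",
     "component": "demo-project:src/main/java/com/example/Db.java", "line": 21,
     "message": '"secret" detected in this expression, review this potentially hard-coded credential.',
     "textRange": {"startLine": 21, "endLine": 21, "startOffset": 12, "endOffset": 38},
     "type": "VULNERABILITY"},
    {"key": "constructed-3", "rule": "java:S1118", "severity": "MAJOR",
     "component": "demo-project:src/main/java/com/example/Util.java", "line": 5,
     "message": "Add a private constructor to hide the implicit public one.",
     "textRange": {"startLine": 5, "endLine": 5, "startOffset": 13, "endOffset": 17},
     "type": "CODE_SMELL"},
    {"key": "constructed-4", "rule": "java:S1220", "severity": "MINOR",
     "component": "demo-project:src/main/java/Legacy.java",
     "message": "Move this file to a named package.", "type": "CODE_SMELL"},
]


def relative_path(component, project_key):
    """'project:src/Foo.java' -> 'src/Foo.java'; anything else passes through."""
    prefix = project_key + ":"
    return component[len(prefix):] if component.startswith(prefix) else component


def region(issue):
    """SARIF region for the primary location, or None for a file-level issue.
    SARIF columns are 1-based and endColumn is exclusive, so offset + 1 on both."""
    tr = issue.get("textRange")
    if tr is None:
        return {"startLine": issue["line"]} if "line" in issue else None
    return {"startLine": tr["startLine"], "startColumn": tr["startOffset"] + 1,
            "endLine": tr["endLine"], "endColumn": tr["endOffset"] + 1}


def to_sarif(issues, project_key, tool_version="unknown"):
    """Build one SARIF run; rules are derived from the issues, as the server's
    rule catalogue is not assumed to be available (same caveat as the thread)."""
    rules, rule_index, results = [], {}, []
    for issue in issues:
        rule_id = issue["rule"]
        level = LEVEL_BY_SEVERITY.get(issue["severity"], "warning")
        if rule_id not in rule_index:
            rule_index[rule_id] = len(rules)
            # First message seen for a rule becomes its description.
            rules.append({"id": rule_id,
                          "shortDescription": {"text": issue["message"]},
                          "defaultConfiguration": {"level": level}})
        physical = {"artifactLocation": {
            "uri": relative_path(issue["component"], project_key),
            "uriBaseId": "%SRCROOT%"}}
        reg = region(issue)
        if reg:
            physical["region"] = reg
        results.append({
            "ruleId": rule_id, "ruleIndex": rule_index[rule_id], "level": level,
            "message": {"text": issue["message"]},
            "locations": [{"physicalLocation": physical}],
            # Stable issue key lets importers match a result across uploads.
            "partialFingerprints": {"sonarIssueKey": issue["key"]},
            "properties": {"sonarType": issue.get("type"),
                           "sonarSeverity": issue["severity"]},
        })
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "SonarQube",
                                          "version": tool_version,
                                          "rules": rules}},
                      "results": results}]}


def write_sarif(doc, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)


if __name__ == "__main__":
    write_sarif(to_sarif(SAMPLE_ISSUES, "demo-project", "10.4"), "sonar.sarif")
```

Feed it the JSON from your own `api/issues/search` call (with the project key you scanned) and point the Azure DevOps SARIF viewer or GitHub code scanning upload at the written file. Secondary locations (`flows`) are deliberately not emitted, matching the limitation the plugin author describes; `%SRCROOT%` is SARIF's conventional base for repository-relative paths.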