Import Sarif report - source context not matching

Hello,
There is a problem when importing the sarif report for a .net solution. The vulnerability cannot be matched with the right file.
I would also like to point out that all csproj are imported into SonarCloud.

Problem


devops.log (60.5 KB)

Environment

sarif.zip (1.5 KB)

Solution Structure

Thanks,
HF

Hi,

Your complaint is that the issues are raised at the directory/project level instead of on individual files?

Looking at the report you uploaded, it seems that the locations for all the issues in it are (somewhat ironically) on .csproj files. Other than raising the issues on the .csproj files, it’s not clear to me what you were expecting.

 
Ann

Hi,

what I’m looking for is to have issues on indexed files (csproj) and not on directories or the project name.

HF

my real question is: What value should I put in the URI field in my case ?

Hi,

Thanks for clarifying. I initially misunderstood your mention that the csproj files are imported.

I’ve flagged this for more expert eyes.

 
Ann

1 Like

Hi @Heni_Fazzani

Thanks for raising this issue. Can you please share the verbose logs by adding the /d:"sonar.verbose=true" to the "SonarQubePrepare” or “SonarCloudPrepare” task’s extraProperties argument if you are using Azure DevOps
For example:

- task: SonarCloudPrepare@3
    inputs:
      SonarCloud: 'sonarcloud'
      organization: 'foo'
      scannerMode: 'dotnet'
      projectKey: 'foo_sonar-scanning-someconsoleapp'
      projectName: 'sonar-scanning-someconsoleapp'
      extraProperties: |
        sonar.verbose=true

Thanks

1 Like

sonar.log (2.1 MB)
Hi @alexander.meseldzija ,

please find attached the requested file

thx
HF

Hello
Any news please ?

Hi @Heni_Fazzani, sorry for the delay.
I plan to look into this this week.

1 Like