Hello,
There is a problem when importing the SARIF report for a .NET solution. The vulnerability cannot be matched with the right file.
I would also like to point out that all csproj are imported into SonarCloud.
Your complaint is that the issues are raised at the directory/project level instead of on individual files?
Looking at the report you uploaded, it seems that the locations for all the issues in it are (somewhat ironically) on .csproj files. Other than raising the issues on the .csproj files, it’s not clear to me what you were expecting.
Thanks for raising this issue. Can you please share the verbose logs by adding /d:"sonar.verbose=true" to the "SonarQubePrepare" or "SonarCloudPrepare" task's extraProperties argument, if you are using Azure DevOps?
For example:
It should work with relative location, but we suspect there might be an issue depending on what we consider a base directory.
To validate this hypothesis, could you maybe try on your side with absolute URIs in the SARIF report and let us know?
Here is an example of a path that should work for you: file:///agent/_work/1/s/Up.France.Commercant.BO.Infrastructure/Up.France.Commercant.BO.Infrastructure.csproj
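
The rewrite suggested in the last reply, as an added example that is not part of the thread or of Sonar's tooling: a Python script that turns relative artifactLocation URIs in a SARIF 2.1.0 report into absolute file:// URIs before import. The base directory /agent/_work/1/s is an assumption read off the example path above, and the sample report, tool name and rule ids are constructed.

```python
import json
import posixpath
from urllib.parse import quote, urlsplit

BASE_DIR = "/agent/_work/1/s"  # assumption: checkout root, taken from the path in the thread
REL = "Up.France.Commercant.BO.Infrastructure/Up.France.Commercant.BO.Infrastructure.csproj"

# Constructed sample report: one relative location, one already absolute.
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner"}},
    "results": [
        {"ruleId": "EX0001", "message": {"text": "constructed finding"},
         "locations": [{"physicalLocation": {"artifactLocation": {
             "uri": REL, "uriBaseId": "SRCROOT"}}}]},
        {"ruleId": "EX0002", "message": {"text": "constructed finding"},
         "locations": [{"physicalLocation": {"artifactLocation": {
             "uri": "file:///agent/_work/1/s/Other/Other.csproj"}}}]},
    ]}]}


def to_absolute_uri(uri: str, base_dir: str) -> str:
    """Return uri unchanged if it already has a scheme, else resolve it under base_dir."""
    if urlsplit(uri).scheme:
        return uri
    # SARIF URIs are already percent-encoded; only the base directory is quoted here.
    return "file://" + posixpath.normpath(posixpath.join(quote(base_dir), uri))


def absolutize(node, base_dir: str) -> int:
    """Rewrite every artifactLocation.uri in a parsed SARIF document, in place.

    Returns the number of URIs that were changed."""
    changed = 0
    if isinstance(node, dict):
        loc = node.get("artifactLocation")
        if isinstance(loc, dict) and isinstance(loc.get("uri"), str):
            new_uri = to_absolute_uri(loc["uri"], base_dir)
            if new_uri != loc["uri"]:
                loc["uri"] = new_uri
                loc.pop("uriBaseId", None)  # a base id is not needed on an absolute URI
                changed += 1
        changed += sum(absolutize(value, base_dir) for value in node.values())
    elif isinstance(node, list):
        changed += sum(absolutize(item, base_dir) for item in node)
    return changed


if __name__ == "__main__":
    report = json.loads(json.dumps(SAMPLE))  # work on a copy of the sample
    print(absolutize(report, BASE_DIR), "URI(s) rewritten")
    print(json.dumps(report, indent=2))
```

Comparing the import result for the rewritten report against the original one shows whether the base directory used to resolve relative locations is the cause.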