SARIF import does not seems to take into account the uriBaseId

MonikaK · June 27, 2025, 10:04am

Hello

I’m using SonarQube 25.3.0.104237 and Sonar Scanner CLI 7.0.2.4839.

The uriBaseId is not taken into account when importing a SARIF report containing a rule violation at the issues level specified as

          "ruleId": "my rule",
          "level": "warning",
          "message": {
            "text": "my rule description"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "my_file.adb",
                  "uriBaseId": "file://C:/my_folder/"
                },
                "region": {
                  "startLine": 23,
                  "startColumn": 17,
                  "sourceLanguage": "Ada"
                }
              },
              "logicalLocations": [
                { "fullyQualifiedName": "input", "kind": "function" }
              ]
            }
          ],

The report is imported but no marker about the issue is available at the specified location in the given file.

This is not supported on your side ? If this is the case, will the relative paths to the uriBaseId supported in the further versions ?

Colin · June 30, 2025, 8:17am

Hey @MonikaK

Thanks for the report. Can you please provide a small sample project with a complete example of the valid SARIF report (just containing the one issue) where uriBaseId is not taken into account?

MonikaK · July 1, 2025, 8:40am

sdc.zip (1.3 MB)

Please find attached a sample project with one rule and one results.

In order to use it, please unfold under C:/gnatmail/gnathub/sdc_tuto/sdc. The sonar-project.properties is located under obj/gnathub/sonar folder and the SARIF file to be used is located under obj/gnatsas/sdc.sarif.
The uriBaseId is set in the results part as "URI_BASE_DIR" defined as

      "originalUriBaseIds": {
        "URI_BASE_DIR": {
          "uri": "file://C:/gnatmail/gnathub/sdc_tuto/sdc/",
          "description": {
            "text": "The absolute path to the directory specified with '--root DIR', or to the project directory otherwise."
          }
        }
      },`

No mapping on the source code of the rule violation is available on the code side expected to have it at line 191 in /commo/input.adb (as shown in the images)

Thanks in advance for your feedback!

Topic		Replies	Views
The "level" is not taken into account when importing a SARIF report SonarQube Server / Community Build sonarqube , sarif	8	26	July 3, 2025
SARIF issue import not working as I expected SonarQube Server / Community Build sarif	10	738	February 7, 2025
SARIF report issue - unable to see imported content SonarQube Server / Community Build sarif	16	542	August 27, 2024
Import Sarif report - source context not matching SonarQube Server / Community Build sarif , sonarqube-cloud	9	138	December 12, 2024
SARIF import failing with sonar-scanner-cli:5.0.1 SonarQube Server / Community Build scanner , sarif	5	84	October 1, 2024

SARIF import does not seems to take into account the uriBaseId

Related topics