Sarif import report is not full

I use SonarQube 10.5.1 CE deployed on Docker

When I import a SARIF report, not all issues are imported. SARIF attached.

The debug log has only one error:

08:52:05.315 INFO: Sensor Import external issues report from SARIF file.
08:52:05.315 DEBUG: Importing SARIF issues from './sarif_reports/appscreener.sarif'
08:52:05.328 WARN: Unable to detect rules severity for issue detected by tool appScreener, falling back to default rule severity: MEDIUM
08:52:05.338 WARN: Failed to import an issue raised by tool appScreener, error: -1 is not a valid line offset for a file
08:52:05.348 INFO: File ./sarif_reports/appscreener.sarif: 1 run(s) successfully imported (11 vulnerabilities in total).
08:52:05.348 INFO: Sensor Import external issues report from SARIF file. (done) | time=33ms

But the SARIF has more issues. It’s not 11, it’s about 28 that SonarQube hasn’t imported.
appscreener.json (50.7 KB)

Hey there.

Unfortunately, we don’t have great logging when we fail to resolve file paths when importing the SARIF report (hopefully, this will improve soon: SONAR-20659).

To debug further, I’d suggest sharing your full analysis logs. They’re already at the DEBUG level, which is great.

No problem. Full log attached.
sonarqube_logs.txt (110.8 KB)

Also the SARIF from this project, with some added vulnerabilities. I made the new SARIF for a clean project; attached.
appscreener.json (47.6 KB)

Thanks for the excellent reproducer. I can confirm that I get 10 issues imported when I analyze the report with SonarQube.

I have the impression the issue is coming from this:

runs[].results[].locations[] SonarQube only uses the first item in the array. It must be a physical location.

I think appscreener may not be generating the report correctly. The 20+ issues I believe you’re expecting come from multiple locations reported. As noted in this tutorial:

Don’t use result.locations to specify the locations of multiple problems, even problems of the same kind, if they can be fixed independently. You might choose to fix some occurrences of the problem and not others, for example, if you know that some of the occurrences are in code that is slated for removal, or are false positives. Only put more than one element in result.locations if you have to fix all the locations at once.

If I’m correct, you should reach out to the vendor of appscreener.
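As an added illustration of the point above (not code from the thread, SonarQube or appScreener): a small Python pre-processing step that splits every multi-location result into one result per location, so an importer that reads only the first location sees each occurrence. The SARIF document, tool name and rule id are constructed; the split is only appropriate when the occurrences are independently fixable, as the quoted tutorial describes.

```python
import copy

# Constructed minimal SARIF 2.1.0 report (not the appScreener report from the thread).
# The first result bundles three physical locations; an importer that reads only
# locations[0] counts it as a single finding.
def _loc(uri, line):
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}

SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "exampleTool", "rules": [{"id": "R1"}]}},
        "results": [
            {"ruleId": "R1", "level": "warning",
             "message": {"text": "Hard-coded credential"},
             "locations": [_loc("src/a.py", 10), _loc("src/b.py", 42), _loc("src/c.py", 7)]},
            {"ruleId": "R1", "level": "warning",
             "message": {"text": "Hard-coded credential"},
             "locations": [_loc("src/d.py", 3)]},
        ],
    }],
}


def split_multi_location_results(sarif):
    """Deep-copy the report so every result carries at most one location.
    A result with N locations becomes N results that share ruleId, level and
    message; results with zero or one location are copied unchanged.
    """
    out = copy.deepcopy(sarif)
    for run in out.get("runs", []):
        expanded = []
        for result in run.get("results", []):
            locations = result.get("locations") or []
            if len(locations) <= 1:
                expanded.append(result)
                continue
            for loc in locations:
                clone = copy.deepcopy(result)
                clone["locations"] = [loc]
                expanded.append(clone)
        run["results"] = expanded
    return out


def count_results(sarif):
    """Results across all runs, i.e. what a first-location-only importer sees."""
    return sum(len(run.get("results", [])) for run in sarif.get("runs", []))
```

Running `split_multi_location_results(SAMPLE_SARIF)` turns the 2 results into 4, one per physical location, while leaving the original report untouched.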