SARIF report import - unable to see source context?

Mikaciu · May 25, 2023, 2:01pm

Hello,

I’m using the Azure Pipelines to generate SARIF logs coming from three different tools : checkov, gitleaks and trivy. CodeAnalysisLogs.zip (4.4 KB)

Then, I import them using the sonar.sarifReportPaths property :
import_sarif_test.log (231.8 KB) ← please note this is a test run, where I import a single SARIF report, for debugging purposes.

When I look at my project in the SonarQube instance (running SonarQube Enterprise 10.0.68432), I can’t locate where in my source file the issue happened : the section “Where is the issue” only shows the project and not the file contents :

Can you reproduce this behaviour ? I don’t have it for other external tools report import, like ESLint.

Precision : I tried changing the runs[].results[].locations[].physicalLocation.artifactLocation.uri property to add absolute paths instead of paths relative to the project root, to no avail.

Thanks,

BR

Colin · May 26, 2023, 1:52pm

Hey there.

I’m having trouble finding the actual Scanner logs (where the analysis occurs and is pushed to SonarQube) in any of the logs you shared. Can you help me find them, or point me to them?

Mikaciu · May 31, 2023, 2:06pm

Hello @Colin !

My bad, I posted the first pipeline job which is irrelevant for this issue. There you go:

perform_sonarqube_analysis.zip (194.6 KB)

Thanks,
BR