SARIF report issue - unable to see imported content

wooch · May 6, 2024, 10:44am

SonarQube 10.3
I’m struggling with import SARIF report into SonarQube. I took an example from the documentation page and add some rules for testing.

{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "eslint",
          "informationUri": "https://www….",
          "version": "7.23.0",
          "rules": [
            {
              "id": "no-unsanitized/property",
              "defaultConfiguration": {
                "level": "error"
              },
              "shortDescription": {
                "text": "ESLint rule to disallow unsanitized property assignment"
              },
              "helpUri": "https://github.com/mozilla/eslint-plugin-no-unsanitized/tree/master/docs/rules/property.md",
              "properties": {
                "category": "possible-errors"
              }
            },
            {
              "id": "no-wildcard-postmessage/no-wildcard-postmessage",
              "defaultConfiguration": {
                "level": "error"
              },
              "shortDescription": {
                "text": "Flag Wildcard Targets in `postmessage`"
              }
            }
          ]
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "myrepo/src/main.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 2
                }
              }
            }
          ],
          "ruleId": "no-unsanitized/property"
        }
      ]
    }
  ]
}

In the pipeline log I can see that it was imported:

INFO: ------------- Run sensors on project
INFO: Sensor Import external issues report from SARIF file.
INFO: File /var/vsts_agent/_work/178/drop/.gdn/msdo.sarif: 1 run(s) successfully imported (1 vulnerabilities in total).
INFO: Sensor Import external issues report from SARIF file. (done) | time=26ms

But there is no any information in the Sonarqube:

Any ideas what’s the problem?

ganncamp · May 7, 2024, 12:19pm

Hi,

Welcome to the community!

Could you add -Dsonar.verbose=true to your analysis command and post that log, please?

Thx,
Ann

wooch · May 7, 2024, 3:08pm

Hi,
that’s the thing that verbose/debug/trace doesn’t provide any additional information:

14:43:53.396 INFO: ------------- Run sensors on project
14:43:53.456 DEBUG: 'Generic Coverage Report' skipped because one of the required properties is missing
14:43:53.456 DEBUG: 'C#' skipped because there is no related file in current project
14:43:53.457 DEBUG: 'C# File Caching Sensor' skipped because there is no related file in current project
14:43:53.457 DEBUG: 'C# Tests Coverage Report Import' skipped because there is no related file in current project
14:43:53.458 DEBUG: '[Deprecated] C# Integration Tests Coverage Report Import' skipped because there is no related file in current project
14:43:53.458 DEBUG: 'C# Unit Test Results Import' skipped because there is no related file in current project
14:43:53.458 DEBUG: 'VB.NET' skipped because there is no related file in current project
14:43:53.459 DEBUG: 'VB.NET File Caching Sensor' skipped because there is no related file in current project
14:43:53.459 DEBUG: 'VB.NET Tests Coverage Report Import' skipped because there is no related file in current project
14:43:53.460 DEBUG: '[Deprecated] VB.NET Integration Tests Coverage Report Import' skipped because there is no related file in current project
14:43:53.460 DEBUG: 'VB.NET Unit Test Results Import' skipped because there is no related file in current project
14:43:53.460 DEBUG: 'Java CPD Block Indexer' skipped because there is no related file in current project
14:43:53.461 DEBUG: Sensors : Import external issues report from SARIF file. -> Dependency-Check -> Analysis Warnings import -> Zero Coverage Sensor
14:43:53.461 INFO: Sensor Import external issues report from SARIF file.
14:43:53.461 DEBUG: Importing SARIF issues from '/var/vsts_agent/_work/178/drop/.gdn/msdo.sarif'
14:43:53.491 INFO: File /var/vsts_agent/_work/178/drop/.gdn/msdo.sarif: 1 run(s) successfully imported (1 vulnerabilities in total).
14:43:53.491 INFO: Sensor Import external issues report from SARIF file. (done) | time=30ms
14:43:53.491 INFO: Sensor Dependency-Check [dependencycheck]
14:43:53.492 INFO: Process Dependency-Check report
14:43:53.492 INFO: Using JSON-Reportparser

ganncamp · May 7, 2024, 3:14pm

Hi,

Well. That was helpful.

Before I throw in the towel on this, the file uri in your report is myrepo/src/main.js. What is sonar.sources set to in your analysis properties? Because if it’s set to src, then your file path should probably be main.js. (Also, I’m assuming main.js does exist in your project, right? )

Ann

wooch · May 7, 2024, 4:04pm

I have a pipeline task with these parameters:

- task: SonarQubePrepare@5
    inputs:
        SonarQube: 'SonarQube'
        scannerMode: 'CLI'
        configMode: 'manual'
        cliProjectKey: $(SonarQubeProjectKey)
        cliSources: '.'
        extraProperties: |
          -X
          sonar.exclusions=**/test.yaml
          sonar.scm.exclusions.disabled = true
          sonar.javascript.lcov.reportPaths=./coverage/lcov.info
          sonar.branch.name=$(AppRepoBranch)
          sonar.sarifReportPaths=$(Pipeline.Workspace)/drop/.gdn/msdo.sarif
          sonar.verbose=true

I’ve tried to use only main.js in the filepath with no luck.
And, yes, I have the file:

ganncamp · May 7, 2024, 4:09pm

Hi,

You’re not setting sonar.sources, so it’s defaulting to .. Now… is . myrepo? I.e. is analysis running inside the directory named myrepo, or does it see myrepo? Because the paths in your report need to match up to the paths analysis sees.

Ann

wooch · May 8, 2024, 4:27pm

Hi,
I’ve set sonar.sources but it didn’t change anything. Analysis running inside the directory named myrepo

ganncamp · May 8, 2024, 4:36pm

Hi,

Then your path needs to start at src.

Ann

wooch · May 9, 2024, 9:53am

Hi, I tried various combinations with no luck.
This way doesn’t work either:

 "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/main.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 2
                }
              }
            }
          ],
          "ruleId": "no-unsanitized/property"

ganncamp · May 9, 2024, 11:26am

Hi,

Thanks for trying.

I’m going to flag this for someone who could, at least, get the logging improved so we’d have a better chance of figuring this out.

Ann

Julien_HENRY · May 24, 2024, 12:40pm

Hi @wooch ,

We have created a small reproducer based on the information you shared, and it works fine.

I have noticed that you run your analysis with the parameter sonar.branch.name=$(AppRepoBranch). Can you confirm that you are looking at the right branch in the SonarQube UI? In your screenshot, we can see master, but is it really the branch you analyze in Azure?

Can you also double-check that you don’t have any issue exclusion configured on this SonarQube project?

Here is the project we used as a reproducer:
sarif-repro.zip (1.2 KB)

wooch · June 3, 2024, 10:32am

Hi, thanks for your post. I tried to run with your files, and it works. Maybe something is wrong with my main.js.

Julien_HENRY · June 4, 2024, 7:05am

Hi @wooch

If you manage to create a small reproducer that you can share with me, that would be useful to understand your issue.

You can send the reproducer to me privately if you are concerned about sharing sensitive data.

Best,

wooch · June 6, 2024, 4:27pm

Archive.zip (2.5 KB)
Hi Julien,
this file contains my sarif report and one of file from repo. After import I can’t see anything:

and the same log during pipeline:

INFO: ------------- Run sensors on project
INFO: Sensor Import external issues report from SARIF file.
INFO: File /var/vsts_agent/_work/233/drop/.gdn/sarif.json: 2 run(s) successfully imported (3 vulnerabilities in total).
INFO: Sensor Import external issues report from SARIF file. (done) | time=31ms

Julien_HENRY · June 7, 2024, 7:13am

Hi @wooch

This is working perfectly fine for me. Therefore I am testing with the latest SonarQube build, so maybe there is an issue in the SARIF import that has been fixed in the past versions. Can you try upgrading to SonarQube 10.5?

julien.henry:~/tmp/sarif$ /home/julien.henry/Softwares/sonar-scanner-6.0.0.4432-linux/bin/sonar-scanner -Dsonar.host.url=http://localhost:9000 -Dsonar.login=xxx -Dsonar.password=xxx -Dsonar.projectKey=reproducer-sarif -Dsonar.sarifReportPaths=sarif.json

wooch · August 27, 2024, 3:25pm

Hello, apologies for the delayed response. I have upgraded to version 10.6, and it appears that was the issue. I am now able to view the imported content.

system · September 3, 2024, 3:26pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.