SARIF report issue - unable to see imported content

  • SonarQube 10.3
    I’m struggling with importing a SARIF report into SonarQube. I took an example from the documentation page and added some rules for testing.
{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "eslint",
          "informationUri": "https://www….",
          "version": "7.23.0",
          "rules": [
            {
              "id": "no-unsanitized/property",
              "defaultConfiguration": {
                "level": "error"
              },
              "shortDescription": {
                "text": "ESLint rule to disallow unsanitized property assignment"
              },
              "helpUri": "https://github.com/mozilla/eslint-plugin-no-unsanitized/tree/master/docs/rules/property.md",
              "properties": {
                "category": "possible-errors"
              }
            },
            {
              "id": "no-wildcard-postmessage/no-wildcard-postmessage",
              "defaultConfiguration": {
                "level": "error"
              },
              "shortDescription": {
                "text": "Flag Wildcard Targets in `postmessage`"
              }
            }
          ]
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "myrepo/src/main.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 2
                }
              }
            }
          ],
          "ruleId": "no-unsanitized/property"
        }
      ]
    }
  ]
}

In the pipeline log I can see that it was imported:

INFO: ------------- Run sensors on project
INFO: Sensor Import external issues report from SARIF file.
INFO: File /var/vsts_agent/_work/178/drop/.gdn/msdo.sarif: 1 run(s) successfully imported (1 vulnerabilities in total).
INFO: Sensor Import external issues report from SARIF file. (done) | time=26ms

But there is no information in SonarQube:

Any ideas what’s the problem?

Hi,

Welcome to the community!

Could you add -Dsonar.verbose=true to your analysis command and post that log, please?

 
Thx,
Ann

Hi,
the thing is that verbose/debug/trace doesn’t provide any additional information:

14:43:53.396 INFO: ------------- Run sensors on project
14:43:53.456 DEBUG: 'Generic Coverage Report' skipped because one of the required properties is missing
14:43:53.456 DEBUG: 'C#' skipped because there is no related file in current project
14:43:53.457 DEBUG: 'C# File Caching Sensor' skipped because there is no related file in current project
14:43:53.457 DEBUG: 'C# Tests Coverage Report Import' skipped because there is no related file in current project
14:43:53.458 DEBUG: '[Deprecated] C# Integration Tests Coverage Report Import' skipped because there is no related file in current project
14:43:53.458 DEBUG: 'C# Unit Test Results Import' skipped because there is no related file in current project
14:43:53.458 DEBUG: 'VB.NET' skipped because there is no related file in current project
14:43:53.459 DEBUG: 'VB.NET File Caching Sensor' skipped because there is no related file in current project
14:43:53.459 DEBUG: 'VB.NET Tests Coverage Report Import' skipped because there is no related file in current project
14:43:53.460 DEBUG: '[Deprecated] VB.NET Integration Tests Coverage Report Import' skipped because there is no related file in current project
14:43:53.460 DEBUG: 'VB.NET Unit Test Results Import' skipped because there is no related file in current project
14:43:53.460 DEBUG: 'Java CPD Block Indexer' skipped because there is no related file in current project
14:43:53.461 DEBUG: Sensors : Import external issues report from SARIF file. -> Dependency-Check -> Analysis Warnings import -> Zero Coverage Sensor
14:43:53.461 INFO: Sensor Import external issues report from SARIF file.
14:43:53.461 DEBUG: Importing SARIF issues from '/var/vsts_agent/_work/178/drop/.gdn/msdo.sarif'
14:43:53.491 INFO: File /var/vsts_agent/_work/178/drop/.gdn/msdo.sarif: 1 run(s) successfully imported (1 vulnerabilities in total).
14:43:53.491 INFO: Sensor Import external issues report from SARIF file. (done) | time=30ms
14:43:53.491 INFO: Sensor Dependency-Check [dependencycheck]
14:43:53.492 INFO: Process Dependency-Check report
14:43:53.492 INFO: Using JSON-Reportparser

Hi,

Well. That was helpful. :stuck_out_tongue_closed_eyes:

Before I throw in the towel on this, the file uri in your report is myrepo/src/main.js. What is sonar.sources set to in your analysis properties? Because if it’s set to src, then your file path should probably be main.js. (Also, I’m assuming main.js does exist in your project, right? :smiley: )

 
Ann

I have a pipeline task with these parameters:

- task: SonarQubePrepare@5
  inputs:
    SonarQube: 'SonarQube'
    scannerMode: 'CLI'
    configMode: 'manual'
    cliProjectKey: $(SonarQubeProjectKey)
    cliSources: '.'
    extraProperties: |
      -X
      sonar.exclusions=**/test.yaml
      sonar.scm.exclusions.disabled = true
      sonar.javascript.lcov.reportPaths=./coverage/lcov.info
      sonar.branch.name=$(AppRepoBranch)
      sonar.sarifReportPaths=$(Pipeline.Workspace)/drop/.gdn/msdo.sarif
      sonar.verbose=true

I’ve tried to use only main.js in the filepath with no luck.
And, yes, I have the file:

Hi,

You’re not setting sonar.sources, so it’s defaulting to ".". Now… is "." myrepo? I.e. is analysis running inside the directory named myrepo, or does it see myrepo? Because the paths in your report need to match up to the paths analysis sees.

 
Ann

Hi,
I’ve set sonar.sources but it didn’t change anything. Analysis is running inside the directory named myrepo.

Hi,

Then your path needs to start at src.

 
Ann
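
The path matching discussed in the replies above can be checked before a scan. This is an added example, not part of the original thread and not SonarQube's import logic: `check_sarif_paths`, `demo` and the temporary directory layout are hypothetical, and it assumes report URIs are plain relative paths resolved against the directory analysis runs in.

```python
import json
import tempfile
from pathlib import Path


def check_sarif_paths(sarif: dict, base_dir: Path) -> list[str]:
    """List result locations that do not line up with files under base_dir."""
    problems = []
    base = base_dir.resolve()
    for r_i, run in enumerate(sarif.get("runs", [])):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        declared = {rule.get("id") for rule in rules}
        for i, result in enumerate(run.get("results", [])):
            where = f"runs[{r_i}].results[{i}]"
            if result.get("ruleId") not in declared:
                problems.append(f"{where}: ruleId not declared in driver.rules")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                target = (base / uri).resolve()
                if not target.is_relative_to(base):
                    problems.append(f"{where}: {uri!r} points outside {base}")
                elif not target.is_file():
                    problems.append(f"{where}: {uri!r} not found under {base}")
                else:
                    start = phys.get("region", {}).get("startLine", 1)
                    lines = target.read_text(errors="replace").splitlines()
                    if start > len(lines):
                        problems.append(f"{where}: startLine {start} past end of {uri!r}")
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed layout: analysis runs inside myrepo/, which holds src/main.js."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "myrepo"
        (repo / "src").mkdir(parents=True)
        (repo / "src" / "main.js").write_text("var toto = 1;\n")
        out = {}
        for uri in ("myrepo/src/main.js", "src/main.js"):
            location = {"physicalLocation": {"artifactLocation": {"uri": uri},
                                             "region": {"startLine": 1}}}
            sarif = {"runs": [{
                "tool": {"driver": {"name": "eslint",
                                    "rules": [{"id": "no-unsanitized/property"}]}},
                "results": [{"ruleId": "no-unsanitized/property",
                             "locations": [location]}]}]}
            out[uri] = check_sarif_paths(sarif, repo)
        return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An empty list only means the report's paths and rule ids are consistent with the working directory; it says nothing about branch selection or issue exclusions on the server side.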

Hi, I tried various combinations with no luck.
This way doesn’t work either:

 "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/main.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 2
                }
              }
            }
          ],
          "ruleId": "no-unsanitized/property"

Hi,

Thanks for trying.

I’m going to flag this for someone who could, at least, get the logging improved so we’d have a better chance of figuring this out.

 
Ann


Hi @wooch ,

We have created a small reproducer based on the information you shared, and it works fine.

I have noticed that you run your analysis with the parameter sonar.branch.name=$(AppRepoBranch). Can you confirm that you are looking at the right branch in the SonarQube UI? In your screenshot, we can see master, but is it really the branch you analyze in Azure?

Can you also double-check that you don’t have any issue exclusion configured on this SonarQube project?

Here is the project we used as a reproducer:
sarif-repro.zip (1.2 KB)