The "level" is not taken into account when importing a SARIF report

Hello

I’m using SonarQube 25.3.0.104237 and Sonar Scanner CLI 7.0.2.4839.

Importing a SARIF report which contains an issue with a rule violation and the level set as

        {
          "ruleId": "my_rule",
          "level": "error",
          "message": {
            "text": "my rule message"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "C:/my_sonar/my_file.adb"
                },
                "region": {
                  "startLine": 26,
                  "startColumn": 17,
                  "sourceLanguage": "Ada"
                }
              },
              "logicalLocations": [
                { "fullyQualifiedName": "input", "kind": "function" }
              ]
            }
          ]
        }

the level related information is ignored.

It is the same pattern as suggested in your sample report at Importing issues from SARIF reports | SonarQube Server Documentation

Could you tell us if this is not supported? If that is the case, can you suggest another way to set the severity of a given rule?

Thanks in advance for your feedback

Hey @MonikaK

Thanks for the report. Can you please provide a small sample project with a complete example of the valid SARIF report (just containing the one issue) where level is not taken into account?

sdc.zip (1.3 MB)

Please find attached a sample project with one rule and one result.

In order to use it, please unpack it under C:/gnatmail/gnathub/sdc_tuto/sdc. The sonar-project.properties is located under the obj/gnathub/sonar folder and the SARIF file to be used is located under obj/gnatsas/sdc.sarif.
The level is set in the results part as "level": "note" and it is imported as Medium severity, whereas we expected it to be set to Low (as shown in the image).

Thanks in advance for your help!

Thanks @MonikaK

In this case, I believe this section of the docs applies:

    • If a SARIF severity field is provided at the rule level for the issue then the mapping below is used to retrieve the corresponding impact level.

But as soon as I try to add the severity to the rule (as the docs suggest):

          "rules": [
            {
              "id": "array index check",
              "name": "Inspector - array index check",
              "level": "note",
              "shortDescription": {
                "text": "index value could be outside the array bounds"
              },

I get an error importing the analysis results.

10:47:41.739 WARN: Failed to process SARIF report from file 'obj/gnatsas/sdc.sarif', error: 'Failed to read SARIF report at '/Users/colin/Downloads/sdc/obj/gnatsas/sdc.sarif': invalid JSON syntax or file is not UTF-8 encoded'

So something seems wrong here. It’s also not good that our examples in the docs document exactly what we tell users will be ignored (severity at the issue level) and don’t document how it should be set at the rule level.

I’ve flagged this for attention.

Thanks for flagging this.
Adding just "level": "note" as a field of the rule definition is not SARIF-compliant, AFAIK.

Could this be fixed, and the "level": "note" mentioned at the results level be taken into account?
In any case, the documentation should be updated, since it does not accurately illustrate how to set the severity level for the issues.
Thanks for your help!

Could you please give some guidelines to set the severity correctly in order to be taken into account? Thanks in advance!

Hey @MonikaK

I thought you figured it out the other day, but for some reason you edited it out of your post.

        {
          "id": "array index check",
          "name": "Inspector - array index check",
          "shortDescription": {
            "text": "index value could be outside the array bounds"
          },
          "defaultConfiguration": {
            "level": "note"
          }
        }

Did this not actually work?

No, this is not actually working. The issue severity level stays on Medium, and for "level": "error" I would expect something other than the severity visible in the image.

The way that I added this level setting is

          "rules": [
            {
              "id": "array index check",
              "name": "Inspector - array index check",
              "shortDescription": {
                "text": "index value could be outside the array bounds"
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "relationships": [
                {
                  "target": {
                    "id": "CWE120",
                    "toolComponent": {
                      "name": "CWE"
                    }
                  },
                  "kinds": [
                    "superset"
                  ]
                }
              ]
            }
          ],

Maybe something is still wrong.
Please find attached the full SARIF file.
sdc.sarif.zip (2.1 KB)
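The two posts above disagree about where a rule's level belongs and which level a result ends up with. As an added example (not code from this thread or from SonarSource), the script below reads a SARIF file and reports, for every result, the level that SARIF 2.1.0 itself says the result declares: an explicit result-level "level", otherwise "none" for results whose kind is not "fail", otherwise the rule's defaultConfiguration.level, otherwise "warning". It also flags rule objects carrying properties the SARIF rule schema does not define, such as a bare "level" placed directly on the rule. The embedded sample report, its rule ids, paths and messages are constructed for the example; how SonarQube maps the resulting level to its own severities is not covered here.

```python
"""Report the SARIF 'level' each result actually declares, and flag
rule objects that carry properties SARIF does not define.

Added example, not code from the thread or from SonarSource. The precedence
follows SARIF 2.1.0, section 3.27.10 (result.level): an explicit
result.level wins; otherwise a result whose kind is not "fail" is "none";
otherwise the rule's defaultConfiguration.level applies; otherwise "warning".
Overrides via invocations[].ruleConfigurationOverrides are not handled.
"""
import json
import sys

# Property names the SARIF 2.1.0 reportingDescriptor object (a rule) defines.
RULE_PROPERTIES = {
    "id", "deprecatedIds", "guid", "deprecatedGuids", "name", "deprecatedNames",
    "shortDescription", "fullDescription", "messageStrings",
    "defaultConfiguration", "help", "helpUri", "relationships", "properties",
}
VALID_LEVELS = {"none", "note", "warning", "error"}

# Constructed sample report (ids, paths and messages are made up): one rule
# sets its level via defaultConfiguration, a second rule misplaces "level"
# at the top of the rule object, and the results exercise each precedence case.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer", "rules": [
            {"id": "array index check",
             "name": "Inspector - array index check",
             "shortDescription": {"text": "index value could be outside the array bounds"},
             "defaultConfiguration": {"level": "note"}},
            {"id": "misplaced_level", "name": "Level at wrong place", "level": "error"},
        ]}},
        "results": [
            {"ruleId": "array index check",
             "message": {"text": "inherits the rule default"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/sample.adb"},
                 "region": {"startLine": 26, "startColumn": 17}}}]},
            {"ruleId": "array index check", "level": "error",
             "message": {"text": "explicit result level wins"}},
            {"ruleId": "array index check", "kind": "pass",
             "message": {"text": "non-fail results have level none"}},
            {"ruleId": "undeclared_rule",
             "message": {"text": "no matching rule, so the spec default applies"}},
        ],
    }],
})


def rules_by_id(run):
    """Index the run's tool.driver.rules by rule id."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r for r in rules if "id" in r}


def effective_level(result, rules):
    """Level a result declares under SARIF 2.1.0 precedence."""
    if "level" in result:
        return result["level"]
    if result.get("kind", "fail") != "fail":
        return "none"
    rule = rules.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def lint_sarif(text):
    """Return ([(ruleId, effective level) per result], [problem strings])."""
    doc = json.loads(text)  # raises on malformed JSON, as the importer did
    levels, problems = [], []
    for run in doc.get("runs", []):
        rules = rules_by_id(run)
        for rule in rules.values():
            for key in sorted(set(rule) - RULE_PROPERTIES):
                hint = " (put it in defaultConfiguration.level)" if key == "level" else ""
                problems.append(f"rule {rule['id']!r}: {key!r} is not a SARIF rule property{hint}")
            default = rule.get("defaultConfiguration", {}).get("level")
            if default is not None and default not in VALID_LEVELS:
                problems.append(f"rule {rule['id']!r}: invalid defaultConfiguration.level {default!r}")
        for idx, result in enumerate(run.get("results", [])):
            rule_id = result.get("ruleId")
            if rule_id not in rules:
                problems.append(f"result {idx}: ruleId {rule_id!r} not declared in tool.driver.rules")
            level = effective_level(result, rules)
            if level not in VALID_LEVELS:
                problems.append(f"result {idx}: invalid level {level!r}")
            levels.append((rule_id, level))
    return levels, problems


def main(argv):
    # With a path argument the real report is linted; without one, the sample is used.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SARIF
    levels, problems = lint_sarif(text)
    for rule_id, level in levels:
        print(f"{level:8} {rule_id}")
    for problem in problems:
        print("PROBLEM:", problem)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python sarif_levels.py obj/gnatsas/sdc.sarif` against the attached report to see which level each result declares before the importer ever sees it; a "level" key reported as not a rule property, or a ruleId that no rule declares, are the two defects discussed in this thread that the script makes visible.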

The documentation states that

Is it in your plans to support it?
Could you please provide guidelines about how to set the severity for an issue in the meantime?
Thanks!