Hello,
Happy to be able to import SARIF reports into SonarQube! This is a great addition.
Technical context:
- SQ Enterprise Version 9.8 (build 63668)
- Azure pipelines running on an Ubuntu-20.02 VMSS (Virtual Machine Scale Set), with the System.Debug variable set to true to increase verbosity
- Sample project containing just one or two python files to perform tests
The thing is that I can’t seem to debug what goes wrong in my SARIF file ingestion; I only have a stack trace in my pipeline execution:
Gitleaks import
ADOS run for gitleaks
2022-12-22T15:41:44.0668699Z ##[debug]SONARQUBE_SCANNER_PARAMS={"sonar.host.url":"https://sonarqube.app.corp/","sonar.login":***,"sonar.projectKey":"faurecia-cloud---sandbox---sandbox","sonar.projectName":"Sandbox - Sandbox","sonar.projectVersion":"c01ae1e44d08f645de847964d2cfcc2054316c05","sonar.sources":"/agent/_work/1/s","sonar.pullrequest.key":"35573","sonar.pullrequest.base":"develop","sonar.pullrequest.branch":"features/sonarqube-sarif","sonar.pullrequest.provider":"vsts","sonar.pullrequest.vsts.instanceUrl":"https://dev.azure.com/faurecia-cloud/","sonar.pullrequest.vsts.project":"Sandbox","sonar.pullrequest.vsts.repository":"Sandbox","sonar.scanner.metadataFilePath":"/agent/_work/_temp/sonar/20221222.2/87d50c3d-e6f0-2168-9cbf-3ea4f03a9ed5/report-task.txt","sonar.exclusions":"**/*.bin,Web/wwwroot/lib/**/*","sonar.projectBaseDir":"/agent/_work/1/s","sonar.links.homepage":"https:/dev.azure.com/faurecia-cloud/Sandbox","sonar.links.scm":"https:/dev.azure.com/faurecia-cloud/Sandbox/_git/Sandbox","sonar.externalIssuesReportPaths":"/agent/_work/1/s/gitleaks.sarif"}
2022-12-22T15:41:44.0672475Z ##[debug]SONARQUBE_ENDPOINT=***
2022-12-22T15:41:44.0674954Z ##[debug]set SONARQUBE_SCANNER_PARAMS={"sonar.host.url":"https://sonarqube.app.corp/","sonar.login":***,"sonar.projectKey":"faurecia-cloud---sandbox---sandbox","sonar.projectName":"Sandbox - Sandbox","sonar.projectVersion":"c01ae1e44d08f645de847964d2cfcc2054316c05","sonar.sources":"/agent/_work/1/s","sonar.pullrequest.key":"35573","sonar.pullrequest.base":"develop","sonar.pullrequest.branch":"features/sonarqube-sarif","sonar.pullrequest.provider":"vsts","sonar.pullrequest.vsts.instanceUrl":"https://dev.azure.com/faurecia-cloud/","sonar.pullrequest.vsts.project":"Sandbox","sonar.pullrequest.vsts.repository":"Sandbox","sonar.scanner.metadataFilePath":"/agent/_work/_temp/sonar/20221222.2/87d50c3d-e6f0-2168-9cbf-3ea4f03a9ed5/report-task.txt","sonar.exclusions":"**/*.bin,Web/wwwroot/lib/**/*","sonar.projectBaseDir":"/agent/_work/1/s","sonar.links.homepage":"https:/dev.azure.com/faurecia-cloud/Sandbox","sonar.links.scm":"https:/dev.azure.com/faurecia-cloud/Sandbox/_git/Sandbox","sonar.externalIssuesReportPaths":"/agent/_work/1/s/gitleaks.sarif"}
2022-12-22T15:41:44.0681923Z ##[debug]Processed: ##vso[task.setvariable variable=SONARQUBE_SCANNER_PARAMS;isOutput=false;issecret=false;]{"sonar.host.url":"https://sonarqube.app.corp/","sonar.login":***,"sonar.projectKey":"faurecia-cloud---sandbox---sandbox","sonar.projectName":"Sandbox - Sandbox","sonar.projectVersion":"c01ae1e44d08f645de847964d2cfcc2054316c05","sonar.sources":"/agent/_work/1/s","sonar.pullrequest.key":"35573","sonar.pullrequest.base":"develop","sonar.pullrequest.branch":"features/sonarqube-sarif","sonar.pullrequest.provider":"vsts","sonar.pullrequest.vsts.instanceUrl":"https://dev.azure.com/faurecia-cloud/","sonar.pullrequest.vsts.project":"Sandbox","sonar.pullrequest.vsts.repository":"Sandbox","sonar.scanner.metadataFilePath":"/agent/_work/_temp/sonar/20221222.2/87d50c3d-e6f0-2168-9cbf-3ea4f03a9ed5/report-task.txt","sonar.exclusions":"**/*.bin,Web/wwwroot/lib/**/*","sonar.projectBaseDir":"/agent/_work/1/s","sonar.links.homepage":"https:/dev.azure.com/faurecia-cloud/Sandbox","sonar.links.scm":"https:/dev.azure.com/faurecia-cloud/Sandbox/_git/Sandbox","sonar.externalIssuesReportPaths":"/agent/_work/1/s/gitleaks.sarif"}
2022-12-22T15:41:44.0684713Z ##[debug]Absolute path for pathSegments: /agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0,sonar-scanner,bin,sonar-scanner = /agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner
2022-12-22T15:41:44.0696893Z ##[debug]which '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner'
2022-12-22T15:41:44.0701941Z ##[debug]found: '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner'
2022-12-22T15:41:44.0703489Z ##[debug]system.debug=true
2022-12-22T15:41:44.0704985Z ##[debug]/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner arg: -X
2022-12-22T15:41:44.0707278Z ##[debug]exec tool: /agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner
2022-12-22T15:41:44.0708289Z ##[debug]arguments:
2022-12-22T15:41:44.0709229Z ##[debug] -X
2022-12-22T15:41:44.0710169Z [command]/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner -X
2022-12-22T15:41:44.2717005Z 15:41:44.269 INFO: Scanner configuration file: /agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/conf/sonar-scanner.properties
2022-12-22T15:41:44.2718763Z 15:41:44.271 INFO: Project root configuration file: NONE
2022-12-22T15:41:44.2989823Z 15:41:44.298 INFO: SonarScanner 4.7.0.2747
2022-12-22T15:41:44.2990848Z 15:41:44.298 INFO: Java 11.0.16.1 Eclipse Adoptium (64-bit)
2022-12-22T15:41:44.2991732Z 15:41:44.298 INFO: Linux 5.15.0-1020-azure amd64
[...]
2022-12-22T15:41:58.4886077Z 15:41:58.488 DEBUG: Importing issues from '/agent/_work/1/s/gitleaks.sarif'
2022-12-22T15:41:58.5008659Z 15:41:58.500 INFO: ------------------------------------------------------------------------
2022-12-22T15:41:58.5010540Z 15:41:58.500 INFO: EXECUTION FAILURE
2022-12-22T15:41:58.5011773Z 15:41:58.500 INFO: ------------------------------------------------------------------------
2022-12-22T15:41:58.5012495Z 15:41:58.500 INFO: Total time: 14.262s
2022-12-22T15:41:58.5619717Z 15:41:58.559 INFO: Final Memory: 33M/117M
2022-12-22T15:41:58.5621578Z 15:41:58.559 INFO: ------------------------------------------------------------------------
2022-12-22T15:41:58.5652448Z ##[error]15:41:58.559 ERROR: Error during SonarScanner execution
java.lang.NullPointerException
2022-12-22T15:41:58.5661163Z ##[debug]Processed: ##vso[task.logissue type=error;]15:41:58.559 ERROR: Error during SonarScanner execution%0Ajava.lang.NullPointerException
2022-12-22T15:41:58.5662412Z 15:41:58.559 ERROR: Error during SonarScanner execution
2022-12-22T15:41:58.5662979Z java.lang.NullPointerException
2022-12-22T15:41:58.5675432Z ##[error]at org.sonar.scanner.externalissue.ReportParser.validate(ReportParser.java:52)
at org.sonar.scanner.externalissue.ReportParser.parse(ReportParser.java:43)
at org.sonar.scanner.externalissue.ExternalIssuesImportSensor.execute(ExternalIssuesImportSensor.java:72)
at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:88)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:61)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:79)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:61)
at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(SpringModuleScanContainer.java:82)
at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
at org.sonar.scanner.scan.SpringProjectScanContainer.scan(SpringProjectScanContainer.java:401)
at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(SpringProjectScanContainer.java:397)
at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:366)
at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:135)
at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
at com.sun.proxy.$Proxy0.execute(Unknown Source)
at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
at org.sonarsource.scanner.cli.Main.main(Main.java:61)
2022-12-22T15:41:58.5687944Z ##[debug]Processed: ##vso[task.logissue type=error;]at org.sonar.scanner.externalissue.ReportParser.validate(ReportParser.java:52)%0A at org.sonar.scanner.externalissue.ReportParser.parse(ReportParser.java:43)%0A at org.sonar.scanner.externalissue.ExternalIssuesImportSensor.execute(ExternalIssuesImportSensor.java:72)%0A at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)%0A at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:88)%0A at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:61)%0A at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:79)%0A at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:61)%0A at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(SpringModuleScanContainer.java:82)%0A at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)%0A at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)%0A at org.sonar.scanner.scan.SpringProjectScanContainer.scan(SpringProjectScanContainer.java:401)%0A at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(SpringProjectScanContainer.java:397)%0A at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:366)%0A at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)%0A at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)%0A at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:135)%0A at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)%0A at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)%0A at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)%0A at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)%0A at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)%0A at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)%0A at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)%0A at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)%0A at java.base/java.lang.reflect.Method.invoke(Method.java:566)%0A at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)%0A at com.sun.proxy.$Proxy0.execute(Unknown Source)%0A at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)%0A at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)%0A at org.sonarsource.scanner.cli.Main.execute(Main.java:112)%0A at org.sonarsource.scanner.cli.Main.execute(Main.java:75)%0A at org.sonarsource.scanner.cli.Main.main(Main.java:61)
2022-12-22T15:41:58.5694659Z at org.sonar.scanner.externalissue.ReportParser.validate(ReportParser.java:52)
2022-12-22T15:41:58.5695316Z at org.sonar.scanner.externalissue.ReportParser.parse(ReportParser.java:43)
2022-12-22T15:41:58.5695983Z at org.sonar.scanner.externalissue.ExternalIssuesImportSensor.execute(ExternalIssuesImportSensor.java:72)
2022-12-22T15:41:58.5696682Z at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
2022-12-22T15:41:58.5697334Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:88)
2022-12-22T15:41:58.5698006Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:61)
2022-12-22T15:41:58.5698655Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:79)
2022-12-22T15:41:58.5699325Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:61)
2022-12-22T15:41:58.5699995Z at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(SpringModuleScanContainer.java:82)
2022-12-22T15:41:58.5700711Z at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
2022-12-22T15:41:58.5701401Z at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
2022-12-22T15:41:58.5702087Z at org.sonar.scanner.scan.SpringProjectScanContainer.scan(SpringProjectScanContainer.java:401)
2022-12-22T15:41:58.5702774Z at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(SpringProjectScanContainer.java:397)
2022-12-22T15:41:58.5703480Z at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:366)
2022-12-22T15:41:58.5704352Z at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
2022-12-22T15:41:58.5705069Z at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
2022-12-22T15:41:58.5705758Z at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:135)
2022-12-22T15:41:58.5706475Z at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
2022-12-22T15:41:58.5707166Z at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
2022-12-22T15:41:58.5707795Z at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
2022-12-22T15:41:58.5708352Z at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
2022-12-22T15:41:58.5708980Z at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
2022-12-22T15:41:58.5709626Z at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2022-12-22T15:41:58.5710381Z at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
2022-12-22T15:41:58.5711075Z at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2022-12-22T15:41:58.5711730Z at java.base/java.lang.reflect.Method.invoke(Method.java:566)
2022-12-22T15:41:58.5712359Z at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
2022-12-22T15:41:58.5712939Z at com.sun.proxy.$Proxy0.execute(Unknown Source)
2022-12-22T15:41:58.5713499Z at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
2022-12-22T15:41:58.5714170Z at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
2022-12-22T15:41:58.5714751Z at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
2022-12-22T15:41:58.5715288Z at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
2022-12-22T15:41:58.5715830Z at org.sonarsource.scanner.cli.Main.main(Main.java:61)
2022-12-22T15:41:58.8923372Z ##[debug]Exit code 1 received from tool '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner'
2022-12-22T15:41:58.8926639Z ##[debug]STDIO streams have closed for tool '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner'
2022-12-22T15:41:58.8954253Z ##[debug]task result: Failed
2022-12-22T15:41:58.8956504Z ##[error]The process '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner' failed with exit code 1
2022-12-22T15:41:58.8958324Z ##[debug]Processed: ##vso[task.issue type=error;]The process '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner' failed with exit code 1
2022-12-22T15:41:58.8961804Z ##[debug]Processed: ##vso[task.complete result=Failed;]The process '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner' failed with exit code 1
Having a look at the "Importing issues from SARIF reports" doc, it lists some sections that must be present in the SARIF file:
Mandatory fields for SonarQube
- version - must be “2.1.0”
$ cat gitleaks.sarif | yq '.version'
2.1.0
- runs[].tool.driver.name - name of the tool that created the report
$ cat gitleaks.sarif | yq '.runs[].tool.driver.name'
gitleaks
- runs[].results[].message.text - message of the external issue
$ cat gitleaks.sarif | yq '.runs[].results[].message.text'
sendgrid-api-token has detected secret for file files/python/configure.py.
CSCAN0092 / CSCAN0043 has detected secret for file files/python/configure.py.
- sarifLog.runs[].result[].ruleId - ID of the corresponding rule in the tool that created the report
$ cat gitleaks.sarif | yq '.sarifLog.runs[].result[].ruleId'
# This one confused me. I don't have anything in this section. But:
$ cat gitleaks.sarif | yq '.runs[].results[].ruleId'
sendgrid-api-token
CSCAN0092 / CSCAN0043
Optional fields
- runs[].results[].locations[]
$ cat gitleaks.sarif | yq '.runs[].results[].locations[]'
{"physicalLocation": {"artifactLocation": {"uri": "files/python/configure.py"}, "region": {"startLine": 56, "startColumn": 18, "endLine": 56, "endColumn": 87, "snippet": {"text": "REDACTED"}}}}
{"physicalLocation": {"artifactLocation": {"uri": "files/python/configure.py"}, "region": {"startLine": 57, "startColumn": 74, "endLine": 57, "endColumn": 110, "snippet": {"text": "REDACTED"}}}}
- sarifLog.runs[].result[].level
$ cat gitleaks.sarif | yq '.sarifLog.runs[].result[].level'
# This one is not found in my SARIF file, but:
$ cat gitleaks.sarif | yq '.runs[].results[].level'
null
null
Trivy import
ADOS run for trivy
2022-12-22T16:01:52.1230478Z ##[debug]SONARQUBE_SCANNER_PARAMS={"sonar.host.url":"https://sonarqube.app.corp/","sonar.login":***,"sonar.projectKey":"faurecia-cloud---sandbox---sandbox","sonar.projectName":"Sandbox - Sandbox","sonar.projectVersion":"174887a0dca11fd3407fe247563921777b6546ce","sonar.sources":"/agent/_work/1/s","sonar.pullrequest.key":"35573","sonar.pullrequest.base":"develop","sonar.pullrequest.branch":"features/sonarqube-sarif","sonar.pullrequest.provider":"vsts","sonar.pullrequest.vsts.instanceUrl":"https://dev.azure.com/faurecia-cloud/","sonar.pullrequest.vsts.project":"Sandbox","sonar.pullrequest.vsts.repository":"Sandbox","sonar.scanner.metadataFilePath":"/agent/_work/_temp/sonar/20221222.4/2b994488-b660-c085-463a-a865557d63f3/report-task.txt","sonar.exclusions":"**/*.bin,Web/wwwroot/lib/**/*","sonar.projectBaseDir":"/agent/_work/1/s","sonar.links.homepage":"https:/dev.azure.com/faurecia-cloud/Sandbox","sonar.links.scm":"https:/dev.azure.com/faurecia-cloud/Sandbox/_git/Sandbox","sonar.externalIssuesReportPaths":"/agent/_work/1/s/trivy.sarif"}
2022-12-22T16:01:52.1235265Z ##[debug]SONARQUBE_ENDPOINT=***
2022-12-22T16:01:52.1239768Z ##[debug]set SONARQUBE_SCANNER_PARAMS={"sonar.host.url":"https://sonarqube.app.corp/","sonar.login":***,"sonar.projectKey":"faurecia-cloud---sandbox---sandbox","sonar.projectName":"Sandbox - Sandbox","sonar.projectVersion":"174887a0dca11fd3407fe247563921777b6546ce","sonar.sources":"/agent/_work/1/s","sonar.pullrequest.key":"35573","sonar.pullrequest.base":"develop","sonar.pullrequest.branch":"features/sonarqube-sarif","sonar.pullrequest.provider":"vsts","sonar.pullrequest.vsts.instanceUrl":"https://dev.azure.com/faurecia-cloud/","sonar.pullrequest.vsts.project":"Sandbox","sonar.pullrequest.vsts.repository":"Sandbox","sonar.scanner.metadataFilePath":"/agent/_work/_temp/sonar/20221222.4/2b994488-b660-c085-463a-a865557d63f3/report-task.txt","sonar.exclusions":"**/*.bin,Web/wwwroot/lib/**/*","sonar.projectBaseDir":"/agent/_work/1/s","sonar.links.homepage":"https:/dev.azure.com/faurecia-cloud/Sandbox","sonar.links.scm":"https:/dev.azure.com/faurecia-cloud/Sandbox/_git/Sandbox","sonar.externalIssuesReportPaths":"/agent/_work/1/s/trivy.sarif"}
2022-12-22T16:01:52.1249595Z ##[debug]Processed: ##vso[task.setvariable variable=SONARQUBE_SCANNER_PARAMS;isOutput=false;issecret=false;]{"sonar.host.url":"https://sonarqube.app.corp/","sonar.login":***,"sonar.projectKey":"faurecia-cloud---sandbox---sandbox","sonar.projectName":"Sandbox - Sandbox","sonar.projectVersion":"174887a0dca11fd3407fe247563921777b6546ce","sonar.sources":"/agent/_work/1/s","sonar.pullrequest.key":"35573","sonar.pullrequest.base":"develop","sonar.pullrequest.branch":"features/sonarqube-sarif","sonar.pullrequest.provider":"vsts","sonar.pullrequest.vsts.instanceUrl":"https://dev.azure.com/faurecia-cloud/","sonar.pullrequest.vsts.project":"Sandbox","sonar.pullrequest.vsts.repository":"Sandbox","sonar.scanner.metadataFilePath":"/agent/_work/_temp/sonar/20221222.4/2b994488-b660-c085-463a-a865557d63f3/report-task.txt","sonar.exclusions":"**/*.bin,Web/wwwroot/lib/**/*","sonar.projectBaseDir":"/agent/_work/1/s","sonar.links.homepage":"https:/dev.azure.com/faurecia-cloud/Sandbox","sonar.links.scm":"https:/dev.azure.com/faurecia-cloud/Sandbox/_git/Sandbox","sonar.externalIssuesReportPaths":"/agent/_work/1/s/trivy.sarif"}
2022-12-22T16:01:52.1254080Z ##[debug]Absolute path for pathSegments: /agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0,sonar-scanner,bin,sonar-scanner = /agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner
2022-12-22T16:01:52.1270579Z ##[debug]which '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner'
2022-12-22T16:01:52.1275660Z ##[debug]found: '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner'
2022-12-22T16:01:52.1277270Z ##[debug]system.debug=true
2022-12-22T16:01:52.1278970Z ##[debug]/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner arg: -X
2022-12-22T16:01:52.1280965Z ##[debug]exec tool: /agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner
2022-12-22T16:01:52.1282501Z ##[debug]arguments:
2022-12-22T16:01:52.1283813Z ##[debug] -X
2022-12-22T16:01:52.1285180Z [command]/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner -X
2022-12-22T16:01:53.6371799Z 16:01:53.634 INFO: Scanner configuration file: /agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/conf/sonar-scanner.properties
2022-12-22T16:01:53.6373840Z 16:01:53.636 INFO: Project root configuration file: NONE
2022-12-22T16:01:53.8122968Z 16:01:53.811 INFO: SonarScanner 4.7.0.2747
2022-12-22T16:01:53.8124820Z 16:01:53.812 INFO: Java 11.0.16.1 Eclipse Adoptium (64-bit)
2022-12-22T16:01:53.8125834Z 16:01:53.812 INFO: Linux 5.15.0-1020-azure amd64
[...]
2022-12-22T16:02:10.2175727Z 16:02:10.217 DEBUG: Importing issues from '/agent/_work/1/s/trivy.sarif'
2022-12-22T16:02:10.2309617Z 16:02:10.230 INFO: ------------------------------------------------------------------------
2022-12-22T16:02:10.2311653Z 16:02:10.230 INFO: EXECUTION FAILURE
2022-12-22T16:02:10.2312872Z 16:02:10.230 INFO: ------------------------------------------------------------------------
2022-12-22T16:02:10.2314179Z 16:02:10.230 INFO: Total time: 16.713s
2022-12-22T16:02:10.3131020Z 16:02:10.311 INFO: Final Memory: 33M/117M
2022-12-22T16:02:10.3133574Z 16:02:10.311 INFO: ------------------------------------------------------------------------
2022-12-22T16:02:10.3181881Z ##[error]16:02:10.311 ERROR: Error during SonarScanner execution
java.lang.NullPointerException
at org.sonar.scanner.externalissue.ReportParser.validate(ReportParser.java:52)
at org.sonar.scanner.externalissue.ReportParser.parse(ReportParser.java:43)
at org.sonar.scanner.externalissue.ExternalIssuesImportSensor.execute(ExternalIssuesImportSensor.java:72)
at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:88)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:61)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:79)
at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:61)
at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(SpringModuleScanContainer.java:82)
at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
at org.sonar.scanner.scan.SpringProjectScanContainer.scan(SpringProjectScanContainer.java:401)
at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(SpringProjectScanContainer.java:397)
at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:366)
at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:135)
at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
at com.sun.proxy.$Proxy0.execute(Unknown Source)
at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
at org.sonarsource.scanner.cli.Main.main(Main.java:61)
2022-12-22T16:02:10.3202860Z ##[debug]Processed: ##vso[task.logissue type=error;]16:02:10.311 ERROR: Error during SonarScanner execution%0Ajava.lang.NullPointerException%0A at org.sonar.scanner.externalissue.ReportParser.validate(ReportParser.java:52)%0A at org.sonar.scanner.externalissue.ReportParser.parse(ReportParser.java:43)%0A at org.sonar.scanner.externalissue.ExternalIssuesImportSensor.execute(ExternalIssuesImportSensor.java:72)%0A at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)%0A at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:88)%0A at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:61)%0A at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:79)%0A at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:61)%0A at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(SpringModuleScanContainer.java:82)%0A at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)%0A at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)%0A at org.sonar.scanner.scan.SpringProjectScanContainer.scan(SpringProjectScanContainer.java:401)%0A at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(SpringProjectScanContainer.java:397)%0A at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:366)%0A at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)%0A at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)%0A at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:135)%0A at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)%0A at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)%0A at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)%0A at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)%0A at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)%0A at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)%0A at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)%0A at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)%0A at java.base/java.lang.reflect.Method.invoke(Method.java:566)%0A at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)%0A at com.sun.proxy.$Proxy0.execute(Unknown Source)%0A at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)%0A at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)%0A at org.sonarsource.scanner.cli.Main.execute(Main.java:112)%0A at org.sonarsource.scanner.cli.Main.execute(Main.java:75)%0A at org.sonarsource.scanner.cli.Main.main(Main.java:61)
2022-12-22T16:02:10.3209987Z 16:02:10.311 ERROR: Error during SonarScanner execution
2022-12-22T16:02:10.3210328Z java.lang.NullPointerException
2022-12-22T16:02:10.3210770Z at org.sonar.scanner.externalissue.ReportParser.validate(ReportParser.java:52)
2022-12-22T16:02:10.3211310Z at org.sonar.scanner.externalissue.ReportParser.parse(ReportParser.java:43)
2022-12-22T16:02:10.3211891Z at org.sonar.scanner.externalissue.ExternalIssuesImportSensor.execute(ExternalIssuesImportSensor.java:72)
2022-12-22T16:02:10.3212497Z at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
2022-12-22T16:02:10.3213088Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:88)
2022-12-22T16:02:10.3213676Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:61)
2022-12-22T16:02:10.3214299Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:79)
2022-12-22T16:02:10.3214921Z at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:61)
2022-12-22T16:02:10.3215518Z at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(SpringModuleScanContainer.java:82)
2022-12-22T16:02:10.3216143Z at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
2022-12-22T16:02:10.3216753Z at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
2022-12-22T16:02:10.3217342Z at org.sonar.scanner.scan.SpringProjectScanContainer.scan(SpringProjectScanContainer.java:401)
2022-12-22T16:02:10.3217914Z at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(SpringProjectScanContainer.java:397)
2022-12-22T16:02:10.3218542Z at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:366)
2022-12-22T16:02:10.3219161Z at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
2022-12-22T16:02:10.3219782Z at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
2022-12-22T16:02:10.3220399Z at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:135)
2022-12-22T16:02:10.3221018Z at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:188)
2022-12-22T16:02:10.3221627Z at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:167)
2022-12-22T16:02:10.3222157Z at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
2022-12-22T16:02:10.3222625Z at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
2022-12-22T16:02:10.3223179Z at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
2022-12-22T16:02:10.3223749Z at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2022-12-22T16:02:10.3224296Z at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
2022-12-22T16:02:10.3224936Z at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2022-12-22T16:02:10.3225499Z at java.base/java.lang.reflect.Method.invoke(Method.java:566)
2022-12-22T16:02:10.3226030Z at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
2022-12-22T16:02:10.3226523Z at com.sun.proxy.$Proxy0.execute(Unknown Source)
2022-12-22T16:02:10.3226993Z at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
2022-12-22T16:02:10.3227536Z at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
2022-12-22T16:02:10.3228048Z at org.sonarsource.scanner.cli.Main.execute(Main.java:112)
2022-12-22T16:02:10.3228500Z at org.sonarsource.scanner.cli.Main.execute(Main.java:75)
2022-12-22T16:02:10.3228947Z at org.sonarsource.scanner.cli.Main.main(Main.java:61)
2022-12-22T16:02:10.6453417Z ##[debug]Exit code 1 received from tool '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner'
2022-12-22T16:02:10.6458445Z ##[debug]STDIO streams have closed for tool '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner'
2022-12-22T16:02:10.6488621Z ##[debug]task result: Failed
2022-12-22T16:02:10.6490964Z ##[error]The process '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner' failed with exit code 1
2022-12-22T16:02:10.6492465Z ##[debug]Processed: ##vso[task.issue type=error;]The process '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner' failed with exit code 1
2022-12-22T16:02:10.6495533Z ##[debug]Processed: ##vso[task.complete result=Failed;]The process '/agent/_work/_tasks/SonarQubeAnalyze_6d01813a-9589-4b15-8491-8164aeb38055/5.8.0/sonar-scanner/bin/sonar-scanner' failed with exit code 1
Mandatory fields for SonarQube
- version - must be "2.1.0"
$ cat trivy.sarif | yq '.version'
2.1.0
- runs[].tool.driver.name - name of the tool that created the report
$ cat trivy.sarif | yq '.runs[].tool.driver.name'
Trivy
- runs[].results[].message.text - message of the external issue
$ cat gitleaks.sarif | yq '.runs[].results[].message.text'
Artifact: files/python/configure.py
Type:
Secret SendGrid API token
Severity: MEDIUM
Match: SG_TOKEN = "*********************************************************************"
- sarifLog.runs[].result[].ruleId - ID of the corresponding rule in the tool that created the report
$ cat trivy.sarif | yq '.runs[].results[].ruleId'
sendgrid-api-token
Optional fields
- runs[].results[].locations[]
$ cat trivy.sarif | yq '.runs[].results[].locations[]'
{"physicalLocation": {"artifactLocation": {"uri": "files/python/configure.py", "uriBaseId": "ROOTPATH"}, "region": {"startLine": 56, "startColumn": 1, "endLine": 56, "endColumn": 1}}, "message": {"text": "files/python/configure.py"}}
- sarifLog.runs[].result[].level
$ cat trivy.sarif | yq '.sarifLog.runs[].result[].level'
# This one is not found in my SARIF file, but:
$ cat trivy.sarif | yq '.runs[].results[].level'
warning
Would you happen to have an idea about this?
(I’ll try to add details for a checkov file execution in the future)
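Editor's note, added below the post and not part of it: the stack trace above comes from `org.sonar.scanner.externalissue.ReportParser`, which is the parser for SonarQube's generic issue JSON format, the one consumed by `sonar.externalIssuesReportPaths` (the property visible in the scanner parameters at the top of the post). SARIF reports are read through the separate `sonar.sarifReportPaths` property, so the first thing to check is which property the pipeline sets. Independently of that, the mandatory-field list in the post is easy to turn into a pre-flight check that fails the pipeline with a readable message before `sonar-scanner` runs. The script below is an added example, not SonarQube's own code and not the poster's; it checks the fields the post lists (version, `runs[].tool.driver.name`, `runs[].results[].message.text`, `runs[].results[].ruleId`) and sanity-checks the optional `level` and `locations[]`. The two embedded reports are constructed samples modelled on the gitleaks/trivy output quoted in the post, not the real files.

```python
"""Pre-flight validation of a SARIF 2.1.0 file against the fields SonarQube requires.

Added example (not SonarQube code). Usage: python sarif_preflight.py gitleaks.sarif
Exit status is 1 when any problem is found, so it can gate the analysis step.
"""
import json
import sys
from typing import Any, List

REQUIRED_VERSION = "2.1.0"
# Allowed values of result.level in SARIF 2.1.0 (optional field for SonarQube).
LEVELS = {"none", "note", "warning", "error"}


def _get(obj: Any, path: List[str]) -> Any:
    """Walk nested dicts; return None as soon as a key or a dict is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def validate_sarif(doc: dict) -> List[str]:
    """Return a list of human-readable problems; an empty list means the report passes."""
    problems: List[str] = []
    if doc.get("version") != REQUIRED_VERSION:
        problems.append(f"version must be {REQUIRED_VERSION!r}, got {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        problems.append("runs[] is missing or empty")
        return problems
    for ri, run in enumerate(runs):
        if not isinstance(_get(run, ["tool", "driver", "name"]), str):
            problems.append(f"runs[{ri}].tool.driver.name is missing")
        results = run.get("results") if isinstance(run, dict) else None
        if not isinstance(results, list):
            problems.append(f"runs[{ri}].results[] is missing")
            continue
        for xi, res in enumerate(results):
            where = f"runs[{ri}].results[{xi}]"
            if not isinstance(res, dict):
                problems.append(f"{where} is not an object")
                continue
            if not isinstance(res.get("ruleId"), str):
                problems.append(f"{where}.ruleId is missing")
            if not isinstance(_get(res, ["message", "text"]), str):
                problems.append(f"{where}.message.text is missing")
            level = res.get("level")
            if level is not None and level not in LEVELS:
                problems.append(f"{where}.level {level!r} is not a SARIF level {sorted(LEVELS)}")
            for li, loc in enumerate(res.get("locations") or []):
                if not isinstance(_get(loc, ["physicalLocation", "artifactLocation", "uri"]), str):
                    problems.append(f"{where}.locations[{li}] has no physicalLocation.artifactLocation.uri")
    return problems


def validate_sarif_text(text: str) -> List[str]:
    """Same as validate_sarif but starting from raw file contents (handles bad JSON)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level SARIF value must be an object"]
    return validate_sarif(doc)


# Constructed sample shaped like the gitleaks finding quoted in the post (not the real file).
GOOD_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "gitleaks", "rules": [{"id": "sendgrid-api-token"}]}},
        "results": [{
            "ruleId": "sendgrid-api-token",
            "level": "warning",
            "message": {"text": "Secret SendGrid API token"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "files/python/configure.py"},
                "region": {"startLine": 56, "startColumn": 1, "endLine": 56, "endColumn": 1}}}],
        }],
    }],
}

# Constructed broken variant: wrong version, result without message.text, non-SARIF level.
BAD_REPORT = {
    "version": "2.0.0",
    "runs": [{
        "tool": {"driver": {"name": "gitleaks"}},
        "results": [{"ruleId": "sendgrid-api-token", "level": "medium",
                     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "a.py"}}}]}],
    }],
}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    found = validate_sarif_text(open(path, encoding="utf-8").read()) if path else validate_sarif(BAD_REPORT)
    for p in found:
        print("SARIF problem:", p)
    sys.exit(1 if found else 0)
```

Run it as a pipeline step before the SonarQube analysis task; with no argument it validates the embedded broken sample and reports the three defects. It deliberately does not try to reproduce the scanner's exact null check, which the stack trace does not reveal; it only makes the fields the post lists visible in the build log instead of a `NullPointerException`.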