Valid SARIF report won't import (parser exception)

Must-share information :

  • VERSION : SonarQube server 9.9 LTS, Sonar Scanner 4.8
  • how is SonarQube deployed: Helm
  • Trying to : import a valid SARIF report

The following SARIF JSON is validated against SARIF schema 2.1.0 (SARIF Validator) but fails import with an exception (see below)

{
  "version": "2.1.0",
  "$schema": "",
  "runs": [
    {
      "results": [
        {
          "ruleId": "clang-diagnostic-error",
          "level": "error",
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "CompilerIdC/CMakeCCompilerId.c"
                },
                "region": {
                  "startColumn": 3,
                  "startLine": 2
                }
              }
            }
          ],
          "message": {
            "text": " <doublequote>A C++ compiler has been selected for C.<doublequote> [clang-diagnostic-error]<return># error <doublequote>A C++ compiler has been selected for C.<doublequote><return>  ^<return>"
          }
        }
      ],
      "tool": {
        "driver": {
          "informationUri": "",
          "name": "clang-tidy",
          "version": "14.0.0 Ubuntu LLVM version"
        }
      }
    }
  ]
}

Debug log :

12:06:11.813 DEBUG: Sensors : Import external issues report -> JaCoCo XML Report Importer -> IaC CloudFormation Sensor -> IaC Kubernetes Sensor -> TypeScript analysis -> CSS Rules -> C# Project Type Information -> C# Analysis Log -> C# Properties -> HTML -> TextAndSecretsSensor -> VB.NET Project Type Information -> VB.NET Analysis Log -> VB.NET Properties -> com.github.mc1arke.sonarqube.plugin.scanner.ScannerPullRequestPropertySensor -> IaC Docker Sensor
12:06:11.813 INFO: Sensor Import external issues report
12:06:11.813 DEBUG: Importing issues from '/home/user/projects/clang-tidy-sarif/build/output.sarif'
12:06:11.822 INFO: ------------------------------------------------------------------------
12:06:11.822 INFO: ------------------------------------------------------------------------
12:06:11.822 INFO: Total time: 5.967s
12:06:11.857 INFO: Final Memory: 19M/74M
12:06:11.857 INFO: ------------------------------------------------------------------------
12:08:05.012 ERROR: Error during SonarScanner execution
java.lang.NullPointerException: Cannot read the array length because "<local2>" is null
	at org.sonar.scanner.externalissue.ReportParser.validate(
	at org.sonar.scanner.externalissue.ReportParser.parse(
	at org.sonar.scanner.externalissue.ExternalIssuesImportSensor.execute(
	at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(
	at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(
	at org.sonar.scanner.scan.SpringModuleScanContainer.doAfterStart(
	at org.sonar.core.platform.SpringComponentContainer.startComponents(
	at org.sonar.core.platform.SpringComponentContainer.execute(
	at org.sonar.scanner.scan.SpringProjectScanContainer.scan(
	at org.sonar.scanner.scan.SpringProjectScanContainer.scanRecursively(
	at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(
	at org.sonar.core.platform.SpringComponentContainer.startComponents(
	at org.sonar.core.platform.SpringComponentContainer.execute(
	at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(
	at org.sonar.core.platform.SpringComponentContainer.startComponents(
	at org.sonar.core.platform.SpringComponentContainer.execute(
	at org.sonar.batch.bootstrapper.Batch.doExecute(
	at org.sonar.batch.bootstrapper.Batch.execute(
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(
	at jdk.proxy1/jdk.proxy1.$Proxy0.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(
	at org.sonarsource.scanner.cli.Main.execute(
	at org.sonarsource.scanner.cli.Main.execute(
	at org.sonarsource.scanner.cli.Main.main(
your results will be published into SONARWEBSERVER= 

Hi @bcopy ,

How are things at CERN :slight_smile: ?

This happens because you are using the property to import generic issues, sonar.externalIssuesReportPaths, instead of the one to import SARIF files: sonar.sarifReportPaths.

You can see the details here: Importing issues from SARIF reports

Cheers and greetings to BE-CO members from Sonar :wave:
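
Added example, not part of the original posts and not SonarQube code: a pre-scan check that flags a report handed to the wrong import property, which is the mix-up described in the answer above. The function names and sample paths are hypothetical, and the check assumes that generic issue reports carry a top-level "issues" array while SARIF logs carry "version" and "runs".

```python
import json

# Scanner property -> report format it expects (property names are from this thread).
EXPECTED = {
    "sonar.externalIssuesReportPaths": "generic",
    "sonar.sarifReportPaths": "sarif",
}

def classify(text):
    """Return 'sarif', 'generic' or 'unknown' for a JSON report body."""
    try:
        doc = json.loads(text)
    except (TypeError, ValueError):
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    # SARIF 2.1.0 logs carry a top-level "version" and a "runs" array.
    if "version" in doc and isinstance(doc.get("runs"), list):
        return "sarif"
    # Assumption: generic issue reports carry a top-level "issues" array.
    if isinstance(doc.get("issues"), list):
        return "generic"
    return "unknown"

def misrouted(props, read):
    """List (property, path, found, expected) for reports given to the wrong property."""
    problems = []
    for prop, expected in EXPECTED.items():
        for path in filter(None, (p.strip() for p in props.get(prop, "").split(","))):
            found = classify(read(path))
            if found != expected:
                problems.append((prop, path, found, expected))
    return problems

# Constructed inputs: a trimmed copy of the thread's SARIF log and a minimal generic report.
SAMPLE_FILES = {
    "build/output.sarif": json.dumps({"version": "2.1.0", "runs": [{
        "results": [{"ruleId": "clang-diagnostic-error", "level": "error"}],
        "tool": {"driver": {"name": "clang-tidy"}}}]}),
    "build/generic.json": json.dumps({"issues": []}),
}

def demo():
    """Check the thread's failing setup, then the corrected one."""
    bad = {"sonar.externalIssuesReportPaths": "build/output.sarif"}
    good = {"sonar.sarifReportPaths": "build/output.sarif",
            "sonar.externalIssuesReportPaths": "build/generic.json"}
    return misrouted(bad, SAMPLE_FILES.get), misrouted(good, SAMPLE_FILES.get)
```

Running such a check before the scanner turns the NullPointerException above into a one-line message naming the file and the property it belongs under.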


Hi Aurélien,

Thanks very much; it did help.
Things are well despite some operational ups and downs you can read about in the news :slight_smile:


Can’t seem to find a way to contact you in DM, but it would be awesome to organize a site visit. When would be a good time for a small CERN delegation to come over and have lunch with you guys?
