Generic Issue Format
We tried to make the generic issue format as close to SonarQube’s Generic Issue Import Format as possible because, guess what - we love bringing issues from the Scan Project report to the SonarQube dashboard!
Field description
| Field | Type | Description |
|---|---|---|
|
String |
String representation of a scanner name, e.g., |
|
String |
Scanners usually have an internal rule name that detected the issue, e.g. |
|
Enum: |
Issue type |
|
Enum: |
Issue severity |
|
String |
Short summary |
|
String |
Full description |
|
List<Integer> |
List of CWEs associated to the issue (many scanners return multiple) |
|
Location: List<filePath: String, lineNumber: Integer> |
Issue location |
Why not SARIF?
There’s an attempt to create a universal format to capture and process scan results from multiple tools by Microsoft called Static Analysis Results Interchange Format (SARIF).
We actually do support SARIF - but like all other security tool authors, we struggle with the complexity and lack of support for this format. SARIF is excellent for results storage and various exports. However, at the time of writing this, there’s still much more value in maintaining our generic format so that we can also normalize issues from different tools and apply advanced processing and decision-making algorithms to reduce the amount of noise produced by scanners.