SARIF output

Edit page Last modified: 01 February 2023

Qodana reports are formatted according to the SARIF specification and are contained in a JSON file. The Qodana implementation of SARIF follows the general format rules, but also specifies several custom properties contained in property bags.

Report structure

Here is the structure of reports produced by Qodana:

{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {...},
      "invocations": [...],
      "language": "en-US",
      "versionControlProvenance": [...],
      "results": [...],
      "automationDetails": {...},
      "newlineSequences": [...],
      "properties": {...}
    }
  ]
}

Each report is represented by a runs array containing a single Qodana run. This object contains several nested objects, such as:

Object

Description

tool

Information about the Qodana linter, plugins and inspections

invocations

Result of the Qodana invocation

versionControlProvenance

The version control system from which the project was checked out

results

Codebase problems detected by Qodana

automationDetails

Identification of the Qodana run

newlineSequences

The newline sequences that were used for calculating the line numbers

properties

Custom Qodana properties, see below

The custom Qodana properties are:

Property

Description

configProfile

How the inspection profile was found; one of empty, starter, recommended, path, single, absent, other.

deviceId

The tracking ID used for anonymous statistics.

tool

The tool object describes the Qodana linter, bundled plugins, and the available inspections.

{
  "tool": {
    "driver": {...},
    "extensions": [...]
  }
}

The tool object contains two nested objects:

Object

Description

driver

Information about the invoked Qodana linter

extensions

The loaded plugins, as well as all available inspections

The driver object

This object contains information about the invoked Qodana linter.

{
  "driver": {
    "name": "QDPHP",
    "fullName": "Qodana for PHP",
    "version": "222.4190.104",
    "rules": [],
    "taxa": [
      {
        "id": "EditorConfig",
        "name": "EditorConfig"
      },
      {
        "id": "PHP",
        "name": "PHP"
      },
      {
        "id": "PHP/Php Inspections (EA Extended)",
        "name": "Php Inspections (EA Extended)",
        "relationships": [
          {
            "target": {
              "id": "PHP",
              "index": 1,
              "toolComponent": {
                "name": "QDPHP"
              }
            },
            "kinds": [
              "superset"
            ]
          }
        ]
      }
    ]
  }
}

The object consists of the following fields:

Field

Description

name

ID of the Qodana linter

fullName

Full name of the Qodana linter

version

Version of the Qodana linter

rules

Descriptions of the available inspections, as reportingDescriptor objects

taxa

The categories of the inspections, including the relationships between categories

The extensions object

Each element of the extensions array corresponds to one IntelliJ IDEA plugin, providing information about the plugin name and version, as well as the inspections provided by the plugin.

{
  "extensions": [
    {
      "name": "org.editorconfig.editorconfigjetbrains",
      "version": "222.4190",
      "rules": [
        {
          "id": "EditorConfigCharClassRedundancy",
          "shortDescription": {
            "text": "Unnecessary character class"
          },
          "fullDescription": {
            "text": "Reports character classes that consist of a single character. Such classes can be simplified to a character, for example '[a]'→'a'.",
            "markdown": "Reports character classes that consist of a single character. Such classes can be simplified to a character, for example `[a]`→`a`."
          },
          "defaultConfiguration": {
            "enabled": true,
            "level": "warning",
            "parameters": {
              "ideaSeverity": "WARNING",
              "tags": [
                "ideaSeverity"
              ]
            }
          },
          "relationships": [
            {
              "target": {
                "id": "EditorConfig",
                "index": 0,
                "toolComponent": {
                  "name": "QDPHP"
                }
              },
              "kinds": [
                "superset"
              ]
            }
          ]
        }
      ],
      "language": "en-US",
      "contents": [
        "localizedData",
        "nonLocalizedData"
      ]
    }
  ]
}

This object contains the following fields:

Field

Description

name

The ID of the Qodana plugin

version

The version of the Qodana plugin

rules

The inspections provided by the plugin

Each inspection from the plugin is described by a reportingDescriptor with the following fields:

Field

Description

id

Inspection ID

shortDescription

Short description of the inspection

fullDescription

Detailed description of the inspection

defaultConfiguration

The reportingConfiguration object containing detailed information about the inspection, including its severity level and describing whether the inspection is enabled

relationships

The relation of the inspection to other inspections, see taxa for details

invocations

The invocations array contains a single element describing the Qodana invocation, telling whether Qodana ran successfully or not.

{
  "invocations": [
    {
      "exitCode": 0,
      "toolExecutionNotifications": [
        {
          "message": {
            "text": "Reporting from [\"Java annotator\"] 'sanity' inspections was suspended due to high problems count."
          },
          "level": "error"
        }
      ],
      "executionSuccessful": true
    }
  ]
}

In the above example, Qodana execution was successful (exitCode, executionSuccessful). Despite the (technically) successful execution, Qodana reported that its sanity inspections found some problems (message, level=error). When the 'sanity' inspections fail, this typically means that the project configuration was broken.

The possible values for exitCode are:

Value

Description

0

Successful execution

1

Any internal error

137

Out of memory, the Docker container for Qodana needs at least 6 GB of RAM

255

Successful execution and exit resulted from the exceeded fail-threshold property value

Here is the description of the other fields from the invocations object:

The toolExecutionNotifications field contains notifications generated during a Qodana run, such as a reached threshold.

note

After the linter process has exited successfully, the results folder contains the report file and the process exit code is equal to the exitCode value in the report.

If the process was terminated abnormally, the results folder may or may not contain the report file. A typical exit code in such cases is 137 (SIGKILL, due to out of memory).

versionControlProvenance

The versionControlProvenance array describes the version control systems that the project code was checked out from. Each version control system is described by a versionControlDetails object. If the project does not use a version control system, the whole versionControlProvenance is absent.

{
  "versionControlProvenance": [
    {
      "repositoryUri": "https://github.com/example/example.git",
      "revisionId": "6c034f977505b058c7cf764b3d9b1abd068a725e",
      "branch": "master",
      "properties": {
        "repoUrl": "https://github.com/example/example.git",
        "lastAuthorName": "Jane Doe",
        "vcsType": "Git",
        "lastAuthorEmail": "mail@example.com",
        "tags": [
          "repoUrl",
          "lastAuthorEmail",
          "lastAuthorName",
          "vcsType"
        ]
      }
    }
  ]
}

Each versionControlDetails object contains the following fields:

Field

Description

repositoryUri

Repository checkout URL

revisionId

Latest commit hash

branch

Repository branch

properties

Additional properties, see below

Additional properties are stored as a property bag, they contain information about the author of the last commit. The vcsType property always has the value Git.

results

The results array describes the problems detected during inspection. Each problem detected by Qodana is described by a separate result object.

{
  "results": [
    {
      "ruleId": "InfiniteRecursion",
      "kind": "fail",
      "level": "warning",
      "message": {
        "text": "Method <code>visitTypeVariable()</code> recurses infinitely, and can only end by throwing an exception"
      },
      "locations": [
        ...
      ],
      "partialFingerprints": {
        "equalIndicator/v1": "ac5714b0b15b7e8c4311899afd1c2b44069865039f2a9d309dcab04eddd4681d"
      },
      "baselineState": "unchanged",
      "properties": {
        "ideaSeverity": "WARNING",
        "tags": [
          "ideaSeverity"
        ]
      }
    }
  ]
}

Each result object consists of the following fields:

Field

Description

ruleId

The unique inspection ID (inspectionId)

kind

Always takes the fail value

level

The SARIF severity level

message

A message object with the nested text field containing the result/problem description in the format of an IntelliJ IDEA message string

locations

Array of the location objects. Always contains a single element comprised of the physicalLocation and the logicalLocations objects

partialFingerprints

Contains hashes for comparing results between different runs. Used by the baseline feature

baselineState

Indicates whether a linter was executed in baseline mode and can accept the following values:

  • new denotes that the problem was detected only in the current run but not in the baseline run

  • absent denotes that the problem was detected only in the baseline run but not in the current run

  • unchanged denotes that the problem was detected both in the current run and in the baseline run

properties

The propertyBag containing the ideaSeverity field with the original IntelliJ IDEA inspection severity as a value

The location object

Each location object describes a concrete physical location in a file, augmented by a high-level logical location.

{
  "physicalLocation": {
    "artifactLocation": {
      "uri": "asm-util/src/main/java/org/objectweb/asm/util/CheckSignatureAdapter.java",
      "uriBaseId": "SRCROOT"
    },
    "region": {
      "startLine": 259,
      "startColumn": 14,
      "charLength": 17,
      "snippet": {
        "text": "visitTypeVariable"
      },
      "sourceLanguage": "JAVA"
    },
    "contextRegion": {
      "startLine": 257,
      "startColumn": 1,
      "charOffset": 9764,
      "charLength": 152,
      "snippet": {
        "text": "\n  @Override\n  public void visitTypeVariable(final String name) {\n    visitTypeVariable(name);\n    if (type != TYPE_SIGNATURE || state != State.EMPTY) {"
      }
    }
  },
  "logicalLocations": [
    {
      "fullyQualifiedName": "root.asm-util.main",
      "kind": "module"
    }
  ]
}

The physicalLocation object

{
  "physicalLocation": {
    "artifactLocation": {
      "uri": "asm-util/src/main/java/org/objectweb/asm/util/CheckSignatureAdapter.java",
      "uriBaseId": "SRCROOT"
    },
    "region": {
      "startLine": 259,
      "startColumn": 14,
      "charLength": 17,
      "snippet": {
        "text": "visitTypeVariable"
      },
      "sourceLanguage": "JAVA"
    },
    "contextRegion": {
      "startLine": 257,
      "startColumn": 1,
      "charOffset": 9764,
      "charLength": 152,
      "snippet": {
        "text": "\n  @Override\n  public void visitTypeVariable(final String name) {\n    visitTypeVariable(name);\n    if (type != TYPE_SIGNATURE || state != State.EMPTY) {"
      }
    }
  }
}

The physicalLocation object contains the following fields:

Field

Description

artifactLocation

The artifactLocation object containing the following fields:

  • uri denotes the path relative to the project root

  • uriBaseId always has the SRCROOT value

region

Contains information about the problem location and the snippet that should be highlighted. See the section below for details

contextRegion

Contains information about the text that surrounds the snippet from the region field. This field is used for comparing problems in the baseline mode

The region object
{
  "region": {
    "startLine": 72,
    "startColumn": 23,
    "charOffset": 1852,
    "charLength": 11,
    "snippet": {
      "text": "options.php"
    },
    "sourceLanguage": "HTML"
  }
}

The region object contains the following fields:

Field

Description

startLine

The line number of the first character in the region. Starts with 1

startColumn

The column number of the first character in the region. Starts with 1, measured in UTF-16 code units

charOffset

The number of UTF-16 code units between the beginning of the file and the beginning of the region

charLength

The length of the region, measured in UTF-16 code units

snippet

The artifactContent object containing the text field with the value equal to the text of the specified region

sourceLanguage

Programming language of the inspected snippet. Used for highlighting in the user interface of Qodana

The logicalLocations object

{
  "logicalLocations": [
    {
      "fullyQualifiedName": "root.asm-util.main",
      "kind": "module"
    }
  ]
}

The logicalLocations object contains the following fields:

Field

Description

kind

Always takes the module value

fullyQualifiedName

The module name obtained from the project build system

automationDetails

The runAutomationDetails object provides details of the run object.

{
  "automationDetails": {
    "id": "project/qodana/2022-09-12",
    "guid": "bc9770e3-0cf4-4e46-a8fd-455e5bf116a2",
    "properties": {
      "jobUrl": "https://build.example.org/job/12345678",
      "tags": [
        "jobUrl"
      ]
    }
  }
}

The automationDetails object contains the following fields:

Field

Description

id

User-readable string, unique per report

guid

Unique machine-readable report ID

properties

Additional information about the run, for Qodana, it contains the URL of the CI/CD build that produced the report

newlineSequences

The newlineSequences array contains unique strings, each of which specifies a character sequence that Qodana treated as a line break during a run.

{
  "newlineSequences": [
    "\r\n",
    "\n"
  ]
}

properties

In addition to the inspections configured in the inspection profile, Qodana runs a few extra inspections for sanity-checking the project configuration. If these extra inspections find any problems, the project configuration is probably wrong. The results of these extra inspections are recorded in the qodana.sanity.results property in the same format as the regular result objects.

{
  "properties": {
    "qodana.sanity.results": [
      {
        "ruleId": "JavaAnnotator",
        "kind": "fail",
        "level": "error",
        "message": {
          "text": "Variable 'points' might not have been initialized",
          "markdown": "Variable 'points' might not have been initialized"
        },
        "locations": [
          {
            "physicalLocation": {
              "artifactLocation": {
                "uri": "core/src/main/java/com/google/zxing/datamatrix/detector/Detector.java",
                "uriBaseId": "SRCROOT"
              },
              "region": {
                "startLine": 52,
                "startColumn": 41,
                "charOffset": 1772,
                "charLength": 6,
                "snippet": {
                  "text": "points"
                },
                "sourceLanguage": "JAVA"
              },
              "contextRegion": {
                "startLine": 50,
                "startColumn": 1,
                "charOffset": 1670,
                "charLength": 180,
                "snippet": {
                  "text": "    ResultPoint[] cornerPoints = rectangleDetector.detect();\n\n    ResultPoint[] points = detectSolid2(points);\n    points[3] = correctTopRight(points);\n    if (points[3] == null) {"
                }
              }
            },
            "logicalLocations": [
              {
                "fullyQualifiedName": "core",
                "kind": "module"
              }
            ]
          }
        ],
        "partialFingerprints": {
          "equalIndicator/v1": "2bf8eae4ff0d22f23008fe342fb1cfc67aa4f6db9b276e16ba621c77e3fda618"
        },
        "properties": {
          "ideaSeverity": "ERROR"
        }
      }
    ]
  }
}

SARIF severity

The SARIF severity values correspond to the severity values of IntelliJ IDEA:

  • error corresponds to the ERROR severity of IntelliJ IDEA, errors are marked with red in the Qodana user interface

  • warning corresponds to the WARNING severity of IntelliJ IDEA, errors are marked with orange in the Qodana user interface

  • note in any other cases besides error and warning, errors are marked with yellow in the Qodana user interface

The original IntelliJ IDEA inspection severity is stored in the propertyBag field of the same object.