This is a Maven plugin that parses SARIF files produced by a CodeQL scan. The parsed result is passed to SonarQube via the SonarIssueReporter goal, so the issues are displayed on the project's dashboard in Sonar.
In order to use this plugin properly, your Java project must already be configured in Sonar and connected using org.sonarsource.scanner.maven:sonar-maven-plugin.
Add the following plugin to your pom.xml:

    <plugin>
      <groupId>com.baloise.open</groupId>
      <artifactId>codeql2sonar-maven-plugin</artifactId>
      <version>0.1.7</version>
    </plugin>
To execute the plugin, run: mvn codeql2sonar:SonarIssueReporter

Parameters:
- codeql2sonar.sarif.inputfile: specifies the SARIF file created by the CodeQL scan.
- codeql2sonar.sarif.outputfile: location where the parsed result is written. Default: target/sonar/codeql2sonar.json
- codeql2sonar.sarif.ignoreTests: if set to true, resources whose artifact location contains '/test/' are not reported to Sonar. Default: false
- codeql2sonar.sarif.path.excludes: array of artifact locations to be excluded from the result. Regex patterns can be used here; each value is applied as the pattern .*<codeql2sonar.sarif.path.excludes.value>.* and the patterns are compiled case-insensitively. Example:

      <codeql2sonar.sarif.path.excludes>
        <param>value1</param>
        <param>value2</param>
      </codeql2sonar.sarif.path.excludes>

  When used on the command line, the paths can be separated by comma, e.g. -Dcodeql2sonar.sarif.path.excludes=path/subdir1,path/subdir2/
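The following is an added example, not code from the codeql2sonar-maven-plugin project, written in Python rather than the plugin's Java so that it runs stand-alone. It shows how the two filters documented above behave on real SARIF structure: a result is dropped when ignoreTests is on and its artifact URI contains '/test/', or when the URI matches any excludes value wrapped as .*value.* and compiled case-insensitively. The SARIF document is constructed inline (it is not CodeQL output), and the function and variable names are the example's own. Because the excludes values are inserted into a regex unescaped, regex metacharacters in a value are live (a value of "." excludes every path), which is worth remembering when passing literal paths.

```python
import json
import re

# Constructed minimal SARIF 2.1.0 document (NOT real CodeQL output);
# only the fields the filters depend on are present.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "java/sql-injection", "level": "error",
             "message": {"text": "Query built from user input."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/app/OrderDao.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "java/log-injection", "level": "warning",
             "message": {"text": "Log entry built from user input."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/test/java/app/OrderDaoTest.java"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "java/hardcoded-credential", "level": "error",
             "message": {"text": "Hard-coded credential."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Generated/Stubs/Client.java"},
                 "region": {"startLine": 5}}}]},
        ],
    }],
})


def build_exclude_patterns(excludes):
    """Compile each excludes value as the README documents it:
    wrapped in .* ... .* and compiled case-insensitively (value is not escaped)."""
    return [re.compile(".*" + value + ".*", re.IGNORECASE) for value in excludes]


def is_excluded(uri, ignore_tests, patterns):
    """True when a SARIF artifact location must not be reported to Sonar."""
    if ignore_tests and "/test/" in uri:
        return True
    return any(p.fullmatch(uri) for p in patterns)


def filter_sarif(sarif_text, ignore_tests=False, excludes=()):
    """Parse a SARIF document and split its result locations into
    (kept, dropped) lists of (ruleId, uri, startLine) tuples."""
    doc = json.loads(sarif_text)
    patterns = build_exclude_patterns(excludes)
    kept, dropped = [], []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine")
                entry = (result.get("ruleId"), uri, line)
                (dropped if is_excluded(uri, ignore_tests, patterns) else kept).append(entry)
    return kept, dropped


if __name__ == "__main__":
    # Equivalent of -Dcodeql2sonar.sarif.ignoreTests=true
    # -Dcodeql2sonar.sarif.path.excludes=generated/
    kept, dropped = filter_sarif(SAMPLE_SARIF, ignore_tests=True, excludes=["generated/"])
    for rule, uri, line in kept:
        print(f"report  {rule} {uri}:{line}")
    for rule, uri, line in dropped:
        print(f"skip    {rule} {uri}:{line}")
```

With ignoreTests on and "generated/" excluded, only the sql-injection finding in src/main survives: the test-tree finding is dropped by the '/test/' rule and Generated/Stubs/Client.java by the case-insensitive pattern.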