SARIF output
Qodana reports are formatted according to the SARIF specification and are contained in a JSON file. The Qodana implementation of SARIF follows the general format rules, but also specifies several custom properties contained in property bags.
Report structure
Here is the structure of reports produced by Qodana:
Each report is represented by a runs array containing a single Qodana run. This object contains several nested objects, such as:
Object | Description |
---|---|
tool | Information about the Qodana linter, plugins and inspections |
invocations | Result of the Qodana invocation |
versionControlProvenance | The version control system from which the project was checked out |
results | Codebase problems detected by Qodana |
automationDetails | Identification of the Qodana run |
newlineSequences | The newline sequences that were used for calculating the line numbers |
properties | Custom Qodana properties, see below |
The custom Qodana properties are:
Property | Description |
---|---|
| How the inspection profile was found; one of |
| The tracking ID used for anonymous statistics. |
tool
The tool object describes the Qodana linter, bundled plugins, and the available inspections.
The tool object contains two nested objects:
Object | Description |
---|---|
driver | Information about the invoked Qodana linter |
extensions | The loaded plugins, as well as all available inspections |
The driver object
This object contains information about the invoked Qodana linter.
The object consists of the following fields:
Field | Description |
---|---|
| ID of the Qodana linter |
| Full name of the Qodana linter |
| Version of the Qodana linter |
| Descriptions of the available inspections, as |
| The categories of the inspections, including the relationships between categories |
The extensions object
Each element of the extensions array corresponds to one IntelliJ IDEA plugin, providing information about the plugin name and version, as well as the inspections provided by the plugin.
This object contains the following fields:
Field | Description |
---|---|
| The ID of the Qodana plugin |
| The version of the Qodana plugin |
| The inspections provided by the plugin |
Each inspection from the plugin is described by a reportingDescriptor object with the following fields:
Field | Description |
---|---|
| Inspection ID |
| Short description of the inspection |
| Detailed description of the inspection |
| The |
| The relation of the inspection to other inspections, see |
invocations
The invocations array contains a single element describing the Qodana invocation, telling whether Qodana ran successfully or not.
In the above example, Qodana execution was successful (exitCode, executionSuccessful). Despite the (technically) successful execution, Qodana reported that its sanity inspections found some problems (message, level=error). When the 'sanity' inspections fail, this typically means that the project configuration was broken.
The possible values for exitCode are:
Value | Description |
---|---|
| Successful execution |
| Any internal error |
| Out of memory, the Docker container for Qodana needs at least 6 GB of RAM |
| Successful execution and exit resulted from the exceeded |
Here is the description of the other fields from the invocations object:
The toolExecutionNotifications field contains notifications generated during a Qodana run, such as a reached threshold.
versionControlProvenance
The versionControlProvenance array describes the version control systems that the project code was checked out from. Each version control system is described by a versionControlDetails object. If the project does not use a version control system, the whole versionControlProvenance array is absent.
Each versionControlDetails object contains the following fields:
Field | Description |
---|---|
| Repository checkout URL |
| Latest commit hash |
| Repository branch |
| Additional properties, see below |
Additional properties are stored as a property bag; they contain information about the author of the last commit. The vcsType property always has the value Git.
results
The results array describes the problems detected during inspection. Each problem detected by Qodana is described by a separate result object.
Each result object consists of the following fields:
Field | Description |
---|---|
| The unique inspection ID ( |
| Always takes the |
| The SARIF severity level |
| A |
| Array of the |
| Contains hashes for comparing results between different runs. Used by the baseline feature |
| Indicates whether a linter was executed in baseline mode and can accept the following values: |
| The |
The location object
Each location object describes a concrete physical location in a file, augmented by a high-level logical location.
The physicalLocation object
The physicalLocation object contains the following fields:
Field | Description |
---|---|
| The |
| Contains information about the problem location and the snippet that should be highlighted. See the section below for details |
| Contains information about the text that surrounds the snippet from the |
The region object
The region object contains the following fields:
Field | Description |
---|---|
| The line number of the first character in the region. Starts with 1 |
| The column number of the first character in the region. Starts with 1, measured in UTF-16 code units |
| The number of UTF-16 code units between the beginning of the file and the beginning of the region |
| The length of the region, measured in UTF-16 code units |
| The |
| Programming language of the inspected snippet. Used for highlighting in the user interface of Qodana |
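The region fields above count in UTF-16 code units, so a consumer written in a language whose strings are indexed by code points (Python, Go, Rust) will read the wrong text after any character outside the Basic Multilingual Plane. The following is an added example, not Qodana's own code, that resolves a region against a constructed source file using the UTF-16 convention; it assumes a single "\n" line break (a real consumer would take the sequences from the report's newlineSequences array).

```python
# Added example, not Qodana's own code: extracting the text that a SARIF
# region covers, honouring the UTF-16 code-unit convention used by
# startColumn, charOffset and charLength. The sample source is constructed.

# Constructed source file. The emoji is one Python character but two UTF-16
# code units, so naive Python indexing and SARIF offsets disagree after it.
SAMPLE_SOURCE = 'x = 1\nmsg = "h\u00e9llo \U0001F600 world"\nunused = 2\n'


def utf16_slice(text: str, char_offset: int, char_length: int) -> str:
    """Return the substring covered by charOffset/charLength (UTF-16 units)."""
    data = text.encode("utf-16-le")
    start = 2 * char_offset
    end = start + 2 * char_length
    if end > len(data):
        raise ValueError("region extends past end of file")
    return data[start:end].decode("utf-16-le")


def line_col_to_offset(text: str, start_line: int, start_column: int,
                       newline: str = "\n") -> int:
    """Convert 1-based startLine/startColumn into a UTF-16 code-unit offset.

    The report's newlineSequences array states which sequences Qodana
    counted as line breaks; a single "\n" is assumed here.
    """
    lines = text.split(newline)
    if start_line < 1 or start_line > len(lines):
        raise ValueError("startLine out of range")
    newline_units = len(newline.encode("utf-16-le")) // 2
    offset = 0
    for line in lines[:start_line - 1]:
        offset += len(line.encode("utf-16-le")) // 2 + newline_units
    return offset + (start_column - 1)


def region_text(text: str, region: dict) -> str:
    """Resolve a SARIF region dict to the text it covers.

    Prefers charOffset when present; otherwise derives the offset from
    startLine/startColumn. charLength is required in both cases.
    """
    if "charOffset" in region:
        offset = region["charOffset"]
    else:
        offset = line_col_to_offset(text, region["startLine"], region["startColumn"])
    return utf16_slice(text, offset, region["charLength"])


def snippet_matches(text: str, region: dict) -> bool:
    """Check that the report's snippet agrees with the current file contents.

    A mismatch usually means the file changed after the run, or that the
    consumer indexed by code points instead of UTF-16 code units.
    """
    return region_text(text, region) == region["snippet"]["text"]


if __name__ == "__main__":
    # "world" starts at UTF-16 unit 22; Python index 22 is already past the 'w'.
    print(utf16_slice(SAMPLE_SOURCE, 22, 5), repr(SAMPLE_SOURCE[22:27]))
```

The snippet check is the cheap way to catch both failure modes: compare what you extracted with the region's own snippet.text before highlighting or acting on it.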
The logicalLocations object
The logicalLocations object contains the following fields:
Field | Description |
---|---|
| Always takes the |
| The module name obtained from the project build system |
automationDetails
The runAutomationDetails object provides details of the run object.
The automationDetails object contains the following fields:
Field | Description |
---|---|
| User-readable string, unique per report |
| Unique machine-readable report ID |
| Additional information about the run, for Qodana, it contains the URL of the CI/CD build that produced the report |
newlineSequences
The newlineSequences array contains unique strings, each of which specifies a character sequence that Qodana treated as a line break during a run.
properties
In addition to the inspections configured in the inspection profile, Qodana runs a few extra inspections for sanity-checking the project configuration. If these extra inspections find any problems, the project configuration is probably wrong. The results of these extra inspections are recorded in the qodana.sanity.results property in the same format as the regular result objects.
SARIF severity
The SARIF severity values correspond to the severity values of IntelliJ IDEA according to this table:
IDE severity | SARIF severity | Qodana report severity | Code Climate severity | Bitbucket severity |
---|---|---|---|---|
ERROR | ERROR | Critical | Blocker | High |
WARNING | WARNING | High | Critical | High |
WEAK WARNING | NOTE | Moderate | Major | Medium |
TYPO | NOTE | Low | Minor | Low |
INFORMATION | NOTE | Info | Info | Info |
OTHER | NOTE | Info | Info | Info |
The original IntelliJ IDEA inspection severity is stored in the propertyBag field of the same object.
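Putting the structure described on this page together, the following added example (not Qodana's own code) loads a report, checks the invocation outcome, pulls out any qodana.sanity.results, drops results the baseline already knows about, and maps each remaining result to the Qodana report severity from the table above. The report is constructed; the property-bag key ideaSeverity for the original IDE severity and the exit code 0 for success are assumptions, and the rule IDs and paths are made up.

```python
# Added example, not Qodana's own code: loading a Qodana SARIF report,
# checking the invocation, collecting sanity-check problems and summarising
# results by rule and level. The report is constructed; "ideaSeverity" as the
# property-bag key and exit code 0 for success are assumptions.
import json
from collections import Counter

# SARIF result levels, most severe first.
LEVEL_ORDER = {"error": 0, "warning": 1, "note": 2, "none": 3}

# IDE severity -> Qodana report severity, from the severity table on this page.
IDE_TO_REPORT_SEVERITY = {
    "ERROR": "Critical", "WARNING": "High", "WEAK WARNING": "Moderate",
    "TYPO": "Low", "INFORMATION": "Info", "OTHER": "Info",
}


def make_result(rule, level, uri, line, text, idea, baseline="new"):
    """Build one constructed result object using the fields listed on this page."""
    return {
        "ruleId": rule, "kind": "fail", "level": level,
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line, "startColumn": 1, "charLength": 1},
        }}],
        "baselineState": baseline,
        "properties": {"ideaSeverity": idea},  # assumed key name
    }


SAMPLE_REPORT = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-linter", "version": "0.0.0"}},
        "invocations": [{"exitCode": 0, "executionSuccessful": True}],
        "results": [
            make_result("ExampleUnusedVariable", "warning", "src/app.py", 12,
                        "Local variable 'tmp' is unused", "WARNING"),
            make_result("ExampleSyntaxError", "error", "src/app.py", 3,
                        "Unexpected token", "ERROR"),
            make_result("ExampleTypo", "note", "README.md", 1,
                        "Typo: 'recieve'", "TYPO", baseline="unchanged"),
        ],
        "newlineSequences": ["\r\n", "\n"],
        "properties": {"qodana.sanity.results": []},
    }],
})


def load_run(report_json: str) -> dict:
    """Return the single run; Qodana reports always carry exactly one."""
    runs = json.loads(report_json).get("runs", [])
    if len(runs) != 1:
        raise ValueError(f"expected exactly one run, found {len(runs)}")
    return runs[0]


def invocation_succeeded(run: dict) -> bool:
    inv = run.get("invocations", [{}])[0]
    return inv.get("executionSuccessful") is True and inv.get("exitCode", 0) == 0


def sanity_problems(run: dict) -> list:
    """Extra sanity-check results; non-empty means the project config is probably broken."""
    return run.get("properties", {}).get("qodana.sanity.results", [])


def new_results(run: dict) -> list:
    """Results not already known from the baseline (baselineState absent or 'new')."""
    return [r for r in run.get("results", []) if r.get("baselineState", "new") == "new"]


def summarise(results: list) -> Counter:
    return Counter((r["ruleId"], r["level"]) for r in results)


def worst_level(results: list) -> str:
    if not results:
        return "none"
    return min((r["level"] for r in results), key=lambda lvl: LEVEL_ORDER.get(lvl, 99))


def report_severity(result: dict) -> str:
    idea = result.get("properties", {}).get("ideaSeverity", "OTHER")
    return IDE_TO_REPORT_SEVERITY.get(idea, "Info")


def findings(results: list) -> list:
    rows = []
    for r in results:
        phys = r["locations"][0]["physicalLocation"]
        rows.append({"rule": r["ruleId"], "severity": report_severity(r),
                     "file": phys["artifactLocation"]["uri"],
                     "line": phys["region"]["startLine"],
                     "message": r["message"]["text"]})
    return rows


if __name__ == "__main__":
    run = load_run(SAMPLE_REPORT)
    print("invocation ok:", invocation_succeeded(run), "sanity:", len(sanity_problems(run)))
    for row in findings(new_results(run)):
        print(row)
```

Note that a zero exitCode with executionSuccessful true does not by itself mean the project is healthy: as the invocations section explains, the sanity inspections can still report problems, which is why sanity_problems is checked separately from the regular results.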