Qodana 2021.2 Help

SARIF output

The Qodana IntelliJ linter produces the SARIF output, which is a JSON file formatted in accordance with the specification. The Qodana implementation follows the general format rules but also specifies several custom properties written in propertyBag.

Report example

{ "version": "2.1.0", "runs": [ { "tool": { ... }, "invocations": [ { "exitCode": 0, "executionSuccessful": true } ], "language": "en-US", "versionControlProvenance": [ { "repositoryUri": "https://github.com/avafanasiev/gson", "revisionId": "a785a47b348265d0e8034f2611f737b1b865a334", "branch": "master", "properties": { "vcsType": "Git", "tags": [ "vcsType" ] } } ], "results": [...], "automationDetails": { "id": "project - 7/10/21, 7:29 AM", "guid": "9a1a0587-1819-41f8-bdc6-3452268ae572" }, "newlineSequences": [ "\r\n", "\n" ] } ] }

Common structure

A report file always contain one Run object. This object always contains the following sections:


The list of Invocation objects, which always contains a single invocation object. An invocation comprises the following:

  • exitCode- tool exit code.
    • 0- indicates successful execution.

    • 1- indicates any internal error.

    • 255- indicates successful execution, but the exit code is non-zero due to failThreshold property.

  • executionSuccessful- if exitCode is 0 or 255.

  • exitCodeDescription- the description of the exit code for non-zero values.


The AutomationDetails object, which contains:

  • guid- a unique report ID.

  • id- a user-defined string, should be unique for the report.


The list of VersionControlDetails objects, which contains zero or one object corresponding to the vcs repository in project root. Currently supported VCS list: Git.

An object contains the following:

  • repositoryUri- the repository checkout URL.

  • revisionId- the last commit hash.

  • branch- the current repository branch.

  • properties- the propertyBag object with the vcsType field, which can be any of the following:
    • Git
    • Hg
    • Svn


The Tool object contains the description of the Qodana image, bundled plugins and inspections in them.


The list of Result objects.

Tool object

Tool example

{ "driver": { "name": "Qodana Intellij Linter", "rules": [] }, "extensions": [ { "name": "org.intellij.intelliLang", "version": "213.1056", "rules": [ { "id": "InjectionNotApplicable", "shortDescription": { "text": "Injection Annotation not applicable" }, "fullDescription": { "text": "<html>\n<body>\nReports when a <code>@Language</code> annotation is applied to an element with a type other than <code>String</code> or <code>String[]</code>.\n<p><b>Example:</b></p>\n<pre><code>\n @Language(\"HTML\") <b>int</b> i;\n</code></pre>\n<p>After the quick-fix is applied:</p>\n<pre><code>\n <b>int</b> i;\n</code></pre>\n</body>\n</html>\n" }, "defaultConfiguration": { "enabled": false, "level": "error", "parameters": { "ideaSeverity": "ERROR", "tags": [ "ideaSeverity" ] } } } ] } ] }

Tool structure

  • driver- ToolComponent object, which describes the Qodana Intellij Linter tool.

  • extensions- the list of ToolComponent objects. Each element of the list corresponds to the Intellij IDEA plugin used for this run.

ToolComponent structure

The object contains:

  • name- the pluginId for an Intellij IDEA plugin, "Qodana Intellij Linter" for the driver.

  • version- the plugin version for an Intellij IDEA plugin, the tool version for the driver.

  • rules- the list of ReportingDescriptor objects.

ReportingDescriptor structure

The object contains:

  • id- the inspectionId, that is, the short name of an inspection.

  • shortDescription- [MultiformatMessageString object]. Contains the field text with the name of an inspection as a value.

  • fullDescription- [MultiformatMessageString object]. Contains the field text with the description of an inspection as a value. The description string is provided in the HTML format.

  • defaultConfiguration- ReportingConfiguration object. The configuration of an inspection used by default.

ReportingConfiguration structure

The object contains:

SARIF severity

The SARIF severity values could be one of the following strings:

  • error- if the Intellij IDEA inspection severity is "ERROR".

  • warning- if the Intellij IDEA inspection severity is "WARNING".

  • note- in any other case.

The original Intellij IDEA inspection severity is stored in the same object's propertyBag field.

Result object

Result example

{ "ruleId": "InfiniteRecursion", "kind": "fail", "level": "warning", "message": { "text": "Method <code>visitTypeVariable()</code> recurses infinitely, and can only end by throwing an exception" }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "asm-util/src/main/java/org/objectweb/asm/util/CheckSignatureAdapter.java", "uriBaseId": "SRCROOT" }, "region": { "startLine": 259, "startColumn": 14, "charLength": 17, "snippet": { "text": "visitTypeVariable" }, "sourceLanguage": "JAVA" }, "contextRegion": { "startLine": 257, "startColumn": 1, "charOffset": 9764, "charLength": 152, "snippet": { "text": "\n @Override\n public void visitTypeVariable(final String name) {\n visitTypeVariable(name);\n if (type != TYPE_SIGNATURE || state != State.EMPTY) {" } } }, "logicalLocations": [ { "fullyQualifiedName": "root.asm-util.main", "kind": "module" } ] } ], "partialFingerprints": { "equalIndicator/v1": "ac5714b0b15b7e8c4311899afd1c2b44069865039f2a9d309dcab04eddd4681d" }, "baselineState": "unchanged", "properties": { "ideaSeverity": "WARNING", "tags": [ "ideaSeverity" ] } }

Result structure

  • ruleId- the inspection short name (inspectionId), which is a unique inspection identifier.

  • kind- always "fail".

  • level- SARIF severity level.

  • message- an object of type Message with a single field text, which contains the result/problem description in the format of an Intellij IDEA message string.

  • partialFingerprints- a technical field contains hashes for comparing results between different runs. Used in the baseline feature.

  • baselineState- the field only appears if a linter was executed in baseline mode and can be any of the following:
    • new: The problem was detected only in the current run but not in the baseline run.

    • absent: The problem was detected only in the baseline run but not in the current run.

    • unchanged: The problem was detected both in the current run and in the baseline run.

  • properties- a propertyBag with the ideaSeverity field with the original Intellij IDEA inspection severity as a value.

  • locations- the list of Location objects. Always contains a single element.

Location structure

The object contains:

  • logicalLocations- the list of LogicalLocation objects, which contains zero or one element corresponding to the module in which the result appears. A module can be a Gradle subproject, Maven module, and so on.

  • physicalLocation- the PhysicalLocation object. Could be absent.

LogicalLocation Structure

The object contains:

  • kind- always "module".

  • fullyQualifiedName- the module name obtained from the project build system.

PhysicalLocation structure

The object contains:

  • artifactLocation- ArtifactLocation object, which contains the following:
    • uri- the path relative to the project root.

    • uriBaseId- always has the value "SRCROOT".

  • region- Region object, which is a part of the artifact's location containing the text that should be highlighted as a reason of the current result.

  • contextRegion- the Region object, which is a part of the artifact location's surrounding region. Typically, two rows above and under region. Used for problems comparisons in baseline.

Region structure

The object contains:

  • startLine- the one-based line number of the first character in the region.

  • startColumn- the one-based column number of the first character in the region.

  • charOffset- the zero-based character offset of the first character in the region from the beginning of the artifact.

  • charLength- region length in characters.

  • snippet- ArtifactContent object, which contains the field text with the value equal to the text of the specified region extracted from the artifact.

Last modified: 24 August 2021