ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.

Home Page: https://discord.gg/DCNxzaeUpd


bug: invalid json structure in scan-full-report.json

darkspirit510 opened this issue · comments

Running

docker run --rm -e "WORKSPACE=${PWD}" -v ~/.m2:/.m2 -v <source path>:/app shiftleft/scan scan --src /app --type java

returns several result files:

-rw-r--r-- 1 sknoop sknoop 92K Jun 3 19:42 .sastscan.baseline
-rw-r--r-- 1 sknoop sknoop 7.1M Jun 3 19:41 class-report.html
-rw-r--r-- 1 sknoop sknoop 7.2M Jun 3 19:41 class-report.sarif
-rw-r--r-- 1 sknoop sknoop 13M Jun 3 19:41 class-report.xml
-rw-r--r-- 1 sknoop sknoop 8.6M Jun 3 19:42 ngsast-report.findings.json
-rw-r--r-- 1 sknoop sknoop 5.2M Jun 3 19:42 scan-full-report.json
-rw-r--r-- 1 sknoop sknoop 0 Jun 3 19:41 source-java-report.csv
-rw-r--r-- 1 sknoop sknoop 17K Jun 3 19:42 source-java-report.html
-rw-r--r-- 1 sknoop sknoop 2.3K Jun 3 19:42 source-java-report.sarif

For release 2.0.0 the file scan-full-report.json contains:

{"tool": {"driver": {"name": "Java Source Analyzer", [...]}
{"tool": {"driver": {"name": "Class File Analyzer", [...]}

Those are two JSON structures in one file, which is invalid. Could you either split this into two files or wrap something around it to fix this?

@darkspirit510 This is in JSON Lines format, where each line is a JSON. This can then be imported into supported platforms such as Google BigQuery for advanced analysis.

Never heard of this, but guess there will be some Java implementation. Then, of course, this is not a bug. Thank you for the reply!

@darkspirit510 I've shared the python snippet to parse this in the docs - https://slscan.io/en/latest/getting-started/use-cases/#parsing-the-full-report

Hope you could do the same in Java: read line by line and parse the JSON to get the full SARIF representation.
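As an added example (not the project's code and not the snippet from the linked docs), the line-by-line approach described above in Python: it shows why parsing the whole file as one document fails, parses each line as its own SARIF run, and tallies results per analyzer so a CI job can gate on them. The report content and rule ids are constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample in the layout the maintainer describes: one SARIF "run"
# object per line (JSON Lines), not a single JSON document. Findings are hypothetical.
SAMPLE_FULL_REPORT = (
    '{"tool": {"driver": {"name": "Java Source Analyzer"}}, '
    '"results": [{"ruleId": "EXAMPLE_SQLI", "level": "error"}, '
    '{"ruleId": "EXAMPLE_HARDCODED_SECRET", "level": "warning"}]}\n'
    '{"tool": {"driver": {"name": "Class File Analyzer"}}, '
    '"results": [{"ruleId": "EXAMPLE_WEAK_RANDOM", "level": "warning"}]}\n'
)


def whole_file_is_valid_json(text: str) -> bool:
    """The naive approach from the issue: json.loads on the whole file fails
    with 'Extra data' as soon as a second line follows the first object."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def parse_full_report(text: str) -> List[dict]:
    """Parse scan-full-report.json as JSON Lines: one SARIF run per line.
    Blank lines are skipped; a malformed line raises with its line number."""
    runs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            runs.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} is not valid JSON: {exc}") from exc
    return runs


def findings_by_tool(runs: List[dict]) -> Dict[str, Dict[str, int]]:
    """Count results per analyzer (tool.driver.name) and SARIF level."""
    summary: Dict[str, Dict[str, int]] = {}
    for run in runs:
        name = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        counts = summary.setdefault(name, {})
        for result in run.get("results", []):
            level = result.get("level", "none")
            counts[level] = counts.get(level, 0) + 1
    return summary
```

Pointing `parse_full_report` at the real file is a matter of reading it with `open(path, encoding="utf-8").read()`; the per-line error keeps a single corrupt run from hiding the rest of the report.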