david-a-wheeler / flawfinder

a static analysis tool for finding vulnerabilities in C/C++ source code
GNU General Public License v2.0

SARIF output malformed due to incorrect URI, which causes GitHub upload to fail #78

Open Robyt3 opened 1 year ago

Robyt3 commented 1 year ago

GitHub workflow file:

name: Flawfinder

on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
  schedule:
    - cron: '28 13 * * 2'

jobs:
  flawfinder:
    name: Flawfinder
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Scan with Flawfinder
        uses: david-a-wheeler/flawfinder@2.0.19
        with:
          arguments: '--sarif ./src'
          output: 'flawfinder_results.sarif'

      - name: Upload analysis results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{github.workspace}}/flawfinder_results.sarif

The upload step fails with this output:

Run github/codeql-action/upload-sarif@v2
Uploading results
  Processing sarif files: ["/home/runner/work/ddnet/ddnet/flawfinder_results.sarif"]
Error details: instance.runs[0].tool.driver.rules[18].helpUri does not conform to the "uri" format
Error: Unable to upload "/home/runner/work/ddnet/ddnet/flawfinder_results.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.rules[18].helpUri does not conform to the "uri" format
Error: Unable to upload "/home/runner/work/ddnet/ddnet/flawfinder_results.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.rules[18].helpUri does not conform to the "uri" format
    at validateSarifFileSchema (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:199:15)
    at uploadFiles (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:249:9)
    at Object.uploadFromActions (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:136:18)
    at async run (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:48:30)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:70:9)

Relevant excerpt from the SARIF output:

{
  "id": "FF1030",
  "name": "race/access",
  "shortDescription": {
    "text": "This usually indicates a security flaw.  If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition (CWE-362/CWE-367!)."
  },
  "defaultConfiguration": {
    "level": "error"
  },
  "helpUri": "https://cwe.mitre.org/data/definitions/362.htmlhttps://cwe.mitre.org/data/definitions/367.html",
  "relationships": [
    {
      "target": {
        "id": "CWE-362",
        "toolComponent": {
          "name": "CWE",
          "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
        }
      },
      "kinds": [
        "relevant"
      ]
    },
    {
      "target": {
        "id": "CWE-367",
        "toolComponent": {
          "name": "CWE",
          "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
        }
      },
      "kinds": [
        "incomparable"
      ]
    }
  ]
},
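As an added example (not part of flawfinder or this issue), a small Python check that finds rules whose helpUri glues several absolute URLs together, as in the FF1030 excerpt above, and repairs them by keeping the first URL as helpUri and moving the rest into the rule's help text, since SARIF allows only one URI there. The SAMPLE document is constructed from that excerpt; FF9999 is a made-up rule id used as the well-formed control case.

```python
"""Detect and repair malformed helpUri values in a flawfinder SARIF file.

Added example, not flawfinder's own code. A SARIF helpUri must be a single
URI; this script splits values that concatenate several http(s) URLs and
keeps the first one, preserving the others in the rule's help text.
"""
import json
import re
from urllib.parse import urlparse

# Matches the start of every absolute http(s) URL inside one string.
_URL_START = re.compile(r"https?://")


def split_concatenated_uris(value):
    """Return the list of absolute URLs glued together in `value`."""
    starts = [m.start() for m in _URL_START.finditer(value)]
    if not starts:
        return [value]
    bounds = starts + [len(value)]
    return [value[a:b] for a, b in zip(bounds, bounds[1:])]


def is_single_valid_uri(value):
    """True if `value` parses as exactly one absolute URI."""
    parts = urlparse(value)
    return bool(parts.scheme and parts.netloc) and len(split_concatenated_uris(value)) == 1


def repair_help_uris(sarif):
    """Fix every rule.helpUri in place; return the ids of the rules changed."""
    changed = []
    for run in sarif.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            uri = rule.get("helpUri")
            if uri is None or is_single_valid_uri(uri):
                continue
            uris = split_concatenated_uris(uri)
            rule["helpUri"] = uris[0]  # first CWE link becomes the help page
            rule.setdefault("help", {"text": "See also: " + " ".join(uris[1:])})
            changed.append(rule["id"])
    return changed


# Constructed sample mirroring the rule in the bug report; FF9999 is a made-up id.
SAMPLE = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Flawfinder", "rules": [
    {"id": "FF1030", "name": "race/access",
     "helpUri": "https://cwe.mitre.org/data/definitions/362.htmlhttps://cwe.mitre.org/data/definitions/367.html"},
    {"id": "FF9999", "name": "constructed/ok",
     "helpUri": "https://cwe.mitre.org/data/definitions/362.html"},
]}}}]}


def repair_sample():
    """Repair a deep copy of SAMPLE; return (changed rule ids, repaired document)."""
    doc = json.loads(json.dumps(SAMPLE))
    return repair_help_uris(doc), doc
```

Run it against a real scan with `repair_help_uris(json.load(open("flawfinder_results.sarif")))` and write the result back before the upload-sarif step.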
cooljeanius commented 11 months ago

dup of #66 perhaps?