github / codeql-action

Actions for running CodeQL analysis
MIT License

`upload-sarif@v3`: could not convert rules: invalid security severity value, is not a number: undefined #2187

Open NiccoloFei opened 8 months ago

NiccoloFei commented 8 months ago

Hi, recently I'm seeing the following error when running the upload-sarif@v3 GH action. Example failure: https://github.com/cloudnative-pg/postgres-containers/actions/runs/8196632252/job/22417260216

```text
Uploading results
  Processing sarif files: ["snyk.sarif"]
  Uploading results
  Successfully uploaded results
Waiting for processing to finish
  Analysis upload status is pending.
  Analysis upload status is failed.
Error: Code Scanning could not process the submitted SARIF file:
could not convert rules: invalid security severity value, is not a number: undefined
Error: Code Scanning could not process the submitted SARIF file:
could not convert rules: invalid security severity value, is not a number: undefined
    at Object.waitForProcessing (/home/runner/work/_actions/github/codeql-action/v3/lib/upload-lib.js:359:27)
    at async run (/home/runner/work/_actions/github/codeql-action/v3/lib/upload-sarif-action.js:58:13)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/v3/lib/upload-sarif-action.js:76:9)
```

I'm not sure what could cause that. The upload was working just fine and started failing the last few days. Any help is appreciated, thanks in advance!

mbg commented 8 months ago

Hi @NiccoloFei 👋

I'll check with the team to see if we have made any changes to the SARIF upload recently that could be responsible for this, but have you verified that the file generated by Snyk is actually a valid SARIF file? If so, could you make the SARIF file available?

NiccoloFei commented 8 months ago

Attaching the SARIF content below:

Sarif content:

```json
{ "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", "version": "2.1.0", "runs": [
{ "tool": { "driver": { "name": "Snyk Container", "properties": { "artifactsScanned": 169 }, "rules": [
{ "id": "SNYK-DEBIAN11-EXPAT-6227598", "shortDescription": { "text": "High severity - Resource Exhaustion vulnerability in expat" }, "fullDescription": { "text": "(CVE-2023-52425) expat/libexpat1@2.2.10-2+deb11u5" }, "help": { "text": "", "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nThere is no fixed version for `Debian:11` `expat`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-52425)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n" }, "defaultConfiguration": { "level": "error" }, "properties": { "tags": [ "security", "CWE-400", "deb" ], "cvssv3_baseScore": 7.5, "security-severity": "7.5" } },
{ "id": "SNYK-DEBIAN11-SYSTEMD-6277510", "shortDescription": { "text": "High severity - Allocation of Resources Without Limits or Throttling vulnerability in systemd" }, "fullDescription": { "text": "(CVE-2023-50387) systemd/libsystemd0@247.3-7+deb11u4" }, "help": { "text": "", "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `systemd` package and not the `systemd` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nCertain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.\n## Remediation\nThere is no fixed version for `Debian:11` `systemd`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-50387)\n- [cve@mitre.org](https://datatracker.ietf.org/doc/html/rfc4035)\n- [cve@mitre.org](https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html)\n- [cve@mitre.org](https://kb.isc.org/docs/cve-2023-50387)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=39367411)\n- [cve@mitre.org](https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/)\n- [cve@mitre.org](https://www.athene-center.de/aktuelles/key-trap)\n- [cve@mitre.org](https://www.isc.org/blogs/2024-bind-security-release/)\n- [cve@mitre.org](https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/)\n- [cve@mitre.org](https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=39372384)\n- [cve@mitre.org](https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1)\n- [cve@mitre.org](https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html)\n- [cve@mitre.org](https://access.redhat.com/security/cve/CVE-2023-50387)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1219823)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387)\n- [cve@mitre.org](https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2024/02/16/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2024/02/16/3)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/)\n" }, "defaultConfiguration": { "level": "error" }, "properties": { "tags": [ "security", "CWE-770", "deb" ], "cvssv3_baseScore": 7.5, "security-severity": "7.5" } },
{ "id": "SNYK-DEBIAN11-ZLIB-6008961", "shortDescription": { "text": "Critical severity - Integer Overflow or Wraparound vulnerability in zlib" }, "fullDescription": { "text": "(CVE-2023-45853) zlib/zlib1g@1:1.2.11.dfsg-2+deb11u2" }, "help": { "text": "", "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.\n## Remediation\nThere is no fixed version for `Debian:11` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n- [cve@mitre.org](https://pypi.org/project/pyminizip/#history)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202401-18)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2024/01/24/10)\n" }, "defaultConfiguration": { "level": "error" }, "properties": { "tags": [ "security", "CWE-190", "deb" ], "cvssv3_baseScore": 9.8, "security-severity": "9.8" } } ] } }, "results": [
{ "ruleId": "SNYK-DEBIAN11-EXPAT-6227598", "level": "error", "message": { "text": "This file introduces a vulnerable expat package with a high severity vulnerability." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "Debian/14/Dockerfile" }, "region": { "startLine": 1 } }, "logicalLocations": [ { "fullyQualifiedName": "expat@2.2.10-2+deb11u5" } ] } ] },
{ "ruleId": "SNYK-DEBIAN11-SYSTEMD-6277510", "level": "error", "message": { "text": "This file introduces a vulnerable systemd package with a high severity vulnerability." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "Debian/14/Dockerfile" }, "region": { "startLine": 1 } }, "logicalLocations": [ { "fullyQualifiedName": "systemd@247.3-7+deb11u4" } ] } ] },
{ "ruleId": "SNYK-DEBIAN11-ZLIB-6008961", "level": "error", "message": { "text": "This file introduces a vulnerable zlib package with a critical severity vulnerability." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "Debian/14/Dockerfile" }, "region": { "startLine": 1 } }, "logicalLocations": [ { "fullyQualifiedName": "zlib@1:1.2.11.dfsg-2+deb11u2" } ] } ] } ] },
{ "tool": { "driver": { "name": "Snyk Container", "properties": { "artifactsScanned": 39 }, "rules": [ { "id": "snyk:lic:pip:barman:GPL-3.0", "shortDescription": { "text": "High severity - GPL-3.0 license vulnerability in barman" }, "fullDescription": { "text": "barman@3.10.0" }, "help": { "text": "", "markdown": "GPL-3.0 license" }, "defaultConfiguration": { "level": "error" }, "properties": { "tags": [ "security", "pip" ], "security-severity": "undefined" } } ] } }, "results": [ { "ruleId": "snyk:lic:pip:barman:GPL-3.0", "level": "error", "message": { "text": "This file introduces a vulnerable barman package with a high severity vulnerability." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "/requirements.txt" }, "region": { "startLine": 1 } }, "logicalLocations": [ { "fullyQualifiedName": "barman@3.10.0" } ] } ] } ] },
{ "tool": { "driver": { "name": "Snyk Container", "properties": { "artifactsScanned": 2 }, "rules": [] } }, "results": [] } ] }
```

aeisenberg commented 8 months ago

I'm pretty sure it's because your sarif has "security-severity": "undefined". I don't know what this value is supposed to be, but you should probably check with snyk to see if there is a known workaround. Otherwise, you can try post-processing the sarif before uploading.

abstractj commented 8 months ago

@aeisenberg your assessment seems accurate to me. I tried to downgrade upload-sarif to v2 and the issue persists.

aeisenberg commented 8 months ago

I'd recommend post-processing the SARIF that snyk produces to remove the undefined. I am not sure what value should replace it, but it should be numeric.

LeviPesin commented 8 months ago

Is there any issue open with Snyk? I'm getting the exact same error, except with undefined replaced by null: https://github.com/warriors-life/yokohama-proxy/actions/runs/8211361886/job/22460200402.

aeisenberg commented 8 months ago

There are no issues that I am aware of. I'd recommend that you raise one. This appears to be a recent change seeing as how there are multiple reports in this issue.

LeviPesin commented 8 months ago

Where can I create an issue? It seems like issues are disabled in the https://github.com/snyk/actions repository.

aeisenberg commented 8 months ago

See here https://github.com/snyk/actions/blob/master/CONTRIBUTING.md#reporting-issues.

aklira commented 8 months ago

Same problem here: https://github.com/fledge-power/fledgepower-deployment/actions/runs/8286079944/job/22675227175

LeviPesin commented 8 months ago

> See here https://github.com/snyk/actions/blob/master/CONTRIBUTING.md#reporting-issues.

Thank you, submitted a ticket there!

mykolaveremeichyk commented 8 months ago

> See here https://github.com/snyk/actions/blob/master/CONTRIBUTING.md#reporting-issues.
>
> Thank you, submitted a ticket there!

Are there any updates regarding the submitted ticket?

LeviPesin commented 8 months ago

They've replied only today with a request to provide the full SARIF file (well, they could've downloaded it from just any run).

mprado-enclave commented 7 months ago

This behavior is expected - licenses and vulnerabilities were originally designed with a common structure but license-related findings are now managed differently. That is, license-related findings do not indicate a security vulnerability and are labeled as 'undefined'. You can use the `--sarif-file-output=snyk.sarif` arg and add the following lines to fix it:

```yaml
   - name: Replace security-severity undefined for license-related findings
     run: sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
```

aklira commented 1 month ago

> This behavior is expected - licenses and vulnerabilities were originally designed with a common structure but license-related findings are now managed differently. That is, license-related findings do not indicate a security vulnerability and are labeled as 'undefined'. You can use the `--sarif-file-output=snyk.sarif` arg and add the following lines to fix it:
>
> ```yaml
>    - name: Replace security-severity undefined for license-related findings
>      run: sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
> ```

I had to add the following line to fix the issue:

```shell
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
```
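The two `sed` workarounds above (one for `"undefined"`, one for `"null"`) each match a single literal spelling. As an added example that is not part of this thread or of either project's code, here is a JSON-aware post-processing step that walks `runs[].tool.driver.rules[].properties["security-severity"]` and replaces any value that is not a 0.0-10.0 number (string `"undefined"`, string `"null"`, JSON `null`, empty string) with the `"0"` the thread settled on; the sample SARIF it ships with is constructed, and the `snyk:lic:pip:example:MIT` rule id in it is hypothetical.

```python
import re
from copy import deepcopy

# Code Scanning needs security-severity as a numeric 0.0-10.0 score in string form; Snyk license findings carry "undefined"/"null".
_NUMERIC = re.compile(r"^\d+(\.\d+)?$")

def is_valid_severity(value) -> bool:
    """True only for a numeric score within 0.0-10.0 (str, int or float)."""
    if isinstance(value, bool):           # bool is an int subclass; reject it explicitly
        return False
    if isinstance(value, (int, float)):
        return 0.0 <= float(value) <= 10.0
    if isinstance(value, str) and _NUMERIC.match(value.strip()):
        return 0.0 <= float(value) <= 10.0
    return False                          # None, "undefined", "null", "", ...

def fix_security_severity(sarif: dict, replacement: str = "0") -> list:
    """Rewrite every invalid security-severity in place; return ids of the rules touched."""
    changed = []
    for run in sarif.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            props = rule.get("properties")
            if not isinstance(props, dict) or "security-severity" not in props:
                continue                  # absent is accepted; only a present non-number fails
            if not is_valid_severity(props["security-severity"]):
                props["security-severity"] = replacement
                changed.append(rule.get("id", "<no id>"))
    return changed

# Constructed sample shaped like the Snyk SARIF above; the MIT rule id is hypothetical (JSON-null variant).
SAMPLE = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "Snyk Container", "rules": [
            {"id": "SNYK-DEBIAN11-EXPAT-6227598",
             "properties": {"tags": ["security", "CWE-400", "deb"], "security-severity": "7.5"}},
        ]}}, "results": []},
        {"tool": {"driver": {"name": "Snyk Container", "rules": [
            {"id": "snyk:lic:pip:barman:GPL-3.0",
             "properties": {"tags": ["security", "pip"], "security-severity": "undefined"}},
            {"id": "snyk:lic:pip:example:MIT",
             "properties": {"tags": ["security", "pip"], "security-severity": None}},
        ]}}, "results": []},
    ],
}

def fix_sample() -> tuple:
    """Run the fixer on a copy of SAMPLE; returns (fixed_document, changed_rule_ids)."""
    doc = deepcopy(SAMPLE)
    return doc, fix_security_severity(doc)
```

In a workflow, run this between the Snyk step and `upload-sarif`, wrapping `fix_security_severity` in `json.load`/`json.dump` on `snyk.sarif`, and print the returned ids so the log shows exactly which license rules were rewritten.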