search

github / codeql-action

Actions for running CodeQL analysis
MIT License
1.09k stars 305 forks source link

`upload-sarif@v3`: could not convert rules: invalid security severity value, is not a number: undefined #2187

Open NiccoloFei opened 4 months ago

NiccoloFei commented 4 months ago

Hi, recently I'm seeing the following error when running the upload-sarif@v3 GH action. Example failure: https://github.com/cloudnative-pg/postgres-containers/actions/runs/8196632252/job/22417260216

Uploading results
  Processing sarif files: ["snyk.sarif"]
  Uploading results
  Successfully uploaded results
Waiting for processing to finish
  Analysis upload status is pending.
  Analysis upload status is failed.
Error: Code Scanning could not process the submitted SARIF file:
could not convert rules: invalid security severity value, is not a number: undefined
Error: Code Scanning could not process the submitted SARIF file:
could not convert rules: invalid security severity value, is not a number: undefined
    at Object.waitForProcessing (/home/runner/work/_actions/github/codeql-action/v3/lib/upload-lib.js:359:[27](https://github.com/cloudnative-pg/postgres-containers/actions/runs/8196632252/job/22417260216#step:11:28))
    at async run (/home/runner/work/_actions/github/codeql-action/v3/lib/upload-sarif-action.js:58:13)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/v3/lib/upload-sarif-action.js:76:9)

I'm not sure what could cause that. The upload was working just fine and started failing the last few days. Any help is appreciated, thanks in advance!

mbg commented 4 months ago

Hi @NiccoloFei 👋

I'll check with the team to see if we have made any changes to the SARIF upload recently that could be responsible for this, but have you verified that the file generated by Snyk is actually a valid SARIF file? If so, could you make the SARIF file available?

NiccoloFei commented 4 months ago

Attaching the SARIF content below:

Sarif content: ``` { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", "version": "2.1.0", "runs": [ { "tool": { "driver": { "name": "Snyk Container", "properties": { "artifactsScanned": 169 }, "rules": [ { "id": "SNYK-DEBIAN11-EXPAT-6227598", "shortDescription": { "text": "High severity - Resource Exhaustion vulnerability in expat" }, "fullDescription": { "text": "(CVE-2023-52425) expat/libexpat1@2.2.10-2+deb11u5" }, "help": { "text": "", "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nThere is no fixed version for `Debian:11` `expat`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-52425)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n" }, "defaultConfiguration": { "level": "error" }, "properties": { "tags": [ "security", "CWE-400", "deb" ], "cvssv3_baseScore": 7.5, "security-severity": "7.5" } }, { "id": "SNYK-DEBIAN11-SYSTEMD-6277510", "shortDescription": { "text": "High severity - Allocation of Resources Without Limits or Throttling vulnerability in systemd" }, "fullDescription": { "text": "(CVE-2023-50387) systemd/libsystemd0@247.3-7+deb11u4" }, "help": { "text": "", "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `systemd` package and not the `systemd` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nCertain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.\n## Remediation\nThere is no fixed version for `Debian:11` `systemd`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-50387)\n- [cve@mitre.org](https://datatracker.ietf.org/doc/html/rfc4035)\n- [cve@mitre.org](https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html)\n- [cve@mitre.org](https://kb.isc.org/docs/cve-2023-50387)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=39367411)\n- [cve@mitre.org](https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/)\n- [cve@mitre.org](https://www.athene-center.de/aktuelles/key-trap)\n- [cve@mitre.org](https://www.isc.org/blogs/2024-bind-security-release/)\n- [cve@mitre.org](https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/)\n- [cve@mitre.org](https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=39372384)\n- [cve@mitre.org](https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1)\n- [cve@mitre.org](https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html)\n- [cve@mitre.org](https://access.redhat.com/security/cve/CVE-2023-50387)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1219823)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387)\n- [cve@mitre.org](https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2024/02/16/2)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2024/02/16/3)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/)\n" }, "defaultConfiguration": { "level": "error" }, "properties": { "tags": [ "security", "CWE-770", "deb" ], "cvssv3_baseScore": 7.5, "security-severity": "7.5" } }, { "id": "SNYK-DEBIAN11-ZLIB-6008961", "shortDescription": { "text": "Critical severity - Integer Overflow or Wraparound vulnerability in zlib" }, "fullDescription": { "text": "(CVE-2023-45853) zlib/zlib1g@1:1.2.11.dfsg-2+deb11u2" }, "help": { "text": "", "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:11` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.\n## Remediation\nThere is no fixed version for `Debian:11` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n- [cve@mitre.org](https://pypi.org/project/pyminizip/#history)\n- [cve@mitre.org](https://security.gentoo.org/glsa/202401-18)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2024/01/24/10)\n" }, "defaultConfiguration": { "level": "error" }, "properties": { "tags": [ "security", "CWE-190", "deb" ], "cvssv3_baseScore": 9.8, "security-severity": "9.8" } } ] } }, "results": [ { "ruleId": "SNYK-DEBIAN11-EXPAT-6227598", "level": "error", "message": { "text": "This file introduces a vulnerable expat package with a high severity vulnerability." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "Debian/14/Dockerfile" }, "region": { "startLine": 1 } }, "logicalLocations": [ { "fullyQualifiedName": "expat@2.2.10-2+deb11u5" } ] } ] }, { "ruleId": "SNYK-DEBIAN11-SYSTEMD-6277510", "level": "error", "message": { "text": "This file introduces a vulnerable systemd package with a high severity vulnerability." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "Debian/14/Dockerfile" }, "region": { "startLine": 1 } }, "logicalLocations": [ { "fullyQualifiedName": "systemd@247.3-7+deb11u4" } ] } ] }, { "ruleId": "SNYK-DEBIAN11-ZLIB-6008961", "level": "error", "message": { "text": "This file introduces a vulnerable zlib package with a critical severity vulnerability." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "Debian/14/Dockerfile" }, "region": { "startLine": 1 } }, "logicalLocations": [ { "fullyQualifiedName": "zlib@1:1.2.11.dfsg-2+deb11u2" } ] } ] } ] }, { "tool": { "driver": { "name": "Snyk Container", "properties": { "artifactsScanned": 39 }, "rules": [ { "id": "snyk:lic:pip:barman:GPL-3.0", "shortDescription": { "text": "High severity - GPL-3.0 license vulnerability in barman" }, "fullDescription": { "text": "barman@3.10.0" }, "help": { "text": "", "markdown": "GPL-3.0 license" }, "defaultConfiguration": { "level": "error" }, "properties": { "tags": [ "security", "pip" ], "security-severity": "undefined" } } ] } }, "results": [ { "ruleId": "snyk:lic:pip:barman:GPL-3.0", "level": "error", "message": { "text": "This file introduces a vulnerable barman package with a high severity vulnerability." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "/requirements.txt" }, "region": { "startLine": 1 } }, "logicalLocations": [ { "fullyQualifiedName": "barman@3.10.0" } ] } ] } ] }, { "tool": { "driver": { "name": "Snyk Container", "properties": { "artifactsScanned": 2 }, "rules": [] } }, "results": [] } ] } ```
aeisenberg commented 4 months ago

I'm pretty sure it's because your sarif has "security-severity": "undefined". I don't know what this value is supposed to be, but you should probably check with snyk to see if there is a known workaround. Otherwise, you can try post-processing the sarif before uploading.

abstractj commented 3 months ago

@aeisenberg your assessment seems accurate to me. I tried to downgrade upload-sarif to v2 and the issue persists.

aeisenberg commented 3 months ago

I'd recommend post-processing the SARIF that snyk produces to remove the undefined. I am not sure what value should replace it, but it should be numeric.

LeviPesin commented 3 months ago

Is there any issue opened within the Snyk? I'm getting the same exact error, except of undefined replaced with null: https://github.com/warriors-life/yokohama-proxy/actions/runs/8211361886/job/22460200402.

aeisenberg commented 3 months ago

There are no issues that I am aware of. I'd recommend that you raise one. This appears to be a recent change seeing as how there are multiple reports in this issue.

LeviPesin commented 3 months ago

Where can I create an issue? It seems like issues are disabled in the https://github.com/snyk/actions repository.

aeisenberg commented 3 months ago

See here https://github.com/snyk/actions/blob/master/CONTRIBUTING.md#reporting-issues.

aklira commented 3 months ago

Same problem here: https://github.com/fledge-power/fledgepower-deployment/actions/runs/8286079944/job/22675227175

LeviPesin commented 3 months ago

See here https://github.com/snyk/actions/blob/master/CONTRIBUTING.md#reporting-issues.

Thank you, submitted a ticket there!

mykolaveremeichyk commented 3 months ago

See here https://github.com/snyk/actions/blob/master/CONTRIBUTING.md#reporting-issues.

Thank you, submitted a ticket there!

Are there any updates regarding the submitted ticket?

LeviPesin commented 3 months ago

They've replied only today with a request to provide the full SARIF file (well, they could've downloaded it from just any run).

mprado-enclave commented 3 months ago

This behavior is expected - licenses and vulnerabilities were originally designed with a common structure but license-related findings are now managed differently. That is, license-related findings do not indicate a security vulnerability and are labeled as 'undefined'. You can use use the --sarif-file-output=snyk.sarif arg and add the following lines to fix it:

   - name: Replace security-severity undefined for license-related findings 
     run: sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif