google / osv-scanner-action

https://google.github.io/osv-scanner/github-action/
Apache License 2.0

configuration not found warning when using unified gh workflow #7

Open shahar-h opened 6 months ago

shahar-h commented 6 months ago

I'm using the unified osv-scanner gh workflow in my repo:

name: OSV-Scanner

on:
  pull_request:
    branches:
    - "main"
  merge_group:
    branches:
    - "main"
  push:
    branches:
    - "main"
  schedule:
  - cron: '44 15 * * 5'

permissions:
  contents: read

jobs:
  scan-scheduled:
    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78"  # v1.7.1
    permissions:
      contents: read
      # Require writing security events to upload SARIF file to security tab
      security-events: write
  scan-pr:
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78"  # v1.7.1
    permissions:
      contents: read
      # Require writing security events to upload SARIF file to security tab
      security-events: write

I get the following warning on PRs:

[image: screenshot of the warning]

I guess that it's related to the fact that the job name is different between reusable workflows:

Can you assist?

another-rex commented 6 months ago

I'm having some trouble reproducing this issue, I copied the GH workflow you provided to a new repo, and it seems to work for me. (https://github.com/another-rex/oss-fuzz-gen/blob/main/.github/workflows/osv-scanner.yml)

https://github.com/another-rex/oss-fuzz-gen/pull/1

Can you provide a bit more detail or a link to the repository (if it's public) where you are running into this issue?

One thing to check is maybe your main branch might be called master?

shahar-h commented 6 months ago

You also have the same warning in Code scanning results / osv-scanner check: https://github.com/another-rex/oss-fuzz-gen/pull/1/checks?check_run_id=24407746581

another-rex commented 6 months ago

Not sure this can be fixed, I believe the issue is with the fact that we skip the scheduled scan on PRs, and only perform the PR code scanning. So GitHub can't find the sarif file for the scheduled scan. I also might be misinterpreting what that warning means though.

shahar-h commented 6 months ago

The warning disappeared once I renamed the job name in osv-scanner-reusable-pr.yml from scan-pr to osv-scan (same as in osv-scanner-reusable.yml): https://github.com/shahar-h/osv-scanner-action/commit/28046d1755e91d7bc80ec9af5687999384ca9438

[image: screenshot showing the warning gone]
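To make the mechanism behind the two comments above concrete (the scheduled scan being skipped on PRs, and the warning going away once both reusable workflows use the same job name), here is a small model of how GitHub code scanning pairs a pull-request upload with the base-branch upload it compares against. This is an added example, not code from osv-scanner-action or from GitHub. It assumes, based on the public code scanning API, that an upload is identified by the tool name, an analysis key of the form `<workflow path>:<job id>`, and the SARIF category (`runs[].automationDetails.id`); which workflow path and job id GitHub uses for a reusable workflow is an assumption here, as are the constructed SARIF documents and the `CALLER_WORKFLOW` constant.

```python
"""Model of how GitHub code scanning matches a PR analysis to a base-branch
analysis, reproducing the "configuration not found" warning from the thread.

Added example, not code from osv-scanner-action or GitHub. Assumptions:
an upload is identified by (tool name, "<workflow path>:<job id>", SARIF
category); the caller workflow path and the job id of the job that ran the
upload step are what GitHub keys on; SARIF bodies below are constructed.
"""
import json
from dataclasses import dataclass

# Assumption: the caller workflow from the issue, not the reusable workflow.
CALLER_WORKFLOW = ".github/workflows/osv-scanner.yml"


@dataclass(frozen=True)
class Analysis:
    tool: str
    workflow: str   # workflow path used in the analysis key (assumption)
    job: str        # id of the job that ran the upload step (assumption)
    category: str   # runs[].automationDetails.id, "" when absent

    @property
    def key(self) -> str:
        """Analysis key in the "<workflow path>:<job id>" form used by the API."""
        return f"{self.workflow}:{self.job}"


def analysis_from_sarif(sarif_text: str, workflow: str, job: str) -> Analysis:
    """Pull the identifying fields out of an uploaded SARIF document."""
    run = json.loads(sarif_text)["runs"][0]
    tool = run["tool"]["driver"]["name"]
    category = run.get("automationDetails", {}).get("id", "")
    return Analysis(tool, workflow, job, category)


def missing_configurations(pr: list[Analysis], base: list[Analysis]) -> list[str]:
    """One warning per PR analysis with no counterpart on the base branch.

    Code scanning diffs a PR analysis against the base-branch analysis with
    the same (tool, key, category). When none exists it has nothing to diff
    against and reports that the configuration was not found on the base.
    """
    present = {(a.tool, a.key, a.category) for a in base}
    return [
        f"configuration not found on base branch: {a.tool} key={a.key!r} "
        f"category={a.category!r}"
        for a in pr
        if (a.tool, a.key, a.category) not in present
    ]


def sarif_doc(tool: str = "osv-scanner") -> str:
    """Constructed minimal SARIF body with no automationDetails category."""
    return json.dumps({
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool}}, "results": []}],
    })


def simulate(pr_job: str, base_job: str = "osv-scan") -> list[str]:
    """Base branch scanned by osv-scanner-reusable.yml (job id base_job) on
    push/schedule; the PR scanned by osv-scanner-reusable-pr.yml (job id
    pr_job). Only the PR job runs on pull_request, so the base upload is the
    one from the last push to main."""
    base = [analysis_from_sarif(sarif_doc(), CALLER_WORKFLOW, base_job)]
    pr = [analysis_from_sarif(sarif_doc(), CALLER_WORKFLOW, pr_job)]
    return missing_configurations(pr, base)


if __name__ == "__main__":
    # Job ids differ between the two reusable workflows: a warning is raised.
    print("as shipped:   ", simulate("scan-pr"))
    # After renaming the PR job to match the scheduled one, the keys agree.
    print("after rename: ", simulate("osv-scan"))
```

The model only captures the key-matching rule; it says nothing about whether the PR and base uploads happened on compatible commits, which is a separate reason GitHub can fail to pair analyses.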

shahar-h commented 6 months ago

@another-rex any update?

another-rex commented 1 week ago

Hmm... even after the fix I recently ran into this again when using the new GitHub Rulesets feature. Reopening this to investigate further.