microsoft / sarif-azuredevops-extension-legacy

An Azure DevOps extension encapsulating the SARIF Web Component.
MIT License

Unable to render SARIF web component in Azure DevOps build tab #2

Closed rogeriopeixotocx closed 3 years ago

rogeriopeixotocx commented 3 years ago

I'm currently trying to view SARIF results in Azure DevOps pipelines with this extension and I'm having this 404 error in the browser console and the SARIF web component does not fully render:

[image]

The build is running fine and I'm pretty sure there are results in the scanned files as you can see in the logs:

[image]

Here's the relevant pipeline snippet:

stages:
- stage: Kics
  displayName: Kics
  jobs:
  - job: runKics
    displayName: runKics
    steps:
      - script: |
          OS=$(uname -s)
          LATEST_TAG=$(curl --silent "https://api.github.com/repos/Checkmarx/kics/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
          LATEST_VERSION=${LATEST_TAG#v}
          PACKAGE_NAME=kics_${LATEST_VERSION}_${OS}_x64.tar.gz
          TARGET_DIR=/home/vsts/kics
          mkdir -p ${TARGET_DIR}
          wget -q -c https://github.com/Checkmarx/kics/releases/download/${LATEST_TAG}/${PACKAGE_NAME} -O - | tar -xz -C ${TARGET_DIR}
          echo '--- START SCANNING ---'
          ${TARGET_DIR}/kics --no-progress -q ${TARGET_DIR}/assets/queries -p ${PWD} -o ${PWD}/kics-results.sarif
          ls -la
      - publish: $(System.DefaultWorkingDirectory)/kics-results.sarif
        artifact: CodeAnalysisLogs

meadisu27 commented 3 years ago

YMMV, but when I use the "Publish build artifacts" task instead of the "Publish Pipeline Artifact" it seems to render properly.

rogeriopeixotocx commented 3 years ago

@meadisu27 "Publish build artifacts" task seems to only work with Windows runners, which breaks my scenario. I'm using ubuntu-latest as pool.vmImage.

mhabegger commented 3 years ago

It seems to be related to West Europe hosted DevOps contents. From my understanding the component will download the artifact's ZIP from artprodsu6weu.artifacts... however, the API available here does not seem to respond properly to the Accept header property stating the required version 5.2-preview.5.

The original request contains:

Accept: application/zip;api-version=5.2-preview.5;excludeUrls=true;enumsAsNumbers=true;msDateFormat=true;noArrayWrap=true

if changed to

Accept: application/zip;excludeUrls=true;enumsAsNumbers=true;msDateFormat=true;noArrayWrap=true

the extension works, SARIF artifacts are downloaded and displayed.

I've tried this and was able to get around it using a header editor in the browser such as https://he.firefoxcn.net/.

mhabegger commented 3 years ago

@rogeriopeixotocx Artifacts Publishing works under ubuntu as well. Here's what we are using:

- task: PublishPipelineArtifact@1
  displayName: 'SARIF Artifacts'
  inputs:
    targetPath: CodeAnalysisLogs
    artifact: CodeAnalysisLogs

rogeriopeixotocx commented 3 years ago

Hello @mhabegger

Thank you for your comment. I've made some changes to the pipeline and I'm still having issues:

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

stages:
- stage: Kics
  displayName: Kics
  jobs:
  - job: runKics
    displayName: runKics
    steps:
      - script: |
          OS=$(uname -s)
          LATEST_TAG=$(curl --silent "https://api.github.com/repos/Checkmarx/kics/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
          LATEST_VERSION=${LATEST_TAG#v}
          PACKAGE_NAME=kics_${LATEST_VERSION}_${OS}_x64.tar.gz
          TARGET_DIR=/home/vsts/kics
          mkdir -p ${TARGET_DIR}
          wget -q -c https://github.com/Checkmarx/kics/releases/download/${LATEST_TAG}/${PACKAGE_NAME} -O - | tar -xz -C ${TARGET_DIR}
          echo '--- START SCANNING ---'
          ${TARGET_DIR}/kics --no-progress -q ${TARGET_DIR}/assets/queries -p ${PWD} -o ${PWD}/kics-results.sarif
          ls -la
      - task: PublishPipelineArtifact@1
        displayName: 'SARIF Artifacts'
        inputs:
          targetPath: $(System.DefaultWorkingDirectory)/kics-results.sarif
          artifact: CodeAnalysisLogs

[image]

willemm commented 3 years ago

I also managed to fix this by switching from PublishPipelineArtifacts to PublishBuildArtifacts.

rogeriopeixotocx commented 3 years ago

I was finally able to render the SARIF web viewer with PublishBuildArtifacts.

[image]

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

stages:
- stage: Kics
  displayName: Kics
  jobs:
  - job: runKics
    displayName: runKics
    steps:
      - script: |
          OS=$(uname -s)
          LATEST_TAG=$(curl --silent "https://api.github.com/repos/Checkmarx/kics/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
          LATEST_VERSION=${LATEST_TAG#v}
          PACKAGE_NAME=kics_${LATEST_VERSION}_${OS}_x64.tar.gz
          TARGET_DIR=/home/vsts/kics
          mkdir -p ${TARGET_DIR}
          wget -q -c https://github.com/Checkmarx/kics/releases/download/${LATEST_TAG}/${PACKAGE_NAME} -O - | tar -xz -C ${TARGET_DIR}
          echo '--- START SCANNING ---'
          ${TARGET_DIR}/kics scan --no-progress -q ${TARGET_DIR}/assets/queries -p ${PWD} -o ${PWD}/kics-results.sarif
          ls -la
      #- task: PublishPipelineArtifact@1
      #  displayName: 'SARIF Artifacts'
      #  inputs:
      #    targetPath: $(System.DefaultWorkingDirectory)/kics-results.sarif
      #    artifact: CodeAnalysisLogs
      - task: PublishBuildArtifacts@1
        inputs:
          pathToPublish: $(System.DefaultWorkingDirectory)/kics-results.sarif
          artifactName: CodeAnalysisLogs
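Since the replies above hinge on whether the tab is blank because of how the artifact was published or because the SARIF itself is empty, here is an added check (not code from the extension or from anyone in this issue) that summarises a SARIF 2.1.0 log such as kics-results.sarif before it is published; the embedded sample log and its rule id are constructed.

```python
"""Sanity-check a SARIF log before publishing it as a build artifact.
Added example, not code from the sarif-azuredevops-extension project or the
issue's pipelines; assumes one SARIF 2.1.0 file such as kics-results.sarif above.
"""
import json
import sys
from collections import Counter

def summarize_sarif(text: str) -> dict:
    """Parse SARIF JSON text; return run/result counts and a per-level tally."""
    log = json.loads(text)
    if log.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version: {log.get('version')!r}")
    runs = log.get("runs") or []
    levels: Counter = Counter()
    total = 0
    for run in runs:
        for result in run.get("results") or []:
            total += 1
            # A missing result.level means "warning" (rule defaults not consulted here).
            levels[result.get("level", "warning")] += 1
    return {"runs": len(runs), "results": total, "levels": dict(levels)}

# Constructed minimal SARIF log for the self-check below (not real kics output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "KICS", "rules": [{"id": "constructed-rule"}]}},
        "results": [
            {"ruleId": "constructed-rule", "level": "error",
             "message": {"text": "constructed finding"}},
            {"ruleId": "constructed-rule", "message": {"text": "level omitted"}},
        ],
    }],
})

def check_file(path: str) -> int:
    """Summarise the SARIF file at path; return 1 when it holds no results."""
    with open(path, encoding="utf-8") as fh:
        summary = summarize_sarif(fh.read())
    print(f"{path}: {summary['runs']} run(s), {summary['results']} result(s), "
          f"by level {summary['levels']}")
    return 0 if summary["results"] else 1

if __name__ == "__main__":
    print(summarize_sarif(SAMPLE_SARIF))  # constructed sample: 1 run, 2 results
    if len(sys.argv) > 1:
        sys.exit(check_file(sys.argv[1]))
```

Run it as a script step after the kics scan and before the publish task; a non-zero exit tells you the scan produced no findings, so an empty viewer afterwards is not a rendering problem.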