microsoft / sarif-sdk

.NET code and supporting files for working with the 'Static Analysis Results Interchange Format' (SARIF, see https://github.com/oasis-tcs/sarif-spec)

`npx @microsoft/sarif-multitool merge reports/*.sarif` yields empty runs for empty results #2551

Open jsoref opened 2 years ago

jsoref commented 2 years ago

Reported in: https://github.com/github/codeql-action/issues/390#issuecomment-786543363

reports/a.sarif:

```json
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      "artifacts": [],
      "columnKind": "unicodeCodePoints",
      "results": [],
      "tool": {
        "driver": {
          "fullName": "clang static analyzer",
          "language": "en-US",
          "name": "clang",
          "rules": [],
          "version": "clang version 10.0.0-4ubuntu1 "
        }
      }
    }
  ],
  "version": "2.1.0"
}
```

```console
$ rm -f merged.sarif; ls reports; npx @microsoft/sarif-multitool merge reports/*.sarif; cat merged.sarif
a.sarif
Merge completed in 00:00:00.5145477.
{
  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
  "version": "2.1.0",
  "runs": []
}
```

Expected results

The output should be a lot closer to the input.

Namely, all of the tool objects from all of the runs should be included in the merged output even if there were no results for a given run.

mathroule commented 11 months ago

Indeed, the empty runs is problematic. For instance, it leads to an error when uploading SARIF to GitHub: `Error when processing the SARIF file.`
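A pre-upload check for the condition described in this thread, as an added example that is not part of either comment or of sarif-sdk: it compares the tool drivers in the input logs with those in the merged log and reports any that were dropped. The function names and the name-plus-version driver key are assumptions made for this example; the sample objects are trimmed from the JSON in the issue.

```javascript
// Added example (not sarif-sdk code): verify a merged SARIF log kept every tool driver.

// Identify a run by its tool driver; using name + trimmed version is an assumption.
function driverKey(run) {
  const driver = (run && run.tool && run.tool.driver) || {};
  return `${driver.name || "<unnamed>"}@${String(driver.version || "").trim()}`;
}

// Return human-readable problems; an empty array means the merge kept every driver.
function checkMerge(inputLogs, mergedLog) {
  const problems = [];
  const mergedRuns = Array.isArray(mergedLog.runs) ? mergedLog.runs : [];
  const inputRuns = inputLogs.flatMap((log) => (Array.isArray(log.runs) ? log.runs : []));
  // Inputs had runs but the merge produced none: the case reported in the issue.
  if (inputRuns.length > 0 && mergedRuns.length === 0) {
    problems.push("merged log has an empty runs array");
  }
  // Every driver seen in the inputs must still be present, even with zero results.
  const kept = new Set(mergedRuns.map(driverKey));
  for (const key of new Set(inputRuns.map(driverKey))) {
    if (!kept.has(key)) problems.push(`tool driver missing from merged log: ${key}`);
  }
  return problems;
}

// Input from the issue (reports/a.sarif), trimmed to the fields the check reads.
const inputA = {
  version: "2.1.0",
  runs: [
    {
      results: [],
      tool: { driver: { name: "clang", version: "clang version 10.0.0-4ubuntu1 " } },
    },
  ],
};
// Merged output as shown in the issue.
const mergedFromIssue = { version: "2.1.0", runs: [] };
// Constructed: what a merge that keeps the zero-result run would contain.
const mergedExpected = { version: "2.1.0", runs: inputA.runs };

console.log(checkMerge([inputA], mergedFromIssue));
console.log(checkMerge([inputA], mergedExpected));
```

In CI, a non-empty result from `checkMerge` can fail the job before the merged file is uploaded, so a dropped analyzer run is caught at merge time rather than as an upload error.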