microsoft / sarif-sdk

.NET code and supporting files for working with the 'Static Analysis Results Interchange Format' (SARIF, see https://github.com/oasis-tcs/sarif-spec)

HDF->SARIF converters missing location, making invalid for use by GitHub #2694

Closed candrews closed 1 year ago

candrews commented 1 year ago

The SARIF generated by this tool from HDF does not pass GitHub validation.

To reproduce:

  1. Take this sample HDF: openscap-report.hdf.json.gz
  2. Use this project to convert it to SARIF: npx @microsoft/sarif-multitool@4.2.2 convert -t Hdf -o "openscap-report.sarif" "openscap-report.hdf.json"
     Here's the resulting SARIF (I pretty formatted it for readability): openscap-report.sarif.gz
  3. Use the validator at https://sarifweb.azurewebsites.net/Validation to validate the openscap-report.sarif file with the "GitHub ingestion rules" option selected.

Expected: Successful validation.

Actual: GH1001: Each result location must provide the property 'physicalLocation.artifactLocation.uri'. GitHub Advanced Security code scanning will not display a result whose location does not provide the URI of the artifact that contains the result.

When trying to use the SARIF in practice with GitHub's github/codeql-action/upload-sarif@v2 action as documented at https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository, GitHub fails to process the SARIF, as expected given the missing required location data. For an example of a failing GitHub Action, see https://github.com/candrews/jumpstart/actions/runs/5603707977/job/15181171825?pr=884#step:10:22; the failure is:

Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location
Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location

Trivy had the same problem a while back (see https://github.com/aquasecurity/trivy/issues/1038); they solved it by adding location/region information to the SARIF: https://github.com/AndreyLevchenko/trivy/commit/a8ec7ec6d7584a8388c1e18db03969b3bb5fb13a

Perhaps this tool could similarly add location information when it converts HDF->SARIF?
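The GH1001 check described above (every result location must carry `physicalLocation.artifactLocation.uri`) and the Trivy-style workaround of supplying a location are easy to reproduce locally before uploading. The script below is an added example, not code from the sarif-sdk project or the issue: it scans a SARIF 2.1.0 document for results GitHub would reject, and can patch them with a caller-chosen fallback artifact URI (the `fallback_uri` parameter is an assumption of this example; the result IDs and paths in `SAMPLE_SARIF` are constructed, not taken from the openscap report).

```python
"""Find SARIF results that GitHub code scanning rejects under GH1001 (each
result location must provide physicalLocation.artifactLocation.uri) and
optionally give them a fallback location so the file can be uploaded.

Added example; not part of the sarif-sdk project.  SAMPLE_SARIF is a
constructed document, not the openscap-report.sarif from the issue."""
import copy
import json
import sys

# Constructed sample: one result with a usable location, one with no
# "locations" array at all, and one whose physicalLocation has a region but
# no artifactLocation.uri (the shape that triggers GH1001).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-converter", "rules": []}},
        "results": [
            {"ruleId": "xccdf_rule_1", "message": {"text": "ok"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "etc/ssh/sshd_config"},
                 "region": {"startLine": 1}}}]},
            {"ruleId": "xccdf_rule_2", "message": {"text": "no locations"}},
            {"ruleId": "xccdf_rule_3", "message": {"text": "no uri"},
             "locations": [{"physicalLocation": {"region": {"startLine": 1}}}]},
        ],
    }],
}


def location_has_uri(location: dict) -> bool:
    """True if a single SARIF location object satisfies GH1001."""
    uri = (location.get("physicalLocation", {})
                   .get("artifactLocation", {})
                   .get("uri"))
    return isinstance(uri, str) and uri != ""


def find_gh1001_violations(sarif: dict) -> list:
    """Return (run_index, result_index, ruleId) for every result that has
    no locations or at least one location without artifactLocation.uri."""
    violations = []
    for run_idx, run in enumerate(sarif.get("runs", [])):
        for res_idx, result in enumerate(run.get("results", [])):
            locations = result.get("locations") or []
            if not locations or not all(location_has_uri(loc) for loc in locations):
                violations.append((run_idx, res_idx, result.get("ruleId")))
    return violations


def fill_fallback_locations(sarif: dict, fallback_uri: str) -> int:
    """Patch the document in place: every violating result gets a minimal
    physicalLocation pointing at fallback_uri (a caller-chosen artifact path,
    e.g. the scanned report itself), with a region of line 1 when none exists.
    Returns the number of results patched."""
    patched = 0
    for run_idx, res_idx, _ in find_gh1001_violations(sarif):
        result = sarif["runs"][run_idx]["results"][res_idx]
        locations = result.get("locations") or [{"physicalLocation": {}}]
        for loc in locations:
            phys = loc.setdefault("physicalLocation", {})
            art = phys.setdefault("artifactLocation", {})
            if not art.get("uri"):
                art["uri"] = fallback_uri
                phys.setdefault("region", {"startLine": 1})
        result["locations"] = locations
        patched += 1
    return patched


def repaired_copy(sarif: dict, fallback_uri: str) -> dict:
    """Non-destructive variant: return a patched deep copy of the document."""
    doc = copy.deepcopy(sarif)
    fill_fallback_locations(doc, fallback_uri)
    return doc


if __name__ == "__main__":
    # Usage: python check_gh1001.py [report.sarif]; without a path the
    # constructed sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            document = json.load(fh)
    else:
        document = SAMPLE_SARIF
    for run_i, res_i, rule in find_gh1001_violations(document):
        print(f"run {run_i} result {res_i} ({rule}): missing physicalLocation.artifactLocation.uri")
```

Run it against the converter's output before uploading; an empty report means GH1001 will pass. The fallback patch is a stopgap for files generated outside a repository, where there is no source line to point at, and deliberately keeps the original result content untouched.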

candrews commented 1 year ago

This issue has been resolved as of version 4.2.1.