microsoft / sarif-sdk

.NET code and supporting files for working with the 'Static Analysis Results Interchange Format' (SARIF, see https://github.com/oasis-tcs/sarif-spec)

Valid SARIF file being rejected by GitHub with locationFromSarifResult error #2770

Open blupants opened 8 months ago

blupants commented 8 months ago

My issue seems to be similar to this previous one.

I am using the trivy open source security scanner that generates valid SARIF files such as this one.

Most of the files get properly parsed and uploaded to the GitHub Security tab. However, when I try to upload this one using the "github/codeql-action/upload-sarif@v2" Action, I get the following error:

    Error: Code Scanning could not process the submitted SARIF file: locationFromSarifResult: expected artifact location
    Error: Code Scanning could not process the submitted SARIF file: locationFromSarifResult: expected artifact location
        at Object.waitForProcessing (/runner/_work/_actions/github/codeql-action/v2/lib/upload-lib.js:335:23)
        at async run (/runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:55:13)
        at async runWrapper (/runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:70:9)

I checked GitHub documentation [1] [2] and it points to this Microsoft SARIF validator. I uploaded my SARIF file multiple times to the validator and it always says the file is good.

Steps to reproduce:

1. Make sure trivy-results-sarif is validated by https://sarifweb.azurewebsites.net/Validation
2. Select a repo with GitHub Actions available and create a "sarif-issue" branch
3. Create a folder .github/workflows/config and add trivy-results-sarif to it: .github/workflows/config/trivy-results.sarif
4. Create a new Action .github/workflows/sarif-issue.yml that will upload the SARIF to GitHub
5. Commit the changes and push them to the "sarif-issue" branch
6. Job "Upload Trivy scan results to GitHub Security tab" will fail and throw the "locationFromSarifResult: expected artifact location" error.

na-jakobs commented 1 month ago

I hit the same issue, github/codeql-action/upload-sarif failed with locationFromSarifResult: expected artifact location.

@blupants This is due to the Trivy action scanning libraries as well.

If I run for example (same command Action invokes):

    trivy image --format sarif --output out.sarif --vuln-type os,library mcr.microsoft.com/dotnet/sdk:8.0-azurelinux3.0@sha256:c7e74bfb8704a1a538d52c18728e4d4772b44ae551b8d07053e23609807d2ece

I get an empty artifactLocation.uri in the output for this one library CVE; all the others (OS vulns) have locations:

        {
          "ruleId": "CVE-2024-38095",
          "ruleIndex": 6,
          "level": "error",
          "message": {
            "text": "Package: System.Formats.Asn1\nInstalled Version: 6.0.0\nVulnerability CVE-2024-38095\nSeverity: HIGH\nFixed Version: 6.0.1, 8.0.1\nLink: [CVE-2024-38095](https://avd.aquasec.com/nvd/cve-2024-38095)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },

Running with --vuln-type os works fine.
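A pre-upload check for the condition described in this thread, added here as an example (it is not code from sarif-sdk, Trivy or the codeql-action): it walks a SARIF log and lists every result that has no location with a non-empty physicalLocation.artifactLocation.uri, which is the shape the upload rejected above. The embedded SARIF log is constructed to mirror the quoted fragment; the second result's ruleId and path are made-up sample values.

```python
import json

# Constructed minimal SARIF log (not Trivy's real output) reproducing the shape
# quoted in the thread: one result whose artifactLocation.uri is "", and one
# constructed OS-level finding that has a proper uri.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy"}},
        "results": [
            {"ruleId": "CVE-2024-38095", "level": "error",
             "message": {"text": "Package: System.Formats.Asn1"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "", "uriBaseId": "ROOTPATH"}}}]},
            {"ruleId": "EXAMPLE-OS-0001", "level": "warning",  # constructed
             "message": {"text": "constructed OS finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "usr/lib/libexample.so",
                                      "uriBaseId": "ROOTPATH"}}}]},
        ],
    }],
})


def find_results_without_artifact_uri(sarif_text):
    """Return (run_index, result_index, ruleId) for every result that has no
    location carrying a non-empty physicalLocation.artifactLocation.uri.
    Results with no 'locations' at all are reported too, since they would
    equally fail the 'expected artifact location' check."""
    log = json.loads(sarif_text)
    offenders = []
    for run_idx, run in enumerate(log.get("runs", [])):
        for res_idx, result in enumerate(run.get("results", [])):
            has_uri = False
            for loc in result.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
                if isinstance(uri, str) and uri.strip():
                    has_uri = True
                    break
            if not has_uri:
                offenders.append((run_idx, res_idx, result.get("ruleId")))
    return offenders


if __name__ == "__main__":
    for run_idx, res_idx, rule in find_results_without_artifact_uri(SAMPLE_SARIF):
        print(f"runs[{run_idx}].results[{res_idx}] ({rule}): empty artifactLocation.uri")
```

Run it against a real trivy-results.sarif (e.g. `json.loads(open(path).read())`) before the upload step to see which library findings would trip the error; the Microsoft validator does not flag this case, as the original report shows.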