Open amitgupta7 opened 2 years ago
It seems that the CWE coverage is derived from the Applied Code Scanning Rules, which are code scanning rules that are retrieved from the sarif files that were previously generated by CodeQL's analysis action.
However, the expected format of the sarif files used to populate the rules
property of the SarifReport
is the following:
{
"file": "/home/runner/work/sample-repository/results/csharp.sarif",
"payload": {
"data": {
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool" : {
"driver" : {
"name" : "CodeQL",
"organization" : "GitHub",
"semanticVersion" : "2.2.5",
"rules": [ { } ]
}
}
}
]
}
}
}
Which doesn't quite match the output of the sarif report, which is in the format of:
{
"file": "/home/runner/work/sample-repository/results/csharp.sarif",
"payload": {
"data": {
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool" : {
"driver" : {
"name" : "CodeQL",
"organization" : "GitHub",
"semanticVersion" : "2.2.5",
"rules": []
},
"extensions": [
{
"name": "codeql/java-queries",
"semanticVersion": "0.0.13+4551af90f61a8d5f5c1c88a036595b5919a6c98e",
"locations": [ { } ],
"notifications": [ { } ],
"rules": [ { } ]
}
]
}
}
]
}
}
}
While the rules
property is still inside the driver
property, it will always be empty. So, in order to fix this issue it is necessary to get the rules of all extensions while considering that only extensions with rules applied will have a rules
property. This can be done in the getRules
function of the SarifReport
class.
I created a PR that makes the changes described above but keep in mind that I believe this approach works great for creating reports with only one language but not when you have more than one language.
The reasoning behind that is that the action uses GitHub's API to retrieve alerts, dependencies and vulnerabilities, which will have all the information of all the languages when the last language finishes its analysis; however, the sarif files will only have information of the rules related to the last language being analyzed.
There could potentially be a few ways to address that, but I am wondering if leveraging the rule associated with every alert in the alerts method of the API would suffice.
I might create another PR based on that, but I am not sure if the intent of the number of rules applied was the number of rules that were applied. If that is the case, then the fix would be easy.
Hi Peter,
The report generated from the action seems to be missing the CWE data, seems CWE labels are removed the Code Scanning alerts API. Please see attached, the summary PDF generated.
summary.pdf
@rohitnb @mohan-the-octocat @amol1717