Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG: URI "no file associated with this alert" in SARIF now invalid in github/codeql-action #3063

Closed
michaelkedar opened this issue May 25, 2023 · 2 comments
Closed

BUG: URI "no file associated with this alert" in SARIF now invalid in github/codeql-action #3063

michaelkedar opened this issue May 25, 2023 · 2 comments
Labels
kind/bug Something isn't working

Comments

@michaelkedar
Copy link

michaelkedar commented May 25, 2023
edited
Loading

Describe the bug
Currently, the URI in SARIF files for alerts without locations is set to the string "no file associated with this alert" .
Using github/codeql-action/[email protected], this causes errors:

Error details: instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
Error: Unable to upload "results.sarif" as it is not valid SARIF

Reproduction steps
Steps to reproduce the behavior:

  1. Have scorecard generate a SARIF file with an alert with no associated file
  2. Pass SARIF file to github/codeql-action/[email protected] action

Expected behavior
This shouldn't cause an error.

Additional context
The schema file was updated here:
github/codeql-action@febbadf
@michaelkedar michaelkedar added the kind/bug Something isn't working label May 25, 2023
@michaelkedar michaelkedar mentioned this issue May 25, 2023
Merged
michaelkedar added a commit to google/osv.dev that referenced this issue May 25, 2023
@michaelkedar
Fix scorecard action by pinning github/codeql-action to 2.3.3 (#1325)
0ee38bd 
Newest version (2.3.4) does allow scorecard's "no file" URI to be parsed
correctly ossf/scorecard#3063

Also, the version comment was pretty outdated.
@luhi-DT luhi-DT mentioned this issue May 25, 2023
Merged
3 tasks
@roger2hk roger2hk mentioned this issue May 25, 2023
Merged
@naveensrinivasan naveensrinivasan mentioned this issue May 25, 2023
Closed
@laurentsimon
Copy link
Contributor

Created github/codeql-action#1703 on their side. They made a breaking change without following semver. AFAIR, the URI needs to be populated otherwise the results don't show up for results that don't have a "path".

We can to try to generate a conformant URI that does not correspond to a file in the repo...

@drewroengoogle drewroengoogle mentioned this issue May 25, 2023
Closed
@spencerschrock
Copy link
Member

This is resolved by upgrading to github/codeql-action v2.3.5.

@luhi-DT luhi-DT mentioned this issue May 26, 2023
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@spencerschrock @michaelkedar @laurentsimon