HDF->SARIF converters missing location, making invalid for use by GitHub #2694

Closed
candrews opened this issue Jul 21, 2023 · 1 comment

Comments

@candrews (Collaborator)

The SARIF generated by this tool from HDF does not pass GitHub validation.

To reproduce:

  1. Take this sample HDF: openscap-report.hdf.json.gz
  2. Use this project to convert it to SARIF:
     npx @microsoft/[email protected] convert -t Hdf -o "openscap-report.sarif" "openscap-report.hdf.json"
     Here's the resulting SARIF (I pretty formatted it for readability):
     openscap-report.sarif.gz
  3. Use the validator at https://sarifweb.azurewebsites.net/Validation to validate the openscap-report.sarif file with the "GitHub ingestion rules" option selected.

Expected:
Successful validation.

Actual:
GH1001: Each result location must provide the property 'physicalLocation.artifactLocation.uri'. GitHub Advanced Security code scanning will not display a result whose location does not provide the URI of the artifact that contains the result.

When trying to use the SARIF in practice with GitHub's github/codeql-action/upload-sarif@v2 action as documented at https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository, GitHub fails to process the SARIF, as expected, due to the missing required location data. For an example of a failing GitHub Action, see https://github.com/candrews/jumpstart/actions/runs/5603707977/job/15181171825?pr=884#step:10:22; the failure is:

Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location
Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location, locationFromSarifResult: expected at least one location

Trivy had the same problem a while back (see aquasecurity/trivy#1038); they solved it by adding location/region information to the SARIF: AndreyLevchenko/trivy@a8ec7ec

Perhaps this tool could similarly add location information when it converts HDF->SARIF?
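The check GitHub applies here (rule GH1001: every result location must carry `physicalLocation.artifactLocation.uri`, and a result with no locations at all is rejected by `locationFromSarifResult`) is easy to run locally before uploading, and the Trivy-style workaround of supplying a location is equally easy to apply to a converter's output. The following is an added example, not code from the sarif-sdk project or from the issue author; the embedded SARIF document is constructed to mirror the two failing shapes described above (a result without `locations`, and a location whose `physicalLocation` has a region but no `artifactLocation.uri`), and the placeholder URI `openscap-report.hdf.json` is an assumption, chosen because a relative path to the report in the checked-out repository is what code scanning can render against.

```python
"""Check a SARIF 2.1.0 log for GitHub's GH1001 ingestion rule and, optionally,
repair results that lack a usable physical location.

Added example; not the sarif-sdk project's own code. The SAMPLE_SARIF
document is constructed for this example (it is not the attached
openscap-report.sarif) and the placeholder URI is an assumption.
"""
import copy
import json
import sys

# Constructed sample: one result with no locations (what the converter
# emitted), one with a region but no artifact URI, one already valid.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "hdf-converter-example", "rules": [
            {"id": "xccdf_org.ssgproject.content_rule_example"}]}},
        "results": [
            {"ruleId": "xccdf_org.ssgproject.content_rule_example",
             "level": "error",
             "message": {"text": "no locations at all"}},
            {"ruleId": "xccdf_org.ssgproject.content_rule_example",
             "level": "warning",
             "message": {"text": "region but no artifactLocation.uri"},
             "locations": [{"physicalLocation": {"region": {"startLine": 1}}}]},
            {"ruleId": "xccdf_org.ssgproject.content_rule_example",
             "level": "note",
             "message": {"text": "already acceptable to GitHub"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "etc/ssh/sshd_config"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
}


def _artifact_uri(location: dict):
    """Return physicalLocation.artifactLocation.uri of a location, or None."""
    phys = location.get("physicalLocation") or {}
    art = phys.get("artifactLocation") or {}
    return art.get("uri")


def gh1001_violations(sarif: dict) -> list:
    """One message per result or location that code scanning would reject."""
    problems = []
    for r, run in enumerate(sarif.get("runs", [])):
        for i, result in enumerate(run.get("results", [])):
            locations = result.get("locations") or []
            if not locations:
                # This is the converter's original output: no location at all.
                problems.append(f"runs[{r}].results[{i}]: no locations")
                continue
            for j, loc in enumerate(locations):
                uri = _artifact_uri(loc)
                if not isinstance(uri, str) or not uri:
                    problems.append(
                        f"runs[{r}].results[{i}].locations[{j}]: "
                        "missing physicalLocation.artifactLocation.uri")
    return problems


def repair_sarif(sarif: dict, placeholder_uri: str = "openscap-report.hdf.json"):
    """Return (repaired copy, number of results touched).

    Location-less results get one synthetic location; locations that lack an
    artifact URI get one added while keeping any region they already had.
    The placeholder URI is an assumption: it must be a path relative to the
    repository root that exists in the checkout, otherwise the result still
    has nowhere to be displayed.
    """
    fixed = copy.deepcopy(sarif)
    touched = 0
    for run in fixed.get("runs", []):
        for result in run.get("results", []):
            locations = result.get("locations") or []
            if not locations:
                result["locations"] = [{"physicalLocation": {
                    "artifactLocation": {"uri": placeholder_uri},
                    "region": {"startLine": 1}}}]
                touched += 1
                continue
            for loc in locations:
                uri = _artifact_uri(loc)
                if isinstance(uri, str) and uri:
                    continue
                phys = loc.setdefault("physicalLocation", {})
                phys["artifactLocation"] = {"uri": placeholder_uri}
                phys.setdefault("region", {"startLine": 1})
                touched += 1
    return fixed, touched


if __name__ == "__main__":
    # Usage: python check_sarif.py [file.sarif]; defaults to the sample above.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    for problem in gh1001_violations(doc):
        print("GH1001", problem)
```

Run `gh1001_violations` as a CI gate before `upload-sarif`; it reproduces the rejection offline without a round trip to GitHub. `repair_sarif` is the stopgap for converters that do not emit locations: it makes the file ingestible, but every repaired result will be pinned to line 1 of the placeholder file, so the proper fix remains emitting a real location from the source data, as the referenced Trivy change and the commits below do.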

candrews added a commit that referenced this issue Jul 24, 2023
Per https://sarifweb.azurewebsites.net/Validation
> Each result location must provide the property 'physicalLocation.artifactLocation.uri'.
> GitHub Advanced Security code scanning will not display a result whose location does not provide the URI of the artifact that contains the result.

Signed-off-by: Craig Andrews <[email protected]>
michaelcfanning pushed a commit that referenced this issue Jul 27, 2023
* HdfConverter: Add location, address GitHub validation error (#2694)

Per https://sarifweb.azurewebsites.net/Validation
> Each result location must provide the property 'physicalLocation.artifactLocation.uri'.
> GitHub Advanced Security code scanning will not display a result whose location does not provide the URI of the artifact that contains the result.

Signed-off-by: Craig Andrews <[email protected]>

* HdfConvert: Use HDF "control.descriptions" for "help" (#2633)

Signed-off-by: Craig Andrews <[email protected]>

* HdfConverter: Use HDF title as SARIF shortDescription

* HdfConverter: make name a Pascal case identifier

See: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317843
Signed-off-by: Craig Andrews <[email protected]>

* HdfConverter: Set Enabled to true if and only if all results have status skipped

See: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317854
Signed-off-by: Craig Andrews <[email protected]>

---------

Signed-off-by: Craig Andrews <[email protected]>
@candrews (Collaborator, Author)

This issue has been resolved as of version 4.2.1.
