
Valid SARIF file being rejected by GitHub with locationFromSarifResult error #2770

Open
blupants opened this issue Jan 29, 2024 · 2 comments

blupants commented Jan 29, 2024

My issue seems to be similar to this previous one.

I am using the trivy open source security scanner that generates valid SARIF files such as this one.

Most of the files get properly parsed and uploaded to the GitHub Security tab. However, when I try to upload this one using the "github/codeql-action/upload-sarif@v2" Action, I get the following error:

Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected artifact location
Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected artifact location
at Object.waitForProcessing (/runner/_work/_actions/github/codeql-action/v2/lib/upload-lib.js:335:23)
at async run (/runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:55:13)
at async runWrapper (/runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:70:9)

I checked GitHub documentation [1] [2] and it points to this Microsoft SARIF validator. I uploaded my SARIF file multiple times to the validator and it always says the file is good.

Steps to reproduce:

Make sure trivy-results-sarif is validated by https://sarifweb.azurewebsites.net/Validation
Select a repo with GitHub Actions available and create a "sarif-issue" branch
Create a folder .github/workflows/config and add trivy-results-sarif to it: .github/workflows/config/trivy-results.sarif
Create a new Action .github/workflows/sarif-issue.yml that will upload the SARIF to GitHub
Commit the changes and push them to the "sarif-issue" branch
Job "Upload Trivy scan results to GitHub Security tab" will fail and throw the "locationFromSarifResult: expected artifact location" error.

rkoster added a commit to cloudfoundry/bosh-linux-stemcell-builder that referenced this issue May 16, 2024
cf-bosh-ci-bot pushed a commit to cloudfoundry/bosh-linux-stemcell-builder that referenced this issue May 16, 2024
@na-jakobs

I hit the same issue, github/codeql-action/upload-sarif failed with locationFromSarifResult: expected artifact location.

@blupants This is due to the Trivy action scanning libraries as well.

If I run for example (the same command the Action invokes):

trivy image --format sarif --output out.sarif --vuln-type os,library mcr.microsoft.com/dotnet/sdk:8.0-azurelinux3.0@sha256:c7e74bfb8704a1a538d52c18728e4d4772b44ae551b8d07053e23609807d2ece

I get an empty artifactLocation.uri in the output for this one library CVE, all others (OS vulns) have locations:

        {
          "ruleId": "CVE-2024-38095",
          "ruleIndex": 6,
          "level": "error",
          "message": {
            "text": "Package: System.Formats.Asn1\nInstalled Version: 6.0.0\nVulnerability CVE-2024-38095\nSeverity: HIGH\nFixed Version: 6.0.1, 8.0.1\nLink: [CVE-2024-38095](https://avd.aquasec.com/nvd/cve-2024-38095)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },

Running with --vuln-type os works fine.
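An added check for the failure mode described in this comment (example code written for this page, not Trivy's, the codeql-action's or GitHub's own): it walks a SARIF 2.1.0 document, reports every result that has a location whose `physicalLocation.artifactLocation.uri` is missing or empty, and writes a copy in which those URIs are replaced by a fallback of the caller's choosing. The `SAMPLE_SARIF` document is constructed to mirror the fragment above (one OS finding with a URI, one library finding with `"uri": ""`); the `Dockerfile` fallback, the sample image reference and the command-line interface are assumptions, not anything Trivy or GitHub specifies.

```python
"""Find and patch SARIF results whose artifactLocation.uri is empty.

Added example, not code from Trivy, codeql-action or GitHub.
Usage: python sarif_fix.py trivy-results.sarif <fallback-uri> > fixed.sarif
With no arguments it runs against the constructed SAMPLE_SARIF below.
"""
import copy
import json
import sys

# Constructed minimal SARIF 2.1.0 document (not real scanner output) that mirrors
# the shape in the comment above: one OS finding with a location and one
# library finding whose artifactLocation.uri is the empty string.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Trivy", "rules": [
                {"id": "CVE-2023-0001"}, {"id": "CVE-2024-38095"}]}},
            "results": [
                {
                    "ruleId": "CVE-2023-0001",
                    "ruleIndex": 0,
                    "level": "error",
                    "message": {"text": "Package: openssl (constructed OS finding)"},
                    "locations": [{"physicalLocation": {
                        # Assumed image reference used as the OS finding's URI.
                        "artifactLocation": {"uri": "mcr.microsoft.com/dotnet/sdk:8.0",
                                             "uriBaseId": "ROOTPATH"},
                        "region": {"startLine": 1, "startColumn": 1,
                                   "endLine": 1, "endColumn": 1}}}],
                },
                {
                    "ruleId": "CVE-2024-38095",
                    "ruleIndex": 1,
                    "level": "error",
                    "message": {"text": "Package: System.Formats.Asn1 (constructed library finding)"},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "", "uriBaseId": "ROOTPATH"},
                        "region": {"startLine": 1, "startColumn": 1,
                                   "endLine": 1, "endColumn": 1}}}],
                },
            ],
        }
    ],
}


def empty_location_results(sarif):
    """Return (run_index, result_index, ruleId) for every result that has at
    least one location whose physicalLocation.artifactLocation.uri is missing
    or empty. These are the results GitHub rejects with
    'locationFromSarifResult: expected artifact location'."""
    hits = []
    for ri, run in enumerate(sarif.get("runs", [])):
        for xi, result in enumerate(run.get("results", [])):
            for loc in result.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
                if not uri:
                    hits.append((ri, xi, result.get("ruleId")))
                    break  # one report per result is enough
    return hits


def patch_empty_locations(sarif, fallback_uri):
    """Return a deep copy of the document in which every missing or empty
    artifactLocation.uri is set to fallback_uri. Regions and all other
    fields are left untouched; the input is not modified."""
    patched = copy.deepcopy(sarif)
    for run in patched.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.setdefault("physicalLocation", {})
                art = phys.setdefault("artifactLocation", {})
                if not art.get("uri"):
                    art["uri"] = fallback_uri
    return patched


def main(argv):
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
        fallback = argv[2]
    else:
        sarif, fallback = SAMPLE_SARIF, "Dockerfile"  # assumed fallback path
    for ri, xi, rule in empty_location_results(sarif):
        print(f"run {ri} result {xi} ({rule}): empty artifactLocation.uri",
              file=sys.stderr)
    json.dump(patch_empty_locations(sarif, fallback), sys.stdout, indent=2)


if __name__ == "__main__":
    main(sys.argv)
```

Running the script on the real Trivy output before the upload step, and failing the job if `empty_location_results` returns anything you did not expect, gives a clearer diagnostic than the upload-sarif error above; which fallback URI GitHub will actually render an alert against is not something this issue establishes, so treat the substitution as a stopgap rather than a fix.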

@nikpivkin

Hi! Any updates?
