
bug: SARIF's artifact location URI fails with does not conform to the "uri-reference" format #1149

Closed
gabrielkoo opened this issue May 25, 2023 · 7 comments

Comments

@gabrielkoo

It originates from findings that have no source files associated with them:

{
  "ruleId": "VulnerabilitiesID",
  "ruleIndex": 0,
  "message": {
    "text": "score is 8: 2 existing vulnerabilities detected:\nWarn: Project is vulnerable to: XXXX / YYYY\nClick Remediation section below to solve this issue"
  },
  "locations": [{
    "physicalLocation": {
      "region": {
        "startLine": 1
      },
      "artifactLocation": {
        "uri": "no file associated with this alert",
        "uriBaseId": "%SRCROOT%"
      }
    }
  }]
}

Sample error when trying to upload with github/codeql-action/upload-sarif@v2:

Error: Unable to upload "filteredResults.sarif" as it is not valid SARIF:
- instance.runs[1].results[0].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format

Right now, I am using this hack to remove the locations when no source file is associated:

# Write to a temporary file first: redirecting straight back into results.sarif
# truncates it before jq has read it.
jq '(.runs[].results[].locations) |= map(select(.physicalLocation.artifactLocation.uri != "no file associated with this alert"))' \
    results.sarif > results.sarif.tmp && mv results.sarif.tmp results.sarif
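A more general form of the workaround above, added here as an example and not code from the issue or from scorecard-action: instead of matching one placeholder string, it walks a SARIF log and drops every location whose artifactLocation.uri cannot be a valid uri-reference (a space, as in the placeholder, or a malformed percent-escape). The sample log is constructed for the example.

```python
import re
from copy import deepcopy

# Characters RFC 3986 allows in a URI reference (unreserved, gen-delims,
# sub-delims, '%' for percent-encoding). A space is not among them.
_URI_REF_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def is_uri_reference(value):
    """Character-level check. Strict validators may still reject strings
    that pass here, but anything rejected here is certainly invalid."""
    if not _URI_REF_CHARS.match(value):
        return False
    # Every '%' must introduce a well-formed percent-encoding (%XX).
    return re.search(r"%(?![0-9A-Fa-f]{2})", value) is None


def scrub_locations(sarif):
    """Return (copy of the log without offending locations, count dropped).
    Results without a 'locations' array are left alone."""
    cleaned = deepcopy(sarif)
    dropped = 0
    for run in cleaned.get("runs", []):
        for result in run.get("results", []):
            if "locations" not in result:
                continue
            kept = []
            for loc in result["locations"]:
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
                if uri is not None and not is_uri_reference(uri):
                    dropped += 1
                    continue
                kept.append(loc)
            result["locations"] = kept
    return cleaned, dropped


# Constructed sample: the placeholder result from the issue plus one result
# that points at a real file and must survive untouched.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "VulnerabilitiesID", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "no file associated with this alert",
                             "uriBaseId": "%SRCROOT%"}}}]},
    {"ruleId": "PinnedDependenciesID", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": ".github/workflows/ci.yml",
                             "uriBaseId": "%SRCROOT%"}}}]},
]}]}
```

Run `scrub_locations` on the parsed log before handing it to upload-sarif; the returned count is worth logging so silently dropped findings are visible.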
@daohoangson

I ran into this error after updating github/codeql-action@v2.3.4.

@ben-manes

Please fix asap; example failure

@davidkelliott

We are getting the same, example

@akashsinghal

+1 on this issue

@spencerschrock
Member

While we are working on a fix, a short term solution is to revert github/codeql-action to v2.3.3

@spencerschrock
Member

Also, upstream discussion at github/codeql-action#1703

@spencerschrock
Member

This is resolved by upgrading to github/codeql-action v2.3.5.

peap added a commit to peap/git-global that referenced this issue May 29, 2023
Use codeql-action v2.3.5 to fix (see ossf/scorecard-action#1149)
6 participants