david-a-wheeler / flawfinder

a static analysis tool for finding vulnerabilities in C/C++ source code

SARIF output malformed due to incorrect URI, which causes GitHub upload to fail

Robyt3 opened this issue · comments

GitHub workflow file:

name: Flawfinder

on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
  schedule:
    - cron: '28 13 * * 2'

jobs:
  flawfinder:
    name: Flawfinder
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Scan with Flawfinder
        uses: david-a-wheeler/flawfinder@2.0.19
        with:
          arguments: '--sarif ./src'
          output: 'flawfinder_results.sarif'

      - name: Upload analysis results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{github.workspace}}/flawfinder_results.sarif

The upload step fails with this output:

Run github/codeql-action/upload-sarif@v2
Uploading results
  Processing sarif files: ["/home/runner/work/ddnet/ddnet/flawfinder_results.sarif"]
Error details: instance.runs[0].tool.driver.rules[18].helpUri does not conform to the "uri" format
Error: Unable to upload "/home/runner/work/ddnet/ddnet/flawfinder_results.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.rules[18].helpUri does not conform to the "uri" format
Error: Unable to upload "/home/runner/work/ddnet/ddnet/flawfinder_results.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.rules[18].helpUri does not conform to the "uri" format
    at validateSarifFileSchema (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:199:15)
    at uploadFiles (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:249:9)
    at Object.uploadFromActions (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:136:18)
    at async run (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:48:30)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:70:9)

Relevant excerpt from the SARIF output:

{
  "id": "FF1030",
  "name": "race/access",
  "shortDescription": {
    "text": "This usually indicates a security flaw.  If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition (CWE-362/CWE-367!)."
  },
  "defaultConfiguration": {
    "level": "error"
  },
  "helpUri": "https://cwe.mitre.org/data/definitions/362.htmlhttps://cwe.mitre.org/data/definitions/367.html",
  "relationships": [
    {
      "target": {
        "id": "CWE-362",
        "toolComponent": {
          "name": "CWE",
          "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
        }
      },
      "kinds": [
        "relevant"
      ]
    },
    {
      "target": {
        "id": "CWE-367",
        "toolComponent": {
          "name": "CWE",
          "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
        }
      },
      "kinds": [
        "incomparable"
      ]
    }
  ]
},

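The excerpt above shows the defect: two CWE links are concatenated into one `helpUri` string, and the SARIF schema requires that property to be a single URI, so `upload-sarif` rejects the whole file. The script below is an added example (not flawfinder's code and not a fix from this issue) that reproduces the problem on a constructed SARIF fragment modelled on rule FF1030, reports every rule whose `helpUri` is not one well-formed URI, and rewrites the concatenated cases so the first link stays in `helpUri` and the remaining links move into the rule's `help.text`. Running it on a real `flawfinder_results.sarif` before the upload step is a workaround until the generator is fixed; the function and file names are this example's own.

```python
"""Check and repair malformed helpUri fields in a SARIF file before upload.

Added example, not part of flawfinder or this issue: it reproduces the
concatenated-URI defect on a constructed SARIF fragment, detects it the way
the upload-sarif schema check does (helpUri must be a single URI), and
rewrites it so the file validates. Usage: python sarif_helpuri_fix.py in.sarif out.sarif
"""
import json
import re
import sys
from urllib.parse import urlsplit

# Constructed SARIF fragment modelled on the excerpt in the issue (rule FF1030).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Flawfinder", "rules": [
            {"id": "FF1001", "name": "buffer/strcpy",
             "helpUri": "https://cwe.mitre.org/data/definitions/120.html"},
            {"id": "FF1030", "name": "race/access",
             "helpUri": "https://cwe.mitre.org/data/definitions/362.html"
                        "https://cwe.mitre.org/data/definitions/367.html"},
        ]}},
        "results": [],
    }],
})

# Zero-width split point: a scheme prefix glued directly onto preceding text.
# "a.htmlhttps://b" -> ["a.html", "https://b"]; a lone URL is left in one piece.
_SCHEME_BOUNDARY = re.compile(r"(?<=\S)(?=https?://)")


def load_sample():
    """Parse the constructed sample document into a dict."""
    return json.loads(SAMPLE_SARIF)


def split_concatenated_uris(value):
    """Return the URLs glued together in `value` (one element if it is sane)."""
    return [p for p in _SCHEME_BOUNDARY.split(value) if p]


def is_single_uri(value):
    """True if `value` parses as exactly one absolute http(s) URI."""
    parts = split_concatenated_uris(value)
    if len(parts) != 1:
        return False
    u = urlsplit(parts[0])
    return u.scheme in ("http", "https") and bool(u.netloc)


def find_bad_help_uris(sarif):
    """List (run_index, rule_index, rule_id, helpUri) for every rule whose
    helpUri is not a single URI; the indices match the upload-sarif error path
    instance.runs[i].tool.driver.rules[j].helpUri."""
    bad = []
    for ri, run in enumerate(sarif.get("runs", [])):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for idx, rule in enumerate(rules):
            uri = rule.get("helpUri")
            if uri is not None and not is_single_uri(uri):
                bad.append((ri, idx, rule.get("id"), uri))
    return bad


def repair_help_uris(sarif):
    """Keep the first URL as helpUri and move the rest into help.text so no
    reference is lost. Mutates `sarif`; returns the number of rules changed.
    Values that are simply not URLs are reported by find_bad_help_uris but
    left alone, since there is nothing sensible to rewrite them to."""
    changed = 0
    for ri, idx, _rule_id, uri in find_bad_help_uris(sarif):
        parts = split_concatenated_uris(uri)
        if len(parts) < 2:
            continue
        rule = sarif["runs"][ri]["tool"]["driver"]["rules"][idx]
        rule["helpUri"] = parts[0]
        # SARIF's `help` property is a free-text message object; park the extra links there.
        rule.setdefault("help", {})["text"] = "See also: " + " ".join(parts[1:])
        changed += 1
    return changed


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = load_sample()
    for ri, idx, rule_id, uri in find_bad_help_uris(doc):
        print(f"runs[{ri}].tool.driver.rules[{idx}] ({rule_id}): bad helpUri {uri!r}")
    print(f"repaired {repair_help_uris(doc)} rule(s)")
    if len(sys.argv) == 3:
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            json.dump(doc, fh, indent=2)
```

The detector deliberately mirrors the schema check rather than flawfinder's internals: it only asks whether each `helpUri` is one absolute URI, so it also catches any other generator that emits the same shape of error, and the reported indices line up with the path in the upload-sarif error message.
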
dup of #66 perhaps?