SARIF output malformed due to incorrect URI, which causes GitHub upload to fail
Robyt3 opened this issue
Robert Müller commented
GitHub workflow file:
```yaml
name: Flawfinder
on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
  schedule:
    - cron: '28 13 * * 2'
jobs:
  flawfinder:
    name: Flawfinder
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Scan with Flawfinder
        uses: david-a-wheeler/flawfinder@2.0.19
        with:
          arguments: '--sarif ./src'
          output: 'flawfinder_results.sarif'
      - name: Upload analysis results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{github.workspace}}/flawfinder_results.sarif
```
The upload step fails with this output:
```
Run github/codeql-action/upload-sarif@v2
Uploading results
Processing sarif files: ["/home/runner/work/ddnet/ddnet/flawfinder_results.sarif"]
Error details: instance.runs[0].tool.driver.rules[18].helpUri does not conform to the "uri" format
Error: Unable to upload "/home/runner/work/ddnet/ddnet/flawfinder_results.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.rules[18].helpUri does not conform to the "uri" format
Error: Unable to upload "/home/runner/work/ddnet/ddnet/flawfinder_results.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.rules[18].helpUri does not conform to the "uri" format
    at validateSarifFileSchema (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:199:15)
    at uploadFiles (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:249:9)
    at Object.uploadFromActions (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:136:18)
    at async run (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:48:30)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:70:9)
```
Relevant excerpt from the SARIF output:
```json
{
  "id": "FF1030",
  "name": "race/access",
  "shortDescription": {
    "text": "This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition (CWE-362/CWE-367!)."
  },
  "defaultConfiguration": {
    "level": "error"
  },
  "helpUri": "https://cwe.mitre.org/data/definitions/362.htmlhttps://cwe.mitre.org/data/definitions/367.html",
  "relationships": [
    {
      "target": {
        "id": "CWE-362",
        "toolComponent": {
          "name": "CWE",
          "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
        }
      },
      "kinds": [
        "relevant"
      ]
    },
    {
      "target": {
        "id": "CWE-367",
        "toolComponent": {
          "name": "CWE",
          "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
        }
      },
      "kinds": [
        "incomparable"
      ]
    }
  ]
},
```
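An added preflight check, not part of this issue, of flawfinder or of codeql-action: the script below walks every rule in a SARIF file and flags a `helpUri` that lacks a scheme or host or that contains a second `://` after the host, which is the run-together CWE link pattern in the excerpt above (two URLs concatenated without a separator). It can also repair such a value by keeping only the first URI, since the other CWE is already carried by the rule's `relationships`. The embedded SARIF fragment is constructed from the posted rule with the rest of the document elided; the heuristic here is not the exact "uri" format test the upload action applies.

```python
"""Preflight check for SARIF rule helpUri values before uploading to GitHub code scanning."""
import copy
import json
import re
import sys
from urllib.parse import urlsplit

# Constructed fragment: the FF1030 rule from the issue plus one well-formed rule.
SAMPLE_SARIF = json.loads("""{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "Flawfinder", "rules": [
    {"id": "FF1001", "name": "buffer/strcpy",
     "helpUri": "https://cwe.mitre.org/data/definitions/120.html"},
    {"id": "FF1030", "name": "race/access",
     "helpUri": "https://cwe.mitre.org/data/definitions/362.htmlhttps://cwe.mitre.org/data/definitions/367.html"}
  ]}}}]
}""")

CONCATENATED = "helpUri looks like several URIs run together"


def help_uri_problem(value):
    """Return None if value looks like a single absolute web URI, else a reason string."""
    if not isinstance(value, str) or not value:
        return "helpUri is missing or empty"
    if any(ch.isspace() for ch in value):
        return "helpUri contains whitespace"
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return "helpUri is not an absolute URI (missing scheme or host)"
    # A second scheme marker after the host is the concatenation symptom from the issue.
    if "://" in parts.path or "://" in parts.query:
        return CONCATENATED
    return None


def split_web_uris(value):
    """Split a run-together string at every point where 'http://' or 'https://' begins.
    Only web schemes are handled; a single URI comes back as a one-element list."""
    return [p for p in re.split(r"(?=https?://)", value) if p]


def iter_rules(doc):
    """Yield every rule object from every run's tool driver."""
    for run in doc.get("runs", []):
        yield from run.get("tool", {}).get("driver", {}).get("rules", [])


def check_sarif(doc):
    """Return (rule id, problem) pairs for rules whose helpUri would not pass."""
    problems = []
    for rule in iter_rules(doc):
        if "helpUri" not in rule:
            continue  # helpUri is optional in SARIF 2.1.0
        reason = help_uri_problem(rule["helpUri"])
        if reason:
            problems.append((rule.get("id", "?"), reason))
    return problems


def repair_help_uris(doc):
    """Return a deep copy in which a run-together helpUri keeps only its first URI."""
    fixed = copy.deepcopy(doc)
    for rule in iter_rules(fixed):
        uri = rule.get("helpUri")
        if isinstance(uri, str) and help_uri_problem(uri) == CONCATENATED:
            rule["helpUri"] = split_web_uris(uri)[0]
    return fixed


if __name__ == "__main__":
    # Usage: python sarif_preflight.py [results.sarif]; exits 1 when a rule would fail.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    found = check_sarif(doc)
    for rule_id, reason in found:
        print(f"{rule_id}: {reason}")
    sys.exit(1 if found else 0)
```

Run it as a workflow step between the scan and the upload so a malformed rule fails the job with a readable message instead of the schema error above; the repair function is for a local one-off fix and should not hide a bug that belongs upstream in the generator.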
Eric Gallager commented
dup of #66 perhaps?