github / codeql-action

Actions for running CodeQL analysis

Do not let the upload action fail if the SARIF file does not contain a location.

aetos382 opened this issue · comments

When I compiled my C# project with the ErrorLog option, the compiler generated the following SARIF file.

SARIF File
{
  "$schema": "http://json.schemastore.org/sarif-2.1.0",
  "version": "2.1.0",
  "runs": [
    {
      "results": [
        {
          "ruleId": "EnableGenerateDocumentationFile",
          "ruleIndex": 291,
          "level": "warning",
          "message": {
            "text": "Set MSBuild property 'GenerateDocumentationFile' to 'true' in project file to enable IDE0005 (Remove unnecessary usings/imports) on build"
          },
          "properties": {
            "warningLevel": 1
          }
        }
      ],
      "tool": {
        "driver": {
          "name": "Microsoft (R) Visual C# Compiler",
          "version": "4.7.0-3.23280.5 (aff92b57)",
          "dottedQuadFileVersion": "4.7.0.0",
          "semanticVersion": "4.7.0",
          "language": "en-US",
          "rules": [
           // rules array omitted here: too long to include
          ]
        }
      },
      "columnKind": "utf16CodeUnits"
    }
  ]
}

Uploading this file using the upload-sarif action will result in the following error.

Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected at least one location
    at Object.waitForProcessing (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:337:23)
    at async run (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:55:13)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:70:9)

The reason this file did not contain a location element is that there was no warning associated with a location in the source file, and the SARIF file is not malformed.
To avoid interrupting the workflow when uploading such a file, please do not treat this file as an error.

Note that I know that this error is generated by the GitHub API, not the upload-sarif action.
So, I think it might be more appropriate to fix the API behavior or add an option to the API to ignore the error.
If so, please forward this issue to the appropriate department.

Thanks for raising this issue. I've asked the team that maintains the code-scanning back end to provide some advice.

I spoke with the alert processing team and they mentioned that it is part of the core design that all alerts have at least one location. Are you the author of the tool that is creating this SARIF? If so, my recommendation is to attach a location to the alert even if it is not 100% correct.

I may be mistaken, but I believe it is possible to add a location to a file that doesn't exist.

Here is some of the documentation around result objects.

https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#result-object

I'm closing this issue, but feel free to continue the discussion if you have any more questions.
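The maintainer's suggestion above (attach a location to every alert, even a placeholder) can be applied as a pre-upload step in the workflow. The script below is an added example and is not part of codeql-action or of the C# compiler; it lists every SARIF result that has no location (so the back-end message "expected at least one location" becomes a concrete list of rule IDs) and then attaches a placeholder `physicalLocation` to each of them. The placeholder file name (`MyProject.csproj`), the `%SRCROOT%` base ID and the `placeholderLocation` property are assumptions chosen for illustration; the sample SARIF is constructed to resemble the compiler output posted in the issue, with a second result that already has a location and a third whose `locations` array is present but empty.

```python
"""Pre-upload fix-up: give every SARIF result at least one location.

Added example, not code from the codeql-action project. GitHub Code Scanning
rejects a result without a location, so this attaches a placeholder location
(file name is an assumption) to any result lacking one, leaving all other
results untouched.
"""
import copy
import json
import sys

# Constructed sample modelled on the compiler output in the issue; the rules
# array is omitted as in the post. Result 0 has no location at all, result 1
# already has one, result 2 has an empty locations array (also rejected).
SAMPLE_SARIF = {
    "$schema": "http://json.schemastore.org/sarif-2.1.0",
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Microsoft (R) Visual C# Compiler", "rules": []}},
            "results": [
                {
                    "ruleId": "EnableGenerateDocumentationFile",
                    "level": "warning",
                    "message": {"text": "Set MSBuild property 'GenerateDocumentationFile' to 'true'"},
                },
                {
                    "ruleId": "CS0168",
                    "level": "warning",
                    "message": {"text": "The variable 'x' is declared but never used"},
                    "locations": [
                        {"physicalLocation": {
                            "artifactLocation": {"uri": "src/Program.cs"},
                            "region": {"startLine": 12, "startColumn": 17}}}
                    ],
                },
                {
                    "ruleId": "CS1591",
                    "level": "warning",
                    "message": {"text": "Missing XML comment for publicly visible type"},
                    "locations": [],
                },
            ],
        }
    ],
}


def _has_location(result):
    """True only if the result carries a non-empty locations array."""
    return bool(result.get("locations"))


def results_without_location(sarif):
    """Return (run_index, result_index, ruleId) for each result lacking a location.

    Running this before upload-sarif turns the opaque back-end error into a
    list of the offending results.
    """
    missing = []
    for ri, run in enumerate(sarif.get("runs", [])):
        for xi, result in enumerate(run.get("results", [])):
            if not _has_location(result):
                missing.append((ri, xi, result.get("ruleId")))
    return missing


def add_placeholder_locations(sarif, uri="MyProject.csproj", start_line=1):
    """Return a deep copy of the SARIF with a placeholder location on every
    location-less result. The input is not modified.

    `uri` is a path relative to the repository checkout (assumption: the
    project file is a sensible anchor for project-level MSBuild warnings).
    A region is included so the alert has a line to attach to. A property
    flags the location as synthetic so reviewers can tell it apart.
    """
    fixed = copy.deepcopy(sarif)
    for run in fixed.get("runs", []):
        for result in run.get("results", []):
            if _has_location(result):
                continue
            result["locations"] = [{"physicalLocation": {
                "artifactLocation": {"uri": uri, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": start_line}}}]
            result.setdefault("properties", {})["placeholderLocation"] = True
    return fixed


def fix_sarif_file(src_path, dst_path, uri="MyProject.csproj"):
    """Rewrite src_path into dst_path; return how many results were patched."""
    with open(src_path, encoding="utf-8") as f:
        sarif = json.load(f)
    patched = len(results_without_location(sarif))
    with open(dst_path, "w", encoding="utf-8") as f:
        json.dump(add_placeholder_locations(sarif, uri=uri), f, indent=2)
    return patched


if __name__ == "__main__":
    # Usage: python fix_sarif.py input.sarif output.sarif [placeholder-uri]
    n = fix_sarif_file(sys.argv[1], sys.argv[2], *sys.argv[3:4])
    print(f"patched {n} result(s) without a location")
```

Run it as a workflow step between the build and upload-sarif, pointing `upload-sarif` at the rewritten file; the `placeholderLocation` property survives in the uploaded SARIF, so alerts anchored to the placeholder can be told apart from real findings when triaging.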