Asking for clarification about SARIF report upload #29

Open
jasonloewen opened this issue May 1, 2024 · 4 comments
@jasonloewen

The README states:

  • Display issues with their severity as a SARIF Report in the GitHub Workspace after a scan completes.

I was hoping that meant the violation report would get uploaded and imported to the GH Security Advisories, but I can only download the artifact from the link in the workflow. Is this the intended result?

@sanyam803
Member

Yes, the report gets uploaded in the run workflow. Out of the box it is not uploaded to the GH Security Advisory, but it is available as an output of the analyze-code-security-scc step and can be consumed by any subsequent step.

Tenet:
The GitHub action is mainly responsible for generating the SARIF file and making it available for consumption by subsequent steps. The action is closely in line with SRP and hence any additional functionality is delivered through the existing ecosystem of GitHub Actions.

That being said, currently the documentation illustrates an example where we use the GitHub-provided action actions/upload-artifact (https://github.com/actions/upload-artifact) to upload the report to the workflow run workspace.
But users can definitely experiment with other available actions like github/codeql-action/upload-sarif (https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions) to upload the SARIF generated by analyze-code-security-scc to the GitHub repository and benefit from code scanning alerts.

AI on us: Enhance documentation to illustrate integration of github/codeql-action/upload-sarif to upload the SARIF report to the repository.

@jasonloewen
Author

We did try the upload-sarif action before I posted this question, but got what looks like schema-related errors. It doesn't like `"informationUri": ""`. Can you confirm that the SARIF 2.1.0 schema is being used to generate the report?

Here is the response from the workload:

```json
{
  "path": [
    "runs",
    0,
    "tool",
    "driver",
    "informationUri"
  ],
  "property": "instance.runs[0].tool.driver.informationUri",
  "message": "does not conform to the \"uri\" format",
  "schema": {
    "description": "The absolute URI at which information about this version of the tool component can be found.",
    "type": "string",
    "format": "uri"
  },
  "instance": "",
  "name": "format",
  "argument": "uri",
  "stack": "instance.runs[0].tool.driver.informationUri does not conform to the \"uri\" format"
}
```

@sanyam803
Member

Yes, we are adhering to SARIF 2.1.0 guidelines. "informationUri" is a valid property, but it seems like it cannot be an empty URL. We will take an action item to fix the report structure and file a bug for now.

Filed a Bug : #35
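A pre-upload check for the failure discussed in this thread, added here as an example and not part of analyze-code-security-scc or the codeql-action: it walks `runs[*].tool.driver.informationUri` of a SARIF document and reports any value that is not an absolute URI, producing the same property path the upload validator quoted above. The sample SARIF document is constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed minimal SARIF 2.1.0 document that reproduces the failure in this
# thread: the driver's informationUri is present but empty.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "informationUri": ""}},
        "results": []
    }]
})

def is_absolute_uri(value):
    """True if value has a scheme plus an authority or path, which is what the
    JSON Schema "uri" format used by the upload validator requires."""
    if not isinstance(value, str) or not value:
        return False
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc or parsed.path)

def check_information_uri(sarif_text):
    """Return one problem message per run whose tool driver carries an
    informationUri that is not an absolute URI. An empty list means the
    report would not trip the "uri" format check quoted in the thread."""
    doc = json.loads(sarif_text)
    problems = []
    for idx, run in enumerate(doc.get("runs", [])):
        driver = run.get("tool", {}).get("driver", {})
        # Only a present value is checked: the thread's error is about "",
        # not about the property being absent (assumption of this example).
        if "informationUri" not in driver:
            continue
        uri = driver["informationUri"]
        if not is_absolute_uri(uri):
            problems.append(
                f"instance.runs[{idx}].tool.driver.informationUri "
                f'does not conform to the "uri" format (value: {uri!r})')
    return problems

if __name__ == "__main__":
    # Run this before the upload-sarif step; a non-empty list should fail the job.
    for line in check_information_uri(SAMPLE_SARIF) or ["informationUri OK"]:
        print(line)
```

Running it as a workflow step ahead of github/codeql-action/upload-sarif turns the validator's rejection into a clear failure before the upload is attempted.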

@sanyam803
Member

We have addressed the above gaps and fixed the bug. @jasonloewen can you please try again?

@sanyam803 sanyam803 reopened this Jun 17, 2024