Adjust SARIF format to Github Code Scanning
You can upload a SARIF file to GitHub, and in #71 we added a SARIF output format.
If you try to upload this SARIF, you will find that the property artifactLocation is wrong, with the error locationFromSarifResult: expected artifact location.
Steps to reproduce:
- Fork this repo
- Enable Code Scanning for the repo
- Scan it with 2ms (`go run . git . --report-path results.sarif`)
- Upload an analysis as SARIF data. I created a script for you, save it and run it as a bash script:
```bash
#!/usr/bin/env bash
# GitHub CLI api
# https://cli.github.com/manual/gh_api
set -euo pipefail

# The upload endpoint expects the SARIF gzip-compressed and base64-encoded
sarif=$(gzip -c results.sarif | base64 -w0)
commit=$(git rev-parse HEAD)
# ask the user for the repo name
read -r -p "Enter the repo name (OWNER/REPO): " repo
response=$(gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$repo/code-scanning/sarifs" \
  -f commit_sha="$commit" \
  -f ref='refs/heads/main' \
  -f sarif="$sarif")
sarifID=$(echo "$response" | jq -r '.id')
echo "SARIF ID: $sarifID"
# wait for SARIF to be processed
echo "Waiting for SARIF to be processed..."
sleep 10
response=$(gh api \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$repo/code-scanning/sarifs/$sarifID")
echo "$response"
```
- You will see this response:
```json
{
  "processing_status": "failed",
  "errors": [
    "locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location"
  ]
}
```
You need to check if we can omit this artifactLocation, or if we have to fill it.
for example
(Out of scope here, moved to #134)
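As an added pre-upload check (not part of 2ms or of the script in this issue), the following Python walks `runs[].results[].locations[]` and reports every location whose `physicalLocation` has no `artifactLocation.uri`, which is the condition behind the "expected artifact location" error above. The SARIF document embedded in it is constructed.

```python
"""Find SARIF results GitHub Code Scanning would reject for a missing
artifactLocation, before uploading. Added example; sample data is constructed."""
import json

# Constructed sample: the first result is acceptable, the second has a
# physicalLocation with a region but no artifactLocation.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "generic-secret", "message": {"text": "ok"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/app.yaml"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "generic-secret", "message": {"text": "bad"},
             "locations": [{"physicalLocation": {
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def missing_artifact_locations(sarif_text):
    """Return (run_index, result_index, location_index) for every location
    that lacks a non-empty physicalLocation.artifactLocation.uri."""
    doc = json.loads(sarif_text)
    problems = []
    for ri, run in enumerate(doc.get("runs", [])):
        for xi, result in enumerate(run.get("results", [])):
            for li, loc in enumerate(result.get("locations") or []):
                phys = loc.get("physicalLocation") or {}
                uri = (phys.get("artifactLocation") or {}).get("uri")
                if not isinstance(uri, str) or not uri:
                    problems.append((ri, xi, li))
    return problems


if __name__ == "__main__":
    for ri, xi, li in missing_artifact_locations(SAMPLE_SARIF):
        print(f"run {ri} result {xi} location {li}: missing artifactLocation.uri")
```

Run it against a real report by replacing `SAMPLE_SARIF` with the contents of `results.sarif`; an empty list means every location names a file.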
I will look into this issue. I've started working on the SARIF in #147.
It is strange to me that artifactLocation is missing; maybe it was because of #147, so check this issue and maybe you will find it is not reproducible.