
SARIF result not uploaded

Open Itsukan0 opened this issue 3 years ago • 11 comments

Hi,

I'm trying to set up a basic code analysis in my CI on my project.

I set up CodeQL for Ubuntu, it worked the first time.

I tried to set up the same for Windows using this:

https://devblogs.microsoft.com/cppblog/microsoft-cpp-code-analysis-with-github-actions/

The workflow started and completed fine, except this:

The result of the MSVC check is not displayed in the Code Scanning Alerts in the Security tab of my project, the Ubuntu one is.

I can get the SARIF file as an artifact, just not get it to display properly on the project page.

How can I solve this? Thanks in advance

The yml code is the basic one:

name: Microsoft C++ Code Analysis

on:
  push:
    branches: [ main, dev, Basic_Protections ]
  pull_request:
    branches: [ main ]
    
env:
  # Path to the CMake build directory.
  build: '${{ github.workspace }}/build'

permissions:
  contents: read

jobs:
  analyze:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    name: Analyze
    runs-on: windows-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Configure CMake
        run: cmake -B ${{ env.build }}

      # Build is not required unless generated source files are used
      # - name: Build CMake
      #   run: cmake --build ${{ env.build }}

      - name: Initialize MSVC Code Analysis
        uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
        # Provide a unique ID to access the sarif output path
        id: run-analysis
        with:
          cmakeBuildDirectory: ${{ env.build }}
          # Ruleset file that will determine what checks will be run
          ruleset: NativeRecommendedRules.ruleset

      # Upload SARIF file to GitHub Code Scanning Alerts
      - name: Upload SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.run-analysis.outputs.sarif }}

      # Upload SARIF file as an Artifact to download and view
      # - name: Upload SARIF as an Artifact
      #   uses: actions/upload-artifact@v3
      #   with:
      #     name: sarif-file
      #     path: ${{ steps.run-analysis.outputs.sarif }}

The problem happens at the Upload

Itsukan0 avatar May 05 '22 13:05 Itsukan0

Thank you for raising this issue. The upload is failing because the file includes too many SARIF runs. Looking at how the microsoft/msvc-code-analysis-action is implemented, each compile target is converted into a single run.

I can think of two workarounds:

  1. Slice your analysis into multiple runs, each with a smaller number of targets. In this case you need to specify a different category for each slice.
  2. Post process the SARIF file and combine multiple runs into a single run.

aeisenberg avatar May 05 '22 17:05 aeisenberg

Forgive my ignorance, I just started using yml CIs, but how do I slice the analysis? I do not see any args in the msvc-code-analysis repo to do so.

I just need to concatenate the data on the SARIF file and upload it then ?

Itsukan0 avatar May 05 '22 17:05 Itsukan0

Honestly, I'm not 100% sure either. But it would be something like this. Since this is cmake, instead of calling the root target, call each of its child targets separately and upload separately. However, I don't know for certain if this would work since I'm not sure how your make file is split up.

And now that I'm thinking about it, merging SARIF runs won't be straight forward either. Let me chat with the code scanning team to see if there are any suggestions they have.

I see that your repo just had a successful upload. Did something change there? And is it working now?

aeisenberg avatar May 05 '22 18:05 aeisenberg

Sadly no:

The workflow always runs and completes, it's the upload that's unsuccessful. The errors are mostly me messing around trying to get the upload to work, and show up.

As previously stated, the analysis completes and I can get the file via artifact, just not to display :'(

Only the Ubuntu run is displayed even with the success

If you dig around in my repo's CI runs, the workflow name is Microsoft C++ Code Analysis

Itsukan0 avatar May 05 '22 20:05 Itsukan0

I've asked the code scanning team for some help with this.

aeisenberg avatar May 07 '22 01:05 aeisenberg

There is no easy way around the limitation of 15 runs per upload. After some discussion, the best we can suggest is that you work with the maintainers of microsoft/msvc-code-analysis-action and create fewer runs. Since all of these runs were created through a single invocation of the tool, conceptually, they should be all combined into a single run. However, I do not know enough about the tool to suggest how to do this.

aeisenberg avatar May 09 '22 21:05 aeisenberg

Thanks, I will write an issue tomorrow on their repo

Itsukan0 avatar May 09 '22 23:05 Itsukan0

Did you file an issue?

Fwiw, you can probably just hack through things like this using jq. It isn't terribly painful to have it merge objects together.

jsoref avatar Oct 09 '22 01:10 jsoref
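A worked version of the post-processing workaround (aeisenberg's option 2, the same kind of object merging jsoref suggests doing with jq), as an added example that is not code from codeql-action, msvc-code-analysis-action or anyone in this thread. It collapses all runs of a SARIF 2.1.0 log into one run, which matters because results reference rules and artifacts by index: a naive concatenation of `results` arrays would point alerts at the wrong rule or file. Rules are deduplicated by `id` and `ruleIndex` is rewritten; artifacts are deduplicated by location and `artifactLocation.index` is rewritten for each result's top-level `locations`. The tool name, rule ids and file paths in `SAMPLE_LOG` are constructed for the example; the 15-run limit is the one quoted in this thread.

```python
"""Collapse every run in a SARIF 2.1.0 log into a single run.
Added example; not part of codeql-action or msvc-code-analysis-action."""
import copy
import json
import sys

# Limit quoted in the thread: code scanning rejects uploads with more runs.
MAX_RUNS_PER_UPLOAD = 15

# Run-level keys that describe the whole log rather than one compile target,
# so they can be carried over from the first run; other per-run keys
# (invocations, etc.) are dropped because they cannot be merged sensibly.
CARRIED_RUN_KEYS = ("columnKind", "originalUriBaseIds", "automationDetails")


def exceeds_upload_limit(log):
    """True when the log has more runs than one upload accepts."""
    return len(log.get("runs", [])) > MAX_RUNS_PER_UPLOAD


def merge_sarif_runs(log):
    """Return a new SARIF log whose ``runs`` array holds exactly one run."""
    log = copy.deepcopy(log)  # never mutate the caller's object
    runs = log.get("runs", [])
    if len(runs) <= 1:
        return log

    driver_name = runs[0].get("tool", {}).get("driver", {}).get("name")
    merged_rules, rule_pos = [], {}          # rule id -> merged rule index
    merged_artifacts, artifact_pos = [], {}  # location JSON -> merged index
    merged_results = []

    for run in runs:
        driver = run.get("tool", {}).get("driver", {})
        if driver.get("name") != driver_name:
            raise ValueError(f"refusing to merge runs from different tools: "
                             f"{driver_name!r} vs {driver.get('name')!r}")

        # Map this run's rule indices onto the merged rule list
        # (the first definition of a rule id wins, later duplicates are dropped).
        rule_map = []
        for rule in driver.get("rules", []):
            if rule["id"] not in rule_pos:
                rule_pos[rule["id"]] = len(merged_rules)
                merged_rules.append(rule)
            rule_map.append(rule_pos[rule["id"]])

        # Same for artifacts, keyed on their serialised location object.
        artifact_map = []
        for artifact in run.get("artifacts", []):
            key = json.dumps(artifact.get("location", {}), sort_keys=True)
            if key not in artifact_pos:
                artifact_pos[key] = len(merged_artifacts)
                merged_artifacts.append(artifact)
            artifact_map.append(artifact_pos[key])

        # Rewrite each result's rule and artifact indices, then keep it.
        for result in run.get("results", []):
            if "ruleIndex" in result:
                result["ruleIndex"] = rule_map[result["ruleIndex"]]
            elif result.get("ruleId") in rule_pos:
                result["ruleIndex"] = rule_pos[result["ruleId"]]
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                if "index" in art:
                    art["index"] = artifact_map[art["index"]]
            merged_results.append(result)

    merged_run = {"tool": runs[0].get("tool", {}), "results": merged_results}
    merged_run["tool"].setdefault("driver", {})["rules"] = merged_rules
    if merged_artifacts:
        merged_run["artifacts"] = merged_artifacts
    for key in CARRIED_RUN_KEYS:
        if key in runs[0]:
            merged_run[key] = runs[0][key]
    log["runs"] = [merged_run]
    return log


# Constructed sample: two runs from one tool that share a rule and a file.
SAMPLE_LOG = {"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "ExampleCppAnalyzer",
                         "rules": [{"id": "C6001"}, {"id": "C4996"}]}},
     "artifacts": [{"location": {"uri": "src/a.cpp"}}],
     "results": [{"ruleId": "C6001", "ruleIndex": 0, "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/a.cpp", "index": 0}, "region": {"startLine": 10}}}]}]},
    {"tool": {"driver": {"name": "ExampleCppAnalyzer",
                         "rules": [{"id": "C4996"}, {"id": "C6385"}]}},
     "artifacts": [{"location": {"uri": "src/b.cpp"}}, {"location": {"uri": "src/a.cpp"}}],
     "results": [
         {"ruleId": "C6385", "ruleIndex": 1, "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/b.cpp", "index": 0}}}]},
         {"ruleId": "C4996", "ruleIndex": 0, "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/a.cpp", "index": 1}}}]}]}]}

if __name__ == "__main__":
    # Usage: python merge_sarif.py in.sarif out.sarif   (no args: merge the sample)
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOG
    out = open(sys.argv[2], "w") if len(sys.argv) > 2 else sys.stdout
    json.dump(merge_sarif_runs(src), out, indent=2)
```

Run it between the analysis step and `upload-sarif` in the workflow and point `sarif_file` at the merged output. Two caveats: it only remaps artifact indices in a result's top-level `locations`, so logs that use `relatedLocations` or `codeFlows` with artifact indices need the same rewrite applied there, and it refuses to merge runs from different tools because their rule indices are unrelated.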

Hello,

I did not file an issue as I fell ill while working on this and forgot. I don't think I plan on continuing this project, but for curiosity's sake, what is that jq that you mention?

Itsukan0 avatar Oct 09 '22 22:10 Itsukan0

No worries. I hope you're recovering/recovered.

https://stedolan.github.io/jq/

jsoref avatar Oct 11 '22 04:10 jsoref

sarif-multitool can be used for doing that. It has an undocumented "--merge-runs" argument.

snnn avatar Apr 30 '23 04:04 snnn