How should repo level issues be handled?
Not all issues have a uri associated with them. For example:
```json
{"ruleId":"Branch-Protection - BranchProtectionID (sscs-scorecard)","level":"error","message":{"text":"score is 5: branch protection is not maximal on development and all release branches:\nWarn: \u0026#39;last push approval\u0026#39; disabled on branch \u0026#39;main\u0026#39;\nWarn: number of required reviewers is 1 on branch \u0026#39;main\u0026#39;, while the ideal suggested is 2\nWarn: stale review dismissal disabled on branch \u0026#39;main\u0026#39;"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"","description":{"text":"Issue Found in your GitHub repository"}}
```
Is the issue that `"uri":""` was specified by Checkmarx here and should have been omitted?
With kind regards,
Giles
Hi @gilescope,
What is the exact problem you're running into/observing?
The fix we had to use to allow GitHub to accept the results was:
```yaml
- name: Filter out repo level issues that github can't handle
  run: |
    mv ./cx_result.sarif ./cx_result.sarif.orig
    jq '. | .runs[0].results |= map(select(.locations[0].physicalLocation.artifactLocation.uri != ""))' cx_result.sarif.orig > cx_result.sarif
# Upload results to github
- name: Upload SARIF file
  uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.29.2
  with:
    sarif_file: cx_result.sarif
```
`artifactLocation.uri` being `""` fails the upload. So the question is: how should a repo-level issue be represented? Should there be no uri? How is this meant to work for repo-level security issues? Obviously we shouldn't be filtering them out. And for context, the repo-level issues are related to https://github.com/ossf/scorecard (let's not go into the debate about how relevant those issues are).
(Our CI where this is run is now open source: https://github.com/midnightntwrk/midnight-node-docker/pull/29 )
This is not supported at present. Code scanning expects all alerts to be about physical locations in your code. See also: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.
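The workaround in the thread drops repo-level results with a jq one-liner before uploading to code scanning. The following is an added example, not code from the thread, from Checkmarx or from the codeql-action project. It does the same partitioning in Python but keeps the repo-level findings instead of discarding them: one SARIF log with only results that have a physical location (the part code scanning accepts, per the reply above) and a second log holding everything else, plus a one-line-per-finding summary you could print into the job summary or file as a ticket. It goes beyond the jq filter in two ways: it processes every run, not just `runs[0]`, and it treats results with no `locations` array at all as repo-level too. The sample SARIF is constructed for the example; only the first rule ID and its message text are taken from the output quoted in the question, the other rule IDs and the tool name are made up.

```python
"""Split a SARIF 2.1.0 log into code-scanning-uploadable results and repo-level results.

Added example (not from the thread). Assumes the layout seen in the Checkmarx
output quoted in the issue: repo-level results carry a physicalLocation whose
artifactLocation.uri is "" (or have no locations at all). artifactLocation.index
references into run.artifacts are not considered (assumption of this example).
"""
from __future__ import annotations

import copy
import json
import sys

# Constructed sample: the first result mirrors the scorecard finding quoted in the
# question; the other two rule IDs and the tool name are invented for the example.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "constructed-scanner"}},
            "results": [
                {
                    "ruleId": "Branch-Protection - BranchProtectionID (sscs-scorecard)",
                    "level": "error",
                    "message": {"text": "score is 5: branch protection is not maximal on development and all release branches:\nWarn: 'last push approval' disabled on branch 'main'"},
                    "locations": [{"physicalLocation": {"artifactLocation": {"uri": "", "description": {"text": "Issue Found in your GitHub repository"}}}}],
                },
                {
                    "ruleId": "CONSTRUCTED-no-locations",
                    "level": "warning",
                    "message": {"text": "constructed repo-level finding with no locations array"},
                },
                {
                    "ruleId": "CONSTRUCTED-code-finding",
                    "level": "error",
                    "message": {"text": "constructed code-level finding"},
                    "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"}, "region": {"startLine": 42}}}],
                },
            ],
        }
    ],
}


def has_physical_location(result: dict) -> bool:
    """True if at least one location points at a real artifact (non-empty uri)."""
    for loc in result.get("locations") or []:
        art = (loc.get("physicalLocation") or {}).get("artifactLocation") or {}
        uri = art.get("uri")
        if isinstance(uri, str) and uri.strip():
            return True
    return False


def split_sarif(sarif: dict) -> tuple[dict, dict]:
    """Return (uploadable, repo_level), two logs that share tool/run metadata.

    Every run is processed, and results lacking any usable location go to
    repo_level rather than being dropped.
    """
    uploadable = copy.deepcopy(sarif)
    repo_level = copy.deepcopy(sarif)
    for up_run, rl_run in zip(uploadable.get("runs", []), repo_level.get("runs", [])):
        results = up_run.get("results") or []
        up_run["results"] = [r for r in results if has_physical_location(r)]
        rl_run["results"] = [r for r in results if not has_physical_location(r)]
    return uploadable, repo_level


def summarize_repo_level(repo_level: dict) -> list[str]:
    """One 'level ruleId: first message line' entry per repo-level finding."""
    lines = []
    for run in repo_level.get("runs", []):
        for r in run.get("results", []):
            text = (r.get("message") or {}).get("text", "")
            first = (text.splitlines() or [""])[0]
            lines.append(f"{r.get('level', 'none')} {r.get('ruleId', '?')}: {first}")
    return lines


def main(argv: list[str]) -> int:
    """Usage: split_sarif.py in.sarif uploadable.sarif repo-level.sarif"""
    if len(argv) != 4:
        print(main.__doc__, file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        sarif = json.load(fh)
    uploadable, repo_level = split_sarif(sarif)
    for path, doc in ((argv[2], uploadable), (argv[3], repo_level)):
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(doc, fh, indent=2)
    for line in summarize_repo_level(repo_level):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Feed `cx_result.sarif` in, upload the first output with `upload-sarif`, and archive or summarize the second; nothing is silently lost, and the filter no longer assumes a single run or a present `locations` array.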