codeql-action

"Analysis processing failed"

Open h3xstream opened this issue 3 years ago • 5 comments

When we see "Analysis processing failed", where should we look to investigate what failed?


The output of the CodeQL action is saying

Processing sarif files: ["reports/test.sarif"]
Uploading results
Successfully uploaded results

h3xstream avatar Jul 29 '21 17:07 h3xstream

Normally, there should be a failing code scanning workflow run in the Actions tab of your repository. The fact that the latest scan has a duration of 1s, implies to me that the workflow didn't really run at all (or at least it was aborted shortly after starting).

Can you locate which run this was? And add the logs?

If this repo is public, can you share the link?

aeisenberg avatar Jul 29 '21 18:07 aeisenberg

Hi, this is the workflow: https://github.com/h3xstream/sarif-samples/actions/workflows/upload-me.yml

h3xstream avatar Jul 29 '21 19:07 h3xstream

Thanks for the information. I've forwarded this on to the code scanning team and someone should follow up.

aeisenberg avatar Jul 29 '21 23:07 aeisenberg

:wave: @h3xstream We have a few additional expectations from the SARIF file that are stricter than what the standard requires. These are meant to provide a reasonable UI experience. One of those is that each result should have a message. The file you uploaded does not include these values.

You can see the full explanation at: https://docs.github.com/en/code-security/secure-coding/integrating-with-code-scanning/sarif-support-for-code-scanning#result-object

To further debug this type of problem, you can use the Code Scanning API endpoint to list analyses. These errors are reported under the error property: https://docs.github.com/en/rest/reference/code-scanning#list-code-scanning-analyses-for-a-repository

Hope this helps!

marcogario avatar Jul 30 '21 09:07 marcogario

So, I'm looking at

  • https://github.com/jsoref/examples-testing/actions/runs/3454140264
  • https://github.com/jsoref/examples-testing/security/code-scanning?query=is:open+pr:25 -- has an "Analysis processing failed".
  • https://github.com/jsoref/examples-testing/actions -- There is nothing in the /actions list directly relating to analysis processing...

Thoughts:

  1. If at all possible, the Analysis processing failed should be a link to something. Preferably to a report showing the specific complaint(s). Alternatively, to a page explaining how to debug a failure.
  2. I was hoping there'd be some way for me to do what I'm trying to do here, but, so far, I haven't found one...
  3. It isn't obvious why the error message appears to be doubled.
  4. If the errors thing should be an array, perhaps it should be reformulated as such?
  5. If you're going to merge items into a human readable message in errors, please include whitespace between entries.
  6. If an error can be sufficiently ambiguous, why not include the actual value you dislike instead of just the parsed portion?
  7. I guess that results_count and rules_count aren't populated unless the sarif parser is entirely happy, ...
  8. To make my life easier (and to enable one to pull the sarif file into other tools, e.g. VSCode), the action generates a sarif artifact, so people can retrieve it and review manually.
code-scanning/analyses/51044536

gh api /repos/jsoref/examples-testing/code-scanning/analyses/51044536:

{
  "analysis_key": ".github/workflows/spelling.yml:spelling",
  "category": "check-spelling",
  "commit_sha": "1903e85d65371f1fb587e60e92fddf822e81a55c",
  "created_at": "2022-11-13T06:26:40Z",
  "deletable": false,
  "environment": "{}",
  "error": "SARIF URI scheme \"https\" did not match the checkout URI scheme \"file\",SARIF URI scheme \"https\" did not match the checkout URI scheme \"file\",",
  "id": 51044536,
  "ref": "refs/pull/25/merge",
  "results_count": 0,
  "rules_count": 0,
  "sarif_id": "21e893e4-631c-11ed-88e3-9a1618496759",
  "tool": {
    "guid": null,
    "name": "check-spelling",
    "version": "0.0.20"
  },
  "url": "https://api.github.com/repos/jsoref/examples-testing/code-scanning/analyses/51044536",
  "warning": ""
}
The relevant sarif items appear to be:

[
...
        {
          "ruleId": "unrecognized-spelling",
          "ruleIndex": 0,
          "message": {
            "text": "[haddd](#security-tab) is not a recognized word. \\(unrecognized-spelling\\)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "https://github.com/jsoref/examples-testing/pull/25#",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 6,
                  "endColumn": 11
                }
              }
            }
          ]
        },
...
        {
          "ruleId": "unrecognized-spelling",
          "ruleIndex": 0,
          "message": {
            "text": "[fleeze](#security-tab) is not a recognized word. \\(unrecognized-spelling\\)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "https://github.com/jsoref/examples-testing/pull/25#",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endColumn": 11
                }
              }
            }
          ]
        },
...
]

jsoref avatar Nov 13 '22 07:11 jsoref
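A pre-upload check that covers both rejections discussed in this thread, the missing result message marcogario describes and the `%SRCROOT%` URI scheme mismatch in jsoref's analysis record. This is an added example, not code from codeql-action or from GitHub's SARIF processing; the sample SARIF is constructed from the fragments quoted above.

```python
"""Pre-upload checks for the two code-scanning rejections seen in this thread:
a result with no message.text, and an artifactLocation.uri carrying a URL scheme
under uriBaseId %SRCROOT%. Constructed example, not codeql-action code."""
import json
from urllib.parse import urlsplit

# Constructed SARIF modelled on the check-spelling output quoted above: result 0
# has no message, result 1 uses an absolute https URI with uriBaseId %SRCROOT%.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "check-spelling",
                            "rules": [{"id": "unrecognized-spelling"}]}},
        "results": [
            {"ruleId": "unrecognized-spelling", "ruleIndex": 0,
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "README.md", "uriBaseId": "%SRCROOT%"}}}]},
            {"ruleId": "unrecognized-spelling", "ruleIndex": 0,
             "message": {"text": "[fleeze](#security-tab) is not a recognized word."},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "https://github.com/jsoref/examples-testing/pull/25#",
                 "uriBaseId": "%SRCROOT%"}}}]},
        ],
    }],
})


def check_sarif(text: str) -> list[str]:
    """Return one finding per problem code scanning would reject; [] if clean."""
    findings = []
    for run_no, run in enumerate(json.loads(text).get("runs", [])):
        for idx, result in enumerate(run.get("results", [])):
            where = f"runs[{run_no}].results[{idx}]"
            # GitHub requires message.text on every result, stricter than SARIF 2.1.0.
            if not result.get("message", {}).get("text"):
                findings.append(f"{where}: result has no message.text")
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                uri = art.get("uri", "")
                scheme = urlsplit(uri).scheme
                # Under %SRCROOT% the uri must be a repo-relative path; a scheme such
                # as https cannot match the "file" scheme of the workflow checkout.
                if art.get("uriBaseId") == "%SRCROOT%" and scheme:
                    findings.append(f"{where}: uri {uri!r} has scheme {scheme!r}; "
                                    "expected a path relative to the checkout")
    return findings


if __name__ == "__main__":
    for line in check_sarif(SAMPLE_SARIF) or ["SARIF passes the pre-upload checks"]:
        print(line)
```

Running it before the upload step fails the job with a pointer to the offending result, instead of a bare "Analysis processing failed" in the Security tab.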