
Violation of SARIF specification par. 3.27.12. #2459

Description

@vivaat

Summary

github/codeql-action/upload-sarif violates SARIF specification par. 3.27.12.

Details

According to SARIF specification par. 3.27.12, a result object SHOULD contain a property named locations whose value is an array of zero or more location objects. At the same time, running the github/codeql-action/upload-sarif@v3 action on a SARIF report that contains a result object with an empty locations property fails with the error Code Scanning could not process the submitted SARIF file: locationFromSarifResult: expected at least one location.

PoC

A report with a result object whose locations property is an empty list:

{
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "PVS-Studio",
          "semanticVersion": "7.32.0.1",
          "informationUri": "https://pvs-studio.com",
          "rules": [
            {
              "id": "V010",
              "name": "RuleV010",
              "help": {
                "text": "https://pvs-studio.com/en/docs/warnings/v010/"
              },
              "helpUri": "https://pvs-studio.com/en/docs/warnings/v010/"
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "V010",
          "message": {
            "text": "Analysis of 'Utility' type projects is not supported in this tool. Use direct analyzer integration or compiler monitoring instead."
          },
          "level": "error",
          "locations": []
        }
      ]
    }
  ]
}
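A pre-upload check and workaround for the situation the issue describes, added here as an example; it is not code from github/codeql-action or from PVS-Studio. It walks every run's results, reports the ones with a missing or empty locations array, and returns a copy in which each such result is either dropped or given a fallback physicalLocation. The sample SARIF is constructed for the example (results sit on the run object, where the SARIF 2.1.0 schema places them), and the fallback path README.md is an assumption; pick a file that exists in the repository being scanned.

```python
"""Find and neutralise SARIF results with zero locations before upload-sarif.

Added example, not part of github/codeql-action or PVS-Studio. Assumes the
behaviour quoted in the issue: Code Scanning rejects any result whose
`locations` array is empty. The fallback URI used below is an assumption.
"""
import copy
import json
import sys

# Constructed sample in the shape of the issue's PoC: one result with an empty
# locations array (rejected by Code Scanning) and one normal file-level result.
SAMPLE_SARIF = json.loads(r"""
{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {"driver": {"name": "PVS-Studio", "rules": [{"id": "V010"}, {"id": "V501"}]}},
      "results": [
        {"ruleId": "V010", "level": "error",
         "message": {"text": "Analysis of 'Utility' type projects is not supported."},
         "locations": []},
        {"ruleId": "V501", "level": "warning",
         "message": {"text": "Identical sub-expressions on both sides of '=='."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/main.c"},
             "region": {"startLine": 42}}}]}
      ]
    }
  ]
}
""")


def find_locationless_results(sarif):
    """Return (run_index, result_index, ruleId) for every result with no locations.

    A missing `locations` property is treated the same as an empty array, since
    both leave Code Scanning with nothing to attach the finding to.
    """
    found = []
    for run_idx, run in enumerate(sarif.get("runs", [])):
        for res_idx, result in enumerate(run.get("results", [])):
            if not result.get("locations"):
                found.append((run_idx, res_idx, result.get("ruleId")))
    return found


def sanitize(sarif, mode="drop", fallback_uri="README.md"):
    """Return (sanitized_copy, dropped) where every surviving result has a location.

    mode="drop":     remove locationless results; they are listed in `dropped`
                     so a workflow step can still surface them in its log.
    mode="fallback": keep them, attaching a physicalLocation that points at
                     `fallback_uri` (assumed repo-relative path) at line 1, so
                     the project-wide diagnostic still appears in Code Scanning.
    The input object is left untouched.
    """
    out = copy.deepcopy(sarif)
    dropped = []
    for run_idx, run in enumerate(out.get("runs", [])):
        kept = []
        for res_idx, result in enumerate(run.get("results", [])):
            if result.get("locations"):
                kept.append(result)
            elif mode == "drop":
                dropped.append((run_idx, res_idx, result.get("ruleId")))
            elif mode == "fallback":
                result["locations"] = [{
                    "physicalLocation": {
                        "artifactLocation": {"uri": fallback_uri},
                        "region": {"startLine": 1},
                    }
                }]
                kept.append(result)
            else:
                raise ValueError(f"unknown mode {mode!r}")
        run["results"] = kept
    return out, dropped


if __name__ == "__main__":
    # Usage: python fix_sarif.py report.sarif [drop|fallback] > fixed.sarif
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    chosen_mode = sys.argv[2] if len(sys.argv) > 2 else "fallback"
    for run_idx, res_idx, rule in find_locationless_results(src):
        print(f"run {run_idx} result {res_idx} ({rule}): no locations", file=sys.stderr)
    fixed, dropped = sanitize(src, mode=chosen_mode)
    for run_idx, res_idx, rule in dropped:
        print(f"dropped run {run_idx} result {res_idx} ({rule})", file=sys.stderr)
    json.dump(fixed, sys.stdout, indent=2)
```

Run it as a workflow step between the analyzer and upload-sarif, writing the output to the path that upload-sarif reads. The fallback mode is preferable to drop mode for diagnostics like the V010 message above, because dropping it hides the fact that the project was not actually analyzed; the tool-side alternative is to emit such project-wide notices as toolExecutionNotifications on the invocation object instead of as results, which keeps the report spec-conformant without giving the notice a file location it does not have.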
