scripts/submit-finding.sh: jq error 'array + object' (exit 5) when ingesting hypatia findings #46
Summary
scripts/submit-finding.sh fails with exit code 5 when called from a
downstream repo's hypatia-scan.yml workflow after a successful scan.
The failure is a jq type error: trying to add an array to an object.
Reproduction
Any repo running hypatia-scan.yml where Hypatia returns findings.
Example run:
The scan produced a valid hypatia-findings.json (19 findings),
submit-finding.sh was invoked with the absolute path to it, and:
```text
📤 Submitting findings from hyperpolymath/airborne-submarine-squadron to gitbot-fleet...
Cloning into '/tmp/gitbot-fleet-2661'...
Switched to a new branch 'findings-submissions'
jq: error (at .../hypatia-findings.json:158): array ([{"reason":...) and object ({"submissio...) cannot be added
##[error]Process completed with exit code 5.
```
Diagnosis
The input JSON is a top-level array of finding objects (that's what
hypatia-cli.sh emits). Somewhere in submit-finding.sh there's a jq
expression like:

```sh
jq '. + {submission: {...}}' findings.json
```

`. + {...}` is well-defined only when `.` is also an object. For an
array of findings it needs to be something like:

```sh
jq '{submission: {...}, findings: .}' findings.json
```

or the submission wrapper should be applied to each finding:

```sh
jq '[.[] | . + {submission: {...}}]' findings.json
```

Impact
Every downstream repo running hypatia-scan.yml sees its workflow go
red at the submit step even when the scan itself worked and the
findings artifact uploaded fine. It's masking the actual scan result.
Workaround applied downstream
In airborne-submarine-squadron the submit step was made non-fatal:
```sh
bash "$FLEET_DIR/scripts/submit-finding.sh" "$PWD/hypatia-findings.json" || {
  echo "::warning::submit-finding.sh failed — see upstream jq bug"
}
```

Once this is fixed upstream I'll propose patching hypatia-scan.yml in
the template repo to drop the workaround.
Related: hyperpolymath/hypatia#141 (env.HOME footgun in same workflow).
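As an added, runnable example (not code from gitbot-fleet, hypatia, or the reporter), the script below runs the three jq shapes from the Diagnosis above against a constructed two-finding array: the broken `. + {...}` form (which exits 5 exactly as in the log), the whole-array wrapper, and the per-finding wrapper. It also adds a shape-aware variant that accepts either an array or a single object, which is the check a submit script should do before wrapping. The finding field names, the `repo` metadata key, and the function names are assumptions made for the example; they are not hypatia's real schema.

```shell
#!/usr/bin/env sh
# Added example: reproduce the jq 'array + object' failure and show fixes.
# Requires jq on PATH. Not part of gitbot-fleet or hypatia.
set -u

# Constructed sample of what hypatia-cli.sh emits: a top-level ARRAY of
# finding objects. Field names are illustrative only.
FINDINGS_JSON='[{"reason":"hardcoded-secret","file":"a.py","line":3},
{"reason":"weak-hash","file":"b.py","line":12}]'

# The pattern the issue diagnoses: object-add on an array input.
# Echoes jq's exit status so a caller can assert on it (5 = runtime error).
broken_wrap() {
  rc=0
  printf '%s' "$FINDINGS_JSON" \
    | jq '. + {submission: {repo: "demo"}}' >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

# Fix 1: wrap the whole array inside a submission object.
# $1 = repo name to record as submission metadata (assumed key: repo).
wrap_all() {
  printf '%s' "$FINDINGS_JSON" \
    | jq -c --arg repo "$1" '{submission: {repo: $repo}, findings: .}'
}

# Fix 2: stamp the submission metadata onto each finding instead.
wrap_each() {
  printf '%s' "$FINDINGS_JSON" \
    | jq -c --arg repo "$1" '[.[] | . + {submission: {repo: $repo}}]'
}

# Defensive variant: branch on the top-level JSON type so a single-object
# input and an array input are both handled, and anything else fails loudly
# with a readable message instead of a type error deep in the pipeline.
# $1 = repo name, $2 = JSON document to wrap.
wrap_any() {
  printf '%s' "$2" | jq -c --arg repo "$1" '
    if   type == "array"  then {submission: {repo: $repo}, findings: .}
    elif type == "object" then . + {submission: {repo: $repo}}
    else error("unexpected top-level JSON type: " + type) end'
}

# Number of findings that survive wrap_all; lets a caller verify nothing
# was dropped while restructuring.
count_findings() {
  wrap_all "$1" | jq '.findings | length'
}
```

Run as `sh example.sh` and call the functions, or source it; `wrap_any` is the form a submit script should use, since it refuses bad input with a clear error rather than letting jq's generic "cannot be added" message surface in a downstream workflow log.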