SARIF SAST Scans Tab not showing scan results #25

Open
nsid123 opened this issue Nov 1, 2023 · 13 comments · Fixed by #26
Labels
bug Something isn't working

Comments

@nsid123

nsid123 commented Nov 1, 2023

Hi, I added the Microsoft Security DevOps task and installed SARIF SAST Scans Tab. I can see the artifacts that are getting generated with the extension msdo.sarif, but I am not seeing any output in the Scans tab. It shows a blank page. Could you please help us with this?

@eli-gc

eli-gc commented Nov 22, 2023

Having this exact issue as well.

@tmanor2604

Hi! I also have the same issue. Though the .sarif report is available under CodeAnalysisLogs, the 'Scans' tab displays a blank page.

@Interface007

I have the same issue - I've checked that my msdo.sarif is a 5KB JSON file with 4 "message" nodes. In my case, the issue seems to be that there are only two empty result nodes (`"results": [],`). In this case, the tab looks like nothing has been scanned, while the result communicated by Microsoft Security DevOps was: "I have scanned with two tools, but there was no finding." - which is a completely different message than "No results found".

So, for clarity, it may be a good option to indicate on the tab that a scan has been done and which tools reported "No results".

@50Wliu
Member

50Wliu commented Dec 29, 2023

@nsid123, @tmanor2604 - are your scans also coming up with 0 results?

@50Wliu 50Wliu added the bug Something isn't working label Dec 29, 2023
@50Wliu
Member

50Wliu commented Dec 29, 2023

Also, to make sure we're talking about the same thing when we say "a blank page", screenshots would be helpful!

@50Wliu
Member

50Wliu commented Dec 29, 2023

Proposed change for when scans run without returning any results:
Success message showing "No results found after running 1 scan"
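
An added example (not code from the extension or from anyone in this thread) of the distinction raised in the two comments above: it classifies a SARIF log so that runs with empty `results` arrays are reported as a clean scan, using the message wording proposed above. The helper name `summarizeSarif`, the state names and the sample tool names are assumptions.

```javascript
// Constructed sample shaped like the log described in the thread: two runs,
// both with empty result arrays. Tool names are placeholders.
const sampleLog = JSON.stringify({
  version: "2.1.0",
  runs: [
    { tool: { driver: { name: "tool-a" } }, results: [] },
    { tool: { driver: { name: "tool-b" } }, results: [] },
  ],
});

// Hypothetical helper: classify a SARIF log as invalid, no-scans, incomplete,
// clean (scanned, nothing found) or findings.
function summarizeSarif(text) {
  let log;
  try {
    log = JSON.parse(text);
  } catch {
    return { state: "invalid", message: "Not valid JSON", tools: [] };
  }
  if (!log || !Array.isArray(log.runs)) {
    return { state: "invalid", message: "No runs array in log", tools: [] };
  }
  if (log.runs.length === 0) {
    return { state: "no-scans", message: "No scans were recorded", tools: [] };
  }
  const tools = log.runs.map((run) => {
    const name = run?.tool?.driver?.name ?? "(unnamed tool)";
    // Assumption: a run without a results array did not report results.
    const reported = Array.isArray(run?.results);
    return { name, reported, count: reported ? run.results.length : 0 };
  });
  const scans = `${tools.length} ${tools.length === 1 ? "scan" : "scans"}`;
  const missing = tools.filter((t) => !t.reported).map((t) => t.name);
  if (missing.length > 0) {
    return { state: "incomplete", message: `No result list from: ${missing.join(", ")}`, tools };
  }
  const total = tools.reduce((sum, t) => sum + t.count, 0);
  if (total === 0) {
    const names = tools.map((t) => t.name).join(", ");
    return { state: "clean", message: `No results found after running ${scans} (${names})`, tools };
  }
  return { state: "findings", message: `${total} result(s) from ${scans}`, tools };
}

console.log(summarizeSarif(sampleLog).message);
```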

@jH-

jH- commented Jan 4, 2024

Experiencing this issue in my org's DevOps. Artifacts are generated in the correct location, but the Scans tab is empty (despite results after scanning).

image

No related errors observed in devtools when inspecting the page.
The request you asked to check in the other issue thread (#24) does contain the CodeAnalysisLogs item, type: Container.
I also went back and checked some retained pipeline runs from July/August; there the Scans tab still displays the results.

I haven't been able to pinpoint a change after this that could cause this issue, or that seems in any way related.

@50Wliu
Member

50Wliu commented Jan 4, 2024

Thanks @jH-. Do those logs also contain results? Or do they come back "clean" (i.e. successfully scanned, but no results to report)?

@jH-

jH- commented Jan 5, 2024

@50Wliu They contain results.

@tmanor2604

tmanor2604 commented Jan 29, 2024

> @nsid123, @tmanor2604 - are your scans also coming up with 0 results?

After I moved the SARIF results to the root level of CodeAnalysisLogs, I can view results for a static code analysis tool called Coverity, but not from another tool called Astree.

@vdkrobby7

vdkrobby7 commented Feb 15, 2024

I have the same issue when using a .gdnconfig file for scanning a particular directory.

When I use the generic 'MicrosoftSecurityDevOps@1' task, I do get all the scans in both the Scans tab and the msdo.sarif file.

Working yaml config:

```yaml
pool:
  vmImage: 'windows-latest'
trigger:
  branches:
    include:
      - feature/*
steps:
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps'
    inputs:
      categories: 'IaC'
```

Results :

image

image

Not working YAML & gdnconfig config:

```yaml
trigger: none
pool:
  vmImage: 'windows-latest'
steps:
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps'
    inputs:
      tools: 'TemplateAnalyzer'
      config: pipelines/test-devsecops.gdnconfig
      categories: 'IaC'
```

gdnconfig file:
image

Results

image

image

Small remark: it does see that there is an error but does not mark it in red like the task above does.

Is there anything else that needs to be configured somewhere?

@50Wliu
Member

50Wliu commented Feb 29, 2024

Reopening because it seems like there's another issue here that needs fixing.

@50Wliu 50Wliu reopened this Feb 29, 2024
@Daholli

Daholli commented Apr 11, 2024

I also seem to have issues getting this to display.

image

image

Not sure what I am doing wrong.

This might have to do with the file ending that is being appended on Windows machines, but they are still valid SARIF files.


8 participants