
Rule tags in SARIF file exceed limits #18193

Open
@stephenegriffin


Originally reported here. I thought I had fixed it by deleting all previous scans and isolating codeql to its own action, but it's come back in multiple repos

Question

I'm working on MAPIStubLibrary. On my security tab, I've got a warning:
Code scanning: one or more analysis tools are reporting problems CodeQL is reporting warnings. Check the [status page](https://github.com/microsoft/MAPIStubLibrary/security/code-scanning/tools/CodeQL/status/configurations/api/74a8c85dff2dda02661ba4c491e7edc7db4d2491e021ce53e5df7e05ec472af1) for help.

When I follow that link, I see this:
Rule tags in SARIF file exceed limits The rule SM01718 in an uploaded SARIF file had 11 tags which is more than our limit of 10. Only 10 tags were stored for that rule, the additional ones were ignored.

You can edit the @tags metadata property of your query and remove some tags.

[Learn more about CodeQL query metadata](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/). [Learn more about limits in SARIF uploads](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#validating-your-sarif-file).

But there are no details about what SARIF file caused this problem, or how I could go about locating this file. I can't even identify which action is supposed to have generated this broken file.

As far as I'm aware, actions generate SARIF files, but they "upload" them to some nebulous location on GitHub where no one can actually view them. I've never actually seen a SARIF file myself. I tried configuring an action to upload SARIF files to artifacts but got a file sharing violation. The documentation on SARIF result limits does list this warning but has no prescriptive guidance on dealing with it.

So - what am I actually supposed to do about this warning? How do I determine which action is triggering it? Is there some way to see the SARIF files we're generating in our actions so we can try to analyze why they may be triggering the warning?

Screenshot of the warning: (image not reproduced here)
When I click on last scan it just takes me to a commit. Under the ... I have an option to "Download list of rules used" which gives me a file that looks like this:

```
Configuration,Rule Source,Sarif Identifier,Alerts
"",CodeQL (2.19.2),SM01718,0
"",CodeQL (2.19.2),SM01733,0
"",CodeQL (2.19.2),SM01921,0
"",CodeQL (2.19.2),SM01922,0
"",CodeQL (2.19.2),SM01923,0
...
```
I can't find SM01718 anywhere else on the internet, except it's also the same rule being reported for MFCMAPI
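The warning quoted above names the rule and the 10-tag limit but not the file. Once a SARIF file is available on disk, the check below finds every rule whose `properties.tags` array exceeds that limit, so the offending rule can be traced back to the analyzer that emitted it. This is an added example, not code from the issue, CodeQL or GitHub; the embedded SARIF document is constructed, with the rule id SM01718 and the 11-tag count taken from the warning text, and the check also walks `tool.extensions` (where SARIF lets a producer list rules from add-on packs), not only `tool.driver`.

```python
"""Find SARIF rules whose tag count exceeds code scanning's limit (10 per rule)."""
import json

TAG_LIMIT = 10  # the per-rule limit quoted in the code-scanning warning

# Constructed minimal SARIF 2.1.0 document standing in for an uploaded scan;
# only the fields this check reads are populated.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "CodeQL", "semanticVersion": "2.19.2",
            "rules": [
                {"id": "SM01718",  # 11 tags, one over the limit
                 "properties": {"tags": [f"tag{i}" for i in range(11)]}},
                {"id": "SM01733",  # within the limit
                 "properties": {"tags": ["security", "maintainability"]}},
            ],
        }},
        "results": [],
    }],
})


def iter_rules(sarif):
    """Yield (component name, rule) for rules in the driver and any extensions."""
    for run in sarif.get("runs", []):
        tool = run.get("tool", {})
        components = [tool.get("driver", {})] + tool.get("extensions", [])
        for comp in components:
            for rule in comp.get("rules", []):
                yield comp.get("name", "?"), rule


def rules_over_tag_limit(sarif_text, limit=TAG_LIMIT):
    """Return [(component, rule id, tag count)] for rules with more than `limit` tags."""
    sarif = json.loads(sarif_text)
    offenders = []
    for comp, rule in iter_rules(sarif):
        tags = rule.get("properties", {}).get("tags", [])
        if len(tags) > limit:
            offenders.append((comp, rule.get("id", "?"), len(tags)))
    return offenders


if __name__ == "__main__":
    import sys
    # Pass a path to a real SARIF file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    for comp, rule_id, n in rules_over_tag_limit(text):
        print(f"{comp}: rule {rule_id} has {n} tags (limit {TAG_LIMIT})")
```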
