Unable to upload SARIF file

[aetos382]

When I attempted to upload a sarif file using the upload-sarif@v1 action, I encountered the following error.

Unable to upload "/home/runner/work/path-to.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.language does not match pattern "^[a-zA-Z]{2}|^[a-zA-Z]{2}-[a-zA-Z]{2}]?$"

The language property of my sarif file is ja-JP, which is a valid form of language tag, but it did not match the regular expression pattern described above.

I think the regular expression pattern for this schema is a mistake.

codeql-action/src/sarif_v2.1.0_schema.json

Line 2342 in cfec2bb

"pattern": "^[a-zA-Z]{2}|^[a-zA-Z]{2}-[a-zA-Z]{2}]?$"

I think this schema is coming from https://github.com/oasis-tcs/sarif-spec .
So, I'm submitting an issue to that repository as well.
oasis-tcs/sarif-spec#488

[aeisenberg]

Yes, that does seem suspicious. For now, can you change the language property to ja? I will investigate further.

[aeisenberg]

Apologies for not following up until now. I think the pattern we would want to use is this: ^[a-zA-Z]{2}(-[a-zA-Z]{2})?$.

@lcartey, does this look right to you?

[aetos382]

@aeisenberg

For now, can you change the language property to ja?

My sarif file was generated by the C# compiler, so I can't change the language tag.

I have now disabled this action in my workflow, as it was not important for my project to use the compiler generated sarif file.

I think the pattern we would want to use is this: ^[a-zA-Z]{2}(-[a-zA-Z]{2})?$

Yes. I also think that pattern is correct.

[stephenfuqua]

Still getting this error with release 2.9.4. My situation is also using a sarif file generated by the package Microsoft.CodeAnalysis in a .NET project. Example build failure. Locally I see that the sarif file has "en-US" for the language. I will continue to investigate as time is available, to see if I can find a workaround on my side or find and report on the root cause.

[aeisenberg]

Hmmmm...The regex ^[a-zA-Z]{2}(-[a-zA-Z]{2})?$ does match en-US. Is it possible that instance.runs[0].tool.driver.language the value at is actually something different? Or possibly that the sarif generated on Actions is different from the one generated locally?

The sarif file being uploaded is src/EdFi.AnalyticsMiddleTier.Console/results.sarif. Any chance you can grab that and send it over to me?

[stephenfuqua]

Tomorrow I can try to upload the artifact in the repo so that we can see the actual file generated in GitHub, and I may be able to spend a few minutes digging in further with the codeql code. Here's a locally-generated file:

{
  "$schema": "http://json.schemastore.org/sarif-2.1.0",
  "version": "2.1.0",
  "runs": [
    {
      "results": [
      ],
      "tool": {
        "driver": {
          "name": "Microsoft (R) Visual C# Compiler",
          "version": "4.2.0-4.22220.5 (432d17a8)",
          "dottedQuadFileVersion": "4.2.0.0",
          "semanticVersion": "4.2.0",
          "language": "en-US"
        }
      },
      "columnKind": "utf16CodeUnits"
    }
  ]
}

[stephenfuqua]

How interesting: the exact same dotnet application produces a sarif file with this, when run on GitHub Actions:

"language": "",

Which is obviously problematic. I will look into that further on the .NET side and submit a ticket in the proper .NET repository if needed. For the upload process, clearly there is a workaround: open the file and inject a valid language into it! And then 🤞 hopefully nothing else turns up.

[niederee]

I worked around it by replacing the value prior to upload

https://stackoverflow.com/questions/76568966/create-sarif-file-to-be-uploaded-to-from-dotnet-build-to-be-loaded-to-github-usi/76568967#76568967

[aetos382]

@stephenfuqua @niederee
Roslyn no longer outputs empty language property.
dotnet/roslyn#68745

You can also specify a <PreferredUILang> property to specify the language property values explicitly.