Merge pull request #7 from advanced-security/sarif-patching

GeekMasher · web-flow · commit a6dd57a82f6c · 2025-06-18T18:16:28.000+01:00
SARIF Patching fix
diff --git a/.release.yml b/.release.yml
@@ -1,6 +1,6 @@
 name: "codeql-extractor-action"
 repository: "advanced-security/codeql-extractor-action"
-version: 0.0.15
+version: 0.0.16
 
 ecosystems:
   - Docs
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -28,6 +28,9 @@ If you have an idea for a new feature or enhancement, please open an issue on Gi
 3. Make your changes
 4. Write tests for your changes (if applicable)
 5. Run the tests to make sure everything is working
+6. Commit your changes with a clear commit message
+7. Push your changes to your fork
+8. Open a [pull request][pr] against the `main` branch of the original repository
 
 ### Required Tools
 
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "codeql-extractor-action"
 description = "GitHub Action for CodeQL Extractors"
-version = "0.0.15"
+version = "0.0.16"
 authors = ["GeekMasher"]
 
 license = "MIT"
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ This action is designed to be used in conjunction with the [CodeQL][CodeQL] anal
 
 ```yml
 - name: "CodeQL Extractor Action"
-  uses: advanced-security/codeql-extractor-action@v0.0.15
+  uses: advanced-security/codeql-extractor-action@v0.0.16
   with:
     # Repository reference (e.g. "owner/repo", "owner/repo@ref")
     extractor: "advanced-security/codeql-extractor-iac"
@@ -50,8 +50,7 @@ A CodeQL extractor is a tool that extracts code from a repository and prepares i
 To create an extractor, you need to create a GitHub repository that contains the extractor releases as an artifact / assest in a GitHub release.
 The extractor should be a Tarball file that contains the compiled extractor and all other necessary files for the extractor to run.
 
-
-## Maintainers 
+## Maintainers
 
 <!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
 <!-- prettier-ignore-start -->
@@ -69,7 +68,7 @@ The extractor should be a Tarball file that contains the compiled extractor and
 
 ## Support
 
-Please create [GitHub Issues][github-issues] if there are bugs or feature requests.
+Please create [GitHub Issues][github-issues] or [GitHub Discussion][github-discussions] if there are bugs or feature requests.
 
 This project uses [Sematic Versioning (v2)](https://semver.org/) and with major releases, breaking changes will occur.
 
@@ -78,13 +77,11 @@ This project uses [Sematic Versioning (v2)](https://semver.org/) and with major
 This project is licensed under the terms of the MIT open source license.
 Please refer to [MIT][license] for the full terms.
 
-
 <!-- Resoucres -->
 
 [license]: ./LICENSE
 [github]: https://github.com/advanced-security/codeql-extractor-action
 [github-issues]: https://github.com/advanced-security/codeql-extractor-action/issues
 [github-actions]: https://github.com/advanced-security/codeql-extractor-action/actions
 [github-discussions]: https://github.com/advanced-security/codeql-extractor-action/discussions
-
 [CodeQL]: https://codeql.github.com/
diff --git a/action.Dockerfile b/action.Dockerfile
@@ -1,3 +1,3 @@
-FROM ghcr.io/advanced-security/codeql-extractor-action:v0.0.15
+FROM ghcr.io/advanced-security/codeql-extractor-action:v0.0.16
 
 ENTRYPOINT [ "codeql-extractor-action" ]
diff --git a/src/extractors.rs b/src/extractors.rs
@@ -149,6 +149,38 @@ pub async fn fetch_extractor(
     Ok(extractor_pack)
 }
 
+/// Update the SARIF file with the extractor information (CodeQL ${language})
+///
+///  Update only the `runs.0.tool.driver` section of the SARIF file
+pub fn update_sarif(path: &PathBuf, extractor: String) -> Result<()> {
+    let sarif_content =
+        std::fs::read_to_string(path).context(format!("Failed to read SARIF file: {:?}", path))?;
+    let mut sarif_json: serde_json::Value = serde_json::from_str(&sarif_content)
+        .context(format!("Failed to parse SARIF file: {:?}", path))?;
+
+    log::debug!("SARIF JSON :: {sarif_json:#?}");
+    if let Some(tool) = sarif_json
+        .get_mut("runs")
+        .and_then(|runs| runs.get_mut(0))
+        .and_then(|run| run.get_mut("tool"))
+    {
+        if let Some(driver) = tool.get_mut("driver") {
+            driver["name"] = serde_json::Value::String(format!("CodeQL - {}", extractor));
+            log::info!("Updated SARIF file with extractor: {extractor}");
+        } else {
+            log::warn!("No 'driver' field found in SARIF file");
+        }
+    } else {
+        log::warn!("No 'runs' or 'tool' field found in SARIF file");
+    }
+
+    let data = serde_json::to_string(&sarif_json)
+        .context(format!("Failed to serialize SARIF JSON: {:?}", path))?;
+    // Write the updated SARIF back to the file
+    std::fs::write(path, data).context(format!("Failed to write SARIF file: {:?}", path))?;
+    Ok(())
+}
+
 /// Update the permissions for tool scripts (*.sh) and the extractor (extractor)
 fn update_tools_permisisons(path: &PathBuf) -> Result<()> {
     let tools_path = path.join("tools");
diff --git a/src/main.rs b/src/main.rs
@@ -1,8 +1,8 @@
 use anyhow::{Context, Result};
 use ghactions::{ActionTrait, group, groupend};
 use ghactions_core::RepositoryReference;
+use ghastoolkit::codeql::database::queries::CodeQLQueries;
 use ghastoolkit::prelude::*;
-use ghastoolkit::{Sarif, codeql::database::queries::CodeQLQueries};
 use log::{debug, info};
 
 mod action;
@@ -189,24 +189,8 @@ async fn main() -> Result<()> {
 
         log::info!("Post-processing SARIF results");
 
-        match Sarif::try_from(sarif_path.clone()) {
-            Ok(mut sarif) => {
-                log::info!("Updating SARIF tool name for language: {language}");
-                sarif.runs.iter_mut().for_each(|run| {
-                    run.tool.driver.name = format!("CodeQL - {language}");
-                });
-
-                log::debug!("Writing SARIF file to {sarif_path:?}");
-                if let Err(e) = std::fs::write(&sarif_path, serde_json::to_string(&sarif)?) {
-                    log::error!("Failed to write SARIF file: {e}");
-                } else {
-                    log::info!("SARIF file written successfully: {sarif_path:?}");
-                }
-            }
-            Err(e) => {
-                log::error!("Failed to read and parse SARIF file: {e}");
-            }
-        }
+        extractors::update_sarif(&sarif_path, extractor.display_name.clone())
+            .context("Failed to update SARIF file with extractor information")?;
 
         // Reload the database to get analysis info
         database.reload()?;

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`		`-FROM ghcr.io/advanced-security/codeql-extractor-action:v0.0.15`
	`1`	`+FROM ghcr.io/advanced-security/codeql-extractor-action:v0.0.16`
`2`	`2`
`3`	`3`	`ENTRYPOINT [ "codeql-extractor-action" ]`