danmar · danmar · Jul 14, 2025 · Jul 14, 2025
diff --git a/.github/workflows/selfcheck.yml b/.github/workflows/selfcheck.yml
@@ -187,38 +187,3 @@ jobs:
         with:
           name: Callgrind Output
           path: ./callgrind.*
-
-  build_sarif_github:
-    # Perform selfcheck and upload results to github using sarif format
-    # Results are shown here: https://github.com/danmar/cppcheck/security/code-scanning
-
-    strategy:
-      fail-fast: false # Prefer quick result
-
-    runs-on: ubuntu-24.04
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Build Cppcheck
-        run: |
-          make CXXFLAGS=-O2 MATCOMPILER=yes -j$(nproc)
-
-      - name: Run Cppcheck
-        run: |
-          ./cppcheck -D__CPPCHECK__ -D__GNUC__ -DCHECK_INTERNAL -DHAVE_RULES --std=c++11 --library=cppcheck-lib --library=qt --enable=style --inconclusive --inline-suppr cli frontend gui/*.cpp lib --output-format=sarif 2> results.sarif
-
-      - name: Results
-        run: |
-          cat results.sarif
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: results
-          path: results.sarif
-
-      - uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif
diff --git a/cli/cppcheckexecutor.cpp b/cli/cppcheckexecutor.cpp
@@ -115,8 +115,7 @@ namespace {
                     //else if (finding.severity == Severity::warning)
                     //    securitySeverity = 5.1; // We see potential undefined behavior
                     if (securitySeverity > 0.5) {
-                        // skipped: "security-severity" caused error when uploading to github
-                        // properties["security-severity"] = picojson::value(securitySeverity);
+                        properties["security-severity"] = picojson::value(securitySeverity);
                         const picojson::array tags{picojson::value("security")};
                         properties["tags"] = picojson::value(tags);
                     }
@@ -140,8 +139,8 @@ namespace {
                 artifactLocation["uri"] = picojson::value(location.getfile(false));
                 physicalLocation["artifactLocation"] = picojson::value(artifactLocation);
                 picojson::object region;
-                region["startLine"] = picojson::value(static_cast<int64_t>(location.line < 1 ? 1 : location.line));
-                region["startColumn"] = picojson::value(static_cast<int64_t>(location.column < 1 ? 1 : location.column));
+                region["startLine"] = picojson::value(static_cast<int64_t>(location.line));
+                region["startColumn"] = picojson::value(static_cast<int64_t>(location.column));
                 region["endLine"] = region["startLine"];
                 region["endColumn"] = region["startColumn"];
                 physicalLocation["region"] = picojson::value(region);

diff --git a/test/cli/helloworld_test.py b/test/cli/helloworld_test.py
@@ -373,8 +373,7 @@ def test_sarif():
     assert res['runs'][0]['results'][0]['ruleId'] == 'zerodiv'
     assert res['runs'][0]['tool']['driver']['rules'][0]['id'] == 'zerodiv'
     assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['precision'] == 'high'
-    # github does not seem to handle "security-severity" well so it's not added
-    #assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['security-severity'] > 9.5
+    assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['security-severity'] > 9.5
     assert 'security' in res['runs'][0]['tool']['driver']['rules'][0]['properties']['tags']
     assert re.match(r'[0-9]+(.[0-9]+)+', res['runs'][0]['tool']['driver']['semanticVersion'])
     assert 'level' in res['runs'][0]['tool']['driver']['rules'][0]['defaultConfiguration'] # #13885