
Invalid SARIF format reported by CodeQL upload-sarif #1224

Closed
komish opened this issue Sep 17, 2024 · 4 comments · Fixed by #1226
Comments

@komish

komish commented Sep 17, 2024

Summary

I have the same issue outlined here: #1220. I've been searching through all the referenced issues and must be missing the conclusion at which I should arrive. My apologies if it's something obvious.

This was closed with references to issues that don't seem to actually describe a fix other than "it's working". Rolling back to a previous version of gosec seems to be the only path that works for me, as I've tested the latest version of the action, as well as manually installing gosec binaries at both the latest release and the master branch with no change. They all produce the issue.

I do not use the securego/gosec action, I just tried it to see if it's working (didn't seem to work for me).

In my GitHub actions, I install the gosec tool directly from this repository. I've also replicated this locally (as in, I've installed various versions of gosec and generated my SARIF, then I ran the codeql/upload-sarif Validation logic locally).

It's unclear whether the schema definition that's been added to gosec needs to be used by the codeql repositories and we need to chase this down there, or if there's an issue with the file that's used here.

Any guidance is much appreciated.

Steps to reproduce the behavior

gosec version

master @ 3004932
2.21.2

Go version (output of 'go version')

1.22.6

Operating system / Environment

N/A

Expected behavior

I expect the generated SARIF to be considered valid by the codeql/upload-sarif logic

Actual behavior

It's not considered valid.
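The reporter describes generating SARIF with gosec and then running the codeql/upload-sarif validation locally. The following is an added example, not code from gosec, from the codeql action or from the reporter: a small Go program that performs a first-pass structural check of a SARIF 2.1.0 log (top-level `version`, at least one run, `tool.driver.name`, `message.text` on each result, `level` drawn from the SARIF enum, `artifactLocation.uri` on each location, and `ruleId` values matching the declared `tool.driver.rules`). It is not the JSON Schema validation that upload-sarif performs, so a file that passes here can still be rejected there; it is meant to localise the common breakages quickly. The two embedded SARIF documents are constructed samples, and the rule identifiers and schema URL in them are illustrative assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal structural model of a SARIF 2.1.0 log: only the fields this check
// reads. encoding/json ignores everything else, so real gosec output with
// many more properties still parses.
type sarifLog struct {
	Schema  string     `json:"$schema"`
	Version string     `json:"version"`
	Runs    []sarifRun `json:"runs"`
}

type sarifRun struct {
	Tool struct {
		Driver struct {
			Name  string `json:"name"`
			Rules []struct {
				ID string `json:"id"`
			} `json:"rules"`
		} `json:"driver"`
	} `json:"tool"`
	Results []sarifResult `json:"results"`
}

type sarifResult struct {
	RuleID  string `json:"ruleId"`
	Level   string `json:"level"`
	Message struct {
		Text string `json:"text"`
	} `json:"message"`
	Locations []struct {
		PhysicalLocation struct {
			ArtifactLocation struct {
				URI string `json:"uri"`
			} `json:"artifactLocation"`
		} `json:"physicalLocation"`
	} `json:"locations"`
}

// ValidateSARIF parses data and returns the structural problems it finds.
// An empty slice means every check passed; it is a pre-flight check, not a
// replacement for validating against the SARIF 2.1.0 JSON Schema.
// Note: the SARIF spec allows message.id instead of message.text; this
// check deliberately insists on text because that is what scanners emit.
func ValidateSARIF(data []byte) []string {
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return []string{"not valid JSON: " + err.Error()}
	}
	var problems []string
	if doc.Version != "2.1.0" {
		problems = append(problems, fmt.Sprintf("version must be \"2.1.0\", got %q", doc.Version))
	}
	if doc.Schema != "" && !strings.Contains(strings.ToLower(doc.Schema), "sarif") {
		problems = append(problems, "$schema does not look like a SARIF schema URI: "+doc.Schema)
	}
	if len(doc.Runs) == 0 {
		problems = append(problems, "runs must contain at least one run")
	}
	for i, run := range doc.Runs {
		if run.Tool.Driver.Name == "" {
			problems = append(problems, fmt.Sprintf("runs[%d].tool.driver.name is required", i))
		}
		declared := map[string]bool{}
		for _, r := range run.Tool.Driver.Rules {
			declared[r.ID] = true
		}
		for j, res := range run.Results {
			p := fmt.Sprintf("runs[%d].results[%d]", i, j)
			if res.Message.Text == "" {
				problems = append(problems, p+".message.text is required")
			}
			// A ruleId that is not declared in the driver's rules array is a
			// frequent cause of upload rejections once rules are declared at all.
			if res.RuleID != "" && len(declared) > 0 && !declared[res.RuleID] {
				problems = append(problems, p+".ruleId "+res.RuleID+" is not declared in tool.driver.rules")
			}
			switch res.Level { // SARIF 2.1.0 level enum; empty means "not set"
			case "", "none", "note", "warning", "error":
			default:
				problems = append(problems, p+".level "+res.Level+" is not a SARIF level")
			}
			for k, loc := range res.Locations {
				if loc.PhysicalLocation.ArtifactLocation.URI == "" {
					problems = append(problems, fmt.Sprintf("%s.locations[%d].physicalLocation.artifactLocation.uri is required", p, k))
				}
			}
		}
	}
	return problems
}

// GoodSARIF is a constructed sample that satisfies every check above.
const GoodSARIF = `{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [{"id": "X001"}]}},
    "results": [{
      "ruleId": "X001", "level": "warning",
      "message": {"text": "constructed finding"},
      "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.go"}}}]
    }]
  }]
}`

// BadSARIF is a constructed sample with six distinct structural defects.
const BadSARIF = `{
  "version": "2.1",
  "runs": [{
    "tool": {"driver": {"name": "", "rules": [{"id": "X001"}]}},
    "results": [{
      "ruleId": "X999", "level": "high",
      "message": {"text": ""},
      "locations": [{"physicalLocation": {"artifactLocation": {"uri": ""}}}]
    }]
  }]
}`

func main() {
	for name, sample := range map[string]string{"good": GoodSARIF, "bad": BadSARIF} {
		fmt.Printf("%s sample:\n", name)
		for _, p := range ValidateSARIF([]byte(sample)) {
			fmt.Println("  -", p)
		}
	}
}
```

To use it on real output, read the file gosec wrote (for example with `-fmt=sarif -out=results.sarif`) into `data` and call `ValidateSARIF(data)`; if it reports nothing, move on to full schema validation, since upload-sarif checks far more than these fields.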

@ccojocar
Member

ccojocar commented Sep 18, 2024

Did you use the master version of GitHub action? It works fine with gosec build. See the details #1220 (comment)

https://github.com/securego/gosec/actions/runs/10880221244/job/30186534443

@komish
Author

komish commented Sep 18, 2024

I’ll test again to be sure, but as mentioned, I don’t use the GitHub action for gosec in my pipelines.

@ccojocar
Member

This should be fixed now in v2.21.3 release. It is tested with the master version of the action in #1228.

@komish
Author

komish commented Sep 18, 2024

Confirmed, working for me. Thanks for your help here @ccojocar.
