-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upload-sarif action doesn't seem to respect "uriBaseId" in SARIF files #2215
Comments
While In this case I’m afraid Android Lint isn’t producing SARIF that is compatible with Code Scanning, so I think you’ll need to open a ticket with them to address the problem. Documentation on supported SARIF properties can be found here. |
Thanks for the response!
Well, the |
Sorry for the further delay in responding! Perhaps what might help here is to specify the checkout path when calling https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml#L12 That should hopefully allow you override the default (root of the repo checkout) and append an |
Well there are multiple lint "runs" in the sarif file. Each gradle subproject gets a different lint result, and each one has a different |
In that case, if you're looking for a way to get quickly unblocked you could try post-processing the SARIF in order to ensure the Also, it's worth reiterating that even if Code Scanning did use |
We're already doing that, as I mentioned above. Except we don't use relative paths - we specify absolute paths in the uri field, and it works just fine. Because upload sarif is designed to do that.
This is not correct. I explained above that It's quite simple - upload sarif only reads the "uri" field, which doesn't match the SARIF spec. Instead it should read Again, no changes are needed for Android Lint - they are the ones following the recommendations from the SARIF spec. It's |
Apologies, so you did. Returning sporadically to this issue was not a recipe for the most coherent response... 😬
Ah, I have learned it is not in fact the Action that handles this, but in GitHub itself...
This explains why the GitHub interface does in fact work, even though As documented Code Scanning only commits to supporting a subset of the SARIF spec, but I'll create a feature request for adding support for |
We're using "Android Lint" to generate a sarif file. The sarif locations use this pattern:
The artifact location is relative to this
uriBaseId
. This is a reference tooriginalUriBaseIds
, which the SARIF spec says should be used by consumers to find the absolute path.However, the
upload-sarif
action debug logs show lines such as this:which shows that it's not resolving paths using that
%SRCROOT%
path -- the correct path would be/runner/_work/myrepo/myrepo/some/repo/dir/src/main/kotlin/Foo.kt
. We also see that the code scanning page sayssrc/main/kotlin/Foo.kt
can't be found in our repo ("Sorry, we couldn't find this file in the repository.").(Caveat: we're using
v2
because we can't use node20 in our private runners yet)The text was updated successfully, but these errors were encountered: