microsoft/infersharpaction

Unable to upload "infer-out/report.sarif" as it is not valid SARIF - startColumn/startLine must have a minimum value of 1

mj-dias opened this issue · 5 comments

After running the microsoft/infersharpaction@v1.4 action and trying to upload the generated report to GitHub using the github/codeql-action/upload-sarif@v2 action, the following error is displayed:

**Stack trace**


```
Unable to upload "infer-out/report.sarif" as it is not valid SARIF:
Error details: instance.runs[0].results[1].codeFlows[0].threadFlows[0].locations[2].location.physicalLocation.region.startColumn must have a minimum value of 1
  {
    "property": "instance.runs[0].results[1].codeFlows[0].threadFlows[0].locations[2].location.physicalLocation.region.startColumn",
    "message": "must have a minimum value of 1",
    "schema": {
      "description": "The column number of the first character in the region.",
      "type": "integer",
      "minimum": 1
    },
    "name": "minimum",
    "argument": 1,
    "stack": "instance.runs[0].results[1].codeFlows[0].threadFlows[0].locations[2].location.physicalLocation.region.startColumn must have a minimum value of 1"
  }
```

This also happens for the following JSON Path: instance.runs.results.locations.physicalLocation.region.startLine, for example.

To bypass this error we have a temporary workaround:

  1. run Infer tool using microsoft/infersharpaction@v1.4 action
  2. run a custom step to fix SARIF report
  3. upload the resulting report (from previous step) into GitHub using github/codeql-action/upload-sarif@v2 action.

The custom step enumerated in 2. just checks whether the paths having trouble have a value equal to zero and, if so, overwrites it with 1 and then saves a new report with these overwritten values.

An example of the SARIF report generated with this kind of error:

```json
{
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Infer",
          "informationUri": "https://github.com/facebook/infer",
          "version": "1.1.0",
          "rules": [
            {
              "id": "PULSE_RESOURCE_LEAK",
              "shortDescription": {
                "text": "Pulse Resource Leak"
              },
              "helpUri": "https://fbinfer.com/docs/next/all-issue-types#pulse_resource_leak"
            }
          ]
        }
      },
      "results": [
        {
          "message": {
            "text": "Resource dynamically allocated by constructor (...) on line 16 is not closed after the last access at line 16, column 15."
          },
          "level": "error",
          "ruleId": "PULSE_RESOURCE_LEAK",
          "codeFlows": [...],
          "locations": [...]
        },
        {
          "message": {
            "text": "Resource dynamically allocated by constructor (...) on line 56 is not closed after the last access at line 16707566, column 0."
          },
          "level": "error",
          "ruleId": "PULSE_RESOURCE_LEAK",
          "codeFlows": [
            {
              "threadFlows": [
                {
                  "locations": [
                    {},
                    {},
                    {
                      "nestingLevel": 0,
                      "location": {
                        "physicalLocation": {
                          "artifactLocation": {
                            "uri": "Something.cs",
                            "uriBaseId": "Something.cs"
                          },
                          "region": {
                            "startLine": 16707566,
                            "startColumn": 0
                          }
                        },
                        "message": {
                          "text": "memory becomes unreachable here"
                        }
                      }
                    }
                  ]
                }
              ]
            }
          ],
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                    "uri": "Something.cs",
                    "uriBaseId": "Something.cs"
                },
                "region": {
                  "startLine": 16707566,
                  "startColumn": 0
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
```

Hi @mj-dias ,

Thanks for reaching out! This issue happens because the SARIF renderer does not support the cases when startColumn or startLine is less than 1. We are composing a fix on the Infer backend side. Stay tuned!

Just FYI, for the weird startLine and startColumn numbers, it is a known issue caused by Mono.Cecil.


Thanks for taking a look at this @xi-liu-ds

Since the referenced issue is marked as wontfix, is it acceptable to search and replace for all "startColumn": 0 with "startColumn": 1?
Just wondering if this can potentially create some issues down the road when we actually try to fix the reported findings (i.e. not being able to close the finding in GitHub security)

> Thanks for taking a look at this @xi-liu-ds
>
> Since the referenced issue is marked as wontfix, is it acceptable to search and replace for all "startColumn": 0 with "startColumn": 1? Just wondering if this can potentially create some issues down the road when we actually try to fix the reported findings (i.e. not being able to close the finding in GitHub security)

Yes, all you need is to search and replace for all "startColumn": 0 with "startColumn": 1 every time before uploading to GitHub. When you fix the reported findings in GitHub security, they won't be reported again since Infer won't find this bug anymore.

We are working on a fix to replace all "startLine/startColumn": 0 with "startLine/startColumn": 1 at Infer backend. Stay tuned.
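The custom fix-up step and the search-and-replace discussed in this thread can be done structurally instead of textually, so the result does not depend on JSON whitespace. The following is an added example, not code from the thread participants or the InferSharp project; the function names are hypothetical, and it goes slightly beyond the thread by also clamping `endLine`/`endColumn` and `contextRegion`, which the SARIF 2.1.0 schema constrains the same way:

```python
import json
import sys

# Region fields the SARIF 2.1.0 schema constrains to a minimum of 1.
ONE_BASED_FIELDS = ("startLine", "startColumn", "endLine", "endColumn")


def clamp_regions(node, path="instance"):
    """Recursively set sub-1 region fields to 1; return the paths changed."""
    patched = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in ("region", "contextRegion") and isinstance(value, dict):
                for field in ONE_BASED_FIELDS:
                    number = value.get(field)
                    # bool is a subclass of int; leave non-integer values alone
                    if (isinstance(number, int) and not isinstance(number, bool)
                            and number < 1):
                        value[field] = 1
                        patched.append(f"{child}.{field}")
            patched.extend(clamp_regions(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            patched.extend(clamp_regions(item, f"{path}[{index}]"))
    return patched


def fix_sarif_file(src, dst):
    """Load src, clamp invalid region values, write dst, return changed paths."""
    with open(src, encoding="utf-8") as handle:
        report = json.load(handle)
    patched = clamp_regions(report)
    with open(dst, "w", encoding="utf-8") as handle:
        json.dump(report, handle, indent=2)
    return patched


# Constructed sample mirroring the second result in the report above.
SAMPLE = {"runs": [{"results": [{"locations": [{"physicalLocation": {
    "artifactLocation": {"uri": "Something.cs"},
    "region": {"startLine": 16707566, "startColumn": 0}}}]}]}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        for changed in fix_sarif_file(sys.argv[1], sys.argv[2]):
            print("patched", changed)
    else:
        print(clamp_regions(SAMPLE))
```

Logging the returned paths in the pipeline shows which findings carry a rewritten location. An out-of-range value such as `startLine` 16707566 passes schema validation and is left unchanged.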

> > Thanks for taking a look at this @xi-liu-ds
> > Since the referenced issue is marked as wontfix, is it acceptable to search and replace for all "startColumn": 0 with "startColumn": 1? Just wondering if this can potentially create some issues down the road when we actually try to fix the reported findings (i.e. not being able to close the finding in GitHub security)
>
> Yes, all you need is to search and replace for all "startColumn": 0 with "startColumn": 1 every time before uploading to GitHub. When you fix the reported findings in GitHub security, they won't be reported again since Infer won't find this bug anymore.
>
> We are working on a fix to replace all "startLine/startColumn": 0 with "startLine/startColumn": 1 at Infer backend. Stay tuned.

Here is the fix.