microsoft/sarif-sdk

Valid SARIF file being rejected by GitHub with locationFromSarifResult error

blupants opened this issue · 2 comments

My issue seems to be similar to this previous one.

I am using the trivy open source security scanner that generates valid SARIF files such as this one.

Most files get properly parsed and uploaded to the GitHub Security tab. However, when I try to upload this one using the "github/codeql-action/upload-sarif@v2" Action, I get the following error:

Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected artifact location
Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected artifact location
at Object.waitForProcessing (/runner/_work/_actions/github/codeql-action/v2/lib/upload-lib.js:335:23)
at async run (/runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:55:13)
at async runWrapper (/runner/_work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:70:9)

I checked GitHub documentation [1] [2] and it points to this Microsoft SARIF validator. I uploaded my SARIF file multiple times to the validator and it always says the file is good.

Steps to reproduce:

Make sure trivy-results-sarif is validated by https://sarifweb.azurewebsites.net/Validation
Select a repo with GitHub Actions available and create a "sarif-issue" branch
Create a folder .github/workflows/config and add trivy-results-sarif to it: .github/workflows/config/trivy-results.sarif
Create a new Action .github/workflows/sarif-issue.yml that will upload the SARIF to GitHub
Commit the changes and push them to the "sarif-issue" branch
Job "Upload Trivy scan results to GitHub Security tab" will fail and throw the "locationFromSarifResult: expected artifact location" error.

I hit the same issue, github/codeql-action/upload-sarif failed with locationFromSarifResult: expected artifact location.

@blupants This is due to the Trivy action scanning libraries as well.

If I run for example (same command Action invokes):

trivy image --format sarif --output out.sarif --vuln-type os,library mcr.microsoft.com/dotnet/sdk:8.0-azurelinux3.0@sha256:c7e74bfb8704a1a538d52c18728e4d4772b44ae551b8d07053e23609807d2ece

I get an empty artifactLocation.uri in the output for this one library CVE; all the others (OS vulns) have locations:

        {
          "ruleId": "CVE-2024-38095",
          "ruleIndex": 6,
          "level": "error",
          "message": {
            "text": "Package: System.Formats.Asn1\nInstalled Version: 6.0.0\nVulnerability CVE-2024-38095\nSeverity: HIGH\nFixed Version: 6.0.1, 8.0.1\nLink: [CVE-2024-38095](https://avd.aquasec.com/nvd/cve-2024-38095)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },

Running with --vuln-type os works fine.
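As an added example (not code from sarif-sdk, Trivy or the codeql-action), the following Python script implements the pre-upload check that the thread describes: it walks a SARIF 2.1.0 document and reports every result whose physicalLocation.artifactLocation.uri is missing or empty, which is the shape of the Trivy result quoted above. It also offers to split those results off so they can be reviewed separately rather than silently lost; that the remaining results then upload cleanly is an assumption, since the page only shows the error, not a confirmed fix. The SAMPLE_SARIF document and its rule ids are constructed for the example.

```python
"""Pre-upload check for SARIF files.

Finds results whose physicalLocation.artifactLocation.uri is empty or
missing, the condition behind GitHub's
"locationFromSarifResult: expected artifact location" rejection.
Example code added for illustration; not part of sarif-sdk, Trivy or
github/codeql-action.
"""
import json
import sys
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample document: one result with a real uri, one with an
# empty uri (the shape quoted in the issue), one with no physicalLocation.
SAMPLE_SARIF: Dict[str, Any] = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": []}},
        "results": [
            {"ruleId": "RULE-OS-1", "level": "error",
             "message": {"text": "constructed OS package finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "usr/lib/libexample.so", "uriBaseId": "ROOTPATH"}}}]},
            {"ruleId": "RULE-LIB-1", "level": "error",
             "message": {"text": "constructed library finding, no file"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "", "uriBaseId": "ROOTPATH"}}}]},
            {"ruleId": "RULE-NOLOC-1", "level": "warning",
             "message": {"text": "constructed finding without physicalLocation"},
             "locations": [{"message": {"text": "somewhere"}}]},
        ],
    }],
}


def artifact_uri(location: Dict[str, Any]) -> Optional[str]:
    """Return artifactLocation.uri for one location object, or None when
    the physicalLocation / artifactLocation chain is absent or malformed."""
    phys = location.get("physicalLocation")
    if not isinstance(phys, dict):
        return None
    art = phys.get("artifactLocation")
    if not isinstance(art, dict):
        return None
    uri = art.get("uri")
    return uri if isinstance(uri, str) else None


def find_empty_locations(sarif: Dict[str, Any]) -> List[Tuple[int, int, str]]:
    """Return (run index, result index, ruleId) for every result that has at
    least one location with a missing or blank artifact uri."""
    flagged: List[Tuple[int, int, str]] = []
    for run_idx, run in enumerate(sarif.get("runs", [])):
        for res_idx, result in enumerate(run.get("results", [])):
            locations = result.get("locations", [])
            if any(not (artifact_uri(loc) or "").strip() for loc in locations):
                flagged.append((run_idx, res_idx, result.get("ruleId", "<no ruleId>")))
    return flagged


def split_unlocated(sarif: Dict[str, Any]) -> Tuple[Dict[str, Any], List[Dict[str, Any]]]:
    """Return (deep copy of sarif without the flagged results, list of the
    removed results). Assumption, not confirmed by the issue: the remaining
    results upload without the locationFromSarifResult error. The removed
    results are returned so they can be reported through another channel
    instead of being dropped from the security review."""
    flagged = {(r, i) for r, i, _ in find_empty_locations(sarif)}
    clean: Dict[str, Any] = json.loads(json.dumps(sarif))  # deep copy via round-trip
    removed: List[Dict[str, Any]] = []
    for run_idx, run in enumerate(clean.get("runs", [])):
        kept = []
        for res_idx, result in enumerate(run.get("results", [])):
            (removed if (run_idx, res_idx) in flagged else kept).append(result)
        run["results"] = kept
    return clean, removed


if __name__ == "__main__":
    # Usage: python sarif_check.py [path/to/file.sarif]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_SARIF
    for run_idx, res_idx, rule in find_empty_locations(data):
        print(f"run {run_idx} result {res_idx} ({rule}): "
              "empty or missing artifactLocation.uri")
```

Run it against the Trivy output before the upload-sarif step; a non-empty report means the file will hit the error shown in the issue even though the Microsoft validator accepts it, because an empty uri string is schema-valid SARIF but not a location GitHub can attribute to a file.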