Asking for clarification about SARIF report upload

[jasonloewen]

The README states:

• Display issues with their severity as a SARIF Report in the GitHub Workspace after a scan completes.

I was hoping that meant the violation report would get uploaded and imported to the GH Security Advisories, but I can only download the artifact from the link in the workflow. Is this the intended result?

[sanyam803]

Yes, the report gets uploaded in the run workflow and out of the box it is not uploaded to GH Security Advisory but it is available as an output of analyze-code-security-scc step and can be consumed by any subsequent step.

Tenant :
The GitHub action is mainly responsible for generating the SARIF file and making it available for consumption by subsequent steps. The action is closely inline with SRP and hence, any additional functionality is delivered through existing ecosystem of GitHub Actions.

That being said, currently the documentation illustrates an example where we use gitHub provided action : actions/upload-artifact(https://github.com/actions/upload-artifact) to upload report to workflow run workspace.
But, users can definitely experiment with other available actions like : github/codeql-action/upload-sarif(https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions) to upload SARIF generated by analyze-code-security-scc to GitHub repository and benefit from code scanning alerts.

AI on us : Enhance documentation to illustrate integration of github/codeql-action/upload-sarif to upload SARIF report to repository.

[jasonloewen]

We did try the upload-sarif action before I posted this question, but got what looks like schema related errors. It doesn't like "informationUri": "". Can you confirm that Sarif 2.1.0 schema is being used to generate the report?

Here is the response from the workload:

{
    "path": [
      "runs",
      0,
      "tool",
      "driver",
      "informationUri"
    ],
    "property": "instance.runs[0].tool.driver.informationUri",
    "message": "does not conform to the \"uri\" format",
    "schema": {
      "description": "The absolute URI at which information about this version of the tool component can be found.",
      "type": "string",
      "format": "uri"
    },
    "instance": "",
    "name": "format",
    "argument": "uri",
    "stack": "instance.runs[0].tool.driver.informationUri does not conform to the \"uri\" format"
  }

[sanyam803]

Yes we are adhering to SARIF 2.1.0 guidelines "informationUri" is a valid property, but it seems like it can not be an empty URL. We will take an action item to fix the report structure and file a bug for now.

Filed a Bug : #35

[sanyam803]

We have addressed above gaps and fixed the bug. @jasonloewen can you please try again ?

[dayallnash]

@sanyam803 I have tested using the upload-sarif action as above and I am now getting a different schema error:

Error: Unable to upload "./iac-scan-sarif.json" as it is not valid SARIF:
- instance.runs[0] is not allowed to have the additional property "note"

I can see in the SARIF file output, it does indeed have that additional field which doesn't adhere to the SARIF 2.1.0 schema. The instance.runs[*].note field says:

"IaC validation is limited to certain asset types and policies. For information about supported asset types and policies for IaC validation, see https://cloud.google.com/security-command-center/docs/supported-iac-assets-policies."

I think that message is redundant and should be removed, especially since it doesn't fit the schema.