X Tutup
The Wayback Machine - https://web.archive.org/web/20240113180701/https://github.com/github/codeql-action/issues/129
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow setting tags for sarif uploads #129

Open
pmatos opened this issue Aug 3, 2020 · 8 comments
Open

Allow setting tags for sarif uploads #129

pmatos opened this issue Aug 3, 2020 · 8 comments

Comments

@pmatos
Copy link

pmatos commented Aug 3, 2020

It would be useful at time of upload to be able to either tag sarif upload of override the tool name.

Software artifacts that can be build differently from the same sources (for example cross-builds) could use a way to differentiate between vulnerabilities in different artifacts.
@jhutchings1
Copy link
Contributor

Hi @pmatos Can you provide more details on this scenario? I'm not sure I get what you're hoping to accomplish. Thanks!

@pmatos
Copy link
Author

pmatos commented Aug 3, 2020

Hi @pmatos Can you provide more details on this scenario? I'm not sure I get what you're hoping to accomplish. Thanks!

Sure - apologies if I was too terse.

I am discussing racket/racket here. In our CI, we can build from the same sources 3 different types of compiler: let's call it a, b and c. Each of these, due to the way they are compiled (mainly compile-time parameters) can have different static analysis results.

We run the LLVM static analyzer scan-build on the three different compilation modes, create sarif files and upload. The problem is that github aggregates the results based on tool name. The tool name is clang for all of the three modes. However, it would be good to tag the results as well. So we can tag the results during the sarif upload and call them vulnerabilities-a, vulnerabilities-b and vulnerabilities-c for each of the compilation modes.

@pmatos
Copy link
Author

pmatos commented Aug 3, 2020

Also, I recall that this is relevant not only for different compilation modes but also different architectures. So, in arm32 you might get one set of vulnerabilities and in arm64 another set. The same tool clang will create both sarif files but it would be great to distinguish which of the architecture contain some vulnerability. If you nowadays just use upload-sarif for both arm32 and arm64 vulnerabilities they will be conflated in the vulnerabilities panel under the clang tool.

pmatos pushed a commit to racket/racket that referenced this issue Aug 3, 2020
Fix tool name in SARIF files depending on racket build mode (#3328)
e62b3b8 
This should replace the toolname in sarif files to workaround the lack of tags when uploading them.

See here for a request to add that:
github/codeql-action#129
@pmatos
Copy link
Author

pmatos commented Aug 3, 2020

I have added a workaround - which hope it works - to trick the system into splitting the vulnerabilities. Instead of splitting by tag (which is what makes sense) I split by toolname. That's what racket/racket@e62b3b8 is about.

@jhutchings1
Copy link
Contributor

@pmatos Thanks for clarifying (and sorry for the delay). It sounds like this is the same pattern we're using the matrix parameter for. That would allow you to separate the vulnerabilities according to a particular configuration without changing the tool name.

maueroats pushed a commit to maueroats/racket that referenced this issue Jun 17, 2021
Fix tool name in SARIF files depending on racket build mode (racket#3328
d6c549a 
)

This should replace the toolname in sarif files to workaround the lack of tags when uploading them.

See here for a request to add that:
github/codeql-action#129
@jpcmonster
Copy link

Sorry - I know this is an old convo :) but the closest thing to what seems like a general case - "one tool, many artifacts" - sarif problem :) Is using matrix still the best "workaround" here?

@jhutchings1
Copy link
Contributor

@turbo or @AlonaHlobina could you have a look at this?

@aeisenberg
Copy link
Contributor

It sounds like what you want is to you want is to specify a custom category for each configuration.

This will allow you to run multiple analyses over the same code when it is built for different platforms and using different configurations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pmatos @aeisenberg @jhutchings1 @jpcmonster
X Tutup