The Wayback Machine - https://web.archive.org/web/20240113191537/https://github.com/github/codeql-action/issues/220

Recursive SARIF file detection from upload-sarif sarif_file parameter #220

Closed
tlsa opened this issue Sep 18, 2020 · 8 comments

Comments

@tlsa

tlsa commented Sep 18, 2020

I created a workflow that runs Clang scan-build with the -sarif parameter, to output SARIF format, and the -o build/sarif argument to put the output in the directory build/sarif.

When it is run, scan-build puts the actual SARIF files in a sub-directory of the specified output directory.

The output from scan-build is:

scan-build: Analysis run complete.
scan-build: Analysis results (sarif files) deposited in '/home/runner/work/libcyaml/libcyaml/build/sarif/2020-09-18-110804-4323-1'

And the sarif files are in the randomly named sub-directory:

$ find build/sarif
build/sarif
build/sarif/2020-09-18-110804-4323-1
build/sarif/2020-09-18-110804-4323-1/report-B4xj3N.sarif
build/sarif/2020-09-18-110804-4323-1/report-yK7dxl.sarif
build/sarif/2020-09-18-110804-4323-1/report-SrmlCl.sarif
build/sarif/2020-09-18-110804-4323-1/report-QPrVcF.sarif
build/sarif/2020-09-18-110804-4323-1/report-67tbyT.sarif
build/sarif/2020-09-18-110804-4323-1/report-OfHm5E.sarif
build/sarif/2020-09-18-110804-4323-1/report-T8GZn7.sarif
build/sarif/2020-09-18-110804-4323-1/report-NKjLYw.sarif
build/sarif/2020-09-18-110804-4323-1/report-z81jQ7.sarif
build/sarif/2020-09-18-110804-4323-1/report-bmXRUK.sarif
build/sarif/2020-09-18-110804-4323-1/report-6aH1dl.sarif
build/sarif/2020-09-18-110804-4323-1/report-iK7eHK.sarif
build/sarif/2020-09-18-110804-4323-1/report-vnqcCF.sarif
build/sarif/2020-09-18-110804-4323-1/report-aATCA3.sarif

You can see the CI run for this here: https://github.com/tlsa/libcyaml/runs/1133489433

At the moment, with

    - name: upload scan-build
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: build/sarif

I get the following error:

#[error]No SARIF files found to upload in "build/sarif".
Error: No SARIF files found to upload in "build/sarif".
    at Object.upload (/home/runner/work/_actions/github/codeql-action/v1/lib/upload-lib.js:114:19)
    at run (/home/runner/work/_actions/github/codeql-action/v1/lib/upload-sarif-action.js:29:46)

Could the sarif_file directory parameter be changed to a recursive search through the directory for SARIF files?

@robertbrignull
Contributor

This sounds like a reasonable change to me. Shouldn't have any unintended side-effects, as I highly doubt anyone is currently relying on the behaviour specifically not being recursive.

@tlsa
Author

tlsa commented Oct 1, 2020

Yeah, I hoped that would be the case!

@chao2zhang
Contributor

Please allow me to share more use cases, specifically for Java projects. With a multi-module Gradle project, static analysis tools like Checkstyle and Detekt can generate one or more reports per module. Therefore, recursively walking through the directory is fairly common, at least for all Gradle projects. I hope this issue can be addressed soon.

I did a quick search and it looks like the change is within this function in upload-lib.js (https://github.com/github/codeql-action/blob/main/lib/upload-lib.js#L69). My JavaScript skill is a bit rusty, but I can give it a try if this issue is left unattended for a long time.

@tlsa
Author

tlsa commented Feb 25, 2021

@chao2zhang Thanks for implementing this! Confirmed it works with my original clang scan-build output use case.

@tlsa tlsa closed this as completed Feb 25, 2021
@Trass3r

Trass3r commented Nov 11, 2022

Did this make it work for you?

I'm always getting

  Error: Code Scanning could not process the submitted SARIF file:
  rejecting SARIF, as there are more runs than allowed (147 > 15)
  Error: Code Scanning could not process the submitted SARIF file:
  rejecting SARIF, as there are more runs than allowed (147 > 15)
      at Object.waitForProcessing (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-lib.js:337:19)
      at async run (/home/runner/work/_actions/github/codeql-action/v2/lib/upload-sarif-action.js:56:13)

due to the many report-xxxxx.sarif files getting generated.

@aeisenberg
Contributor

@Trass3r, please raise a new issue for this. You are seeing a different problem than was originally reported. Your workflow is producing too many SARIF runs. You will need to upload them in batches of 15 or fewer and use a different (but consistent) category name for each upload.

More information about categories.

@tlsa
Author

tlsa commented Nov 14, 2022

@Trass3r Yes, something changed and the server now rejects the SARIF output generated by Clang scan-build.

@Trass3r

Trass3r commented Nov 14, 2022

scan-build simply produces one SARIF file per source file.
Even though most are empty, 15 is still a pretty low limit.
It can be mitigated a bit via

npx -y @microsoft/sarif-multitool merge csa/*/*.sarif

But I can't say yet whether that really fixes the problem.
