Unable to upload SARIF file #418

aetos382 · 2021-03-12T23:22:23Z

When I attempted to upload a sarif file using the upload-sarif@v1 action, I encountered the following error.

Unable to upload "/home/runner/work/path-to.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.language does not match pattern "^[a-zA-Z]{2}|^[a-zA-Z]{2}-[a-zA-Z]{2}]?$"

The language property of my sarif file is ja-JP, which is a valid form of language tag, but it did not match the regular expression pattern described above.

I think the regular expression pattern for this schema is a mistake.

codeql-action/src/sarif_v2.1.0_schema.json

Line 2342 in cfec2bb

"pattern": "^[a-zA-Z]{2}|^[a-zA-Z]{2}-[a-zA-Z]{2}]?$"

I think this schema is coming from https://github.com/oasis-tcs/sarif-spec .
So, I'm submitting an issue to that repository as well.
oasis-tcs/sarif-spec#488

The text was updated successfully, but these errors were encountered:

aeisenberg · 2021-03-13T00:07:06Z

Yes, that does seem suspicious. For now, can you change the language property to ja? I will investigate further.

aeisenberg · 2021-04-08T18:54:44Z

Apologies for not following up until now. I think the pattern we would want to use is this: ^[a-zA-Z]{2}(-[a-zA-Z]{2})?$.

@lcartey, does this look right to you?

aetos382 · 2021-04-09T02:12:18Z

@aeisenberg

For now, can you change the language property to ja?

My sarif file was generated by the C# compiler, so I can't change the language tag.

I have now disabled this action in my workflow, as it was not important for my project to use the compiler generated sarif file.

I think the pattern we would want to use is this: ^[a-zA-Z]{2}(-[a-zA-Z]{2})?$

Yes. I also think that pattern is correct.

@lcartey

This was first mentioned in github/codeql-action#418 Also, raised in oasis-tcs#488. cc: @lcartey

See oasis-tcs/sarif-spec#490 See #418 Note that this changes the sarif spec file. Unless this change is actually merged in the sarif spec repo, the version used by the action will be slightly different.

See oasis-tcs/sarif-spec#490 See github#418 Note that this changes the sarif spec file. Unless this change is actually merged in the sarif spec repo, the version used by the action will be slightly different.

stephenfuqua · 2022-06-20T21:13:25Z

Still getting this error with release 2.9.4. My situation is also using a sarif file generated by the package Microsoft.CodeAnalysis in a .NET project. Example build failure. Locally I see that the sarif file has "en-US" for the language. I will continue to investigate as time is available, to see if I can find a workaround on my side or find and report on the root cause.

aeisenberg · 2022-06-20T21:36:33Z

Hmmmm...The regex ^[a-zA-Z]{2}(-[a-zA-Z]{2})?$ does match en-US. Is it possible that instance.runs[0].tool.driver.language the value at is actually something different? Or possibly that the sarif generated on Actions is different from the one generated locally?

The sarif file being uploaded is src/EdFi.AnalyticsMiddleTier.Console/results.sarif. Any chance you can grab that and send it over to me?

stephenfuqua · 2022-06-20T21:45:50Z

Tomorrow I can try to upload the artifact in the repo so that we can see the actual file generated in GitHub, and I may be able to spend a few minutes digging in further with the codeql code. Here's a locally-generated file:

{
  "$schema": "http://json.schemastore.org/sarif-2.1.0",
  "version": "2.1.0",
  "runs": [
    {
      "results": [
      ],
      "tool": {
        "driver": {
          "name": "Microsoft (R) Visual C# Compiler",
          "version": "4.2.0-4.22220.5 (432d17a8)",
          "dottedQuadFileVersion": "4.2.0.0",
          "semanticVersion": "4.2.0",
          "language": "en-US"
        }
      },
      "columnKind": "utf16CodeUnits"
    }
  ]
}

stephenfuqua · 2022-06-21T16:07:08Z

How interesting: the exact same dotnet application produces a sarif file with this, when run on GitHub Actions:

"language": "",

Which is obviously problematic. I will look into that further on the .NET side and submit a ticket in the proper .NET repository if needed. For the upload process, clearly there is a workaround: open the file and inject a valid language into it! And then 🤞 hopefully nothing else turns up.

niederee · 2023-06-27T23:25:05Z

I worked around it by replacing the value prior to upload

https://stackoverflow.com/questions/76568966/create-sarif-file-to-be-uploaded-to-from-dotnet-build-to-be-loaded-to-github-usi/76568967#76568967

aetos382 · 2023-07-04T09:54:28Z

@stephenfuqua @niederee
Roslyn no longer outputs empty language property.
dotnet/roslyn#68745

You can also specify a <PreferredUILang> property to specify the language property values explicitly.

aeisenberg added a commit to aeisenberg/sarif-spec that referenced this issue Apr 9, 2021

Fix regex in language and locale recognition

f1f6ae7

This was first mentioned in github/codeql-action#418 Also, raised in oasis-tcs#488. cc: @lcartey

aeisenberg mentioned this issue Apr 9, 2021

Fix regex in language and locale recognition oasis-tcs/sarif-spec#490

Closed

aeisenberg mentioned this issue Apr 9, 2021

Fixes a regex for language and locale recognition #442

Merged

2 tasks

aliscco mentioned this issue Apr 29, 2023

[Snyk] Fix for 13 vulnerabilities aliscco/codeql-action#404

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to upload SARIF file #418

Unable to upload SARIF file #418

Unable to upload SARIF file #418

Unable to upload SARIF file #418

Comments