
[BUG]: Incorrect physical location for composite actions in subdirectories #452

Closed
2 tasks done
Bo98 opened this issue Jan 16, 2025 · 3 comments · Fixed by #453
Labels
bug Something isn't working triage Issue is being triaged

Comments


Bo98 commented Jan 16, 2025

Pre-submission checks

  • I am not filing a feature request. These should be filed via the feature request form instead.
  • I have looked through the open issues for a duplicate report.

Expected behavior

The physical location contains the full path from the root of the repository.

"logicalLocations": [
  {
    "properties": {
      "symbolic": {
        "key": {
          "Local": {
            "path": "/home/runner/work/repository/repository/subdirectory/action.yml"
          }

[...]

"physicalLocation": {
  "artifactLocation": {
    "uri": "subdirectory/action.yml",
    "uriBaseId": "%SRCROOT%"
  },

Actual behavior

The physical location is always action.yml regardless of how nested it is.

"logicalLocations": [
  {
    "properties": {
      "symbolic": {
        "key": {
          "Local": {
            "path": "/home/runner/work/repository/repository/subdirectory/action.yml"
          }

[...]

"physicalLocation": {
  "artifactLocation": {
    "uri": "action.yml",
    "uriBaseId": "%SRCROOT%"
  },

The result of this is that GitHub code scanning will not show where the problem is.

Reproduction steps

  1. Create a composite action that fails an audit.
  2. Make sure that action.yml is in a subdirectory, e.g. subaction/action.yml
  3. Run zizmor --format sarif.
  4. Note the physical location does not contain the subdirectory.

Logs

I can DM you a real-world example where this happened.

Additional context

No response

@Bo98 Bo98 added bug Something isn't working triage Issue is being triaged labels Jan 16, 2025
@Bo98 Bo98 changed the title [BUG]: Incorrect physical location for composite actions [BUG]: Incorrect physical location for composite actions in subdirectories Jan 16, 2025
@woodruffw
Owner

Thanks @Bo98! Yeah, please DM me a real-world example and I'll try and fix this.

@woodruffw
Owner

Ah yeah, I think I know what's happening here -- there's a bit of logic in the SARIF producer to obtain an appropriate "subjective" relative path, but that logic is incorrect in the action (non-workflow case).

(The reason we need this logic at all is because zizmor supports arbitrary paths as inputs, not just repo directories.)
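As an added illustration (not zizmor's own code), the path handling this report is about: a uri computation that keeps only the file name, which reproduces the "actual behavior" above, beside one that makes the uri relative to the scanned root, which is what `%SRCROOT%` stands for. The root path, the helper names and the outside-the-root case are assumptions.

```rust
use std::path::Path;

/// Reproduces the reported behaviour: the uri collapses to the file name,
/// so `subdirectory/action.yml` is emitted as `action.yml` and code scanning
/// cannot point at the right file.
fn buggy_artifact_uri(path: &Path) -> String {
    path.file_name()
        .map(|f| f.to_string_lossy().into_owned())
        .unwrap_or_default()
}

/// Expected behaviour: the uri is the path relative to the scanned root
/// (the directory `%SRCROOT%` refers to), joined with forward slashes as
/// SARIF expects. Returns None when the file is not under the root, which
/// can happen because arbitrary paths are accepted as inputs; a caller
/// would then have to fall back to an absolute uri without `uriBaseId`.
fn artifact_uri(path: &Path, root: &Path) -> Option<String> {
    let rel = path.strip_prefix(root).ok()?;
    let parts: Vec<String> = rel
        .components()
        .map(|c| c.as_os_str().to_string_lossy().into_owned())
        .collect();
    Some(parts.join("/"))
}

/// Hand-built SARIF `physicalLocation` fragment (constructed, no serde).
fn physical_location(uri: &str) -> String {
    format!(
        r#"{{"artifactLocation":{{"uri":"{}","uriBaseId":"%SRCROOT%"}}}}"#,
        uri
    )
}

fn main() {
    // Constructed sample: the runner checkout layout from the report.
    let root = Path::new("/home/runner/work/repository/repository");
    let action = root.join("subdirectory/action.yml");
    println!("buggy:  {}", physical_location(&buggy_artifact_uri(&action)));
    if let Some(uri) = artifact_uri(&action, root) {
        println!("fixed:  {}", physical_location(&uri));
    }
}
```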

@woodruffw
Owner

#453 should do the trick, although I don't have a great way to test it. If that doesn't work then the next thing will probably be to handle inputs correctly more generally, i.e. actually distinguish repo-like and path-like inputs so that the former can be presented more sanely in the SARIF.
