bugfix: sarif: use absolute physical locations only #453
+14
−40
This changes the SARIF generation so that `physicalLocations` now always contains an absolute path to the input. This is a slight over-correction of the previous behavior, which would use a repo-relative path when possible and fall back on the filename component when it couldn't infer one.

In practice, the trick used by the previous behavior worked well for workflow paths (which are always under `.github/workflows`), but doesn't generalize for action paths, which can be anywhere. As a result there's no "anchor" to distinguish the repository prefix from the rest of the path.

This should have no negative effect on most users: local users will have their full paths in the SARIF instead, as will remote (GitHub Actions) users. In the latter case, GitHub Advanced Security should be able to "rebase" the paths correctly.
Fixes #452.
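An added illustration of the anchor problem the description refers to, and of the absolute-URI `physicalLocation` it moves to. This is example code written for this page, not zizmor's implementation; `previous_relative_path` is a hypothetical reconstruction of the heuristic described above, and the sample paths are constructed.

```python
from pathlib import PurePosixPath


def previous_relative_path(path: str) -> str:
    """Hypothetical reconstruction of the old heuristic described in the PR:
    repo-relative when the `.github/workflows` anchor is present, otherwise
    just the filename. Action files have no such anchor, so two actions in
    different directories collapse to the same `action.yml`."""
    parts = PurePosixPath(path).parts
    for i in range(len(parts) - 1):
        if parts[i] == ".github" and parts[i + 1] == "workflows":
            return str(PurePosixPath(*parts[i:]))
    return PurePosixPath(path).name


def physical_location(path: str, start_line: int = 1) -> dict:
    """Build a SARIF `physicalLocation` object whose `artifactLocation.uri`
    is always an absolute `file://` URI (the behavior this PR adopts).
    The caller is expected to pass an absolute POSIX path; this keeps the
    output independent of the current working directory."""
    posix = PurePosixPath(path)
    if not posix.is_absolute():
        raise ValueError(f"expected an absolute path, got {path!r}")
    return {
        "artifactLocation": {"uri": "file://" + str(posix)},
        "region": {"startLine": start_line},
    }


def demo() -> dict:
    """Constructed sample paths: one workflow and two same-named actions."""
    workflow = "/home/u/repo/.github/workflows/ci.yml"
    action_a = "/home/u/repo/actions/setup/action.yml"
    action_b = "/home/u/repo/actions/release/action.yml"
    return {
        "old": [previous_relative_path(p) for p in (workflow, action_a, action_b)],
        "new": [physical_location(p)["artifactLocation"]["uri"]
                for p in (workflow, action_a, action_b)],
    }


if __name__ == "__main__":
    for label, uris in demo().items():
        print(label, uris)
```

Under the old heuristic both action files report as `action.yml`, so a consumer cannot tell them apart; with absolute URIs each finding points at exactly one file, which is what lets GitHub Advanced Security rebase the paths onto the repository.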