Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bugfix: sarif: use absolute physical locations only #453

Merged
merged 2 commits into from
Jan 17, 2025

Conversation

woodruffw
Copy link
Owner

This changes the SARIF generation so that physicalLocations now always contains an absolute path to the input. This is a slight over-correction of the previous behavior, which would use a repo-relative path when possible and fall back on the filename component when it couldn't infer one.

In practice, the trick used by the previous behavior worked well for workflow path (which are always under .github/workflows but doesn't generalize for action paths, which can be anywhere. As a result there's no "anchor" to distinguish the repository prefix from the rest of the path.

This should have no negative effect on most users: local users will have their full paths in the SARIF instead, as will remote (GitHub Actions) users. In the latter case, GitHub Advanced Security should be able to "rebase" the paths correctly.

Fixes #452.

@woodruffw woodruffw added the bugfix Fixes a known bug label Jan 17, 2025
@woodruffw woodruffw self-assigned this Jan 17, 2025
@woodruffw
Copy link
Owner Author

Did some more looking: GitHub recommends relative paths (reasonable), but it looks like they'll handle absolute paths in SARIFs just fine: upload-sarif will relativize using checkout_path, which defaults to ${{ github.workspace }}. That will be correct for 99.9% of users; certainly more correct than the previous behavior.

https://github.com/github/codeql-action/blob/c2c0a2908e95769d01b907f9930050ecb5cf050d/analyze/action.yml#L44-L47

@woodruffw woodruffw merged commit d343988 into main Jan 17, 2025
5 checks passed
@woodruffw woodruffw deleted the ww/sarif-absolute-paths-only branch January 17, 2025 01:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bugfix Fixes a known bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[BUG]: Incorrect physical location for composite actions in subdirectories
1 participant