How to convert these values into SARIF?
Vulnerabilities: { "id": "66c5b89700fbf372c2f1f182", "method": "post", "path": "/user", "type": "API-DP9-2024", "severity": "High", "label": "Bot Data Modification", "impact": "Vulnerablity" }
Here is what I tried:
sarif_output=$(cat <<EOF
{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Custom Vulnerability Scanner",
          "version": "1.0",
          "informationUri": "https://example.com/tool-info",
          "rules": [
            {
              "id": "API-DP9-2024",
              "name": "Bot Data Modification",
              "shortDescription": {
                "text": "This rule identifies API endpoints vulnerable to bot data modification."
              },
              "fullDescription": {
                "text": "Bot Data Modification vulnerabilities occur when an API endpoint allows unauthorized data modification by automated systems."
              },
              "helpUri": "https://example.com/rules/API-DP9-2024",
              "defaultConfiguration": {
                "level": "error"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "API-DP9-2024",
          "level": "error",
          "message": {
            "text": "Vulnerability Report: Bot Data Modification on POST /user Endpoint."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "user",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "startLine": 1
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
EOF
)
I got this error:
Error details: instance is not allowed to have the additional property ""
Error: Unable to upload "./vulnerabilities-results.sarif" as it is not valid SARIF:
- instance is not allowed to have the additional property ""
I am using the GitHub Action.
Please tell me how to achieve this.
The file in the question is valid according to the specified schema https://json.schemastore.org/sarif-2.1.0.json
This file is accepted by the github/codeql-action/upload-sarif@v3 action.
However, the file that I see in the workflow you shared has an issue: the property "$schema" is missing. It is replaced by an empty string "", which is treated as a valid JSON property key but a key that is not allowed by SARIF. Hence it is referred to as an additional property.
Vulnerabilities SARIF: {
"": "https://json.schemastore.org/sarif-2.1.0.json",
The reason for this is most likely that the file was transformed by bash or similar, which performed variable expansion on $schema. For example, if you run this command, you will see what I mean:
cat <<EOF
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json"
}
EOF
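As an added example, not code from the question or the answer: a POSIX shell script that builds the SARIF file from the scanner's fields (id, label, severity, method, path) while keeping the "$schema" key intact. It escapes the dollar sign (\$schema) inside an unquoted heredoc so the other ${...} substitutions still work, escapes quotes and backslashes in the field values so a hostile path cannot break the JSON, and checks the generated file for the "$schema" key and for the empty key before upload. The function names, the severity-to-level mapping (the question only shows "High" becoming "error") and the tool name are assumptions for illustration; the %SRCROOT% base and stripped leading slash follow the question's own file.

```shell
#!/bin/sh
# Added example (not from the question or answer). Function names, tool name and
# severity mapping are assumptions made for illustration.

# Escape backslashes and double quotes so a field value cannot break the JSON.
# (Control characters such as newlines are not handled; a real generator should use jq.)
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Map the scanner's severity to a SARIF result level (assumed mapping).
severity_to_level() {
  case "$1" in
    High|Critical) echo "error" ;;
    Medium)        echo "warning" ;;
    *)             echo "note" ;;
  esac
}

# Usage: write_sarif OUTFILE RULE_ID LABEL SEVERITY METHOD PATH
write_sarif() {
  out="$1"
  rule_id=$(json_escape "$2")
  label=$(json_escape "$3")
  level=$(severity_to_level "$4")
  method=$(printf '%s' "$5" | tr '[:lower:]' '[:upper:]')
  path=$(json_escape "$6")
  # The delimiter is unquoted so ${...} expands, but "\$schema" is escaped,
  # so the shell leaves that key alone instead of expanding an unset variable.
  cat > "$out" <<EOF
{
  "\$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Custom Vulnerability Scanner",
          "version": "1.0",
          "rules": [
            {
              "id": "${rule_id}",
              "name": "${label}",
              "shortDescription": { "text": "${label}" },
              "defaultConfiguration": { "level": "${level}" }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "${rule_id}",
          "level": "${level}",
          "message": { "text": "${label} on ${method} ${path}" },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "${path#/}", "uriBaseId": "%SRCROOT%" },
                "region": { "startLine": 1 }
              }
            }
          ]
        }
      ]
    }
  ]
}
EOF
}

# The original mistake, kept for comparison: an unescaped $schema in an
# unquoted heredoc expands to the empty string, producing the "" key.
write_broken() {
  cat > "$1" <<EOF
{ "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0", "runs": [] }
EOF
}

# Pre-upload check: the "$schema" key must be present and no empty key may exist.
check_sarif() {
  grep -q '"\$schema"' "$1" && ! grep -q '"": ' "$1"
}

# Usage: build the report for the finding from the question and check it.
out=$(mktemp)
write_sarif "$out" "API-DP9-2024" "Bot Data Modification" "High" "post" "/user"
if check_sarif "$out"; then
  echo "SARIF written to $out with its \$schema key intact; safe to upload"
fi
```

Run the check step in the workflow before upload-sarif so a broken heredoc fails the job with a clear message instead of the schema validator's "additional property" error.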