Tags: github, github-actions, code-analysis, sarif

How to convert a JSON value into SARIF format

How do I convert these values into SARIF?

Vulnerabilities: { "id": "66c5b89700fbf372c2f1f182", "method": "post", "path": "/user", "type": "API-DP9-2024", "severity": "High", "label": "Bot Data Modification", "impact": "Vulnerablity" }

Here is what I tried:

sarif_output=$(cat <<EOF
{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Custom Vulnerability Scanner",
          "version": "1.0",
          "informationUri": "https://example.com/tool-info",
          "rules": [
            {
              "id": "API-DP9-2024",
              "name": "Bot Data Modification",
              "shortDescription": {
                "text": "This rule identifies API endpoints vulnerable to bot data modification."
              },
              "fullDescription": {
                "text": "Bot Data Modification vulnerabilities occur when an API endpoint allows unauthorized data modification by automated systems."
              },
              "helpUri": "https://example.com/rules/API-DP9-2024",
              "defaultConfiguration": {
                "level": "error"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "API-DP9-2024",
          "level": "error",
          "message": {
            "text": "Vulnerability Report: Bot Data Modification on POST /user Endpoint."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "user",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "startLine": 1
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
EOF
)

I got an error; it failed:

Error details: instance is not allowed to have the additional property ""
Error: Unable to upload "./vulnerabilities-results.sarif" as it is not valid SARIF:
- instance is not allowed to have the additional property ""

Using GitHub Actions.

Please tell me how to achieve this.


Solution

  • The file in the question is valid according to the specified schema https://json.schemastore.org/sarif-2.1.0.json

    This file is accepted by github/codeql-action/upload-sarif@v3 action.

    However, the file that I see in the workflow you shared has an issue - the property "$schema" is missing. It is replaced by an empty string "" which is treated as a valid JSON property key but a key that is not allowed by SARIF. Hence it is referred to as additional property.

    Vulnerabilities SARIF: {
              "": "https://json.schemastore.org/sarif-2.1.0.json",

    The reason for this is most likely that the file was transformed by bash or similar which performed variable expansion on $schema. For example, if you run this command, you will see what I mean:

    cat <<EOF
    {
      "$schema": "https://json.schemastore.org/sarif-2.1.0.json"
    }
    EOF
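As an added example (not code from the question or from the answer above), the script below shows both halves of the problem in one place: an unquoted heredoc reproduces the `""` key that the upload step rejects, and a fixed generator converts the single vulnerability record from the question into a SARIF 2.1.0 document by escaping the dollar sign as `\$schema` while still letting the other `${...}` references expand. The tool name, `informationUri`, `helpUri`, the severity-to-level mapping and the `uri`/`uriBaseId` choice are assumptions carried over from the question's draft; the record values are the ones from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: converts the one
# vulnerability record from the question into a SARIF 2.1.0 document while
# keeping the "$schema" key intact. Tool name, informationUri, helpUri, the
# severity mapping and the uri/uriBaseId choice are assumptions.

# Constructed sample record (values copied from the question).
VULN_METHOD="post"
VULN_PATH="/user"
VULN_TYPE="API-DP9-2024"
VULN_SEVERITY="High"
VULN_LABEL="Bot Data Modification"

# Escape backslashes and double quotes so a label can never break the JSON.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Map the scanner's severity onto a SARIF result level (assumed mapping).
sarif_level() {
  case "$1" in
    High|Critical) echo "error" ;;
    Medium)        echo "warning" ;;
    *)             echo "note" ;;
  esac
}

# Reproduces the failure from the question: with an unquoted delimiter the
# shell expands the (unset) variable $schema, so the key collapses to "".
broken_sarif() {
  cat <<EOF
{ "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0" }
EOF
}

# Fixed: "\$schema" is emitted literally; the delimiter stays unquoted so the
# ${...} references to the record's fields are still expanded.
build_sarif() {
  method=$(printf '%s' "$VULN_METHOD" | tr '[:lower:]' '[:upper:]')
  label=$(json_escape "$VULN_LABEL")
  level=$(sarif_level "$VULN_SEVERITY")
  uri=${VULN_PATH#/}   # "/user" -> "user", interpreted relative to %SRCROOT%
  cat <<EOF
{
  "\$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Custom Vulnerability Scanner",
          "version": "1.0",
          "informationUri": "https://example.com/tool-info",
          "rules": [
            {
              "id": "${VULN_TYPE}",
              "name": "${label}",
              "shortDescription": { "text": "${label} on ${method} ${VULN_PATH}" },
              "helpUri": "https://example.com/rules/${VULN_TYPE}",
              "defaultConfiguration": { "level": "${level}" }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "${VULN_TYPE}",
          "level": "${level}",
          "message": { "text": "Vulnerability Report: ${label} on ${method} ${VULN_PATH} endpoint." },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "${uri}", "uriBaseId": "%SRCROOT%" },
                "region": { "startLine": 1 }
              }
            }
          ]
        }
      ]
    }
  ]
}
EOF
}

# Sanity checks a workflow step can run before the upload: the schema key
# must be present and no empty "" key may remain in the document.
has_schema_key() { case "$1" in *'"$schema"'*) return 0 ;; *) return 1 ;; esac; }
has_empty_key()  { case "$1" in *'"":'*)      return 0 ;; *) return 1 ;; esac; }

# Usage: sh convert.sh --write   (writes vulnerabilities-results.sarif)
if [ "${1:-}" = "--write" ]; then
  build_sarif > vulnerabilities-results.sarif
fi
```

Quoting the delimiter (`<<'EOF'`) would also stop the `$schema` expansion, but it stops every other expansion too, so a generator that fills in fields from shell variables needs the escaped form instead; the two check functions at the end catch a regression of either kind before the file reaches the upload step.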