github github-actions code-analysis sarif

How to Convert Json value into Sarif format

how to convert this values into sarif

Vulnerablilites: { "id": "66c5b89700fbf372c2f1f182", "method": "post", "path": "/user", "type": "API-DP9-2024", "severity": "High", "label": "Bot Data Modification", "impact": "Vulnerablity" }

Here is i try

sarif_output=$(cat <<EOF
{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Custom Vulnerability Scanner",
          "version": "1.0",
          "informationUri": "https://example.com/tool-info",
          "rules": [
            {
              "id": "API-DP9-2024",
              "name": "Bot Data Modification",
              "shortDescription": {
                "text": "This rule identifies API endpoints vulnerable to bot data modification."
              },
              "fullDescription": {
                "text": "Bot Data Modification vulnerabilities occur when an API endpoint allows unauthorized data modification by automated systems."
              },
              "helpUri": "https://example.com/rules/API-DP9-2024",
              "defaultConfiguration": {
                "level": "error"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "API-DP9-2024",
          "level": "error",
          "message": {
            "text": "Vulnerability Report: Bot Data Modification on POST /user Endpoint."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "user",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "startLine": 1
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
EOF
)

Got Error failed

Error details: instance is not allowed to have the additional property ""
Error: Unable to upload "./vulnerabilities-results.sarif" as it is not valid SARIF:
- instance is not allowed to have the additional property ""

Using Github Action

plse tell me how to achive

Solution

The file in the question is valid according to the specified schema https://json.schemastore.org/sarif-2.1.0.json

This file is accepted by github/codeql-action/upload-sarif@v3 action.

However, the file that I see in the workflow you shared has an issue - the property "$schema" is missing. It is replaced by an empty string "" which is treated as a valid JSON property key but a key that is not allowed by SARIF. Hence it is referred to as additional property.

Vulnerabilities SARIF: {
          "": "https://json.schemastore.org/sarif-2.1.0.json",

The reason for this is most likely that the file was transformed by bash or similar which performed variable expansion on $schema. For example, if you run this command, you will see what I mean:

cat <<EOF
{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json"
}
EOF