[TS-161] rejecting SARIF, as there are more runs than allowed (16 > 15) #95
Internal ticket created: TS-161
might work around codacy/codacy-analysis-cli-action#95 only as long as the number of result-carrying runs is small…
the commit 746f198 workaround for codacy/codacy-analysis-cli-action#95 was not so good because the empty results seem to be needed to flush former results out of GH codescanning…
reopens codacy/codacy-analysis-cli-action#95 but this is needed so old reports will go away once no longer found
⚠ This is unfortunately a showstopper! ⚠ There seems to be no way to disable tools that we don’t use anyway (like tsqllint, which seems to be for some Microsoft thing, whereas we use PostgreSQL); they still show up in the SARIF file. This prevents SARIF file upload, and all possible workarounds end up having flaws preventing their use.
SARIF file, to have two known-empty (or not, but then it’s not our fault because we disable these two tools) runs less, another codacy/codacy-analysis-cli-action#95 workaround attempt
I missed this issue and opened a duplicate in #121 a while back. I finally took a look and fixed it by removing the duplicate runs.

```shell
jq '.runs |= unique_by({tool, invocations})' results.sarif > codacy.sarif
```

original sarif

```
$ gron results.sarif.json | rg "tool.driver.name"
json.runs[0].tool.driver.name = "Checkov (reported by Codacy)";
json.runs[1].tool.driver.name = "Semgrep (reported by Codacy)";
json.runs[2].tool.driver.name = "Pmd (reported by Codacy)";
json.runs[3].tool.driver.name = "Semgrep (reported by Codacy)";
json.runs[4].tool.driver.name = "Cppcheck (reported by Codacy)";
json.runs[5].tool.driver.name = "Pmd (reported by Codacy)";
json.runs[6].tool.driver.name = "Markdownlint (reported by Codacy)";
json.runs[7].tool.driver.name = "Trivy (reported by Codacy)";
json.runs[8].tool.driver.name = "Semgrep (reported by Codacy)";
json.runs[9].tool.driver.name = "Shellcheck (reported by Codacy)";
json.runs[10].tool.driver.name = "Semgrep (reported by Codacy)";
json.runs[11].tool.driver.name = "Trivy (reported by Codacy)";
json.runs[12].tool.driver.name = "Jacksonlinter (reported by Codacy)";
json.runs[13].tool.driver.name = "Detekt (reported by Codacy)";
json.runs[14].tool.driver.name = "Flawfinder (reported by Codacy)";
json.runs[15].tool.driver.name = "Remark-lint (reported by Codacy)";
json.runs[16].tool.driver.name = "Spectral (reported by Codacy)";
json.runs[17].tool.driver.name = "Trivy (reported by Codacy)";
json.runs[18].tool.driver.name = "Trivy (reported by Codacy)";
json.runs[19].tool.driver.name = "Spectral (reported by Codacy)";
json.runs[20].tool.driver.name = "Checkov (reported by Codacy)";
```

fixed sarif

```
$ gron codacy.sarif | rg "tool.driver.name"
json.runs[0].tool.driver.name = "Checkov (reported by Codacy)";
json.runs[1].tool.driver.name = "Cppcheck (reported by Codacy)";
json.runs[2].tool.driver.name = "Detekt (reported by Codacy)";
json.runs[3].tool.driver.name = "Flawfinder (reported by Codacy)";
json.runs[4].tool.driver.name = "Jacksonlinter (reported by Codacy)";
json.runs[5].tool.driver.name = "Markdownlint (reported by Codacy)";
json.runs[6].tool.driver.name = "Pmd (reported by Codacy)";
json.runs[7].tool.driver.name = "Remark-lint (reported by Codacy)";
json.runs[8].tool.driver.name = "Semgrep (reported by Codacy)";
json.runs[9].tool.driver.name = "Shellcheck (reported by Codacy)";
json.runs[10].tool.driver.name = "Spectral (reported by Codacy)";
json.runs[11].tool.driver.name = "Trivy (reported by Codacy)";
```
@ben-manes oh, good idea… but lacking in the execution as this can hide results; my SARIF has (after sorting) parts like this:

(ideally, there would be a SARIF merger, best contained within Codacy’s already-existing tools)
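The two comments above describe the trade-off: `unique_by({tool, invocations})` gets the file under the run limit but silently throws away every result in the dropped duplicate runs, while keeping empty runs is what lets GitHub close alerts that are no longer reported. The following is an added example of the "SARIF merger" asked for here; it is not code from codacy-analysis-cli-action or from either commenter. It groups runs by `tool.driver.name`, concatenates their `results`, unions `tool.driver.rules` by `id` and remaps `ruleIndex` so results still point at the right rule, and keeps a tool whose runs were all empty as one empty run. The sample SARIF is constructed for illustration (a cut-down version of the shape shown in the `gron` output), and the run limit is a parameter because the only number this thread supports is the `16 > 15` from the error message.

```python
"""Merge SARIF runs that share a tool driver name without dropping results.

Added example for this issue; not part of codacy-analysis-cli-action.
Assumes SARIF 2.1.0 layout: runs[].tool.driver.name, runs[].tool.driver.rules,
runs[].results (with optional ruleIndex into that run's rules array).
"""
import json
import sys
from copy import deepcopy

# Constructed sample (not a real Codacy file): five runs, three distinct tools.
# Semgrep is split across two runs that each carry a result; Trivy appears
# twice with no results, as the empty runs in this thread do.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "Checkov (reported by Codacy)", "rules": []}},
         "results": []},
        {"tool": {"driver": {"name": "Semgrep (reported by Codacy)",
                             "rules": [{"id": "python.lang.security.audit.eval"}]}},
         "results": [{"ruleId": "python.lang.security.audit.eval", "ruleIndex": 0,
                      "message": {"text": "eval() on untrusted input"}}]},
        {"tool": {"driver": {"name": "Trivy (reported by Codacy)", "rules": []}},
         "results": []},
        {"tool": {"driver": {"name": "Semgrep (reported by Codacy)",
                             "rules": [{"id": "bash.curl.security.curl-pipe-bash"}]}},
         "results": [{"ruleId": "bash.curl.security.curl-pipe-bash", "ruleIndex": 0,
                      "message": {"text": "piping curl output into bash"}}]},
        {"tool": {"driver": {"name": "Trivy (reported by Codacy)", "rules": []}},
         "results": []},
    ],
}


def merge_runs_by_tool(sarif):
    """Return a new SARIF document with exactly one run per tool driver name.

    Unlike deduplicating whole runs, every result survives: results of later
    same-named runs are appended to the first run's results, rules are unioned
    by id, and each appended result's ruleIndex is remapped to the merged
    rules array. A tool with only empty runs keeps one empty run.
    """
    merged = {}  # driver name -> merged run; dict preserves first-seen order
    for run in sarif.get("runs", []):
        name = run["tool"]["driver"]["name"]
        if name not in merged:
            target = deepcopy(run)  # do not mutate the caller's document
            target.setdefault("results", [])
            target["tool"]["driver"].setdefault("rules", [])
            merged[name] = target
            continue
        target = merged[name]
        target_rules = target["tool"]["driver"]["rules"]
        by_id = {r.get("id"): i for i, r in enumerate(target_rules)}
        # old index in this run's rules -> index in the merged rules array
        index_map = {}
        for old_index, rule in enumerate(run["tool"]["driver"].get("rules", [])):
            rid = rule.get("id")
            if rid not in by_id:
                by_id[rid] = len(target_rules)
                target_rules.append(deepcopy(rule))
            index_map[old_index] = by_id[rid]
        for result in run.get("results", []):
            result = deepcopy(result)
            if "ruleIndex" in result:
                result["ruleIndex"] = index_map.get(result["ruleIndex"],
                                                    result["ruleIndex"])
            target["results"].append(result)
    out = dict(sarif)
    out["runs"] = list(merged.values())
    return out


def check_run_limit(sarif, limit):
    """Mirror the upload-side check: (ok, run_count) for a caller-supplied limit."""
    count = len(sarif.get("runs", []))
    return count <= limit, count


if __name__ == "__main__":
    # Usage: python merge_sarif.py results.sarif codacy.sarif [limit]
    src, dst = sys.argv[1], sys.argv[2]
    limit = int(sys.argv[3]) if len(sys.argv) > 3 else 15  # value from this issue's error
    with open(src) as fh:
        document = json.load(fh)
    merged_doc = merge_runs_by_tool(document)
    ok, count = check_run_limit(merged_doc, limit)
    with open(dst, "w") as fh:
        json.dump(merged_doc, fh)
    print(f"{count} runs after merge (limit {limit}): {'ok' if ok else 'still too many'}")
    sys.exit(0 if ok else 1)
```

Run it between the Codacy step and the upload step on the file the action writes; if the merged file still exceeds the limit, the exit status is non-zero so the workflow fails before the upload does. Note that merging only helps when the excess comes from the same tool appearing in several runs, as in the `gron` listing above (21 runs, 12 tools); it cannot remove runs for tools disabled in the Codacy UI, which is the separate problem raised in this issue.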
Recently we get the following error messages on SARIF upload in https://github.com/metabrainz/picard/ :

This happens without any obvious change on our side. I downloaded one of the generated SARIF files, and indeed the `runs` array contains 16 entries. But this also includes tools like spectral or markdownlint that we have disabled in the Codacy UI for this project. It looks like this action will run all the tools available on Codacy, but then it fails because codeql does not allow so many runs in the SARIF upload. That's a bit of an odd situation.

How can we get this action to generate a SARIF file codeql then accepts?
Our action YML: https://github.com/metabrainz/picard/blob/master/.github/workflows/codacy-analysis.yml