CKV2_AWS_38/39 produce empty `helpUri` in sarif output #3540

ankon · 2022-09-20T10:54:57Z

Describe the issue

We're producing sarif output from checkov in a github action. This started failing now because the sarif contains helpUri: null fields, which aren't valid (https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317848).

I can reproduce this locally with checkov 2.1.216, and in my case it's the rules CKV2_AWS_38 and CKV2_AWS_39 with invalid content:

Additional context

Possibly caused by: #3492 adding helpUri
A similar issue existed in cfn-lint, where the fix was to ensure that helpUri is pointing to something sane in all cases: aws-cloudformation/cfn-lint#2276

Workaround

We filter the content before uploading now:

      - name: "Band-aid: Remove empty helpUri in sarif"
        run: jq 'del(.runs[].tool.driver.rules[].helpUri|select(.=="" or .==null))' <results.sarif >results-fixed.sarif

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results-fixed.sarif

The text was updated successfully, but these errors were encountered:

ankon added the outputs label Sep 20, 2022

ankon mentioned this issue Sep 20, 2022

fix(general): only add helpUri to SARIF if it is non-empty #3542

Merged

7 tasks

Saarett closed this as completed in #3542 Sep 21, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CKV2_AWS_38/39 produce empty `helpUri` in sarif output #3540

CKV2_AWS_38/39 produce empty `helpUri` in sarif output #3540

ankon commented Sep 20, 2022 •

edited

Loading

CKV2_AWS_38/39 produce empty helpUri in sarif output #3540

CKV2_AWS_38/39 produce empty helpUri in sarif output #3540

Comments

ankon commented Sep 20, 2022 • edited Loading

CKV2_AWS_38/39 produce empty `helpUri` in sarif output #3540

CKV2_AWS_38/39 produce empty `helpUri` in sarif output #3540

ankon commented Sep 20, 2022 •

edited

Loading