🐛 keep SARIF runs and rules for exempted checks, only skip the result…

…s. (#4153) * keep runs and rules for exempted checks, only skip the results. Signed-off-by: Spencer Schrock <[email protected]> * update test Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]>
ossf · Jun 14, 2024 · da0f2b4 · mcneilrp1 · Sep 12, 2024 · da0f2b4
1 parent 5ef9831
commit da0f2b4
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 9 deletions.
diff --git a/pkg/sarif.go b/pkg/sarif.go
@@ -627,13 +627,6 @@ func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel log.Level,
 	for _, check := range r.Checks {
 		check := check
 
-		// SARIF output triggers GitHub security alerts for a repository.
-		// For annotated checks, we don't want to send alerts.
-		exempted, _ := check.IsExempted(r.Config)
-		if exempted {
-			continue
-		}
-
 		doc, err := checkDocs.GetCheck(check.Name)
 		if err != nil {
 			return sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("GetCheck: %v: %s", err, check.Name))
@@ -677,6 +670,11 @@ func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel log.Level,
 			continue
 		}
 
+		// Skip checks that are annotated
+		if exempted, _ := check.IsExempted(r.Config); exempted {
+			continue
+		}
+
 		// Unclear what to use for PartialFingerprints.
 		// GitHub only uses `primaryLocationLineHash`, which is not properly defined
 		// and Appendix B of https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html

diff --git a/pkg/sarif_test.go b/pkg/sarif_test.go
@@ -229,7 +229,7 @@ func TestSARIFOutput(t *testing.T) {
 			},
 		},
 		{
-			name:           "check-1 annotations",
+			name:           "annotated check defined but no results",
 			showDetails:    true,
 			showAnotations: true,
 			expected:       "./testdata/check1_annotations.sarif",

diff --git a/pkg/testdata/check1_annotations.sarif b/pkg/testdata/check1_annotations.sarif
@@ -1,5 +1,48 @@
 {
    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
    "version": "2.1.0",
-   "runs": []
+   "runs": [
+      {
+         "automationDetails": {
+            "id": "supply-chain/local/ccbc59901773ab4c051dfcea0cc4201a1567abdd-17 Aug 21 18:57 +0000"
+         },
+         "tool": {
+            "driver": {
+               "name": "Scorecard",
+               "informationUri": "https://github.com/ossf/scorecard",
+               "semanticVersion": "1.2.3",
+               "rules": [
+                  {
+                     "id": "CheckNameID",
+                     "name": "Check-Name",
+                     "helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
+                     "shortDescription": {
+                        "text": "Check-Name"
+                     },
+                     "fullDescription": {
+                        "text": "short description"
+                     },
+                     "help": {
+                        "text": "short description",
+                        "markdown": "**Remediation (click \"Show more\" below)**:\n\n- not-used1\n\n- not-used2\n\n\n\n**Severity**: High\n\n\n\n**Details**:\n\nlong description\n\n other line"
+                     },
+                     "defaultConfiguration": {
+                        "level": "error"
+                     },
+                     "properties": {
+                        "precision": "high",
+                        "problem.severity": "error",
+                        "security-severity": "7.0",
+                        "tags": [
+                           "tag1",
+                           "tag2"
+                        ]
+                     }
+                  }
+               ]
+            }
+         },
+         "results": []
+      }
+   ]
 }