Duplicate Rule Error for Sarif File #1076

@akashsinghal

I've set up the ossf/scorecard-action to run for a project I'm working on. We started seeing errors from the action saying the output SARIF file is not valid (see below):

Error: Unable to upload "results.sarif" as it is not valid SARIF:
- instance.runs[2].tool.driver.rules contains duplicate item
Error: Unable to upload "results.sarif" as it is not valid SARIF:
- instance.runs[2].tool.driver.rules contains duplicate item
    at validateSarifFileSchema (/home/runner/work/_actions/github/codeql-action/a34ca99b4610d924e04c68db79e503e1f79f9f02/lib/upload-lib.js:189:15)
    at uploadFiles (/home/runner/work/_actions/github/codeql-action/a34ca99b4610d924e04c68db79e503e1f79f9f02/lib/upload-lib.js:238:9)
    at Object.uploadFromActions (/home/runner/work/_actions/github/codeql-action/a34ca99b4610d924e04c68db79e503e1f79f9f02/lib/upload-lib.js:132:18)
    at async run (/home/runner/work/_actions/github/codeql-action/a34ca99b4610d924e04c68db79e503e1f79f9f02/lib/upload-sarif-action.js:46:30)
    at async runWrapper (/home/runner/work/_actions/github/codeql-action/a34ca99b4610d924e04c68db79e503e1f79f9f02/lib/upload-sarif-action.js:68:9)

The workflow file we use is almost identical to the sample in the documentation. Here is the workflow file we use:

name: Scorecards supply-chain security
on:
  branch_protection_rule:
  schedule:
    # Weekly on Saturdays.
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]
  workflow_dispatch:

permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
      actions: read
      contents: read
    
    steps:
      - name: "Checkout code"
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=3.0.2
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # tag=v2.0.4
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          publish_results: true

      - name: "Upload artifact"
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@515828d97454b8354517688ddc5b48402b723750 # tag=v2.1.38
        with:
          sarif_file: results.sarif

Could I get some guidance on what the issue might be? As far as I understand, the rules are default and come preset with the OSSF action?
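A pre-upload check for the condition named in that error, added here as an example (it is not code from scorecard-action or codeql-action): it reports which run and rule id is repeated in `tool.driver.rules`, and can drop exact duplicates while refusing to do so when results address rules by `ruleIndex`. It assumes the results file has already been loaded with `json.load`; the SARIF document below is constructed.

```python
import json
from collections import Counter

# Constructed SARIF document for this example (not real scorecard output):
# run 0 is clean, run 1 lists the same rule object twice.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "tool-a", "rules": [
            {"id": "check-a", "shortDescription": {"text": "Check A"}},
            {"id": "check-b", "shortDescription": {"text": "Check B"}},
        ]}}, "results": []},
        {"tool": {"driver": {"name": "tool-b", "rules": [
            {"id": "check-c", "shortDescription": {"text": "Check C"}},
            {"id": "check-c", "shortDescription": {"text": "Check C"}},
            {"id": "check-d", "shortDescription": {"text": "Check D"}},
        ]}}, "results": [{"ruleId": "check-d", "message": {"text": "finding"}}]},
    ],
}

def _canonical(rule):
    # Identical rule objects compare equal regardless of key order.
    return json.dumps(rule, sort_keys=True, separators=(",", ":"))

def _rules_of(run):
    return run.get("tool", {}).get("driver", {}).get("rules", [])

def find_duplicate_rules(doc):
    """(run_index, rule_id, count) for each rule object repeated inside one run; this is
    the uniqueItems condition behind 'runs[N].tool.driver.rules contains duplicate item'."""
    findings = []
    for idx, run in enumerate(doc.get("runs", [])):
        for key, n in Counter(_canonical(r) for r in _rules_of(run)).items():
            if n > 1:
                findings.append((idx, json.loads(key).get("id"), n))
    return findings

def dedupe_rules(doc):
    """Copy of doc with repeated rule objects dropped (first occurrence kept). Refuses when a
    result addresses its rule by position (ruleIndex), since removing entries shifts indexes."""
    doc = json.loads(json.dumps(doc))  # deep copy so the caller's document is untouched
    for run in doc.get("runs", []):
        if any("ruleIndex" in res for res in run.get("results", [])):
            raise ValueError("results use ruleIndex; dedupe would break rule references")
        kept = {}
        for rule in _rules_of(run):
            kept.setdefault(_canonical(rule), rule)  # first occurrence wins
        if kept:
            run["tool"]["driver"]["rules"] = list(kept.values())
    return doc
```

Running `find_duplicate_rules` on the generated results.sarif before the upload step tells you which run index the validator is complaining about and which rule is repeated, which is the information the error message leaves out.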
