Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SARIF files are missing detailed finding information #66

Open
2 tasks
fcasal opened this issue Oct 28, 2024 · 1 comment
Open
2 tasks

SARIF files are missing detailed finding information #66

fcasal opened this issue Oct 28, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@fcasal
Copy link

fcasal commented Oct 28, 2024

The SARIF files generated by zizmor are missing information present when the tool is run using the stdout:

  • The code span in the SARIF file does not span the vulnerable regions (at least for the template-injection rule):
error[template-injection]: code injection via template expansion
  --> .github/workflows/hazmat.yml:50:9
   |
50 |         - name: vulnerable-2
   |           ^^^^^^^^^^^^^^^^^^ this step
51 |           # NOT OK: attacker controlled workflow_dispatch input
52 |           run: |
   |  _________^
53 | |           echo "doing a thing: ${{ inputs.hackme }}"
   | |____________________________________________________^ inputs.hackme may expand into attacker-controllable code

only spans line 50 on the sarif file:

              "physicalLocation": {
                "artifactLocation": {
                  "uri": "hazmat.yml",
                  "uriBaseId": "%workflows%"
                },
                "region": {
                  "endColumn": 27,
                  "endLine": 50,
                  "snippet": {
                    "text": "name: vulnerable-2"
                  },
                  "sourceLanguage": "yaml",
                  "startColumn": 9,
                  "startLine": 50
                }
              }
@woodruffw woodruffw added the bug Something isn't working label Oct 28, 2024
@woodruffw woodruffw mentioned this issue Oct 29, 2024
Open
@woodruffw
Copy link
Owner

Began on this with #68, although it's currently blocked by psastras/sarif-rs#738.

@woodruffw woodruffw mentioned this issue Oct 30, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@woodruffw @fcasal