
upload-sarif: token input doesn't work #2386

Open
jesus-linares opened this issue Jul 24, 2024 · 7 comments
Labels
question Further information is requested

Comments

@jesus-linares

jesus-linares commented Jul 24, 2024

I have this step in a workflow and it works:

      - name: "Upload Trivy scan results to GitHub Security tab"
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: '${{ env.trivy_output_file }}'
          category: 'trivy-image-${{ matrix.image }}'

but it doesn't work if I add the token argument:

      - name: "Upload Trivy scan results to GitHub Security tab"
        uses: github/codeql-action/upload-sarif@v3
        with:
          token: ${{ secrets.MY_TOKEN }}
          sarif_file: '${{ env.trivy_output_file }}'
          category: 'trivy-image-${{ matrix.image }}'

This is the error:

Uploading results
  Processing sarif files: ["trivy-test-yellow.sarif"]
  Validating trivy-test-yellow.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. For more information, see https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs
  Uploading results
  Warning: Not Found
  Error: Not Found
Debug
Uploading results
  Processing sarif files: ["trivy-test-yellow.sarif"]
  Validating trivy-test-yellow.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. For more information, see https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs
  ##[debug]Validating that each SARIF run has a unique category
  ##[debug]Serializing SARIF for upload
  ##[debug]Compressing serialized SARIF
  ##[debug]Raw upload size: 542 bytes
  ##[debug]Base64 zipped upload size: 472 bytes
  ##[debug]Number of results in upload: 0
  Uploading results
  Warning: Not Found
  Error: Not Found
  ##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"v3","action_started_at":"2024-07-24T13:50:22.018Z","action_version":"3.25.13","analysis_key":".github/workflows/build new.yml:build","commit_oid":"f26f5724a7c97d43f52ce8d4c9c0ed09b5eeba51","first_party_analysis":false,"job_name":"build","job_run_uuid":"","ref":"refs/heads/main","runner_os":"Linux","started_at":"2024-07-24T13:50:22.018Z","status":"failure","steady_state_default_setup":false,"testing_environment":"","workflow_name":"builed new","workflow_run_attempt":1,"workflow_run_id":10077937806,"actions_event_name":"workflow_dispatch","runner_available_disk_space_bytes":21029244928,"runner_total_disk_space_bytes":77851254784,"cause":"Not Found","exception":"HttpError: Not Found\n    at /home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/request/dist-node/index.js:86:21\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)\n    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v3/node_modules/bottleneck/light.js:405:18)","completed_at":"2024-07-24T13:50:22.813Z","matrix_vars":"{\n  \"dockerfile\": \"Dockerfile-ok\",\n  \"image\": \"test/yellow\"\n}","runner_arch":"X64","runner_image_version":"20240721.1.0"}
  ##[debug]Node Action run completed with exit code 1
  ##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
  ##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
  ##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
  ##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
  ##[debug]CODEQL_ACTION_VERSION='3.25.13'
  ##[debug]CODEQL_ACTION_ANALYSIS_KEY='.github/workflows/build new.yml:build'
  ##[debug]CODEQL_WORKFLOW_STARTED_AT='2024-07-24T13:50:22.018Z'
  ##[debug]CODEQL_UPLOAD_SARIF_TRIVY_IMAGE_TEST_YELLOW__TRIVY='CODEQL_UPLOAD_SARIF_TRIVY_IMAGE_TEST_YELLOW__TRIVY'
  ##[debug]CODEQL_ACTION_JOB_STATUS='JOB_STATUS_FAILURE'
  ##[debug]Finishing: Upload Trivy scan results to GitHub Security tab

The secret is properly configured. If I change the secret value, I get "Bad credentials". I created this step to check the token and it works:

      - name: testing secrets
        env: 
          MY_TOKEN: ${{ secrets.MY_TOKEN }}
        run: |
          REPOSITORY=".../..."

          # Variables
          BASE_URL="https://api.github.com/repos/$REPOSITORY/code-scanning"

          HEADERS=(
            -H "Accept: application/vnd.github+json"
            -H "Authorization: Bearer $MY_TOKEN"
            -H "X-GitHub-Api-Version: 2022-11-28"
          )

          curl -Ls \
            -X GET \
            "${HEADERS[@]}" \
            "$BASE_URL/analyses?per_page=1"
@aeisenberg
Contributor

Your SARIF file is suspiciously small 542 bytes. My guess is that there is something invalid about the file being generated. Could you share the file here? If you ran the job in debug mode, it should have been uploaded as an artifact.
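A small triage helper, added here as an example (it is not code from this thread or from the codeql-action project): it parses the debug output of an upload-sarif step and separates the two signals the comment above points at, namely the size and result count of the serialized payload and whether the "Not Found" came back from the upload request itself rather than from validation. The two sample logs are constructed to mirror the runs quoted in this issue.

```python
"""Triage helper for `github/codeql-action/upload-sarif` step logs.

Added example, not part of the codeql-action project. Given the text of an
upload-sarif step log it extracts the SARIF file list, the raw payload size,
the number of results that were serialized, and the first error line, then
states which of those is worth chasing first.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples modelled on the debug output quoted in the issue.
SAMPLE_LOG_EMPTY = """\
Uploading results
  Processing sarif files: ["trivy-test-yellow.sarif"]
  Validating trivy-test-yellow.sarif
  ##[debug]Raw upload size: 542 bytes
  ##[debug]Base64 zipped upload size: 472 bytes
  ##[debug]Number of results in upload: 0
  Uploading results
  Warning: Not Found
  Error: Not Found
"""

SAMPLE_LOG_RESULTS = """\
Uploading results
  Processing sarif files: ["./results.sarif"]
  Validating ./results.sarif
  ##[debug]Raw upload size: 28023 bytes
  ##[debug]Base64 zipped upload size: 7228 bytes
  ##[debug]Number of results in upload: 7
  Uploading results
  Warning: Not Found
  Error: Not Found
"""

FILES_RE = re.compile(r"Processing sarif files: (\[.*\])")
RAW_RE = re.compile(r"Raw upload size: (\d+) bytes")
COUNT_RE = re.compile(r"Number of results in upload: (\d+)")
ERROR_RE = re.compile(r"^\s*Error: (.+)$")


@dataclass
class UploadReport:
    sarif_files: List[str] = field(default_factory=list)
    raw_bytes: Optional[int] = None
    result_count: Optional[int] = None
    error: Optional[str] = None

    @property
    def failed_at_upload(self) -> bool:
        # The result count is only logged once the SARIF has been validated
        # and serialized, so an error that follows it came from the upload call.
        return self.error is not None and self.result_count is not None

    def diagnosis(self) -> str:
        if self.error is None:
            return "upload completed without an error line"
        if not self.failed_at_upload:
            return f"step failed before upload ({self.error}): check that the SARIF file is valid"
        if self.result_count == 0:
            return (f"empty payload: 0 results in {self.raw_bytes} bytes; the scanner produced "
                    f"no findings or wrote an invalid file; the API also answered {self.error!r}")
        return (f"well-formed upload ({self.result_count} results) rejected with {self.error!r}: "
                "check that the token used for the upload has security-events write access to "
                "this repository (the action expects the built-in GITHUB_TOKEN)")


def triage_upload_log(log: str) -> UploadReport:
    """Scan the step log line by line and fill in an UploadReport."""
    report = UploadReport()
    for line in log.splitlines():
        if (m := FILES_RE.search(line)):
            report.sarif_files = json.loads(m.group(1))
        elif (m := RAW_RE.search(line)):
            report.raw_bytes = int(m.group(1))
        elif (m := COUNT_RE.search(line)):
            report.result_count = int(m.group(1))
        elif (m := ERROR_RE.match(line)) and report.error is None:
            report.error = m.group(1).strip()
    return report


if __name__ == "__main__":
    for name, sample in (("empty", SAMPLE_LOG_EMPTY), ("results", SAMPLE_LOG_RESULTS)):
        print(name, "->", triage_upload_log(sample).diagnosis())
```

Run it on the text copied from the step's log: the zero-result case is reported as a scanner or file problem before anyone starts rotating tokens, while a populated payload rejected with Not Found points at the permissions of the token doing the upload.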

@jwilmoth-ehs

jwilmoth-ehs commented Aug 26, 2024

I'm experiencing the same issue. The logging immediately before and at the failure appears to come from this block https://github.com/github/codeql-action/blob/v3.25.0/src/upload-lib.ts#L233-L240. I did not see a corresponding PUT /repos/:owner/:repo/code-scanning/analysis entry in https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-code-scanning-alerts.

Action Debug Output

Run github/codeql-action/upload-sarif@v3
##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"v3","action_started_at":"2024-08-26T18:39:50.965Z","action_version":"3.26.5","analysis_key":".github/workflows/verify-pull-request.yml:image","commit_oid":"2f079b8b84d0790015bc4b6b46f16593f765a2a2","first_party_analysis":false,"job_name":"image","job_run_uuid":"","ref":"refs/heads/test-add-graphql-schema-verification","runner_os":"Linux","started_at":"2024-08-26T18:39:50.965Z","status":"starting","steady_state_default_setup":false,"testing_environment":"","workflow_name":"Verify","workflow_run_attempt":2,"workflow_run_id":10565163535,"actions_event_name":"push","runner_available_disk_space_bytes":18077360128,"runner_total_disk_space_bytes":77851254784,"matrix_vars":"null","runner_arch":"X64","runner_image_version":"20240818.1.0"}
::group::Uploading results
Uploading results
  Processing sarif files: ["./results.sarif"]
  Validating ./results.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Unable to compute fingerprint for non-existent file: /home/runner/work/java-standard/java-standard/java-standard-example//var/lib/rpm/rpmdb.sqlite
  ##[debug]Validating that each SARIF run has a unique category
  ##[debug]Serializing SARIF for upload
  ##[debug]Compressing serialized SARIF
  ##[debug]Raw upload size: 28023 bytes
  ##[debug]Base64 zipped upload size: 7228 bytes
  ##[debug]Number of results in upload: 7
  Uploading results
  Warning: Not Found
  Error: Not Found
  ##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"v3","action_started_at":"2024-08-26T18:39:50.965Z","action_version":"3.26.5","analysis_key":".github/workflows/verify-pull-request.yml:image","commit_oid":"2f079b8b84d0790015bc4b6b46f16593f765a2a2","first_party_analysis":false,"job_name":"image","job_run_uuid":"","ref":"refs/heads/test-add-graphql-schema-verification","runner_os":"Linux","started_at":"2024-08-26T18:39:50.965Z","status":"failure","steady_state_default_setup":false,"testing_environment":"","workflow_name":"Verify","workflow_run_attempt":2,"workflow_run_id":10565163535,"actions_event_name":"push","runner_available_disk_space_bytes":18077351936,"runner_total_disk_space_bytes":77851254784,"cause":"Not Found","exception":"HttpError: Not Found\n    at /home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/request/dist-node/index.js:86:21\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)\n    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v3/node_modules/bottleneck/light.js:405:18)","completed_at":"2024-08-26T18:39:51.738Z","matrix_vars":"null","runner_arch":"X64","runner_image_version":"20240818.1.0"}
  ##[debug]Node Action run completed with exit code 1
  ##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
  ##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
  ##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
  ##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
  ##[debug]CODEQL_ACTION_VERSION='3.26.5'
  ##[debug]CODEQL_ACTION_ANALYSIS_KEY='.github/workflows/verify-pull-request.yml:image'
  ##[debug]CODEQL_WORKFLOW_STARTED_AT='2024-08-26T18:39:50.965Z'
  ##[debug]CODEQL_UPLOAD_SARIF_CONTAINER__GRYPE='CODEQL_UPLOAD_SARIF_CONTAINER__GRYPE'
  ##[debug]CODEQL_ACTION_JOB_STATUS='JOB_STATUS_FAILURE'
  ##[debug]Finishing: Upload vulnerability report

@aeisenberg
Contributor

It's likely that your token does not have the proper scopes associated with it. It needs the security_events permission. Please verify that it has it as well as access to read from the current repo.

@jwilmoth-ehs

jwilmoth-ehs commented Sep 11, 2024

This is what the token summary shows:

[screenshot: token summary]

And the code scanning alerts specific setting:

[screenshot: code scanning alerts permission]

@aeisenberg aeisenberg added question Further information is requested and removed awaiting-response labels Sep 12, 2024
@chrisgavin
Contributor

I believe currently only the built-in GitHub Actions token can be used to upload SARIF files with the codeql-action/upload-sarif Action (the existing documentation for this parameter appears to be incorrect 😢). If you could provide some more details about why you would like to use a custom token here we might be able to provide suggestions for how to work around this limitation.

Note that you should still be able to use a custom token for other steps like checking out the repository or downloading build dependencies.

@aeisenberg
Contributor

Thanks, @chrisgavin. The docs are updated here #2477.

@jwilmoth-ehs

> I believe currently only the built-in GitHub Actions token can be used to upload SARIF files with the codeql-action/upload-sarif Action (the existing documentation for this parameter appears to be incorrect 😢). If you could provide some more details about why you would like to use a custom token here we might be able to provide suggestions for how to work around this limitation.
>
> Note that you should still be able to use a custom token for other steps like checking out the repository or downloading build dependencies.

We leverage a shared workflow in a number of repositories and the custom token (with the required permissions) would allow us to avoid adding the following boilerplate to each call of the shared workflow.

    permissions:
      actions: read
      contents: read
      security-events: write
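For the shared-workflow case, here is an added example (not from this issue or from the codeql-action project) of the job shape that follows from the answers above: the job grants the built-in token exactly the three permissions listed in the comment and leaves the upload step without a `token:` input, so it falls back to `GITHUB_TOKEN`, while the custom secret is used only for checkout. The workflow name, the `MY_TOKEN` secret name, the `results.sarif` path and the scanner step are assumptions.

```yaml
# Added example: least-privilege job for uploading scanner SARIF.
# Names below (workflow, secret, file path, scanner step) are assumptions.
name: container-scan
on:
  workflow_dispatch:

# Grant nothing at the workflow level; each job asks for what it needs.
permissions: {}

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      actions: read           # the three permissions from the comment above
      contents: read
      security-events: write  # required for the code-scanning upload
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.MY_TOKEN }}   # a custom token is fine for checkout

      # Scanner step omitted: whatever produces results.sarif goes here.

      - name: Upload scan results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: container-image
          # No `token:` input: the action uses the job's GITHUB_TOKEN,
          # which carries the security-events: write permission granted above.
```

The `permissions` block still has to be present in each caller because a reusable workflow's jobs can only receive permissions the caller already holds; keeping it at the job level, rather than handing a broadly scoped secret to the upload, is the least-privilege way to satisfy the action.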
