
SARIF result not uploaded #1058

Open
Itsukan0 opened this issue May 5, 2022 · 11 comments
Labels
question Further information is requested

Comments


Itsukan0 commented May 5, 2022

Hi,

I'm trying to setup a basic code analysis in my CI on my project.

I setup CodeQL for Ubuntu, worked first time.

I tried to set up the same for Windows using this :

https://devblogs.microsoft.com/cppblog/microsoft-cpp-code-analysis-with-github-actions/

The workflow started and completed fine, except this :

[screenshot of the failed "Upload SARIF to GitHub" step]

The result of the MSVC check is not displayed in the Code Scanning Alerts in the Security tab of my project; the Ubuntu one is.

I can get the SARIF file as an artifact, just not get it to display properly on the project page.

How can I solve this?
Thanks in advance

The yml code is the basic one :

name: Microsoft C++ Code Analysis

on:
  push:
    branches: [ main, dev, Basic_Protections ]
  pull_request:
    branches: [ main ]
    
env:
  # Path to the CMake build directory.
  build: '${{ github.workspace }}/build'

permissions:
  contents: read

jobs:
  analyze:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    name: Analyze
    runs-on: windows-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Configure CMake
        run: cmake -B ${{ env.build }}

      # Build is not required unless generated source files are used
      # - name: Build CMake
      #   run: cmake --build ${{ env.build }}

      - name: Initialize MSVC Code Analysis
        uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
        # Provide a unique ID to access the sarif output path
        id: run-analysis
        with:
          cmakeBuildDirectory: ${{ env.build }}
          # Ruleset file that will determine what checks will be run
          ruleset: NativeRecommendedRules.ruleset

      # Upload SARIF file to GitHub Code Scanning Alerts
      - name: Upload SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.run-analysis.outputs.sarif }}

      # Upload SARIF file as an Artifact to download and view
      # - name: Upload SARIF as an Artifact
      #   uses: actions/upload-artifact@v3
      #   with:
      #     name: sarif-file
      #     path: ${{ steps.run-analysis.outputs.sarif }}

The problem happens at the Upload.

@aeisenberg (Contributor) commented

Thank you for raising this issue. The upload is failing because the file includes too many SARIF runs. Looking at how the microsoft/msvc-code-analysis-action is implemented, each compile target is converted into a single run.

I can think of two workarounds:

  1. Slice your analysis into multiple runs, each with a smaller number of targets. In this case you need to specify a different category for each slice.
  2. Post process the SARIF file and combine multiple runs into a single run.
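The first workaround above, slicing the analysis and giving each slice its own upload category, written out as an added workflow example that is not part of this thread and not code from microsoft/msvc-code-analysis-action. Because the action exposes no target-selection input on this page, the slicing here is done on the CMake side: it assumes the project can be configured as independent CMake trees under src/core and src/ui (assumed paths), each small enough to stay under the per-upload run limit. The `category` input of github/codeql-action/upload-sarif is what keeps the two uploads from overwriting each other.

```yaml
# Added example, not the issue author's workflow. Assumed: src/core and src/ui are
# separately configurable CMake source trees; adjust the matrix to the real project.
name: Microsoft C++ Code Analysis (sliced)

on:
  push:
    branches: [ main ]

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze ${{ matrix.slice }}
    runs-on: windows-latest
    permissions:
      contents: read          # for actions/checkout to fetch code
      security-events: write  # for upload-sarif to write Code Scanning alerts
    strategy:
      fail-fast: false
      matrix:
        slice: [ core, ui ]   # assumed sub-trees; one SARIF upload per slice

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Configure CMake for this slice
        run: cmake -S src/${{ matrix.slice }} -B ${{ github.workspace }}/build-${{ matrix.slice }}

      - name: Run MSVC Code Analysis
        id: run-analysis
        uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
        with:
          cmakeBuildDirectory: ${{ github.workspace }}/build-${{ matrix.slice }}
          ruleset: NativeRecommendedRules.ruleset

      # A distinct category per slice; uploads with the same category replace each other
      - name: Upload SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.run-analysis.outputs.sarif }}
          category: msvc-${{ matrix.slice }}
```

Each matrix job uploads independently, so a slice that still produces too many runs fails on its own without blocking the others, and the Security tab shows one alert set per category.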


Itsukan0 commented May 5, 2022

Forgive my ignorance, I just started using yml CIs, but how do I slice the analysis? I do not see any args in the msvc-code-analysis repo to do so.

Do I just need to concatenate the data in the SARIF file and upload it then?

@aeisenberg (Contributor) commented

Honestly, I'm not 100% sure either. But it would be something like this. Since this is cmake, instead of calling the root target, call each of its child targets separately and upload separately. However, I don't know for certain if this would work since I'm not sure how your make file is split up.

And now that I'm thinking about it, merging SARIF runs won't be straight forward either. Let me chat with the code scanning team to see if there are any suggestions they have.

I see that your repo just had a successful upload. Did something change there? And is it working now?


Itsukan0 commented May 5, 2022

Sadly no:

The workflow always runs and completes, it's the upload that's unsuccessful. The errors are mostly me messing around trying to get the upload to work, and show up.

As previously stated, the analysis completes and I can get the file via artifact, just not to display :'(

[screenshot of the Code Scanning alerts page]
Only the Ubuntu run is displayed, even with the successful run.

If you dig around in my repo's CI runs, the workflow name is Microsoft C++ Code Analysis

aeisenberg added the "question: Further information is requested" label and removed the "bug: Something isn't working" label on May 7, 2022

@aeisenberg (Contributor) commented

I've asked the code scanning team for some help with this.

@aeisenberg (Contributor) commented

There is no easy way around the limitation of 15 runs per upload. After some discussion, the best we can suggest is that you work with the maintainers of microsoft/msvc-code-analysis-action and create fewer runs. Since all of these runs were created through a single invocation of the tool, conceptually, they should be all combined into a single run. However, I do not know enough about the tool to suggest how to do this.


Itsukan0 commented May 9, 2022

Thanks, I will write an issue tomorrow on their repo


jsoref commented Oct 9, 2022

Did you file an issue?

Fwiw, you can probably just hack through things like this using jq. It isn't terribly painful to have it merge objects together.
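A concrete version of the second workaround aeisenberg describes (collapse every run into a single run) and of the object merging jsoref suggests doing with jq, written here in Python as an added example that is not part of this thread and not code from microsoft/msvc-code-analysis-action or github/codeql-action. It assumes all runs in the file come from the same tool (as with one MSVC invocation) and that rules are identified by their `id`; SAMPLE_LOG is constructed for illustration, and MAX_RUNS_PER_UPLOAD is the 15-run limit stated above. Rule and artifact indices are remapped into the merged tables, and results that become identical after remapping (the same header analysed under several targets) are dropped rather than reported twice.

```python
"""Merge all runs of a SARIF 2.1.0 log into one run so it fits the upload limit.

Added example; not from the thread or from the MSVC/CodeQL actions. Assumes every
run comes from the same tool driver and that rules are keyed by their "id".
"""
import json
import sys
from copy import deepcopy

MAX_RUNS_PER_UPLOAD = 15  # limit quoted by aeisenberg in the thread above


def needs_merge(sarif: dict) -> bool:
    """True when the log has more runs than a single upload accepts."""
    return len(sarif.get("runs", [])) > MAX_RUNS_PER_UPLOAD


def merge_runs(sarif: dict) -> dict:
    """Return a copy of `sarif` whose runs are collapsed into one run.

    Rules are deduplicated by id, artifacts by uri, and every result's
    ruleIndex / artifactLocation.index is rewritten to the merged tables.
    Results that are byte-identical after remapping are emitted once.
    """
    runs = sarif.get("runs", [])
    if not runs:
        return deepcopy(sarif)

    driver = deepcopy(runs[0]["tool"]["driver"])  # assumption: same driver in every run
    merged_rules, rule_pos = [], {}          # rule id -> merged index
    merged_artifacts, artifact_pos = [], {}  # artifact key -> merged index
    merged_results, seen = [], set()

    for run in runs:
        # Per-run maps from the run-local index to the merged index.
        idx_map = {}
        for old_idx, rule in enumerate(run.get("tool", {}).get("driver", {}).get("rules", [])):
            rid = rule["id"]
            if rid not in rule_pos:
                rule_pos[rid] = len(merged_rules)
                merged_rules.append(deepcopy(rule))
            idx_map[old_idx] = rule_pos[rid]

        art_map = {}
        for old_idx, art in enumerate(run.get("artifacts", [])):
            uri = art.get("location", {}).get("uri")
            key = uri if uri is not None else json.dumps(art, sort_keys=True)
            if key not in artifact_pos:
                artifact_pos[key] = len(merged_artifacts)
                merged_artifacts.append(deepcopy(art))
            art_map[old_idx] = artifact_pos[key]

        for result in run.get("results", []):
            r = deepcopy(result)
            if "ruleIndex" in r:
                r["ruleIndex"] = idx_map[r["ruleIndex"]]  # KeyError on a malformed log
            elif r.get("ruleId") in rule_pos:
                r["ruleIndex"] = rule_pos[r["ruleId"]]
            for loc in r.get("locations", []):
                al = loc.get("physicalLocation", {}).get("artifactLocation", {})
                if "index" in al:
                    al["index"] = art_map[al["index"]]
            fingerprint = json.dumps(r, sort_keys=True)
            if fingerprint in seen:
                continue  # same finding reached through another compile target
            seen.add(fingerprint)
            merged_results.append(r)

    driver["rules"] = merged_rules
    merged_run = {"tool": {"driver": driver}, "results": merged_results}
    if merged_artifacts:
        merged_run["artifacts"] = merged_artifacts
    out = {k: v for k, v in sarif.items() if k != "runs"}
    out["runs"] = [merged_run]
    return out


# Constructed sample, not real MSVC output: two targets that both compile src/common.h.
SAMPLE_LOG = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [
        {"tool": {"driver": {"name": "PREfast", "rules": [
            {"id": "C6001", "shortDescription": {"text": "Using uninitialized memory."}}]}},
         "artifacts": [{"location": {"uri": "src/common.h"}}],
         "results": [{"ruleId": "C6001", "ruleIndex": 0,
                      "message": {"text": "Using uninitialized memory 'x'."},
                      "locations": [{"physicalLocation": {
                          "artifactLocation": {"uri": "src/common.h", "index": 0},
                          "region": {"startLine": 12}}}]}]},
        {"tool": {"driver": {"name": "PREfast", "rules": [
            {"id": "C6386", "shortDescription": {"text": "Buffer overrun."}},
            {"id": "C6001", "shortDescription": {"text": "Using uninitialized memory."}}]}},
         "artifacts": [{"location": {"uri": "src/b.cpp"}}, {"location": {"uri": "src/common.h"}}],
         "results": [
             {"ruleId": "C6386", "ruleIndex": 0, "message": {"text": "Buffer overrun writing to 'buf'."},
              "locations": [{"physicalLocation": {
                  "artifactLocation": {"uri": "src/b.cpp", "index": 0},
                  "region": {"startLine": 40}}}]},
             {"ruleId": "C6001", "ruleIndex": 1, "message": {"text": "Using uninitialized memory 'x'."},
              "locations": [{"physicalLocation": {
                  "artifactLocation": {"uri": "src/common.h", "index": 1},
                  "region": {"startLine": 12}}}]}]},
    ],
}

if __name__ == "__main__":
    # Usage: python merge_sarif.py in.sarif out.sarif   (no args: run on the sample)
    log = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOG
    merged = merge_runs(log)
    dest = open(sys.argv[2], "w") if len(sys.argv) > 2 else sys.stdout
    json.dump(merged, dest, indent=2)
```

Run it between the analysis step and the upload step, and point `sarif_file` at the merged output; the merged file carries one run regardless of how many compile targets MSVC produced, so it passes the upload check that the original failed.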


Itsukan0 commented Oct 9, 2022

Hello,

I did not file an issue as I fell ill while working on this and forgot. I don't think I plan on continuing this project, but for curiosity's sake, what is that jq that you mention?


jsoref commented Oct 11, 2022

No worries. I hope you're recovering/recovered.

https://stedolan.github.io/jq/

snnn commented Apr 30, 2023

sarif-multitool can be used for doing that. It has an undocumented "--merge-runs" argument.
