Fix SARIF formatter silently dropping findings from build dependencies#393
Open
mbarbero wants to merge 1 commit intoboostsecurityio:mainfrom
Conversation
The sarif formatter was only checking PackageDependencies when collecting findings for a package, missing findings where the purl matched a BuildDependency. Rules like 'github_action_from_unverified_creator_used' assign findings a purl corresponding to a GitHub Actions build dependency, which caused those findings to appear in 'pretty' output but not in 'sarif' output. Also add deduplication via a seenPurls map to avoid adding the same findings twice if a purl appears in both lists. Adds TestSarifFormatBuildDependencyFindings to cover this case.

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Signed-off-by: Mikaël Barbero <mikael.barbero@eclipse-foundation.org>
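The collection logic the description refers to, as an added example that is not code from this PR or from poutine itself: the "before" walk over PackageDependencies only, beside the fixed walk over both lists with a seenPurls map. The Finding and Package types, the byPurl lookup map and the sample purls are assumptions made for the example.

```go
package main

import "fmt"

// Hypothetical simplified shapes assumed for this example; not poutine's own types.
type Finding struct{ RuleID, Purl string }
type Package struct{ PackageDependencies, BuildDependencies []string }
// collectFindingsOld mirrors the bug the PR describes: only PackageDependencies are
// consulted, so a finding attached to a BuildDependency purl never reaches SARIF.
func collectFindingsOld(pkg Package, byPurl map[string][]Finding) []Finding {
	var out []Finding
	for _, purl := range pkg.PackageDependencies {
		out = append(out, byPurl[purl]...)
	}
	return out
}

// collectFindingsFixed walks both lists and records each purl in seenPurls so a
// purl present in both lists contributes its findings only once.
func collectFindingsFixed(pkg Package, byPurl map[string][]Finding) []Finding {
	seenPurls := make(map[string]bool)
	var out []Finding
	for _, list := range [][]string{pkg.PackageDependencies, pkg.BuildDependencies} {
		for _, purl := range list {
			if seenPurls[purl] {
				continue
			}
			seenPurls[purl] = true
			out = append(out, byPurl[purl]...)
		}
	}
	return out
}

// sample returns constructed data: one finding on a build-only dependency and one
// purl listed in both dependency lists, exercising both the drop and the dedup.
func sample() (Package, map[string][]Finding) {
	lib, shared, action := "pkg:npm/example-lib@1.0.0", "pkg:github/example/shared@1", "pkg:github/unverified/action@v1"
	pkg := Package{PackageDependencies: []string{lib, shared}, BuildDependencies: []string{shared, action}}
	byPurl := map[string][]Finding{
		lib:    {{RuleID: "injection", Purl: lib}},
		shared: {{RuleID: "some_rule", Purl: shared}},
		action: {{RuleID: "github_action_from_unverified_creator_used", Purl: action}},
	}
	return pkg, byPurl
}
func main() {
	pkg, byPurl := sample()
	fmt.Println("old:", len(collectFindingsOld(pkg, byPurl)), "fixed:", len(collectFindingsFixed(pkg, byPurl)))
}
```

With the sample data the old walk returns two findings and drops the unverified-action finding; the fixed walk returns three, with the shared purl counted once.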
fproulx-boostsecurity
requested changes
Mar 3, 2026
Contributor
Thanks again for the contribution @mbarbero
If I look at the SARIF output for the other findings, they all have locations, but those don't have any at the moment... We need to see how to make that minimally useful.
{
  "properties": {
    "boost/confidence": "low"
  },
  "ruleId": "github_action_from_unverified_creator_used",
  "ruleIndex": 4,
  "level": "note",
  "message": {
    "text": "Usage of the following GitHub Actions repositories was detected in workflows\nor composite actions, but their owner is not a verified creator."
  },
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": ""
        },
        "region": {
          "startLine": 1,
          "endLine": 1
        }
      }
    }
  ],
  "partialFingerprints": {
    "primaryLocationLineHash": "4a4dd91e418258786df104ae4c98b9c2dc7c6da4fb9f69c157b903beecd331b8"
  }
},
vs
{
  "properties": {
    "boost/confidence": "medium"
  },
  "ruleId": "injection",
  "ruleIndex": 3,
  "level": "warning",
  "message": {
    "text": "The pipeline contains an injection into bash or JavaScript with an expression\nthat can contain user input. Prefer placing the expression in an environment variable\ninstead of interpolating it directly into a script."
  },
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": ".github/workflows/level1.yml"
        },
        "region": {
          "startLine": 31,
          "endLine": 31
        }
      }
    }
  ],
  "partialFingerprints": {
    "primaryLocationLineHash": "f0d341a136d8750346e05abb89ccbceb257c5cc99d9cefb86917081ecb699977"
  }
},
The sarif formatter was only checking PackageDependencies when collecting findings for a package, missing findings where the purl matched a BuildDependency. Rules like github_action_from_unverified_creator_used assign findings a purl corresponding to a GitHub Actions build dependency, which caused those findings to appear in 'pretty' output but not in 'sarif' output. Also add deduplication via a seenPurls map to avoid adding the same findings twice if a purl appears in both lists. Adds TestSarifFormatBuildDependencyFindings to cover this case.

Fixes #390