• Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: analysis-model
    • None
    • Environment: Jenkins 2.332.1
      Warnings Next Generation Plugin Version 9.11.1
      Analysis Model API Plugin Version 10.9.3

      I'm using a couple different static analysis tools, both of which produce valid SARIF files according to https://sarifweb.azurewebsites.net/Validation

      The SARIF files contain issues with their level set to "note", "warning", and "error", but the output from Warnings NG after running recordIssues against the SARIF file only shows Low severity items.

      I've attached a sanitized SARIF file with my file paths removed, but it's still valid per the validator above.

      This is running in a pipeline, using the following recordIssues command:

      recordIssues(aggregatingResults: true, skipPublishingChecks: true, blameDisabled: true, filters: [excludeFile('.*\\/test\\/.*')], tool: sarif(id: 'Security_Code_Scan', name: 'Security Code Scan', pattern: '*.sarif'))
      

          [JENKINS-68079] SARIF Issue Severity Always Low

          Ulli Hafner added a comment -

          I'm not sure if I am missing something but your report seems to have only issues of severity:

                    "level": "warning",
          


          Josh Stutts added a comment - edited

          I have multiple reports, but this one only has "warning" in it, I can provide another if you need, or these can easily be changed to "note" or "error" to test.  I've tried SARIF files with a mix of "note", "warning", and "error", all "warning", or all "error" and the report that comes out of recordIssues still only shows "Low" severity.


          Also, wouldn't "warning" translate to something other than "Low"?


          Ulli Hafner added a comment - edited

          Ok, it would actually be helpful to have another real example with other severities that I can use in a test case out of the box.

          I am using https://github.com/tomasbjerre/violations-lib to parse the SARIF file and convert it to my model in https://github.com/jenkinsci/analysis-model/blob/master/src/main/java/edu/hm/hafner/analysis/parser/violations/AbstractViolationAdapter.java#L177

          Maybe the default mapping should be changed. I'm not sure if the parser correctly reads the severity from the SARIF file though.

          Interested in adding a test and changing the behavior?
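Before changing a mapping it helps to know what the input actually says. The script below is an added example, not code from analysis-model, Warnings NG or violations-lib: it reads a SARIF 2.1.0 file, resolves the effective level of every result the way the SARIF specification does (result.level, else the rule's defaultConfiguration.level, else "warning"), counts the levels per file, and shows what each would become under an assumed note/warning/error to LOW/NORMAL/HIGH mapping. The mapping table, the function names and the embedded sample report (including its rule id "EX001") are assumptions constructed for the example; comparing this summary with the Warnings NG report makes it clear whether the parser or the mapping is dropping the severity.

```python
"""Summarize SARIF result levels and the severity each would map to.

Added example for checking a SARIF report before blaming a consumer;
not part of analysis-model, Warnings NG or violations-lib.
"""
import json
import sys
from collections import Counter

# SARIF 2.1.0 result levels. A result without "level" inherits the rule's
# defaultConfiguration.level, and falls back to "warning" if that is absent.
VALID_LEVELS = {"none", "note", "warning", "error"}
DEFAULT_LEVEL = "warning"

# Assumed mapping from SARIF level to a Warnings NG style severity name.
# This is the mapping one would expect, not the one the plugin ships.
LEVEL_TO_SEVERITY = {
    "none": "LOW",
    "note": "LOW",
    "warning": "NORMAL",
    "error": "HIGH",
}


def _rule_lookup(run):
    """Map ruleId -> rule object from tool.driver.rules and tool.extensions."""
    tool = run.get("tool", {})
    components = [tool.get("driver", {})] + tool.get("extensions", [])
    rules = {}
    for component in components:
        for rule in component.get("rules", []):
            if "id" in rule:
                rules[rule["id"]] = rule
    return rules


def effective_level(result, rules):
    """Return the effective level of one result (SARIF 2.1.0, result.level)."""
    level = result.get("level")
    if level is None:
        rule = rules.get(result.get("ruleId"), {})
        level = rule.get("defaultConfiguration", {}).get("level", DEFAULT_LEVEL)
    if level not in VALID_LEVELS:
        raise ValueError(f"invalid SARIF level {level!r}")
    return level


def summarize_levels(sarif_text):
    """Count results per effective level across all runs of a SARIF document."""
    doc = json.loads(sarif_text)
    counts = Counter()
    for run in doc.get("runs", []):
        rules = _rule_lookup(run)
        for result in run.get("results", []):
            counts[effective_level(result, rules)] += 1
    return dict(counts)


def expected_severities(sarif_text):
    """Count what the results would become under the assumed mapping."""
    severities = Counter()
    for level, n in summarize_levels(sarif_text).items():
        severities[LEVEL_TO_SEVERITY[level]] += n
    return dict(severities)


# Constructed sample report: three explicit levels plus one result that
# inherits "error" from its rule's defaultConfiguration.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleScanner", "rules": [
            {"id": "EX001", "defaultConfiguration": {"level": "error"}},
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "note", "message": {"text": "a"}},
            {"ruleId": "EX001", "level": "warning", "message": {"text": "b"}},
            {"ruleId": "EX001", "level": "error", "message": {"text": "c"}},
            {"ruleId": "EX001", "message": {"text": "d"}},
        ],
    }],
})


if __name__ == "__main__":
    # Usage: python sarif_levels.py report.sarif  (no argument: built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    print("levels:    ", summarize_levels(text))
    print("severities:", expected_severities(text))
```

If the level counts here show a mix of "note", "warning" and "error" while the consumer reports everything as one severity, the loss happens in the parser or its mapping rather than in the report.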


          Josh Stutts added a comment -

          I've attached an updated SARIF file that contains "note", "warning", and "error" values for "level".  I had looked through the violations-lib SarifTransformer code before opening this ticket trying to figure out what was going wrong, but I'm not familiar enough with how that library operates to determine how it is parsing "level" and resulting in everything showing up as Low.  I haven't done Java development in over 15 years, sorry.


          Josh Stutts added a comment - edited

          Digging into this further, this is indeed a problem with how violations-lib parses SARIF files.  I installed https://github.com/tomasbjerre/violations-command-line and ran it against the attached SARIF file and all issues are reported with a severity of "INFO" by violations-lib.  See the screenshot I just attached.  I guess this should be re-opened as an issue against the violations-lib project instead.


          Josh Stutts added a comment -

          I've opened https://github.com/tomasbjerre/violations-lib/issues/144, not sure if you want to leave this open to track that issue and ensure it fixes the display of severity within Warnings NG.  Thanks for your quick responses today.


          Ulli Hafner added a comment -

          Yes, please leave this issue open so I can link it to my test case!


          Josh Stutts added a comment - edited

          FYI, it appears that release v10.9.4 of Analysis Model https://github.com/jenkinsci/analysis-model/releases/tag/v10.9.4 lists this ticket in its release notes as being resolved with the message "Bump violations-lib from 1.148.0 to 1.148.2", but the issue wasn't fixed in violations-lib 1.148.2, the bugfix was released in violations-lib 1.148.3: https://github.com/tomasbjerre/violations-lib/commits/master


          Also seen here in violations-lib referencing the issue I opened and tagged as 1.148.3: https://github.com/tomasbjerre/violations-lib/commit/bfafee1692869e5e42597b971507e4b2f9e2e879


          Ulli Hafner added a comment -

          I see. In this release two different PRs for the violations-lib have been merged, I simply picked the wrong one for the ChangeLog. In master the correct version is referenced.


            drulli Ulli Hafner
            jstutts Josh Stutts