• Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: analysis-model
    • Environment: Jenkins 2.332.1
      Warnings Next Generation Plugin Version 9.11.1
      Analysis Model API Plugin Version 10.9.3

      I'm using a couple different static analysis tools, both of which produce valid SARIF files according to https://sarifweb.azurewebsites.net/Validation

      The SARIF files contain issues with their level set to "note", "warning", and "error", but the output from Warnings NG after running recordIssues against the SARIF file only shows Low severity items.

      I've attached a sanitized SARIF file with my file paths removed, but it's still valid per the validator above.

      This is running in a pipeline, using the following recordIssues command:

      recordIssues(aggregatingResults: true, skipPublishingChecks: true, blameDisabled: true, filters: [excludeFile('.*\\/test\\/.*')], tool: sarif(id: 'Security_Code_Scan', name: 'Security Code Scan', pattern: '*.sarif'))
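A quick way to check what levels a report actually carries before suspecting the parser, as an added example that is not from this issue, Warnings NG or violations-lib: it tabulates the effective SARIF 2.1.0 `level` of every result, applying the spec's fallbacks to the rule's `defaultConfiguration.level` and then to "warning", and compares that against an assumed (illustrative, not the plugin's own) mapping to Warnings NG severity names. The sample report is constructed.

```python
"""Tabulate the effective SARIF result levels of a report (added example)."""
import json
from collections import Counter

# Assumed mapping of SARIF levels to Warnings NG severities; illustrative only.
LEVEL_TO_SEVERITY = {
    "error": "ERROR",
    "warning": "WARNING_NORMAL",
    "note": "WARNING_LOW",
    "none": "WARNING_LOW",
}

def effective_level(result, rules_by_id):
    """SARIF 2.1.0: an explicit result.level wins, then the rule's
    defaultConfiguration.level, and finally the spec default "warning"."""
    if result.get("level"):
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level") or "warning"

def count_levels(sarif_text):
    """Return {level: count} over all results in all runs of the document."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results", []):
            counts[effective_level(result, rules_by_id)] += 1
    return dict(counts)

def expected_severities(sarif_text):
    """Return {severity: count} that a level-aware mapping should produce."""
    counts = Counter()
    for level, n in count_levels(sarif_text).items():
        counts[LEVEL_TO_SEVERITY.get(level, "WARNING_LOW")] += n
    return dict(counts)

# Constructed sample report: one explicit "note", one result inheriting the
# rule's "error" default, one explicit "warning", one falling back to "warning".
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleScanner", "rules": [
            {"id": "R1", "defaultConfiguration": {"level": "error"}}]}},
        "results": [
            {"ruleId": "R1", "level": "note", "message": {"text": "a"}},
            {"ruleId": "R1", "message": {"text": "b"}},
            {"ruleId": "R2", "level": "warning", "message": {"text": "c"}},
            {"ruleId": "R2", "message": {"text": "d"}},
        ]}]})
```

Run `count_levels` on the real report attached to the issue: if it returns a mix of levels while the Warnings NG result shows only Low, the loss happens in the level-to-severity conversion rather than in the input.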
      

          [JENKINS-68079] SARIF Issue Severity Always Low

          Josh Stutts created issue -
          Ulli Hafner made changes -
          Component/s New: analysis-model [ 23523 ]
          Component/s Original: warnings-ng-plugin [ 24526 ]

          Ulli Hafner added a comment -

          I'm not sure if I am missing something but your report seems to have only issues of severity:

                    "level": "warning",
          


          Josh Stutts added a comment - - edited

          I have multiple reports, but this one only has "warning" in it, I can provide another if you need, or these can easily be changed to "note" or "error" to test.  I've tried SARIF files with a mix of "note", "warning", and "error", all "warning", or all "error" and the report that comes out of recordIssues still only shows "Low" severity.


          Also, wouldn't "warning" translate to something other than "Low"?


          Ulli Hafner added a comment - - edited

Ok, it would actually be helpful to have another actual example with other severities that I can use in a test case out of the box.

          I am using https://github.com/tomasbjerre/violations-lib to parse the SARIF file and convert it to my model in https://github.com/jenkinsci/analysis-model/blob/master/src/main/java/edu/hm/hafner/analysis/parser/violations/AbstractViolationAdapter.java#L177

          Maybe the default mapping should be changed. I'm not sure if the parser correctly reads the severity from the SARIF file though.

          Interested in adding a test and changing the behavior?

          Josh Stutts made changes -
          Attachment Original: security-scan.sarif [ 57496 ]
          Josh Stutts made changes -
          Attachment New: security-scan.sarif [ 57497 ]

          Josh Stutts added a comment -

          I've attached an updated SARIF file that contains "note", "warning", and "error" values for "level".  I had looked through the violations-lib SarifTransformer code before opening this ticket trying to figure out what was going wrong, but I'm not familiar enough with how that library operates to determine how it is parsing "level" and resulting in everything showing up as Low.  I haven't done Java development in over 15 years, sorry.

          Josh Stutts made changes -
          Attachment New: Screen Shot 2022-03-18 at 4.35.24 PM.png [ 57498 ]

          Josh Stutts added a comment - - edited

          Digging into this further, this is indeed a problem with how violations-lib parses SARIF files.  I installed https://github.com/tomasbjerre/violations-command-line and ran it against the attached SARIF file and all issues are reported with a severity of "INFO" by violations-lib.  See the screenshot I just attached.  I guess this should be re-opened as an issue against the violations-lib project instead.


            drulli Ulli Hafner
            jstutts Josh Stutts