
Fix SARIF formatter silently dropping findings from build dependencies#393

Open
mbarbero wants to merge 1 commit into boostsecurityio:main from mbarbero:fix-sarif

Conversation


@mbarbero mbarbero commented Mar 3, 2026

The sarif formatter was only checking PackageDependencies when collecting findings for a package, missing findings where the purl matched a BuildDependency. Rules like github_action_from_unverified_creator_used assign findings a purl corresponding to a GitHub Actions build dependency, which caused those findings to appear in 'pretty' output but not in 'sarif' output.

Also add deduplication via a seenPurls map to avoid adding the same findings twice if a purl appears in both lists.

Adds TestSarifFormatBuildDependencyFindings to cover this case.

Fixes #390

@mbarbero mbarbero requested a review from a team as a code owner March 3, 2026 20:34
Contributor

@fproulx-boostsecurity fproulx-boostsecurity left a comment


Thanks again for the contribution @mbarbero

If I look at the SARIF output for the other findings, they all have locations, but those don't have any at the moment... We need to see how to make that minimally useful.

        {
          "properties": {
            "boost/confidence": "low"
          },
          "ruleId": "github_action_from_unverified_creator_used",
          "ruleIndex": 4,
          "level": "note",
          "message": {
            "text": "Usage of the following GitHub Actions repositories was detected in workflows\nor composite actions, but their owner is not a verified creator."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": ""
                },
                "region": {
                  "startLine": 1,
                  "endLine": 1
                }
              }
            }
          ],
          "partialFingerprints": {
            "primaryLocationLineHash": "4a4dd91e418258786df104ae4c98b9c2dc7c6da4fb9f69c157b903beecd331b8"
          }
        },

vs

        {
          "properties": {
            "boost/confidence": "medium"
          },
          "ruleId": "injection",
          "ruleIndex": 3,
          "level": "warning",
          "message": {
            "text": "The pipeline contains an injection into bash or JavaScript with an expression\nthat can contain user input. Prefer placing the expression in an environment variable\ninstead of interpolating it directly into a script."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": ".github/workflows/level1.yml"
                },
                "region": {
                  "startLine": 31,
                  "endLine": 31
                }
              }
            }
          ],
          "partialFingerprints": {
            "primaryLocationLineHash": "f0d341a136d8750346e05abb89ccbceb257c5cc99d9cefb86917081ecb699977"
          }
        },

The SARIF formatter only iterated PackageDependencies when collecting
findings, causing all findings from BuildDependencies to be silently
omitted. Additionally, two rego rules produced findings with purls that
could never match a package in the formatter's purl-based lookup:

- github_action_from_unverified_creator_used used the action purl as the
  finding identifier and emitted coarse "Used in N repo(s)" aggregates
  with no file path or line number, resulting in empty SARIF locations.
  Rewritten to emit per-step findings with path, line, job, step, and
  event triggers, keyed by pkg.purl.

- known_vulnerability_in_build_platform used input.provider (e.g.
  "gitlab") as the finding purl. Changed to use pkg.purl so findings
  are discoverable by the formatter.

The formatter now iterates both PackageDependencies and
BuildDependencies for purl lookup, with deduplication via a seen set,
and avoids append into a foreign slice's backing array.

Fixes boostsecurityio#390

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Signed-off-by: Mikaël Barbero <mikael.barbero@eclipse-foundation.org>
Author

mbarbero commented Mar 5, 2026

Indeed 🤦. The patch has been revamped, and all SARIF output for those findings now has locations.

Also fixed known_vulnerability_in_build_platform (that used input.provider as the finding URL) to use pkg.purl so findings are discoverable by the formatter.
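The lookup described in the PR description and the commit message above, as an added Go sketch that is not the project's code: both dependency lists are walked, a seen set deduplicates purls, matches are copied into a fresh slice rather than appended onto a map value's slice, and a helper flags findings that would render with an empty SARIF location (the reviewer's point). The type shapes are assumptions.

```go
package main

// Hypothetical minimal shapes; the project's real types differ.
type Package struct{ Purl string }

type Finding struct {
	RuleId, Purl, Path string // Path is empty when the rule gave no location
	Line               int
}

type Report struct {
	PackageDependencies, BuildDependencies []Package
	Findings                               []Finding
}

// collectFindings walks both dependency lists, skips purls already seen,
// and copies matches into a fresh slice: appending onto a slice taken from
// byPurl would reuse that map value's backing array and could clobber it.
func collectFindings(r Report) []Finding {
	byPurl := make(map[string][]Finding)
	for _, f := range r.Findings {
		byPurl[f.Purl] = append(byPurl[f.Purl], f)
	}
	seen := make(map[string]bool)
	out := []Finding{}
	for _, list := range [][]Package{r.PackageDependencies, r.BuildDependencies} {
		for _, pkg := range list {
			if seen[pkg.Purl] {
				continue
			}
			seen[pkg.Purl] = true
			out = append(out, byPurl[pkg.Purl]...)
		}
	}
	return out
}

// withoutLocation returns rule ids of findings that would render as an
// empty SARIF physicalLocation, the gap raised in review.
func withoutLocation(fs []Finding) []string {
	var ids []string
	for _, f := range fs {
		if f.Path == "" {
			ids = append(ids, f.RuleId)
		}
	}
	return ids
}
```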
