New section of files for troubleshooting SARIF upload warnings and errors (#38554)
Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Co-authored-by: Kitty Chiu <42864823+KittyChiu@users.noreply.github.com>
@@ -117,4 +117,4 @@ For integrated tools such as {% data variables.product.prodname_codeql %}, you c
{% endnote %}
For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)."
For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning){% ifversion code-scanning-tool-status-page %}" and "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif){% endif %}."
@@ -21,5 +21,6 @@ children:
- /integrating-with-code-scanning
- /using-codeql-code-scanning-with-your-existing-ci-system
- /troubleshooting-code-scanning
- /troubleshooting-sarif
---
@@ -33,14 +33,6 @@ To upload a SARIF file from a third-party static code analysis engine, you'll ne
If you're using {% data variables.product.prodname_actions %} with the {% data variables.code-scanning.codeql_workflow %} or using the {% data variables.product.prodname_codeql_cli %}, then the {% data variables.product.prodname_code_scanning %} results will automatically use the supported subset of SARIF 2.1.0. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)" or "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system)."
You can upload multiple SARIF files for the same commit, and display the data from each file as {% data variables.product.prodname_code_scanning %} results. When you upload multiple SARIF files for a commit, you must indicate a "category" for each analysis. The way to specify a category varies according to the analysis method:
- Using the {% data variables.product.prodname_codeql_cli %} directly, pass the `--sarif-category` argument to the `codeql database analyze` command when you generate SARIF files. For more information, see "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#about-generating-code-scanning-results-with-codeql-cli)."
- Using {% data variables.product.prodname_actions %} with `codeql-action/analyze`, the category is set automatically from the workflow name and any matrix variables (typically, `language`). You can override this by specifying a `category` input for the action, which is useful when you analyze different sections of a mono-repository in a single workflow.
- Using {% data variables.product.prodname_actions %} to upload results from other static analysis tools, then you must specify a `category` input if you upload more than one file of results for the same tool in one workflow. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions)."
- If you are not using either of these approaches, you must specify a unique `runAutomationDetails.id` in each SARIF file to upload. For more information about this property, see [`runAutomationDetails` object](#runautomationdetails-object) below.
If you upload a second SARIF file for a commit with the same category and from the same tool, the earlier results are overwritten. However, if you try to upload multiple SARIF files for the same tool and category in a single {% data variables.product.prodname_actions %} workflow run, the misconfiguration is detected and the run will fail.
{% data variables.product.prodname_dotcom %} uses properties in the SARIF file to display alerts. For example, the `shortDescription` and `fullDescription` appear at the top of a {% data variables.product.prodname_code_scanning %} alert. The `location` allows {% data variables.product.prodname_dotcom %} to show annotations in your code file. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)."
If you're new to SARIF and want to learn more, see Microsoft's [`SARIF tutorials`](https://github.com/microsoft/sarif-tutorials) repository.
@@ -100,57 +92,23 @@ The file is successfully uploaded as both absolute URIs use the same URI scheme
You can check a SARIF file is compatible with {% data variables.product.prodname_code_scanning %} by testing it against the {% data variables.product.prodname_dotcom %} ingestion rules. For more information, visit the [Microsoft SARIF validator](https://sarifweb.azurewebsites.net/).
For each `gzip`-compressed SARIF file, SARIF upload supports a maximum size of 10 MB. Any uploads over this limit will be rejected. If your SARIF file is too large because it contains too many results, you should update the configuration to focus on results for the most important rules or queries.
For each gzip-compressed SARIF file, SARIF upload supports a maximum size of 10 MB. Any uploads over this limit will be rejected. If your SARIF file is too large because it contains too many results, you should update the configuration to focus on results for the most important rules or queries.{% ifversion code-scanning-tool-status-page %} For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif/file-too-large)."{% endif %}
{% data variables.product.prodname_code_scanning_caps %} supports uploading a maximum number of entries for the data objects in the following table. If any of these objects exceeds its maximum value the SARIF file is rejected. For some objects, there is an additional limit on the number of values that will be displayed. Whenever possible the most important values are shown. To get the most out of your analysis when it includes data above the supported limits, try to optimize the analysis configuration (for example, for the CodeQL tool, identify and disable the most noisy queries).
{% data variables.product.prodname_code_scanning_caps %} supports uploading a maximum number of entries for the data objects in the following table. If any of these objects exceeds its maximum value the SARIF file is rejected. For some objects, there is also a additional limit on the number of values that will be displayed. Whenever possible the most important values are shown. To get the most out of your analysis when it includes data above the supported limits, try to optimize the analysis configuration (for example, for the {% data variables.product.prodname_codeql %} tool, identify and disable the most noisy queries).{% ifversion code-scanning-tool-status-page %} For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif/results-exceed-limit)."{% endif %}
{% ifversion fpt or ghec or ghes > 3.8 %}
{% data reusables.code-scanning.sarif-limits %}
{% rowheaders %}
{% ifversion code-scanning-tool-status-page %}For information about other errors, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif)"{% endif %}
| **SARIF data** | **Maximum values** | **Additional limits** |
|----------------|:------------------:|-----------------------|
| Runs per file | 20 | None |
| Results per run | 25,000 | Only the top 5,000 results will be included, prioritized by severity. |
| Rules per run | 25,000 | None |
| Tool extensions per run | 100 | None |
| Thread Flow Locations per result | 10,000 | Only the top 1,000 Thread Flow Locations will be included, using prioritization. |
| Location per result | 1,000 | Only 100 locations will be included. |
| Tags per rule | 20 | Only 10 tags will be included. |
## Uploading more than one SARIF file for a commit
{% endrowheaders %}
You can upload multiple SARIF files for the same commit, and display the data from each file as {% data variables.product.prodname_code_scanning %} results. When you upload multiple SARIF files for a commit, you must indicate a "category" for each analysis. The way to specify a category varies according to the analysis method:
- Using the {% data variables.product.prodname_codeql_cli %} directly, pass the `--sarif-category` argument to the `codeql database analyze` command when you generate SARIF files. For more information, see "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#about-generating-code-scanning-results-with-codeql-cli)."
- Using {% data variables.product.prodname_actions %} with `codeql-action/analyze`, the category is set automatically from the workflow name and any matrix variables (typically, `language`). You can override this by specifying a `category` input for the action, which is useful when you analyze different sections of a monorepo in a single workflow.
- Using {% data variables.product.prodname_actions %} to upload results from other static analysis tools, then you must specify a `category` input if you upload more than one file of results for the same tool in one workflow. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions)."
- If you are not using either of these approaches, you must specify a unique `runAutomationDetails.id` in each SARIF file to upload. For more information about this property, see "[`runAutomationDetails` object](#runautomationdetails-object)."
{% elsif ghes < 3.9 %}
{% rowheaders %}
| **SARIF data** | **Maximum values** | **Additional limits** |
|----------------|:------------------:|-----------------------|
| Runs per file | 15 | None |
| Results per run | 25,000 | Only the top 5,000 results will be included, prioritized by severity. |
| Rules per run | 25,000 | None |
| Tool extensions per run | 100 | None |
| Thread Flow Locations per result | 10,000 | Only the top 1,000 Thread Flow Locations will be included, using prioritization. |
| Location per result | 1,000 | Only 100 locations will be included. |
| Tags per rule | 20 | Only 10 tags will be included. |
{% endrowheaders %}
{% else %}
{% rowheaders %}
| **SARIF data** | **Maximum values** | **Additional limits** |
|----------------|:------------------:|-----------------------|
| Runs per file | 15 | None |
| Results per run | 25,000 | Only the top 5,000 results will be included, prioritized by severity. |
| Rules per run | 25,000 | None |
| Thread Flow Locations per result | 10,000 | Only the top 1,000 Thread Flow Locations will be included, using prioritization. |
| Location per result | 1,000 | Only 100 locations will be included. | None |
{% endrowheaders %}
{% endif %}
If you upload a second SARIF file for a commit with the same category and from the same tool, the earlier results are overwritten. However, if you try to upload multiple SARIF files for the same tool and category in a single {% data variables.product.prodname_actions %} workflow run, the misconfiguration is detected and the run will fail.
## Supported SARIF output file properties
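Review bot: the rewritten limits paragraph (`{% data variables.product.prodname_code_scanning_caps %} supports uploading a maximum number of entries...`) introduces a typo the previous wording did not have: "there is also a additional limit" should read "there is an additional limit" (the "also" is redundant once "additional" is there). Two smaller points in the same region: the new line `{% ifversion code-scanning-tool-status-page %}For information about other errors, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif)"{% endif %}` has no terminating period, unlike every other cross-reference in this file; and the three version-specific limit tables (20 runs per file on fpt/ghec/ghes > 3.8, 15 on older GHES, and a third table without the "Tool extensions per run" row) are collapsed into `{% data reusables.code-scanning.sarif-limits %}`, whose contents are not part of this diff, so please confirm the reusable still carries those per-version differences rather than a single table.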
@@ -155,6 +155,7 @@ jobs:
## Further reading
{% ifversion code-scanning-tool-status-page %}- "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif)"{% endif %}
- "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)"
- "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history)"
- "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system)"
@@ -4,9 +4,54 @@ shortTitle: 'Advanced Security must be enabled'
intro: 'If you see this error, make sure that {% data variables.product.prodname_GH_advanced_security %} is enabled.'
allowTitleToDifferFromFilename: true
product: '{% data reusables.gated-features.code-scanning %}'
type: reference
topics:
- Code scanning
- Errors
- Troubleshooting
versions:
fpt: '*'
ghec: '*'
feature: code-scanning-tool-status-page
---
For private and internal repositories, {% data variables.product.prodname_code_scanning %} is available when {% data variables.product.prodname_GH_advanced_security %} features are enabled for the repository. If you see the error `Error: "Advanced Security must be enabled for this repository to use code scanning"`, check that {% data variables.product.prodname_GH_advanced_security %} is enabled. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)."
## About this error
```text
Advanced Security must be enabled for this repository to use code scanning
403: GitHub Advanced Security is not enabled
```
This error is reported if you try to run {% data variables.product.prodname_code_scanning %} in a repository where {% data variables.product.prodname_GH_advanced_security %} is not enabled or where use of this feature is blocked by a policy.
{% ifversion fpt or ghec %}You will only see this error for repositories with private or internal visibility. {% data variables.product.prodname_GH_advanced_security %} is enabled by default for all public repositories.{% endif %}
## Confirming the cause of the error
{% ifversion fpt %}
If you are on a free, pro, or team plan, you can only use {% data variables.product.prodname_code_scanning %} on repositories that are publically available. To enable {% data variables.product.prodname_code_scanning %} for private or internal repositories, you must upgrade to GitHub Enterprise with {% data variables.product.prodname_GH_advanced_security %} and enable {% data variables.product.prodname_GH_advanced_security %} for the repository. For more information, see "[AUTOTITLE](/get-started/learning-about-github/githubs-products#github-enterprise)" and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)."
{% else %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.user-settings.security-analysis %}
1. Scroll down to "{% data variables.product.prodname_GH_advanced_security %}."
1. If there is an associated and active **Enable** button, {% data variables.product.prodname_GH_advanced_security %} is available for this repository but not yet enabled.
1. If use of {% data variables.product.prodname_GH_advanced_security %} is blocked by a policy, the **Enable** button is inactive and the owner of the policy is listed.

## Fixing the problem
If {% data variables.product.prodname_GH_advanced_security %} is available to your repository, you can enable it on the settings page. If {% data variables.product.prodname_GH_advanced_security %} is blocked by a policy, you first need to request access.
### Requesting access to {% data variables.product.prodname_GH_advanced_security %}
1. In the "{% data variables.product.prodname_GH_advanced_security %}" settings, click the enterprise name to display a list of users with access to edit the policy that controls access to {% data variables.product.prodname_GH_advanced_security %}. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-for-the-use-of-github-advanced-security-in-your-enterprises-organizations)."
1. Follow your company's policy for requesting access to additional features.
### Enabling {% data variables.product.prodname_GH_advanced_security %}
1. In the "{% data variables.product.prodname_GH_advanced_security %}" settings, click **Enable**.
1. Rerun {% data variables.product.prodname_code_scanning %}.
{% endif %}
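Review bot: "publically" in the `{% ifversion fpt %}` paragraph should be "publicly"; the same paragraph writes "free, pro, or team plan" and a literal "GitHub Enterprise" where the rest of the page uses product variables, so the plan names and GitHub Enterprise should use their `{% data variables.product.* %}` forms for consistency. Structurally, the `{% ifversion fpt %}` block that opens under "Confirming the cause of the error" does not close until after the whole "Fixing the problem" section, so Free/Pro/Team readers get no "Fixing the problem" heading at all; if that is intended (the upgrade sentence is the fix), consider closing the fpt branch before that heading so the page outline matches across versions. Finally, `versions` in this hunk shows `fpt: '*'`, `ghec: '*'` and `feature: code-scanning-tool-status-page` together, while the other new pages in this commit use `feature:` alone; check which form is intended here.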
@@ -0,0 +1,47 @@
---
title: 'Upload was rejected because CodeQL default setup is enabled for {% data variables.product.prodname_code_scanning %}'
shortTitle: Default setup is enabled
allowTitleToDifferFromFilename: true
intro: 'You cannot upload SARIF results generated by the {% data variables.product.prodname_codeql %} action or {% data variables.product.prodname_codeql %} CLI when default setup for {% data variables.product.prodname_code_scanning %} is enabled. Check your configuration and decide whether to keep default setup or unblock SARIF upload.'
product: '{% data reusables.gated-features.code-scanning %}'
type: reference
topics:
- Code scanning
- Errors
- SARIF
- Troubleshooting
versions:
feature: code-scanning-tool-status-page
---
## About this error
```text
Upload with CodeQL results rejected due to "default setup"
```
This error is reported if a process attempts to upload a SARIF file containing results of {% data variables.product.prodname_codeql %} analysis to a repository where {% data variables.product.prodname_codeql %} default setup is enabled. This includes uploads using the REST API and the {% data variables.product.prodname_codeql_cli %}. SARIF uploads are blocked when {% data variables.product.prodname_codeql %} default setup is enabled to reduce the potential for users to be confused by seeing similar {% data variables.product.prodname_code_scanning %} alerts generated by different systems.
You will only see this error for SARIF files that contain results created using {% data variables.product.prodname_codeql %}.
## Confirming the cause of the error
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.user-settings.security-analysis %}
1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the page, next to "{% data variables.product.prodname_codeql %} analysis," click {% octicon "kebab-horizontal" aria-label="Menu" %}.
1. If there is a {% octicon "workflow" aria-hidden="true" %} **Switch to advanced** option, default setup is enabled for the respository.
## Fixing the problem
Before you can fix the problem, you need to decide whether {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis in this repository should be generated using default setup or uploaded from SARIF files.
### Continuing to generate alerts using default setup
1. Leave the repository settings as they are, with default setup enabled.
1. Disable the process or processes that tried to upload SARIF files to the repository.
### Disabling default setup to unblock SARIF upload
1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the page, next to "{% data variables.product.prodname_codeql %} analysis," from the {% octicon "kebab-horizontal" aria-label="Menu" %} menu select {% octicon "stop" aria-hidden="true" %} **Disable {% data variables.product.prodname_codeql %}**.
{% data reusables.code-scanning.sarif-upload-retry %}
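Review bot: "respository" in the step `1. If there is a {% octicon "workflow" aria-hidden="true" %} **Switch to advanced** option, default setup is enabled for the respository.` should be "repository". The `title` uses the `{% data variables.product.prodname_code_scanning %}` variable but a literal "CodeQL", while `intro` and the body use `{% data variables.product.prodname_codeql %}`; make the title consistent. Under "Disabling default setup to unblock SARIF upload", the menu item selected is **Disable {% data variables.product.prodname_codeql %}**, which reads as turning off CodeQL analysis in the repository rather than only default setup; a sentence confirming that this is the intended effect (alerts will then come only from the uploaded SARIF files) would help readers choose between the two branches.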
@@ -0,0 +1,105 @@
---
title: 'SARIF results file is too large'
shortTitle: Results file too large
allowTitleToDifferFromFilename: true
intro: 'You cannot upload a SARIF results file larger than 10 MB to {% data variables.product.prodname_code_scanning %}. Explore ways to generate a smaller file containing the highest impact results.'
product: '{% data reusables.gated-features.code-scanning %}'
type: reference
topics:
- Code scanning
- Errors
- SARIF
- Troubleshooting
versions:
feature: code-scanning-tool-status-page
---
## About this error
```text
SARIF file is too large
SARIF results file is too large
SARIF upload is rejected (bigger than allowed size for zip archive)
SARIF ZIP upload is too large
A fatal error occurred: SARIF file is too large
413: Payload Too Large
```
One of these errors is reported if a process attempts to upload a SARIF file that is larger than the maximum size of 10 MB. {% data variables.product.prodname_code_scanning_caps %} does not accept files above this size. There are several different ways to reduce the number of results generated for upload to {% data variables.product.prodname_code_scanning %}.
You could see this error for SARIF files generated by {% data variables.product.prodname_codeql %} or by third-party analysis tools. For information about the limits on uploads, see {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#validating-your-sarif-file)."
## Confirming the cause of the error
There are many potential causes of very large SARIF results files.
### SARIF file compression
Take a look at the results file that was rejected by {% data variables.product.prodname_code_scanning %} to see if:
- the SARIF file was compressed using gzip
- the compressed file is smaller than 10 MB
If the file wasn't compressed using gzip, try compressing the file before rerunning the upload process. If the compressed file is still too large, you need to configure the analysis to generate a smaller set of results.
### Amount of code analyzed
If you have too many results, you should configure analysis to analyze only the most important code.
- For interpreted languages, check if the repository contains many tests, demos, or vendored dependencies where fixing alerts is a lower priority. Try excluding this code from analysis. For more information, see "[Excluding code from analysis for interpreted languages](#excluding-code-from-analysis-for-interpreted-languages)."
- For compiled languages, check if the build process generates more than one variant of the code (for example, targets for multiple operating environments or architectures). Try analyzing just one variant of the code initially. For more information, see "[Optimizing the build command](#optimizing-the-build-command)."
### Number of queries run
If you still have too many results, check how many queries you are using to analyze the code. Try running fewer queries. You can reintroduce additional queries when the initial alerts are fixed. For example, for {% data variables.product.prodname_codeql %} analysis you could run just the default suite of queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-queries-in-ql-packs)."
### Number of results found by queries
Sometimes a single query reports many results because the codebase has a specific coding style, or because the analysis does not understand a particular library. You can review the results file in a SARIF viewer to see the distribution of results. For example, https://microsoft.github.io/sarif-web-component/.
- Check if the results are dominated by alerts identfied by a single query. Try excluding that query from analysis. You can reintroduce it when other alerts are fixed. For more information about {% data variables.product.prodname_codeql %} query configuration, see "[Excluding a query from analysis](#excluding-a-query-from-analysis)."
- Check if there are dataflow queries with many deep paths. Try omitting dataflow paths from the output. For more information about {% data variables.product.prodname_codeql %} analysis configuration, see "[Omitting dataflow paths from the output](#omitting-dataflow-paths-from-the-output)."
## Fixing the problem
The following options are listed in order of complexity. You need to revise the configuration to reduce the number of results to a manageable size. Once you have fixed all of those alerts, you can update the configuration to expand the analysis to cover more code or run more queries.
### Excluding code from analysis for interpreted languages
Excluding non-production code from analysis is a simple way to reduce the size of the results file.
- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use `paths` and `paths-ignore` in the workflow file to specify what code to analyze. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#specifying-directories-to-scan)."
- {% data variables.product.prodname_codeql_cli %} `database create`: create a YAML configuration file for code scanning using the same syntax to define which code to analyze. Update the `database create` command to call this configuration file using the `--codescanning-config` option. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#specifying-directories-to-scan)."
### Optimizing the build command
Using a build command that compiles only one variant is a simple way to reduce the size of the results file.
- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: update the workflow file to specify your chosen build command. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
- {% data variables.product.prodname_codeql_cli %} `database create`: specify your chosen build command either by calling the `database create` command with the `--command` option, or by defining the build command in a YAML configuration file for code scanning and calling the file using the `--codescanning-config` option. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)."
### Defining the query suite to run
You may already be running only the default security queries, but it is worth checking.
- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: check the workflow file for the `queries` keyword. If it is not present, then only the default query suite is run. If it is present, it defines which queries to run. Try commenting out this line of the workflow file. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-queries-in-ql-packs)."
- {% data variables.product.prodname_codeql_cli %} `database analyze`: check the database analysis command for any paths that specify queries, query suites, or query packs. If none are present, then only the default query suite is run. If any are present, they define which queries to run, you can try removing them from the call. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-codeql-query-pack)."
### Excluding a query from analysis
If the results are dominated by the results for a single rule, excluding the rule from the analysis may be the best solution.
- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use the `query-filters` keyword to exclude one or more queries from analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#excluding-specific-queries-from-analysis)."
- {% data variables.product.prodname_codeql_cli %} `database analyze`: update the database analysis command to exclude one or more queries from analysis. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-subset-of-queries-in-a-codeql-pack)."
Alternatively, you can use a tool like the [filter-sarif](https://github.com/advanced-security/filter-sarif) action to rewrite the SARIF file to exclude specific detections via an exclusion pattern.
### Omitting dataflow paths from the output
If there are many deep code paths highlighted in the SARIF results, you can reduce the number of paths reported for each alert.
{% data reusables.code-scanning.max-paths-setting %}
## Further reading
- "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)"
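Review bot: the sentence `For information about the limits on uploads, see {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](...sarif-support-for-code-scanning#validating-your-sarif-file)."` is garbled by a duplicated "see"; it should read "For information about the limits on uploads to {% data variables.product.prodname_code_scanning %}, see ...". Other fixes in this file: "identfied" should be "identified" in the "Number of results found by queries" bullets; the bare URL `https://microsoft.github.io/sarif-web-component/` should be a markdown link with link text, as the validator link in sarif-support-for-code-scanning.md is; and "If any are present, they define which queries to run, you can try removing them from the call." is a comma splice that should be split into two sentences.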
@@ -0,0 +1,29 @@
---
title: 'Upload fails because GitHub Advanced Security is disabled'
shortTitle: GitHub Advanced Security disabled
allowTitleToDifferFromFilename: true
intro: 'You can only upload SARIF results to {% ifversion fpt or ghec %}private or internal {% endif %}repositories where {% data variables.product.prodname_GH_advanced_security %} is enabled.'
product: '{% data reusables.gated-features.code-scanning %}'
type: reference
topics:
- Code scanning
- Errors
- SARIF
- Troubleshooting
versions:
feature: code-scanning-tool-status-page
---
## About this error
```text
GitHub Advanced Security not enabled
GitHub Advanced Security blocked by a policy
403: GitHub Advanced Security is not enabled
```
This error is reported if a process attempts to upload a SARIF file to a repository where {% data variables.product.prodname_GH_advanced_security %} is not enabled or where use of this feature is blocked by a policy.
You will only see this error for SARIF files that contain results created using {% data variables.product.prodname_codeql %}{% ifversion fpt or ghec %} and for uploads to repositories with private or internal visibility. {% data variables.product.prodname_GH_advanced_security %} is enabled by default for all public repositories{% endif %}.
For information on how to confirm this error and fix the problem, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled)."
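Review bot: the sentence `You will only see this error for SARIF files that contain results created using {% data variables.product.prodname_codeql %}...` contradicts this page's own `intro` and "About this error" text, which say any SARIF upload to a repository without {% data variables.product.prodname_GH_advanced_security %} is rejected; the CodeQL-only qualifier looks copied from default-setup-enabled.md and should be dropped here, keeping only the versioned clause about private and internal repositories. Minor: the `title` uses a literal "GitHub Advanced Security" while the body uses `{% data variables.product.prodname_GH_advanced_security %}`.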
@@ -0,0 +1,19 @@
---
title: Troubleshooting SARIF uploads
intro: 'Learn how to resolve problems uploading SARIF files of {% data variables.product.prodname_code_scanning %} results to {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
feature: code-scanning-tool-status-page
topics:
- Advanced Security
- Code scanning
- Integration
children:
- /ghas-required
- /default-setup-enabled
- /missing-token
- /sarif-invalid
- /file-too-large
- /results-exceed-limit
---
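Review bot: the `topics` list on this landing page (Advanced Security, Code scanning, Integration) does not match the topics used on the child pages added in this change (Code scanning, Errors, SARIF, Troubleshooting), so the landing page will not be grouped with its own children under the Troubleshooting or SARIF topics; align the two lists, at minimum adding `SARIF` and `Troubleshooting` here. Also confirm that every entry in `children` (`/default-setup-enabled` and `/file-too-large` are not in the hunks shown here) is present in this pull request so the landing page does not link to missing children.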
@@ -0,0 +1,33 @@
---
title: 'GitHub token is required to upload SARIF results'
shortTitle: GitHub token missing
allowTitleToDifferFromFilename: true
intro: 'You need to provide an authentication method for the upload process to use to access the repository.'
product: '{% data reusables.gated-features.code-scanning %}'
type: reference
topics:
- Code scanning
- Errors
- SARIF
- Troubleshooting
versions:
feature: code-scanning-tool-status-page
---
## About this error
```text
A GitHub token is required to upload SARIF results but none was specified
```
This error is reported if the upload process does not reference an authentication method, or if that method has the wrong permission. The permissions required to upload SARIF file to a repository are the same no matter what process you use to upload the data.
- Fine-grained {% data variables.product.pat_generic_plural %} require `write` scope for the repository.
- Classic {% data variables.product.pat_generic_plural %} require `security_events` scope for the repository{% ifversion fpt or ghec %} for private or internal repositories. You can use tokens with the `public_repo` scope for public repositories.{% endif %}
- {% data variables.product.prodname_github_apps %} require `security_events` scope for the repository.
You could see this error for SARIF files created using any tool and uploaded using any method.
## Fixing the problem
Create a new {% data variables.product.pat_generic %} or {% data variables.product.prodname_github_app %} with the correct permission. For more information see, "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)", or "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app)" and "[AUTOTITLE](/apps/creating-github-apps/about-creating-github-apps/deciding-when-to-build-a-github-app)."
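Review bot: the fine-grained token bullet says the token "require[s] `write` scope for the repository" without naming which repository permission needs write access; fine-grained tokens are granted per permission rather than by scope, so name the specific permission the upload needs, as the classic-token and GitHub App bullets do with `security_events`. Wording in the same hunk: "The permissions required to upload SARIF file to a repository" should read "to upload a SARIF file to a repository"; the classic-token bullet's "scope for the repository{% ifversion fpt or ghec %} for private or internal repositories" repeats "repository" and should be tightened to "scope for private or internal repositories"; and "For more information see," should be "For more information, see".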
@@ -0,0 +1,84 @@
---
title: 'SARIF results exceed one or more limits'
shortTitle: Results exceed limits
allowTitleToDifferFromFilename: true
intro: 'Learn how to resolve problems when a SARIF file is rejected by {% data variables.product.prodname_code_scanning %} because one or more limits is exceeded.'
product: '{% data reusables.gated-features.code-scanning %}'
type: reference
topics:
- Code scanning
- Errors
- SARIF
- Troubleshooting
versions:
feature: code-scanning-tool-status-page
---
## About {% data variables.product.prodname_code_scanning %} limits on SARIF results
```text
# SARIF results exceed soft limits
Locations for an alert exceeded limits
Analysis SARIF file exceeded alert limits
Rule tags in SARIF file exceed limits
Alert in SARIF upload exceeded thread flow location limits
# SARIF results exceed hard limit
Alert(s) in SARIF file exceeded thread flow location limits
Analysis SARIF file rejected due to extension limits
Analysis SARIF file rejected due to location limit
Analysis SARIF file rejected due to rule tag limits
Analysis SARIF file rejected due to result limits
Analysis SARIF file rejected due to rule limits
Analysis SARIF file rejected due to run limits
```
{% data variables.product.prodname_code_scanning_caps %} sets two types of limits on fields in SARIF results files.
- Soft limits which determine how much data is stored and displayed to users.
- Hard limits which determine the maximum amount of data accepted for processing.
You could see these errors for SARIF files generated by {% data variables.product.prodname_codeql %} or by third-party analysis tools.
{% data reusables.code-scanning.sarif-limits %}
For information about validating your SARIF file, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#validating-your-sarif-file)."
## Fixing soft limit errors
When soft limits are exceeded, {% data variables.product.prodname_code_scanning %} shows the highest priority information. Often you do not need to make any changes to your {% data variables.product.prodname_code_scanning %} configuration. As your team fixes alerts, the number of results reported in each run will reduce until they are within the soft limits and all results are displayed. Alternatively, you can use the approaches described for hard limit errors.
## Fixing "Analysis SARIF file rejected due to results limits"
There are many considerations and potential solutions for reducing the number of results included in a SARIF results file. For guidance, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif/file-too-large)."
## Fixing "Alert(s) in SARIF file exceeded thread flow location limits"
You can configure the analysis to limit the number of dataflow paths included in the results. By default, 4 dataflow paths are included for each result.
{% data reusables.code-scanning.max-paths-setting %}
## Fixing "Analysis SARIF file rejected due to run limits"
The simplest approach is generate a new SARIF file for each run and upload each file separately. You add a "category" to each results and this enables {% data variables.product.prodname_code_scanning %} to store and display the results appropriately. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit)."
## Fixing "Analysis SARIF file rejected due to rule limits"
There are two possible approaches here.
1. Reduce the number of rules you use to analyze the code. For more information, see "[Defining the query suite to run](/code-security/code-scanning/troubleshooting-sarif/file-too-large#defining-the-query-suite-to-run)" and "[Excluding a query from analysis](/code-security/code-scanning/troubleshooting-sarif/file-too-large#excluding-a-query-from-analysis)" in "SARIF results file too large."
2. Run the analysis twice, each time with a different set of rules, and upload both results files to {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit)."
## Fixing "Analysis SARIF file rejected due to extension limits"
The simplest approach is to create a separate SARIF file each time you run the tool and upload each file separately. You may also need to contact the maintainer of the tool. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit)."
{% data variables.product.prodname_codeql %} analysis should not generate this error. If you see this error while using the {% data variables.product.prodname_codeql %} action or {% data variables.product.prodname_codeql_cli %}, you should contact {% data variables.contact.github_support %} to let us know. For more information, see "[AUTOTITLE](/support/contacting-github-support)."
## Fixing "Analysis SARIF file rejected due to location limit"
The best way to resolve this problem is usually to identify the query that reports too many locations and exclude it from analysis. For information on how to do this, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-sarif/file-too-large#excluding-a-query-from-analysis)."
## Fixing "Analysis SARIF file rejected due to rule tag limits"
You need to update the SARIF file or the generator so that the array of tags reported for each `reportingDescriptor` object is fewer than 10. For more information, see `properties.tags[]` in "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object)."
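Review bot: the heading `## Fixing "Analysis SARIF file rejected due to results limits"` does not match the error string listed in the code block at the top of the page, which is "Analysis SARIF file rejected due to result limits" (singular); make the heading match the message exactly so readers searching for the error text find the section. Wording in the run-limits section: "The simplest approach is generate a new SARIF file" is missing "to", and "You add a "category" to each results" should read "to each results file". In the limit definitions, "Soft limits which determine" and "Hard limits which determine" read better with a comma after "limits".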
@@ -0,0 +1,36 @@
---
title: 'SARIF file is invalid'
shortTitle: SARIF file invalid
allowTitleToDifferFromFilename: true
intro: '{% data variables.product.prodname_code_scanning_caps %} can only process syntactically invalid SARIF files. Invalid files are rejected.'
product: '{% data reusables.gated-features.code-scanning %}'
type: reference
topics:
- Code scanning
- Errors
- SARIF
- Troubleshooting
versions:
feature: code-scanning-tool-status-page
---
## About this error
```text
Invalid SARIF
SARIF file invalid
SARIF ZIP upload is invalid
400: Bad Request if the sarif field is invalid
```
One of these errors is reported if {% data variables.product.prodname_code_scanning %} cannot parse the SARIF file.
You are unlikely to see this error when using {% data variables.product.prodname_codeql %} analysis.
## Confirming the cause of the error
You can investigate the underlying cause of the error by looking at the log for the workflow run that uploaded the analysis and by checking the SARIF file in a validator. For more information, see "[AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs)" and visit the [Microsoft SARIF validator](https://sarifweb.azurewebsites.net/).
## Fixing the problem
After you identify the invalid parts of the SARIF file, you may be able to resolve smaller issues manually, but you may need to talk to the maintainers of the tool. For information about validation and the format supported by {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)."
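Review bot: the `intro` states that code scanning "can only process syntactically invalid SARIF files", which inverts the intended meaning; it should read "syntactically valid SARIF files". Also, the last entry in the error block, "400: Bad Request if the sarif field is invalid", reads like an API reference description rather than text a user would see in a log; either quote the exact response message or move the explanation into the prose under "About this error".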