validate sarif against schema before uploading

2020-05-15 17:22:59 +01:00 · 2020-05-15 17:22:59 +01:00 · ddee374101
commit ddee374101
parent ff40939f66
21 changed files with 5736 additions and 3 deletions
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@ -15,6 +15,7 @@ const http = __importStar(require("@actions/http-client"));
 const auth = __importStar(require("@actions/http-client/auth"));
 const file_url_1 = __importDefault(require("file-url"));
 const fs = __importStar(require("fs"));
+const jsonschema = __importStar(require("jsonschema"));
 const path = __importStar(require("path"));
 const zlib_1 = __importDefault(require("zlib"));
 const fingerprints = __importStar(require("./fingerprints"));
@ -121,25 +122,48 @@ function countResultsInSarif(sarif) {
    return numResults;
 }
 exports.countResultsInSarif = countResultsInSarif;
+// Validates that the given file path refers to a valid SARIF file.
+// Returns a non-empty list of error message if the file is invalid,
+// otherwise returns the empty list if the file is valid.
+function validateSarifFileSchema(sarifFilePath) {
+    const sarif = JSON.parse(fs.readFileSync(sarifFilePath, 'utf8'));
+    const schema = JSON.parse(fs.readFileSync(__dirname + '/../src/sarif_v2.1.0_schema.json', 'utf8'));
+    const result = new jsonschema.Validator().validate(sarif, schema);
+    if (result.valid) {
+        return [];
+    }
+    else {
+        return result.errors.map(e => e.message);
+    }
+}
+exports.validateSarifFileSchema = validateSarifFileSchema;
 // Uploads the given set of sarif files.
 // Returns true iff the upload occurred and succeeded
 async function uploadFiles(sarifFiles) {
    core.startGroup("Uploading results");
    let succeeded = false;
    try {
+        core.info("Uploading sarif files: " + JSON.stringify(sarifFiles));
        const sentinelEnvVar = "CODEQL_UPLOAD_SARIF";
        if (process.env[sentinelEnvVar]) {
            core.error("Aborting upload: only one run of the codeql/analyze or codeql/upload-sarif actions is allowed per job");
            return false;
        }
        core.exportVariable(sentinelEnvVar, sentinelEnvVar);
+        // Validate that the files we were asked to upload are all valid SARIF files
+        for (const file of sarifFiles) {
+            const errors = validateSarifFileSchema(file);
+            if (errors.length > 0) {
+                core.setFailed("Unable to upload \"" + file + "\" as it is not valid SARIF:\n" + errors.join("\n"));
+                return false;
+            }
+        }
        const commitOid = util.getRequiredEnvParam('GITHUB_SHA');
        const workflowRunIDStr = util.getRequiredEnvParam('GITHUB_RUN_ID');
        const ref = util.getRef();
        const analysisKey = await util.getAnalysisKey();
        const analysisName = util.getRequiredEnvParam('GITHUB_WORKFLOW');
        const startedAt = process.env[sharedEnv.CODEQL_ACTION_STARTED_AT];
-        core.info("Uploading sarif files: " + JSON.stringify(sarifFiles));
        let sarifPayload = combineSarifFiles(sarifFiles);
        sarifPayload = fingerprints.addFingerprints(sarifPayload);
        const zipped_sarif = zlib_1.default.gzipSync(sarifPayload).toString('base64');
--- a/lib/upload-lib.js.map
+++ b/lib/upload-lib.js.map
--- a/lib/upload-lib.test.js
+++ b/lib/upload-lib.test.js
@ -0,0 +1,25 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    result["default"] = mod;
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const ava_1 = __importDefault(require("ava"));
+const uploadLib = __importStar(require("./upload-lib"));
+ava_1.default('validateSarifFileSchema - valid', t => {
+    const inputFile = __dirname + '/../src/testdata/valid-sarif.sarif';
+    const errors = uploadLib.validateSarifFileSchema(inputFile);
+    t.deepEqual(errors, []);
+});
+ava_1.default('validateSarifFileSchema - invalid', t => {
+    const inputFile = __dirname + '/../src/testdata/invalid-sarif.sarif';
+    const errors = uploadLib.validateSarifFileSchema(inputFile);
+    t.notDeepEqual(errors, []);
+});
+//# sourceMappingURL=upload-lib.test.js.map
--- a/lib/upload-lib.test.js.map
+++ b/lib/upload-lib.test.js.map
@ -0,0 +1 @@
+{"version":3,"file":"upload-lib.test.js","sourceRoot":"","sources":["../src/upload-lib.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,8CAAuB;AAEvB,wDAA0C;AAE1C,aAAI,CAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE;IAC1C,MAAM,SAAS,GAAG,SAAS,GAAG,oCAAoC,CAAC;IACnE,MAAM,MAAM,GAAG,SAAS,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;IAC5D,CAAC,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC1B,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,mCAAmC,EAAE,CAAC,CAAC,EAAE;IAC5C,MAAM,SAAS,GAAG,SAAS,GAAG,sCAAsC,CAAC;IACrE,MAAM,MAAM,GAAG,SAAS,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;IAC5D,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC7B,CAAC,CAAC,CAAC"}
				`@ -0,0 +1 @@`
				{"version":3,"file":"upload-lib.test.js","sourceRoot":"","sources":["../src/upload-lib.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,8CAAuB;AAEvB,wDAA0C;AAE1C,aAAI,CAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE;IAC1C,MAAM,SAAS,GAAG,SAAS,GAAG,oCAAoC,CAAC;IACnE,MAAM,MAAM,GAAG,SAAS,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;IAC5D,CAAC,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC1B,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,mCAAmC,EAAE,CAAC,CAAC,EAAE;IAC5C,MAAM,SAAS,GAAG,SAAS,GAAG,sCAAsC,CAAC;IACrE,MAAM,MAAM,GAAG,SAAS,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;IAC5D,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC7B,CAAC,CAAC,CAAC"}