validate sarif against schema before uploading

2020-05-15 17:22:59 +01:00 · 2020-05-15 17:22:59 +01:00 · ddee374101
commit ddee374101
parent ff40939f66
21 changed files with 5736 additions and 3 deletions
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@ -15,6 +15,7 @@ const http = __importStar(require("@actions/http-client"));
 const auth = __importStar(require("@actions/http-client/auth"));
 const file_url_1 = __importDefault(require("file-url"));
 const fs = __importStar(require("fs"));
+const jsonschema = __importStar(require("jsonschema"));
 const path = __importStar(require("path"));
 const zlib_1 = __importDefault(require("zlib"));
 const fingerprints = __importStar(require("./fingerprints"));
@ -121,25 +122,48 @@ function countResultsInSarif(sarif) {
    return numResults;
 }
 exports.countResultsInSarif = countResultsInSarif;
+// Validates that the given file path refers to a valid SARIF file.
+// Returns a non-empty list of error message if the file is invalid,
+// otherwise returns the empty list if the file is valid.
+function validateSarifFileSchema(sarifFilePath) {
+    const sarif = JSON.parse(fs.readFileSync(sarifFilePath, 'utf8'));
+    const schema = JSON.parse(fs.readFileSync(__dirname + '/../src/sarif_v2.1.0_schema.json', 'utf8'));
+    const result = new jsonschema.Validator().validate(sarif, schema);
+    if (result.valid) {
+        return [];
+    }
+    else {
+        return result.errors.map(e => e.message);
+    }
+}
+exports.validateSarifFileSchema = validateSarifFileSchema;
 // Uploads the given set of sarif files.
 // Returns true iff the upload occurred and succeeded
 async function uploadFiles(sarifFiles) {
    core.startGroup("Uploading results");
    let succeeded = false;
    try {
+        core.info("Uploading sarif files: " + JSON.stringify(sarifFiles));
        const sentinelEnvVar = "CODEQL_UPLOAD_SARIF";
        if (process.env[sentinelEnvVar]) {
            core.error("Aborting upload: only one run of the codeql/analyze or codeql/upload-sarif actions is allowed per job");
            return false;
        }
        core.exportVariable(sentinelEnvVar, sentinelEnvVar);
+        // Validate that the files we were asked to upload are all valid SARIF files
+        for (const file of sarifFiles) {
+            const errors = validateSarifFileSchema(file);
+            if (errors.length > 0) {
+                core.setFailed("Unable to upload \"" + file + "\" as it is not valid SARIF:\n" + errors.join("\n"));
+                return false;
+            }
+        }
        const commitOid = util.getRequiredEnvParam('GITHUB_SHA');
        const workflowRunIDStr = util.getRequiredEnvParam('GITHUB_RUN_ID');
        const ref = util.getRef();
        const analysisKey = await util.getAnalysisKey();
        const analysisName = util.getRequiredEnvParam('GITHUB_WORKFLOW');
        const startedAt = process.env[sharedEnv.CODEQL_ACTION_STARTED_AT];
-        core.info("Uploading sarif files: " + JSON.stringify(sarifFiles));
        let sarifPayload = combineSarifFiles(sarifFiles);
        sarifPayload = fingerprints.addFingerprints(sarifPayload);
        const zipped_sarif = zlib_1.default.gzipSync(sarifPayload).toString('base64');