Fix SARIF export for PHPStan alerts

Author: alcaeus

code-scanning-export/__tests__/sarif.test.ts

@@ -122,6 +122,53 @@ const openAlert: AlertType = {
   instances_url:
     'https://api.github.com/repos/mongodb/mongo-php-library/code-scanning/alerts/331/instances'
 }
+const phpstanAlert: AlertType = {
+  number: 3,
+  created_at: '2024-05-24T09:29:19Z',
+  updated_at: '2024-05-24T09:29:23Z',
+  url: 'https://api.github.com/repos/alcaeus/laravel-mongodb/code-scanning/alerts/3',
+  html_url:
+    'https://github.com/alcaeus/laravel-mongodb/security/code-scanning/3',
+  state: 'open',
+  fixed_at: null,
+  dismissed_by: null,
+  dismissed_at: null,
+  dismissed_reason: null,
+  dismissed_comment: null,
+  rule: {
+    id: 'new.static',
+    severity: 'error',
+    description: '',
+    name: '',
+    tags: []
+  },
+  tool: {
+    name: 'PHPStan',
+    guid: null,
+    version: '1.11.x-dev@0055aac'
+  },
+  most_recent_instance: {
+    ref: 'refs/heads/export-sarif-on-release',
+    analysis_key: '.github/workflows/coding-standards.yml:analysis',
+    environment: '{"php":"8.2"}',
+    category: '.github/workflows/coding-standards.yml:analysis/php:8.2',
+    state: 'open',
+    commit_sha: '05cd5c7d1f6a16840fdf98b59e95cdde3c26bd77',
+    message: {
+      text: 'Unsafe usage of new static().'
+    },
+    location: {
+      path: 'src/Query/Builder.php',
+      start_line: 954,
+      end_line: 954,
+      start_column: 1,
+      end_column: 0
+    },
+    classifications: []
+  },
+  instances_url:
+    'https://api.github.com/repos/alcaeus/laravel-mongodb/code-scanning/alerts/3/instances'
+}
 
 describe('createSarifReport', () => {
   it('generates a valid sarif report', () => {
@@ -194,4 +241,27 @@ describe('createSarifResult', () => {
       ]
     })
   })
+
+  it('generates correct sarif for a phpstan alert', () => {
+    expect(createSarifResult(phpstanAlert)).toEqual({
+      ruleId: 'new.static',
+      message: {
+        text: 'Unsafe usage of new static().'
+      },
+      level: 'error',
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: { uri: 'src/Query/Builder.php' },
+            region: {
+              startLine: 954,
+              endLine: 954,
+              startColumn: 1
+            }
+          }
+        }
+      ],
+      suppressions: []
+    })
+  })
 })

code-scanning-export/dist/index.js

@@ -29344,10 +29344,9 @@ function createSarifReport(alerts) {
             };
         }
         results[alert.tool.name].results.push(createSarifResult(alert));
-        if (alert.rule.name &&
-            !results[alert.tool.name].tool.driver.rules[alert.rule.name]) {
-            results[alert.tool.name].tool.driver.rules[alert.rule.name] =
-                createSarifRule(alert.rule);
+        const ruleName = getRuleIdentifier(alert);
+        if (ruleName && !results[alert.tool.name].tool.driver.rules[ruleName]) {
+            results[alert.tool.name].tool.driver.rules[ruleName] = createSarifRule(alert.rule);
         }
     }
     return {
@@ -29377,7 +29376,7 @@ function createSarifRule(rule) {
 }
 function createSarifResult(alert) {
     return {
-        ruleId: alert.rule.name,
+        ruleId: getRuleIdentifier(alert),
         message: alert.most_recent_instance.message,
         level: alert.rule.severity,
         locations: createResultLocation(alert),
@@ -29393,12 +29392,7 @@ function createResultLocation(alert) {
         {
             physicalLocation: {
                 artifactLocation: { uri: alert.most_recent_instance.location.path },
-                region: {
-                    startLine: alert.most_recent_instance.location.start_line,
-                    endLine: alert.most_recent_instance.location.end_line,
-                    startColumn: alert.most_recent_instance.location.start_column,
-                    endColumn: alert.most_recent_instance.location.end_column
-                }
+                region: createRegion(alert.most_recent_instance.location)
             }
         }
     ];
@@ -29419,6 +29413,25 @@ function createResultSuppressions(alert) {
         }
     ];
 }
+function createRegion(location) {
+    const region = {};
+    if (location.start_line) {
+        region.startLine = location.start_line;
+    }
+    if (location.end_line) {
+        region.endLine = location.end_line;
+    }
+    if (location.start_column) {
+        region.startColumn = location.start_column;
+    }
+    if (location.end_column) {
+        region.endColumn = location.end_column;
+    }
+    return region;
+}
+function getRuleIdentifier(alert) {
+    return alert.rule.name ? alert.rule.name : alert.rule.id ? alert.rule.id : '';
+}
 
 
 /***/ }),

code-scanning-export/src/main.ts

@@ -16,9 +16,11 @@ type RepositoryInfo = {
  */
 export async function run(): Promise<void> {
   const repositoryInfo = getRepositoryInfo()
-  const ref = core.getInput('ref');
+  const ref = core.getInput('ref')
 
-  core.debug(`Fetching open and dismissed alerts for repository ${repositoryInfo.owner}/${repositoryInfo.repo}#${ref}`)
+  core.debug(
+    `Fetching open and dismissed alerts for repository ${repositoryInfo.owner}/${repositoryInfo.repo}#${ref}`
+  )
 
   const alerts = await getAlerts(
     repositoryInfo.owner,

code-scanning-export/src/sarif.ts

@@ -2,6 +2,8 @@ import { components } from '@octokit/openapi-types'
 
 export type AlertType = components['schemas']['code-scanning-alert-items']
 export type RuleType = components['schemas']['code-scanning-alert-rule-summary']
+export type AlertLocationType =
+  components['schemas']['code-scanning-alert-location']
 
 type SarifReport = {
   version: string
@@ -18,6 +20,13 @@ type SarifReport = {
   }[]
 }
 
+type Region = {
+  startLine?: number
+  endLine?: number
+  startColumn?: number
+  endColumn?: number
+}
+
 export function createSarifReport(alerts: AlertType[]): SarifReport {
   const results: {
     [index: string]: {
@@ -52,12 +61,12 @@ export function createSarifReport(alerts: AlertType[]): SarifReport {
 
     results[alert.tool.name].results.push(createSarifResult(alert))
 
-    if (
-      alert.rule.name &&
-      !results[alert.tool.name].tool.driver.rules[alert.rule.name]
-    ) {
-      results[alert.tool.name].tool.driver.rules[alert.rule.name] =
-        createSarifRule(alert.rule)
+    const ruleName = getRuleIdentifier(alert)
+
+    if (ruleName && !results[alert.tool.name].tool.driver.rules[ruleName]) {
+      results[alert.tool.name].tool.driver.rules[ruleName] = createSarifRule(
+        alert.rule
+      )
     }
   }
 
@@ -92,7 +101,7 @@ function createSarifRule(rule: RuleType): object {
 
 export function createSarifResult(alert: AlertType): object {
   return {
-    ruleId: alert.rule.name,
+    ruleId: getRuleIdentifier(alert),
     message: alert.most_recent_instance.message,
     level: alert.rule.severity,
     locations: createResultLocation(alert),
@@ -109,12 +118,7 @@ function createResultLocation(alert: AlertType): object[] {
     {
       physicalLocation: {
         artifactLocation: { uri: alert.most_recent_instance.location.path },
-        region: {
-          startLine: alert.most_recent_instance.location.start_line,
-          endLine: alert.most_recent_instance.location.end_line,
-          startColumn: alert.most_recent_instance.location.start_column,
-          endColumn: alert.most_recent_instance.location.end_column
-        }
+        region: createRegion(alert.most_recent_instance.location)
       }
     }
   ]
@@ -138,3 +142,27 @@ function createResultSuppressions(alert: AlertType): object[] {
     }
   ]
 }
+
+function createRegion(location: AlertLocationType): Region {
+  const region: Region = {}
+
+  if (location.start_line) {
+    region.startLine = location.start_line
+  }
+  if (location.end_line) {
+    region.endLine = location.end_line
+  }
+
+  if (location.start_column) {
+    region.startColumn = location.start_column
+  }
+  if (location.end_column) {
+    region.endColumn = location.end_column
+  }
+
+  return region
+}
+
+function getRuleIdentifier(alert: AlertType): string {
+  return alert.rule.name ? alert.rule.name : alert.rule.id ? alert.rule.id : ''
+}