-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CodeQL adds redundant slash to upload sarif file endpoint #15020
Comments
Hi @filipss379, Which version of CodeQL are you using? |
2.15.3 |
It is true that a redundant |
Thank you for you reply. I checked all that parameters and it is correct - there is corresponding branch and commit in the repository. I did one additional test - I tried call the endpoint |
I think that's true, but I think the URL is getting cleaned up in between the URL object used to print the 404 error and being used to make the request -- my basis for this is having made a successful upload using codeql 2.15.3 using the same options as you, and then getting a 404 if I alter any of the ref, commit or repository parameters. Can you confirm the commandline you're using with all the variables substituted, editing minimally to remove anything confidential but keeping as much of the syntax as possible? |
Could you also paste the exact error you get please, again redacting as minimally as possible? |
So here is command that I use |
One reason for getting a 404 could be that token not having the needed rights to use that API endpoint. Is that an automatic token (https://docs.github.com/en/actions/security-guides/automatic-token-authentication), and if so do you know whether it has the needed rights? Could you try uploading sarif using a personal access token that has the |
The token I use is fine-grained token and it has write and read access for code scanning alerts. |
I note the API docs at https://docs.github.com/en/rest/code-scanning/code-scanning?apiVersion=2022-11-28#upload-an-analysis-as-sarif-data say |
I generated classic token with |
For reproduction purposes, could you paste the exact command that got you a 202? |
FYI current status here: it appears the leading |
Great to here you found the issue. For now to make upload working I'm adding token to environment variables like this |
Could you test whether CodeQL nightly https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20231211/codeql-bundle.tar.gz fixes your problem? |
I have similar symptoms, but not sure if it's the same problem. How did you confirm the URL that the CodeQL CLI was using? In my environment I have tested the above nightly build but that didn't resolve the issue. |
@AdamSmith-BT can you share the log of the failure you're seeing? |
I use Azure DevOps pipeline to perform CodeQL code scanning. It goes well until I try to upload sarif file to github. I use this command to do upload:
echo $(Github.TOKEN) | $(codeql) github upload-results --repository=$(Owner)/$(Repo) --ref=$(Build.SourceBranch) --commit=$(Build.SourceVersion) --sarif=$(sarifOutput) --github-auth-stdin --github-url=https://github.com
. In result CodeQL tries to upload sarif file using endpointhttps://api.github.com//repos/owner_name/repo_name/code-scanning/sarifs
. There is redundant slash in the url so I get 404 response. Do you have idea what is wrong and how to fix?The text was updated successfully, but these errors were encountered: