Scan Generated SARIF file invalid #2135

Closed
rseeton opened this issue Aug 15, 2023 · 7 comments
Labels
bug Something isn't working

Comments

@rseeton

rseeton commented Aug 15, 2023

Describe the bug

SARIF files generated from the jf scan command are not Valid SARIF files and are not interoperable with other tools (i.e. GitHub Advanced Security)

Current behavior

Generation of a SARIF file from our package completes successfully ( jf_scan_sarif.txt):

jf s ./tangerine-release*.tar.gz --format sarif

However, the resulting SARIF file (attached) fails the SARIF file validation and cannot be loaded to the target system (GHAS in our case).

We have analyzed the resulting file using these sites, which provide notes on the validation failures:

https://sarifweb.azurewebsites.net/Validation
https://www.jsonschemavalidator.net/

Reproduction steps

Scan package
Save SARIF format output
Analyze SARIF output

Expected behavior

SARIF file generated should meet the SARIF v2.1.0 specification to allow inter-operability.

JFrog CLI version

jf version 2.45.0

Operating system type and version

Ubuntu 20.0.4

JFrog Artifactory version

Enterprise Plus 7.55.10 rev 75510900

JFrog Xray version

xray_version:3.65.2 xray_revision:bca527a

@rseeton rseeton added the bug Something isn't working label Aug 15, 2023
@attiasas
Contributor

attiasas commented Sep 5, 2023

Hi @rseeton, thank you for reporting this issue!
We are currently working on fixing it so it will meet the SARIF v2.1.0 specification.
It will be available soon and we will update you as soon as possible.

@attiasas
Contributor

Hi @rseeton, v2.47.0 has been released and should fix the SARIF generation; it should be valid and contain much more information now. Let us know if there are any issues left.

@davidka91

Hi @attiasas,
I have upgraded JFrog CLI to version 2.48.0, and when the results from scanning a Docker image or an npm package are saved in SARIF format, the SARIF file is invalid according to SARIF version 2.1.0.

Steps to reproduce:

  1. Pull a docker image or download npm package known to contain vulnerabilities

  2. Scan the image or package and redirect the output to a file:
    jf docker scan --format sarif IMAGE_NAME > scan-results.sarif
    jf scan --format sarif PACKAGE_NAME > scan-results.sarif

  3. Verify the SARIF file. Upload scan-results.sarif to https://sarifweb.azurewebsites.net/Validation

  4. Select "GitHub ingestion rules" (select "Additional suggestions" to make the SARIF file even better)

Additionally, a typo is noticed in the tool name (missing 'n' in 'Sca'): "name": "JFrog Xray Sca",

@attiasas
Contributor

@davidka91, thank you for bringing this issue to my attention. I have identified some of the issues that cause your output to fail.
You can follow this PR for a fix:
jfrog/jfrog-cli-core#968

In addition, "Sca" = "software component analysis". We will consider renaming it to "SCA" or something more descriptive.

@rseeton
Author

rseeton commented Sep 26, 2023

@attiasas - Excellent, thanks for the updates.
The generated SARIF from JFrog CLI 2.48.0 is now loading cleanly to the GHAS system.

One outstanding issue:

Running the generated SARIF file through the JSON Validator ( https://www.jsonschemavalidator.net/ ), the system is failing on the following snippet:

     "locations": [
       {
         "physicalLocation": {
           "artifactLocation": {
             "uri": " Package Descriptor"
           }
         }
       }
     ]

Message:
String ' Package Descriptor' does not validate against format 'uri-reference'.
Schema path:
https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json#/definitions/artifactLocation/properties/uri/format

This is not a show-stopper (the SARIF file still loads), but it would be good to have this correctly populated.

Thanks.
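The validator failure quoted above is the JSON Schema 'uri-reference' format check rejecting a free-text value with a leading space. The following is an added example, not code from the issue or from JFrog CLI, that walks a SARIF document, flags every artifactLocation.uri that is not a syntactically valid URI reference, and shows a percent-encoded value that would pass; the SARIF fragment is constructed to mirror the reported snippet.

```python
import json
import re
from urllib.parse import quote

# Characters RFC 3986 allows in a URI reference: unreserved, reserved, and %XX escapes.
_URI_REF = re.compile(r"(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")


def is_uri_reference(value):
    """True when value would pass the JSON Schema 'uri-reference' format check."""
    return isinstance(value, str) and _URI_REF.fullmatch(value) is not None


def normalize_uri(value):
    """Turn a free-text location into a legal uri-reference by percent-encoding it."""
    return quote(value.strip(), safe="/.-_~")


def lint_artifact_uris(doc):
    """Report (json_path, bad_value, suggested_value) for each invalid artifactLocation.uri."""
    findings = []
    for r, run in enumerate(doc.get("runs", [])):
        for i, result in enumerate(run.get("results", [])):
            for j, loc in enumerate(result.get("locations", [])):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if uri is not None and not is_uri_reference(uri):
                    path = (f"runs[{r}].results[{i}].locations[{j}]"
                            ".physicalLocation.artifactLocation.uri")
                    findings.append((path, uri, normalize_uri(uri)))
    return findings


# Constructed SARIF fragment mirroring the snippet in the report (not real scan output).
SAMPLE = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "JFrog Xray Sca"}},
    "results": [
      {"ruleId": "EXAMPLE-1", "locations": [{"physicalLocation": {"artifactLocation": {"uri": " Package Descriptor"}}}]},
      {"ruleId": "EXAMPLE-2", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}}}]}
    ]
  }]
}
""")

if __name__ == "__main__":
    for path, bad, fixed in lint_artifact_uris(SAMPLE):
        print(f"{path}: {bad!r} is not a valid uri-reference; suggested {fixed!r}")
```

Run it against a real file with `json.load(open("scan-results.sarif"))` in place of SAMPLE; the regex only checks syntax, so a path that is legal but points nowhere still passes, as it does in the schema validator.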

@attiasas
Contributor

attiasas commented Oct 4, 2023

Hi @rseeton and @davidka91, CLI v2.49.0 has been released and should fix the issues raised here.
Let me know if it is fixed or if anything else is missing or failing.

@rseeton
Author

rseeton commented Jan 27, 2024

Resolved in 2.50.2

@rseeton rseeton closed this as completed Jan 27, 2024