buildroot "scorecard" action is failing on not valid SARIF

[gaaclarke]

example: https://github.com/flutter/buildroot/actions/runs/5082436625

log

Uploading results
Error details: instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
Error details: instance.runs[2].results[0].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
Error details: instance.runs[2].results[1].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
Error details: instance.runs[2].results[2].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
Error details: instance.runs[2].results[3].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
Error: Unable to upload "results.sarif" as it is not valid SARIF:
- instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
- instance.runs[2].results[0].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
- instance.runs[2].results[1].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
- instance.runs[2].results[2].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
- instance.runs[2].results[3].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
Error: Unable to upload "results.sarif" as it is not valid SARIF:
- instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
- instance.runs[2].results[0].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
- instance.runs[2].results[1].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
- instance.runs[2].results[2].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format
- instance.runs[2].results[3].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format

cc @sealesj

[drewroengoogle]

It seems like flutter/buildroot@42583ce is the culprit here based on the commit message:

Updated the SARIF 2.1.0 JSON schema file to the latest from https://github.com/oasis-tcs/sarif-spec/blob/123e95847b13fbdd4cbe2120fa5e33355d4a042b/Schemata/sarif-schema-2.1.0.json

There is a bug filed with the scorecards team (ossf/scorecard#3063) which caused the filing of github/codeql-action#1703.

Short term, does it make sense to roll back to 2.3.3 and then have dependabot ignore 2.3.4?

[drewroengoogle]

I reverted the patch to codeql-action and blocked 2.3.4 from being automatically updated again by dependabot. Closing

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.