bug: SARIF's artifact location URI fails with does not conform to the "uri-reference" format

[gabrielkoo]

It originates from some findings that no source files are associated:

{
  "ruleId": "VulnerabilitiesID",
  "ruleIndex": 0,
  "message": {
    "text": "score is 8: 2 existing vulnerabilities detected:\nWarn: Project is vulnerable to: XXXX / YYYY\nClick Remediation section below to solve this issue"
  },
  "locations": [{
    "physicalLocation": {
      "region": {
        "startLine": 1
      },
      "artifactLocation": {
        "uri": "no file associated with this alert",
        "uriBaseId": "%SRCROOT%"
      }
    }
  }]
}

Sample error when trying to upload with github/codeql-action/upload-sarif@v2:

Error: Unable to upload "filteredResults.sarif" as it is not valid SARIF:
- instance.runs[1].results[0].locations[0].physicalLocation.artifactLocation.uri does not conform to the "uri-reference" format

Right now, I am using this hack to remove the locations when no source file is associated:

cat results.sarif | jq \
    '(.runs[].results[].locations) |= map(select(.physicalLocation.artifactLocation.uri != "no file associated with this alert"))' \
    > results.sarif

[daohoangson]

I ran into this error after updating github/codeql-action@v2.3.4.

[ben-manes]

Please fix asap; example failure

[davidkelliott]

We are getting the same, example

[akashsinghal]

+1 on this issue

[spencerschrock]

While we are working on a fix, a short term solution is to revert github/codeql-action to v2.3.3

[spencerschrock]

Also, upstream discussion at github/codeql-action#1703

[spencerschrock]

This is resolved by upgrading to github/codeql-action v2.3.5.