
πŸ› fix(ci): preserve leading slash in ZAP SARIF artifact URIs so root scans validate#405

Merged
s-b-e-n-s-o-n merged 1 commit into main from fix/zap-sarif-empty-uri
May 29, 2026

@s-b-e-n-s-o-n
Contributor

Summary

Follow-up to PR #404. The previous fix relativised http URIs but stripped the leading `/`, which meant root-path scans (`http://localhost:3333/` — the most common ZAP baseline target) ended up as `uri: ''`. GHAS Code Scanning then rejected the upload:

`locationFromSarifResult: expected artifact location`

(seen in post-merge CI Verify run 26615030359, job 78430341466)

Fix

Don't strip the leading slash. Result: root URL emits `uri='/'`, paths emit `uri='/auth/login'` etc. Both are valid absolute-path-references per RFC 3986 §4.2 and resolve correctly against `originalUriBaseIds.TARGET` per SARIF §3.4.4.

Verification

  • 10/10 ZAP tests pass; 53/53 full scripts suite pass
  • Pre-push gates all green (coverage 100%, build, biome, qlty)

Test plan

  • Post-merge CI Verify on main: `Upload ZAP SARIF` succeeds — fully closes the DAST chain

…scans validate

GHAS Code Scanning rejects SARIF results with an empty artifactLocation.uri
(error: locationFromSarifResult: expected artifact location). The root URL
http://localhost:3333/ produced pathname '/' which, after stripping the leading
slash, became ''. Keep the leading slash so root scans emit uri='/' and all
other paths emit '/foo' — both are valid absolute-path-references per RFC 3986
§4.2 and resolve correctly against originalUriBaseIds.TARGET.
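
The failure and fix described in the PR summary and commit message above, as an added example that is not the project's own code: it builds a minimal SARIF run both ways, flags results whose `artifactLocation.uri` is empty, and resolves the fixed URIs against `originalUriBaseIds.TARGET`. All function names and the sample alerts are assumptions made for illustration.

```javascript
// Added example. Function names and the sample alerts are constructed for
// illustration; "TARGET" is the uriBaseId named in the PR description.
const TARGET = 'http://localhost:3333/';
const ALERTS = [ // constructed sample alerts, not real scan output
  { ruleId: 'constructed-1', name: 'finding on root', url: 'http://localhost:3333/' },
  { ruleId: 'constructed-2', name: 'finding on login', url: 'http://localhost:3333/auth/login' },
];

// Behaviour the PR replaces: relativise, then strip the leading slash.
function locateStripped(alertUrl) {
  return { uri: new URL(alertUrl).pathname.replace(/^\//, ''), uriBaseId: 'TARGET' };
}

// Behaviour the PR describes: keep the pathname as an absolute-path reference.
function locateAbsolutePath(alertUrl) {
  return { uri: new URL(alertUrl).pathname, uriBaseId: 'TARGET' };
}

// Minimal SARIF run: each alert becomes one result with one location.
function buildRun(target, alerts, locate) {
  return {
    tool: { driver: { name: 'ZAP' } },
    originalUriBaseIds: { TARGET: { uri: new URL('/', target).href } },
    results: alerts.map((a) => ({
      ruleId: a.ruleId,
      message: { text: a.name },
      locations: [{ physicalLocation: { artifactLocation: locate(a.url) } }],
    })),
  };
}

// Pre-upload gate: indexes of results with no location or an empty uri.
function findEmptyArtifactUris(run) {
  return run.results.flatMap((r, i) => {
    const locs = r.locations ?? [];
    const ok = locs.length > 0 && locs.every((l) => {
      const uri = l.physicalLocation?.artifactLocation?.uri;
      return typeof uri === 'string' && uri.length > 0;
    });
    return ok ? [] : [i];
  });
}

// Resolve a location the way a SARIF consumer would, against its base id.
function resolveLocation(run, loc) {
  return new URL(loc.uri, run.originalUriBaseIds[loc.uriBaseId].uri).href;
}
```

Running `findEmptyArtifactUris` on the generated run before the upload step turns the GHAS rejection into a local failure that names the offending result.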

vercel Bot commented May 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
drydock-demo Ready Ready Preview, Comment May 29, 2026 3:27am
drydock-website Ready Ready Preview, Comment May 29, 2026 3:27am

Member

@biggest-littlest biggest-littlest left a comment


LGTM — preserves leading slash, satisfies absolute-path-reference per RFC 3986.

Member

@ALARGECOMPANY ALARGECOMPANY left a comment


Approved.


codecov Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@s-b-e-n-s-o-n s-b-e-n-s-o-n merged commit ee674b9 into main May 29, 2026
24 checks passed
@s-b-e-n-s-o-n s-b-e-n-s-o-n deleted the fix/zap-sarif-empty-uri branch May 29, 2026 03:52