8 changes: 5 additions & 3 deletions scripts/zap-json-to-sarif.mjs
Expand Up @@ -154,9 +154,11 @@ function resolveArtifactLocation(rawUri) {
try {
const parsed = new URL(rawUri);
if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
// Relative path (without leading slash) + uriBaseId referencing the origin.
const relative = (parsed.pathname + parsed.search + parsed.hash).replace(/^\//, '');
return { uri: relative || '', uriBaseId: 'TARGET', origin: parsed.origin + '/' };
// Keep the leading slash so the root path becomes '/' instead of ''.
// GHAS Code Scanning rejects empty artifactLocation.uri values
// (locationFromSarifResult: expected artifact location).
const path = parsed.pathname + parsed.search + parsed.hash;
return { uri: path, uriBaseId: 'TARGET', origin: parsed.origin + '/' };
}
} catch {
// Not a URL β€” fall through and return as-is.
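Review bot: The new `return` keeps `path` with its leading '/' while `origin` still ends with '/', so a consumer that joins the TARGET base and the uri by plain concatenation would yield a double slash (`https://host//path`); RFC 3986 resolution of an absolute-path reference against the base gives the original URL, but nothing in the hunk states which the base entry is meant for, and the existing comment only explains the empty-uri rejection. Suggest adding above the new `const path` line: `// Absolute-path reference: resolved against the TARGET base (origin + '/') per RFC 3986 this yields the original URL.` Note also that `parsed.search + parsed.hash` still flows verbatim into `uri`, so any query-string values ZAP recorded end up in the uploaded SARIF; if that is intended, a one-line comment saying so would help the next reader. resolveArtifactLocation starts before this hunk and its catch block continues past it.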
12 changes: 7 additions & 5 deletions scripts/zap-json-to-sarif.test.mjs
Expand Up @@ -76,7 +76,8 @@ describe('zap-json-to-sarif', () => {
assert.equal(sarif.runs[0].results[0].ruleId, '10055-6');
assert.equal(sarif.runs[0].results[0].level, 'warning');
// http URIs must be relativised: origin goes into originalUriBaseIds, path into uri.
assert.equal(sarif.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri, '');
// Root path must be '/' not '' β€” GHAS rejects empty artifactLocation.uri.
assert.equal(sarif.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri, '/');
assert.equal(
sarif.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uriBaseId,
'TARGET',
Expand Down Expand Up @@ -135,10 +136,10 @@ describe('zap-json-to-sarif', () => {
assert.equal(sarif.runs[0].tool.driver.rules.length, 1);
assert.equal(sarif.runs[0].results.length, 1);
assert.equal(sarif.runs[0].results[0].ruleId, 'singleton-alert');
// http URI β†’ relative path + uriBaseId; origin hoisted to originalUriBaseIds.
// http URI β†’ absolute-path-reference + uriBaseId; origin hoisted to originalUriBaseIds.
assert.equal(
sarif.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri,
'singleton',
'/singleton',
);
assert.equal(
sarif.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uriBaseId,
Expand Down Expand Up @@ -191,12 +192,13 @@ describe('zap-json-to-sarif', () => {
],
});

// http URIs are relativised; non-http fallbacks ('zap-target') pass through unchanged.
// http URIs become absolute-path-references (leading slash preserved);
// non-http fallbacks ('zap-target') pass through unchanged.
assert.deepEqual(
sarif.runs[0].results.map(
(result) => result.locations[0].physicalLocation.artifactLocation.uri,
),
['node', '', 'zap-target'],
['/node', '/', 'zap-target'],
);
assert.deepEqual(
sarif.runs[0].results.map(
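Review bot: In the first hunk the unchanged comment `// http URIs must be relativised: origin goes into originalUriBaseIds, path into uri.` now contradicts the assertion directly below it, which expects '/' rather than a relativised path, while the comments in the later two hunks were updated to say absolute-path reference. Suggest `// http URIs keep their absolute path (leading slash): origin goes into originalUriBaseIds, path into uri.` to match. None of the three hunks asserts that base and uri recombine to the original URL, which is the property the leading slash relies on; a single `assert.equal(new URL(uri, sarif.runs[0].originalUriBaseIds.TARGET.uri).href, <fixture URL>)` (assuming the base is keyed TARGET, which is not visible here) would pin it.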