
SARIF output violates the spec and puts all locations into one result #90

Closed
valentinas opened this issue Sep 9, 2024 · 4 comments · Fixed by lightspeed-security/mobsfscan#1

Comments

@valentinas

Hi,

I have encountered an issue where I want to use mobsfscan with GitHub Code Scanning. GitHub needs the output to be in SARIF format, but mobsfscan produces SARIF that has all instances of the same type of vulnerability inside one "result" object with multiple "locations" objects.

This goes against the SARIF spec, which states that:

The locations array SHALL NOT be used to specify distinct occurrences of the same result which can be corrected independently.

Because of this GitHub only displays the first instance of each vulnerability.

ls-valentinas-bakaitis added a commit to lightspeed-security/mobsfscan that referenced this issue Sep 10, 2024
@heltoft

heltoft commented Oct 9, 2024

This fix would be very appreciated - is it possible to get some action on this? I see there is an open pull request for it.

I ran into the same issue and created a workaround that can be used until the issue is resolved.
In case it is useful to others, the workaround is to run the mobsfscan output through jq to modify the output to get the expected result:

```
cat mobsfscan_output.sarif | \
jq '.runs |= map(.results |= map(.locations[] as $loc | .locations = [$loc] | .))' \
> fixed_mobsfscan_output.sarif
```
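The same reshaping in Python, as an added example that is not part of this thread or of mobsfscan; the SARIF log, rule ids and file paths are constructed sample data. It also reports which results bundle several locations (the spec violation described in the issue) and, unlike the jq one-liner, leaves a result with an empty `locations` array in place:

```python
import copy

def _loc(uri, line):
    # Minimal SARIF physicalLocation; only used to build the constructed sample.
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}

# Constructed minimal SARIF 2.1.0 log (sample data, not real mobsfscan output):
# result 0 bundles two locations, result 1 has one, result 2 has none.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "rule_a", "level": "warning", "message": {"text": "finding A"},
             "locations": [_loc("src/a.java", 10), _loc("src/b.java", 42)]},
            {"ruleId": "rule_b", "level": "warning", "message": {"text": "finding B"},
             "locations": [_loc("src/c.java", 7)]},
            {"ruleId": "rule_c", "level": "note", "message": {"text": "finding C"}},
        ],
    }],
}

def multi_location_results(sarif):
    # (run_index, result_index, location_count) for every result that bundles
    # several locations: the pattern the issue describes.
    found = []
    for ri, run in enumerate(sarif.get("runs", [])):
        for i, res in enumerate(run.get("results", [])):
            n = len(res.get("locations") or [])
            if n > 1:
                found.append((ri, i, n))
    return found

def split_locations(sarif):
    # Deep copy in which every result carries at most one location. A result with
    # N locations becomes N results sharing ruleId, level and message; results with
    # zero or one location pass through unchanged (the jq one-liner above yields
    # nothing for an empty locations array, so such a result would disappear).
    out = copy.deepcopy(sarif)
    for run in out.get("runs", []):
        split = []
        for res in run.get("results", []):
            locs = res.get("locations") or []
            if len(locs) <= 1:
                split.append(res)
            else:
                for loc in locs:
                    split.append({**copy.deepcopy(res), "locations": [loc]})
        run["results"] = split
    return out
```

Serialize the returned dict with `json.dump` to get a file GitHub Code Scanning will ingest; the input dict is not modified.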

@ajinabraham
Member

I am working on a libsast performance update. This will be addressed along with that.

@ajinabraham
Member

I bumped the libsast version. Can you update this PR accordingly?

@valentinas
Author

Yep, will do now
