
Fix for Issue #1482 - SARIF artifactChanges null validation error#1483

Merged
ccojocar merged 1 commit into securego:master from ravisastryk:fix/issue-1482-sarif-artifact-changes
Jan 25, 2026

Conversation

@ravisastryk (Contributor)

Summary

Only create Fix object when autofix is non-empty to avoid null artifactChanges. Fixes #1482.

Problem

GitHub's CodeQL upload-sarif action was rejecting SARIF files generated by gosec with the error:

instance.runs[0].results[23].fixes[0].artifactChanges is not of a type(s) array

Root Cause: The Fix object was being created unconditionally, even when autofix was empty. This resulted in ArtifactChanges being null in the JSON output, which violates the SARIF 2.1.0 schema requirement that artifactChanges must be a non-empty array when present.

Solution

Only create the Fix object when autofix content is non-empty. This ensures:

  • No fixes field when there's no fix suggestion (schema-compliant)
  • Valid artifactChanges array when fix exists (schema-compliant)

Tests

  • Made sure all existing tests run along with existing SARIF tests
  • New test added to validate fix

Only create Fix object when autofix is non-empty to avoid null artifactChanges.
Fixes securego#1482.
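The root cause and the guard the PR describes, as an added Go example that is not part of the PR or of gosec's code base: the `Fix` and `Result` structs are simplified stand-ins for the SARIF objects, and the rule id and file path are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for the SARIF 2.1.0 objects involved (assumed shapes, not gosec's own types).
type Fix struct {
	ArtifactChanges []map[string]any `json:"artifactChanges"` // schema: a non-empty array when present
}

type Result struct {
	RuleID string `json:"ruleId"`
	Fixes  []*Fix `json:"fixes,omitempty"`
}

// buildResult creates one SARIF result. With guard=false it mirrors the pre-fix code and attaches
// a Fix unconditionally; with guard=true it follows the PR and attaches a Fix only when there is
// autofix content, so an empty autofix yields no "fixes" field at all.
func buildResult(ruleID, autofix string, guard bool) Result {
	r := Result{RuleID: ruleID}
	if !guard || autofix != "" {
		f := &Fix{} // an empty autofix leaves ArtifactChanges nil, which encoding/json emits as null
		if autofix != "" {
			// constructed sample change; a real fix also carries the replacement text
			f.ArtifactChanges = []map[string]any{{"artifactLocation": map[string]string{"uri": "main.go"}}}
		}
		r.Fixes = []*Fix{f}
	}
	return r
}

// check returns the marshalled JSON and whether every fix present carries a non-empty
// artifactChanges array, which is the schema rule the upload-sarif action enforced.
func check(r Result) (string, bool) {
	b, _ := json.Marshal(r)
	for _, f := range r.Fixes {
		if len(f.ArtifactChanges) == 0 {
			return string(b), false
		}
	}
	return string(b), true
}

func main() {
	fmt.Println(check(buildResult("G101", "", false))) // {"ruleId":"G101","fixes":[{"artifactChanges":null}]} false
	fmt.Println(check(buildResult("G101", "", true)))  // {"ruleId":"G101"} true
}
```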
@ravisastryk (Contributor, Author)

@ccojocar Please take a look at this PR when you get a chance. Folks have been waiting to get a release instead of doing some workarounds. It would be nice for gosec adoption in the community.

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.23%. Comparing base (1216c9b) to head (3952481).
⚠️ Report is 173 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1483      +/-   ##
==========================================
+ Coverage   68.49%   69.23%   +0.73%     
==========================================
  Files          75       83       +8     
  Lines        4384     6663    +2279     
==========================================
+ Hits         3003     4613    +1610     
- Misses       1233     1825     +592     
- Partials      148      225      +77     


@ccojocar ccojocar merged commit d24bbf7 into securego:master Jan 25, 2026
6 checks passed
Development

Successfully merging this pull request may close these issues.

GitHub complains about SARIF file: instance.runs[0].results[23].fixes[0].artifactChanges is not of a type(s) array
