Closed
I've recently noticed, when running semgrep, that findings that are suppressed in code with #nosemgrep flag the results with a suppressions property. This seems to be valid SARIF formatting.
Example of a result:
```json
{
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
  "runs": [
    {
      "invocations": [
        {
          "executionSuccessful": true,
          "toolExecutionNotifications": []
        }
      ],
      "results": [
        {
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "backend/opre_ops/django_config/settings/common.py",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 15,
                  "endLine": 91,
                  "snippet": {
                    "text": "REST_FRAMEWORK = { # nosemgrep: python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config"
                  },
                  "startColumn": 1,
                  "startLine": 91
                }
              }
            }
          ],
          "message": {
            "text": "Django REST framework configuration is missing default rate- limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application."
          },
          "ruleId": "python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config",
          "suppressions": [
            {
              "kind": "inSource"
            }
          ]
        }
      ],
      "tool": {
        "driver": {
          "name": "semgrep",
          "rules": [
            {
              "defaultConfiguration": {
                "level": "error"
              },
              ...
          "semanticVersion": "0.111.1"
        }
      }
    }
  ],
  "version": "2.1.0"
}
```
When results like this are uploaded via the github/codeql-action/upload-sarif@v2 the results are still propagated as if they were valid findings.
Shouldn't these be ignored, or flagged in some other way?
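One workaround a CI pipeline can apply while this is open is to drop suppressed results from the SARIF log before handing it to upload-sarif. The script below is an added example, not part of the issue or of semgrep/codeql-action; it embeds a constructed SARIF log modelled on the result above (same ruleId and in-source suppression, plus two constructed results for contrast) and applies the SARIF 2.1.0 suppression semantics, under which a suppression whose `status` is absent counts as accepted while `underReview` and `rejected` suppressions leave the result active.

```python
import json
from typing import Any

# Constructed SARIF 2.1.0 log modelled on the issue's example: the same ruleId
# with an in-source suppression, plus a constructed unsuppressed result and a
# constructed result whose suppression was rejected (that one must stay active).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep"}},
        "results": [
            {"ruleId": "python.django.security.audit.django-rest-framework."
                       "missing-throttle-config.missing-throttle-config",
             "message": {"text": "Django REST framework configuration is "
                                 "missing default rate-limiting options."},
             "suppressions": [{"kind": "inSource"}]},
            {"ruleId": "example.constructed.no-suppression",
             "message": {"text": "Active finding (constructed)."}},
            {"ruleId": "example.constructed.rejected-suppression",
             "message": {"text": "Suppression was rejected (constructed)."},
             "suppressions": [{"kind": "external", "status": "rejected"}]},
        ],
    }],
})

def is_suppressed(result: dict[str, Any]) -> bool:
    """SARIF 2.1.0 semantics: a result is suppressed when at least one of its
    suppression objects is accepted. A suppression with no 'status' counts as
    accepted; 'underReview' and 'rejected' suppressions do not suppress it."""
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions") or [])

def strip_suppressed(sarif_text: str) -> tuple[dict[str, Any], list[str]]:
    """Drop suppressed results from every run; return (log, dropped ruleIds).
    Run this over semgrep's SARIF before upload-sarif so in-source
    suppressions do not surface as open code-scanning alerts."""
    log = json.loads(sarif_text)
    dropped: list[str] = []
    for run in log.get("runs", []):
        kept = []
        for result in run.get("results", []):
            if is_suppressed(result):
                dropped.append(result.get("ruleId", "<no ruleId>"))
            else:
                kept.append(result)
        run["results"] = kept
    return log, dropped
```

In a workflow, read semgrep's output file, call `strip_suppressed`, write the returned log back out, and point upload-sarif at that file; keep the dropped ruleIds in the job log so suppressions remain auditable.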