fix(sarif): add fallback location for results without file locations #819
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cosmir17
force-pushed
the
fix-sarif-empty-locations
branch
2 times, most recently
from
ac4a373 to
02d64e2
Compare
Instead of hardcoding "Cargo.toml", use the workspace root path to construct the fallback location URI. This ensures the location points to an actual file in the workspace.
cosmir17
force-pushed
the
fix-sarif-empty-locations
branch
2 times, most recently
from
8eec434 to
ff4dfd6
Compare
The gix-date 0.11.0 vulnerability (TimeBuf::as_str can create non-UTF8 strings) is introduced via tame-index 0.25.0 which pins gix 0.75.0. Cannot update gix directly as it would conflict with tame-index's gix dependency. Ignoring until tame-index releases an update with gix 0.77+.
cosmir17
force-pushed
the
fix-sarif-empty-locations
branch
from
ff4dfd6 to
6b03985
Compare
Jake-Shadle
approved these changes
Jan 8, 2026
Member
Jake-Shadle
left a comment
Jake-Shadle
left a comment
There was a problem hiding this comment.
I think it would be better to point to the locations in each manifest that directly depends on the crate in question, but I don't really care about SARIF so someone can do that later if they want, I presume this is just to get past the github requirement more than anything.
Contributor
Author
|
Thanks for merging! You're right - this is primarily to satisfy GitHub's location requirement. The direct-dependency approach would be more informative for users investigating vulnerabilities. |
cosmir17
added a commit
to midnightntwrk/midnight-indexer
that referenced
this pull request
Jan 8, 2026
cargo-deny 0.19.0 now includes a fix for empty locations in SARIF output (EmbarkStudios/cargo-deny#819). The jq workaround that added Cargo.lock as a fallback location is no longer needed.
gilescope
pushed a commit
to midnightntwrk/midnight-indexer
that referenced
this pull request
Jan 8, 2026
cargo-deny 0.19.0 now includes a fix for empty locations in SARIF output (EmbarkStudios/cargo-deny#819). The jq workaround that added Cargo.lock as a fallback location is no longer needed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
GitHub Code Scanning requires at least one location per SARIF result, but some diagnostics (e.g., dependency advisories) only reference Cargo.lock which is filtered out, leaving an empty
locationsarray.This adds a fallback location pointing to
Cargo.tomlline 1 when no locations exist.Fixes compatibility with
github/codeql-action/upload-sarif.cc'ing @gilescope