PMD produces a SARIF file with multiple location entries per result. It appears that on GitHub only the first location is used.
Example file: pmd-report.sarif.txt
In this case, we have in total 24 violations in 6 files. Each violation comes from one of 9 different rules.
In the end, we don't have 24 alerts but only 9 alerts after uploading. This is also visible in the build log: "num_results_in_sarif":9.
3.14.23 results property
... an array of zero or more result objects (§3.27) each of which represents a single result detected in the course of the run
This could be interpreted to mean that, since we have 24 violations, each of these violations should be a single result...
3.27.12 locations property
a) A result object SHOULD contain a property named locations whose value is an array of zero or more location objects (§3.28) each of which specifies a location where the result occurred.
b) The locations array SHALL NOT contain more than one element unless the condition indicated by the result, if any, can only be corrected by making a change at every location specified in the array.
c) The locations array SHALL NOT be used to specify distinct occurrences of the same result which can be corrected independently.
OK, a) is what PMD does: all locations where a specific rule was violated.
Sentence b) is probably violated: every location must be fixed in order to correct the result.
Sentence c) is also violated: PMD only produces distinct results, and they usually can be corrected independently.
Code scanning alerts: https://github.com/pmd/pmd-github-action-tests/security/code-scanning?query=branch%3Ajava
Test case, see https://github.com/pmd/pmd-github-action-tests/tree/java#code-scanning-alerts
Sarif feature in PMD: https://pmd.github.io/latest/pmd_userdocs_report_formats.html#sarif
Sarif Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html
So, I guess, that's a bug in PMD: pmd/pmd#3768.
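The split that §3.27.12 (b) and (c) call for, as an added example in Python (this is not PMD's or GitHub's code): it counts results against locations, flags results that carry more than one location, and rewrites such a log so that every location becomes its own result. The SAMPLE_SARIF document is constructed to mirror the shape described above (one result per rule, the violations as extra locations) and is not the attached pmd-report.sarif.txt.

```python
# Added example (not PMD's or GitHub's code): normalise a SARIF log so that each
# independently fixable violation is its own result object, as SARIF 2.1.0
# section 3.27.12 (b) and (c) require. The SAMPLE_SARIF document below is
# constructed for this example and is not the pmd-report.sarif.txt from the issue.
import copy
import json
import sys


def _loc(uri, line):
    """Build a minimal SARIF physicalLocation for a file/line pair."""
    return {"physicalLocation": {
        "artifactLocation": {"uri": uri},
        "region": {"startLine": line}}}


# Constructed sample: 2 rules, 5 violations in 3 files, emitted the way the
# issue describes (one result per rule, all violations as extra locations).
SAMPLE_SARIF = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "PMD", "rules": [
            {"id": "UnusedLocalVariable"},
            {"id": "EmptyCatchBlock"},
        ]}},
        "results": [
            {"ruleId": "UnusedLocalVariable", "ruleIndex": 0, "level": "warning",
             "message": {"text": "Avoid unused local variables such as 'x'."},
             "locations": [_loc("src/A.java", 10), _loc("src/B.java", 20),
                           _loc("src/B.java", 35)]},
            {"ruleId": "EmptyCatchBlock", "ruleIndex": 1, "level": "warning",
             "message": {"text": "Avoid empty catch blocks"},
             "locations": [_loc("src/A.java", 42), _loc("src/C.java", 7)]},
        ],
    }],
}


def count_results_and_locations(sarif):
    """Return (results, locations) summed over all runs.

    GitHub's "num_results_in_sarif" and the alert count follow the first
    number; the second is how many findings the tool actually reported.
    """
    results = locations = 0
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            results += 1
            locations += len(result.get("locations") or [])
    return results, locations


def multi_location_results(sarif):
    """Rule ids of results carrying more than one location (the spec violation)."""
    return [result.get("ruleId")
            for run in sarif.get("runs", [])
            for result in run.get("results", [])
            if len(result.get("locations") or []) > 1]


def split_locations(sarif):
    """Return a deep copy in which every result has exactly one location.

    Each extra location becomes its own result with the same ruleId, level and
    message. partialFingerprints (if the tool set any) are dropped because the
    clones would otherwise share one fingerprint and be collapsed again;
    GitHub's upload step computes a fingerprint when none is present.
    """
    out = copy.deepcopy(sarif)
    for run in out.get("runs", []):
        split = []
        for result in run.get("results", []):
            locations = result.get("locations") or []
            if len(locations) <= 1:
                split.append(result)
                continue
            for location in locations:
                clone = copy.deepcopy(result)
                clone["locations"] = [location]
                clone.pop("partialFingerprints", None)
                split.append(clone)
        run["results"] = split
    return out


if __name__ == "__main__":
    # Usage: python split_sarif.py pmd-report.sarif > pmd-report.fixed.sarif
    # Without an argument the constructed sample is processed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SARIF
    before, _ = count_results_and_locations(doc)
    fixed = split_locations(doc)
    after, _ = count_results_and_locations(fixed)
    print("results before/after:", before, "->", after, file=sys.stderr)
    json.dump(fixed, sys.stdout, indent=2)
```

Run against the real report, the before/after count on stderr should move from 9 to 24, matching the number of violations PMD reported; the rewritten log on stdout is what you would upload instead. The check in multi_location_results is also a cheap CI gate for any SARIF producer: an empty list means the log already satisfies §3.27.12.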