Skip to content

ci(binskim): fix 'expected a result message' SARIF upload errors#175

Merged
prsasattms merged 1 commit into
mainfrom
fix/binskim-sarif-message-text
Jun 3, 2026
Merged

ci(binskim): fix 'expected a result message' SARIF upload errors#175
prsasattms merged 1 commit into
mainfrom
fix/binskim-sarif-message-text

Conversation

@prsasattms

Copy link
Copy Markdown
Collaborator

Fixes the BinSkim "Code Scanning failed - 2 errors" banner on the binskim-rust configuration page (https://github.com/AzureCosmosDB/OmniVec/security/code-scanning).

Root cause

BinSkim emits SARIF results that reference rule messageStrings by id (e.g. message.id = "Warning_NativeWithInsecureStaticLibraryCompilands" plus arguments), without an inlined message.text field.

GitHub Code Scanning's SARIF ingester requires message.text to be present directly on every result, so the upload was failing with:

expected a result message, expected a result message

The 2 errors correspond to the 2 suppressed BinSkim results on docgrok-router.exe (rules BA2004 and BA2024, both with documented upstream-toolchain justifications in scripts/security/binskim_suppressions.json).

Fix

scripts/security/filter_binskim_sarif.py already walked the SARIF to suppress documented findings. Extended it to also synthesize message.text when missing:

  1. For each result without message.text, look up tool.driver.rules[ruleIndex].messageStrings[message.id].text.
  2. Substitute arguments into the {0}, {1}, … placeholders.
  3. Write the resolved text back to message.text.

Falls back to a deterministic placeholder (<ruleId>: <messageId>) if the template cannot be resolved, so the SARIF always uploads.

Verification

Tested locally against the actual SARIF artifact downloaded from the most recent main-branch run:

BinSkim filter: kept=0 suppressed=2 unsuppressed_fails_or_warnings=0 message_text_patched=2
results without message.text: 0

No security findings change — the 2 results remain suppressed at level: note with their existing justifications. This PR only fixes the SARIF format so the upload succeeds and the BinSkim configuration page shows clean instead of "2 errors".

…ed a result message' errors

BinSkim emits results that reference rule messageStrings by id (e.g.
message.id=Warning_NativeWithInsecureStaticLibraryCompilands plus
arguments) without an inlined message.text. GitHub Code Scanning's
SARIF ingester requires message.text directly, so the binskim-rust
configuration on main was failing with:
  'expected a result message, expected a result message'
(2 errors corresponding to the 2 suppressed BA2004/BA2024 results).

Patch the SARIF in filter_binskim_sarif.py: walk runs->results, find
results missing message.text, look up tool.driver.rules[ruleIndex]
.messageStrings[message.id].text, .format(*arguments), and inline.

No security findings change: both results are already suppressed with
documented upstream-toolchain justifications. This only fixes the
SARIF-upload error so the BinSkim configuration page shows clean.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@prsasattms prsasattms merged commit ff659ba into main Jun 3, 2026
8 checks passed
@prsasattms prsasattms deleted the fix/binskim-sarif-message-text branch June 3, 2026 15:39
prsasattms pushed a commit that referenced this pull request Jun 3, 2026
The BinSkim go configuration on main was showing the warning
'unsuccessful tool execution, exit code 0' because BinSkim sets
invocations[0].executionSuccessful=false when it can't load a PDB
for the Go binary (ERR997.ExceptionLoadingPdb). Go's toolchain does
not emit MSVC PDBs — this is the documented limitation, not a tool
failure or a security finding.

Changes:
- scripts/security/filter_binskim_sarif.py: new _normalize_invocations
  step. Walks toolConfigurationNotifications, demotes ones matching
  binskim_suppressions.json[invocation_notifications] from error to
  note (with audit-trail suppression entry), and flips
  executionSuccessful back to True when no error-level notifications
  remain.
- scripts/security/binskim_suppressions.json: add documented
  invocation_notifications entry for ERR997.ExceptionLoadingPdb on
  omnivec.exe with a security justification (Go security posture is
  enforced by Go toolchain + runtime, not by MSVC linker switches).
- .github/workflows/binskim.yml: wire binskim-dotnet and binskim-go
  jobs through filter_binskim_sarif.py before SARIF upload. Rust was
  already wired (PR #175).

After this PR all three configurations (binskim-dotnet, binskim-go,
binskim-rust) should show clean on the BinSkim configuration page
with no errors and no warnings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
prsasattms added a commit that referenced this pull request Jun 3, 2026
The BinSkim go configuration on main was showing the warning
'unsuccessful tool execution, exit code 0' because BinSkim sets
invocations[0].executionSuccessful=false when it can't load a PDB
for the Go binary (ERR997.ExceptionLoadingPdb). Go's toolchain does
not emit MSVC PDBs — this is the documented limitation, not a tool
failure or a security finding.

Changes:
- scripts/security/filter_binskim_sarif.py: new _normalize_invocations
  step. Walks toolConfigurationNotifications, demotes ones matching
  binskim_suppressions.json[invocation_notifications] from error to
  note (with audit-trail suppression entry), and flips
  executionSuccessful back to True when no error-level notifications
  remain.
- scripts/security/binskim_suppressions.json: add documented
  invocation_notifications entry for ERR997.ExceptionLoadingPdb on
  omnivec.exe with a security justification (Go security posture is
  enforced by Go toolchain + runtime, not by MSVC linker switches).
- .github/workflows/binskim.yml: wire binskim-dotnet and binskim-go
  jobs through filter_binskim_sarif.py before SARIF upload. Rust was
  already wired (PR #175).

After this PR all three configurations (binskim-dotnet, binskim-go,
binskim-rust) should show clean on the BinSkim configuration page
with no errors and no warnings.

Co-authored-by: Pradeep Sasatt <prsasatt@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants