
How to convert a JSON value into SARIF format

How do I convert these values into SARIF?

Vulnerabilities: { "id": "66c5b89700fbf372c2f1f182", "method": "post", "path": "/user", "type": "API-DP9-2024", "severity": "High", "label": "Bot Data Modification", "impact": "Vulnerablity" }

Here is what I tried:

# Build the SARIF document with a bash heredoc
sarif_output=$(cat <<EOF
{
  "$schema": "",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Custom Vulnerability Scanner",
          "version": "1.0",
          "informationUri": "",
          "rules": [
            {
              "id": "API-DP9-2024",
              "name": "Bot Data Modification",
              "shortDescription": {
                "text": "This rule identifies API endpoints vulnerable to bot data modification."
              },
              "fullDescription": {
                "text": "Bot Data Modification vulnerabilities occur when an API endpoint allows unauthorized data modification by automated systems."
              },
              "helpUri": "",
              "defaultConfiguration": {
                "level": "error"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "API-DP9-2024",
          "level": "error",
          "message": {
            "text": "Vulnerability Report: Bot Data Modification on POST /user Endpoint."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "user",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "startLine": 1
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
EOF
)

I got this error:

Error details: instance is not allowed to have the additional property ""
Error: Unable to upload "./vulnerabilities-results.sarif" as it is not valid SARIF:
- instance is not allowed to have the additional property ""

I am using a GitHub Action.

Please tell me how to achieve this.


    The file in the question is valid according to the specified schema.

    This file is accepted by github/codeql-action/upload-sarif@v3 action.

    However, the file that I see in the workflow you shared has an issue: the property "$schema" is missing. It is replaced by an empty string "", which is treated as a valid JSON property key but a key that is not allowed by SARIF. Hence it is referred to as an additional property.

    Vulnerabilities SARIF: {
              "": "",

    The reason for this is most likely that the file was transformed by bash or similar which performed variable expansion on $schema. For example, if you run this command, you will see what I mean:

    # The delimiter is unquoted, so the shell expands $schema inside the heredoc
    cat <<EOF
      "$schema": ""
    EOF
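The fix the answer points at, as an added example that is not code from the question or the answer: the finding from the question written as SARIF 2.1.0 from an unquoted bash heredoc, with `\$schema` escaped so the key survives while the `${VULN_*}` values still expand. The schema URL and the rule description text are assumptions; the record fields are the ones in the question.

```shell
# Added example, not the question's or answer's code. Builds SARIF 2.1.0 for
# the question's finding from an unquoted bash heredoc: ${VULN_*} expand,
# while \$schema is escaped so the key survives (the question's file lost it).
# The schema URL and rule text are assumptions.

VULN_METHOD="post"; VULN_PATH="/user"        # fields from the question's record
VULN_TYPE="API-DP9-2024"; VULN_LABEL="Bot Data Modification"

# Reproduces the question's symptom: $schema is unset, so the key becomes "".
broken_schema_line() { cat <<EOF
  "$schema": "",
EOF
}

# Writes the complete SARIF document to file $1.
write_sarif() {
  method_uc=$(printf '%s' "$VULN_METHOD" | tr 'a-z' 'A-Z')
  cat > "$1" <<EOF
{
  "\$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {
      "name": "Custom Vulnerability Scanner",
      "rules": [{
        "id": "${VULN_TYPE}",
        "name": "${VULN_LABEL}",
        "shortDescription": {"text": "${VULN_LABEL} on an API endpoint."},
        "defaultConfiguration": {"level": "error"}
      }]
    }},
    "results": [{
      "ruleId": "${VULN_TYPE}",
      "level": "error",
      "message": {"text": "${VULN_LABEL} on ${method_uc} ${VULN_PATH}"},
      "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "${VULN_PATH#/}", "uriBaseId": "%SRCROOT%"},
        "region": {"startLine": 1}
      }}]
    }]
  }]
}
EOF
}

# Returns 0 when $1 has the literal "$schema" key and no empty "" key.
sarif_schema_ok() {
  grep -q '"\$schema"' "$1" && ! grep -q '""[[:space:]]*:' "$1"
}
```

Run `sarif_schema_ok` on the generated file before the upload step; it catches the `"": ""` key that made the upload-sarif action reject the file.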