Bug description
When importing a valid SARIF 2.1.0 report that contains no results (i.e., an empty results array), the import fails with an IndexError: list index out of range. The error occurs because the parser assumes that if run["tool"]["driver"]["rules"] is empty, the extensions array will have at least one element. This assumption is not guaranteed by the SARIF specification.
The exact traceback points to:
File "/app/dojo/tools/sarif/parser.py", line 389, in get_rules
rules_array = run["tool"]["extensions"][0].get("rules", [])
Steps to reproduce
Generate or create a valid SARIF 2.1.0 file where no issues were found by the scanning tool.
Ensure the file has the following structure, which is compliant with the SARIF spec:
runs[].tool.driver.rules is an empty array ([]).
runs[].tool.extensions is either absent or an empty array ([]).
runs[].results is an empty array ([]).
Attempt to import this file into DefectDojo.
Observe the list index out of range error.
Expected behavior
DefectDojo should gracefully handle a SARIF file with no results. The expected outcome is a successful import with a status indicating "No findings found" or simply a successful completion without creating any findings. The parser should not assume that extensions is non-empty or contains a rules array.
Deployment method
Environment information
Operating System: [Ubuntu 24.04]
Docker Compose or Helm version: [docker compose version]
DefectDojo version (see footer) or commit message: 2.58.3
Attached is a minimal, spec-compliant SARIF file that triggers the error:
```json
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "ExampleTool",
          "rules": []
        }
      },
      "results": []
    }
  ]
}
```
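As an added illustration (not DefectDojo's parser code), the lookup quoted in the traceback beside a tolerant replacement that collects rules from the driver and every extension component and maps results back to them; `EMPTY_SARIF`, `EXT_SARIF`, the `EXT001` rule id and the function names are constructed for this example.

```python
import json

# Constructed sample matching the attached file: driver.rules is empty and
# tool.extensions is absent, which the SARIF 2.1.0 spec permits.
EMPTY_SARIF = json.loads('{"version": "2.1.0", "runs": [{"tool": {"driver": '
                         '{"name": "ExampleTool", "rules": []}}, "results": []}]}')

# Constructed sample where the only rule lives in an extension component.
EXT_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "ExampleTool", "rules": []},
             "extensions": [{"name": "Plugin", "rules": [{"id": "EXT001"}]}]},
    "results": [{"ruleId": "EXT001", "message": {"text": "hit"}}]}]}

def get_rules_fragile(run):
    """Illustrative copy of the lookup quoted in the traceback (not DefectDojo's code)."""
    rules_array = run["tool"]["driver"].get("rules", [])
    if not rules_array:
        # KeyError when "extensions" is absent, IndexError when it is [].
        rules_array = run["tool"]["extensions"][0].get("rules", [])
    return {rule["id"]: rule for rule in rules_array}

def get_rules(run):
    """Collect rules from the driver and every extension, tolerating absent or empty arrays."""
    tool = run.get("tool") or {}
    components = [tool.get("driver") or {}] + list(tool.get("extensions") or [])
    rules = {}
    for component in components:
        for rule in component.get("rules") or []:
            rules.setdefault(rule.get("id"), rule)  # first definition wins on duplicate ids
    return rules

def fragile_raises(run):
    """True when the fragile lookup fails on this run."""
    try:
        get_rules_fragile(run)
    except (KeyError, IndexError):
        return True
    return False

def collect_findings(sarif):
    """(ruleId, message text, matching rule or None) for every result; empty input yields []."""
    findings = []
    for run in sarif.get("runs") or []:
        rules = get_rules(run)
        for result in run.get("results") or []:
            rule_id = result.get("ruleId")
            text = (result.get("message") or {}).get("text", "")
            findings.append((rule_id, text, rules.get(rule_id)))
    return findings
```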
Screenshot