Description
I've got a gosec SARIF that contains this block (truncated for clarity):
```json
{
  "runs": [
    {
      "results": [
        {
          "fixes": [
            {
              "artifactChanges": null,
              "description": {
                "markdown": "Consider using os.Root to scope file access under a fixed root (Go \u003e=1.24). Prefer root.Open/root.Stat over os.Open/os.Stat to prevent directory traversal.",
                "text": "Consider using os.Root to scope file access under a fixed root (Go \u003e=1.24). Prefer root.Open/root.Stat over os.Open/os.Stat to prevent directory traversal."
              }
            }
          ],
          "level": "error",
          "locations": [
            // ...
          ],
          "message": {
            "text": "Potential file inclusion via variable"
          },
          "ruleId": "G304"
        },
        // ...
```

When using github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 to upload the SARIF, I get a schema validation failure because the schema indicates artifactChanges is required and must be an array.
From what I can tell, the autoFix logic JUST adds "description" values, but no artifactChanges. I'm not sure where artifactChanges is supposed to come from.
If it helps, I see AI-powered autofix suggestions in the code, but I'm not using it. For this rule, I believe the static osRootSuggestion is what's being used.
For now, I've just disabled rule G304.
The gosec version I'm using is here, used via direct binary installation.
GOSEC_VERSION ?= 6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
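A post-processing workaround for the upload failure described in the report, added here as an example and not part of gosec or the issue: it drops any fix object whose artifactChanges is not a non-empty array (which the SARIF 2.1.0 schema requires) and folds the fix's description into the result message, so the G304 finding itself still reaches the upload step instead of the rule being disabled. SAMPLE_SARIF is a constructed stand-in for the reporter's file.

```python
import json
from typing import Any

# Constructed sample mirroring the issue: the fix carries only a description and
# artifactChanges is null, which the SARIF 2.1.0 schema rejects (required, non-empty array).
SAMPLE_SARIF: dict[str, Any] = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "gosec"}},
        "results": [{
            "ruleId": "G304",
            "level": "error",
            "message": {"text": "Potential file inclusion via variable"},
            "fixes": [{
                "artifactChanges": None,
                "description": {"text": "Consider using os.Root to scope file access."},
            }],
        }],
    }],
}


def fix_is_valid(fix: dict[str, Any]) -> bool:
    """A SARIF fix object must carry a non-empty artifactChanges array."""
    changes = fix.get("artifactChanges")
    return isinstance(changes, list) and len(changes) > 0


def sanitize(sarif: dict[str, Any]) -> tuple[dict[str, Any], int]:
    """Return a deep copy with invalid fixes removed, plus the number removed.
    A dropped fix's description text is appended to the result message so the
    remediation hint is not lost."""
    doc = json.loads(json.dumps(sarif))  # deep copy; input is left untouched
    dropped = 0
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            kept = []
            for fix in result.get("fixes") or []:
                if fix_is_valid(fix):
                    kept.append(fix)
                    continue
                dropped += 1
                hint = (fix.get("description") or {}).get("text")
                if hint:
                    msg = result.setdefault("message", {})
                    msg["text"] = f"{msg.get('text', '')} {hint}".strip()
            if kept:
                result["fixes"] = kept
            else:
                result.pop("fixes", None)  # an empty fixes array adds nothing
    return doc, dropped
```

Run sanitize() over the parsed gosec output and write the returned document to the file handed to upload-sarif.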