[BUG] artifactLocation.uri in SARIF output is missing a leading / #3289

@thecmdradama

Description of the issue

When using the SARIF output type with the SARIF SAST Scans Tab extension in Azure DevOps, the failing rules that are shown under the scans tab have a broken URL (it leads to a completely blank page). This seems to be caused by a missing / from the artifactLocation.uri in the generated SARIF output.

For example:

Current URL: https://dev.azure.com/sampleOrg/projectName/_git/repoName?path=path/to/file/with/issue.bicepparam&version={sha}&line=1&lineEnd=2&lineStartColumn=1
Correct URL: https://dev.azure.com/sampleOrg/projectName/_git/repoName?path=/path/to/file/with/issue.bicepparam&version={sha}&line=1&lineEnd=2&lineStartColumn=1

Not sure if there's something I should have set in the options via the ps-rule.yaml file or if this is a relatively simple bug in the SARIF generator.

Thanks

Error messages

No response

Reproduction

  1. Install the SARIF SAST Scans Tab extension in Azure DevOps if not already present.
  2. Trigger an Azure Pipeline that runs a scan of any .bicepparam file, which will output the result as a SARIF file.
  3. Ensure that the pipeline uploads the SARIF file as an artifact.
  4. Go to the Scans tab and click on a link for a failing rule.
  5. Append a / at the start of the path in the URL.

Version of PSRule

2.9.0

How are you running PSRule

Azure Pipelines

Additional context

No response
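
To check which locations in a SARIF file have the relative `artifactLocation.uri` described in this report, the following added example (not part of the issue and not PSRule's code) walks the standard `runs[].results[].locations[]` structure and lists each URI that has no scheme and no leading `/`, together with the path the report says the link needs. The sample log, its rule ids and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, not real PSRule output; rule ids are placeholders.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "PSRule"}},
    "results": [
      {"ruleId": "Example.Rule.A",
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "path/to/file/with/issue.bicepparam"},
         "region": {"startLine": 1}}}]},
      {"ruleId": "Example.Rule.B",
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "/path/to/other.bicepparam"}}}]},
      {"ruleId": "Example.Rule.C",
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "file:///src/main.bicep"}}}]}
    ]
  }]
}
""")

def artifact_uris(sarif):
    """Yield (ruleId, uri) for every result location in a SARIF log."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
                if uri:
                    yield result.get("ruleId"), uri

def needs_leading_slash(uri):
    """True for relative URIs (no scheme) that do not start with '/'."""
    return not urlsplit(uri).scheme and not uri.startswith("/")

def affected(sarif):
    """Return (ruleId, uri, path the link would need) for affected locations."""
    return [(rule, uri, "/" + uri)
            for rule, uri in artifact_uris(sarif)
            if needs_leading_slash(uri)]

if __name__ == "__main__":
    for rule, uri, wanted in affected(SAMPLE_SARIF):
        print(f"{rule}: uri={uri!r} -> link path should be {wanted!r}")
```
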

Labels: .NET (Pull requests that update .net code); feature: output (Issues that affect output and results)