trivy-action fails to upload SARIF files after upgrading to trivy v0.69.1

[obounaim]

Description

After upgrading @aquasecurity/trivy-action from v0.33.1 to v0.34.0, the action now fails when attempting to upload SARIF files to GitHub Advanced Security. This issue appears to be connected to the bundled Trivy version upgrade from v0.65.0 to v0.69.1.

This is mostly related to GCP Terraform resources.

Desired Behavior

SARIF files should upload successfully to GitHub Advanced Security as in previous releases.

Actual Behavior

The action fails during the upload step with v0.34.0.

Reproduction Steps

1. Use `@aquasecurity/trivy-action@v0.34.0` in your workflow.
2. Scan your project, generate a SARIF file, and attempt to upload it to GitHub Advanced Security.
3. Observe that the upload fails, while it worked as expected in v0.33.1.

Target

Filesystem

Scanner

Misconfiguration

Output Format

SARIF

Mode

Standalone

Debug Output

no

Operating System

Github Trivy Action

Version

v0.69.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @obounaim
Thanks for your report!

Can you share more info (logs, wrong file, etc.) about your issue?

Regards, Dmitriy

[obounaim]

Hey, at this point I am really not sure what file or terraform resource is causing the issue. We had similar issues in the past when trying to scan GCP Terraform resources. It got fixed with newer versions of trivy and now it is back.

We are roll backing to trivy version v0.65.0 to stop the error from happening.

Error:
Code Scanning could not process the submitted SARIF file: locationFromSarifResult: expected artifact location

cause":"Code Scanning could not process the submitted SARIF file:\nlocationFromSarifResult: expected artifact location","exception":"Error: Code Scanning could not process the submitted SARIF file:\nlocationFromSarifResult: expected artifact location\n at run (/home/runner/_work/_actions/github/codeql-action/v4/lib/upload-sarif-action.js:111293:130)\n at async runWrapper (/home/runner/_work/_actions/github/codeql-action/v4/lib/upload-sarif-action.js:111316:5)

[DmitriyLewen]

IIUC this is a similar situation:
#7905

Can you check your sarif report file and send me result with empty artifactLocation.uri field?