[BUG] SARIF export fails validation

[safejulian]

Is there an existing issue for this?

• I have searched the existing issues.

Current Behavior

Running nuclei with -se filename.sarif generates a SARIF file.

Uploading the SARIF file to a GitHub repository works, but there isn't much information shown to the team.

After uploading the generated file to Microsoft's SARIF validator to see what is missing, the validator shows some failing validation rules.

Expected Behavior

Running nuclei with the -se filename.sarif option should generate a SARIF file that passes validation. This ensures that the findings in the SARIF file are easily readable after import (for example, in GitHub Advanced Security).

Steps To Reproduce

1. Run nuclei -u https://honey.scanme.sh --tags misconfig -se report.sarif
2. Upload report.sarif to the SARIF Validator
3. Review findings

Relevant log output

Environment

- OS: MacOS 15.7.4
- Nuclei: v3.7.1 via homebrew
- Go:

Anything else?

I have PRs ready to fix this.

[dwisiswant0]

Can you share that SARIF file (with any sensitive info redacted, obviously)? I'm not getting much context from your screenshot, but the error is showing that, if I had to guess, it needs to be unique, which your PR fix doesn't actually resolve that.

[safejulian]

Can you share that SARIF file (with any sensitive info redacted, obviously)? I'm not getting much context from your screenshot, but the error is showing that, if I had to guess, it needs to be unique, which your PR fix doesn't actually resolve that.

Hey @dwisiswant0 - happy to share more details. We work with someone who has some templates in a private repo. The SARIF output is readable by GitHub, but once the SARIF is ingested by GitHub, the GHAS Code Scanning alerts don't give the developers much feedback. I'll share more detail in this thread.

I am finishing up a PR in for nuclei that will depend on the PR for the sarif project. I hope that will also clarify things.

This is my first contribution to this GitHub organization, and first GoLang contribution; happy to take feedback!

[safejulian]

Hey @dwisiswant0 I have updated this issue description with the screenshot of what a nuclei finding looks like in GitHub. I'll get the nuclei PR pushed ASAP.

[dwisiswant0]

Hi, thanks for coming back. But unfortunately I'm still not seeing any SARIF files attached there.

[safejulian]

Sorry! Here it is, renamed to satisfy GitHub's file upload. honey.sarif.json

[dwisiswant0]

Like I mentioned before, I don't think your PR is actually going to resolve the "[there] isn't much information [shown to the team]" issue. IMO, if we want to handle that kind of enrichment properly, it really needs to happen further downstream, here on Nuclei instead.

I've tried reproducing the SARIF file using your patch on the upstream side, ran it through SARIF Validator, and the results were exactly the same as before. I also went ahead and validated (https://www.jsonschemavalidator.net) the SARIF against the full 2.1.0 spec just to be sure, and it passed without any issues.

So, given that the spec is being met but the core problem remains, I still feel like we're looking at the wrong spot for the fix.

[dwisiswant0]

I've already got the patches prepped for both downstream & upstream to make the whole thing a lot more enriched with extra context and significantly easier to triage when issues pop up.

Everything is pretty much good to go on my end, just putting some final touches on it and polishing a bit rn.

[safejulian]

Hey @dwisiswant0

Sorry for the confusion! I thought you were asking for the original SARIF output to reproduce the issue, but you wanted to see the improved SARIF.

I have been working in a nuclei fork to address some of the validation problems, which depends on the PR for the SARIF library. I've been distracted by other things so am not ready to make a nuclei PR right now.

The screenshot that you've shared looks great, so I'll wait for your change - it could fix the issue for my developers.

Thanks for your patience.