Rule tags in SARIF file exceed limits

[stephenegriffin]

Select Topic Area

Question

Body

I'm working on MAPIStubLibrary. On my security tab, I've got a warning:
Code scanning: one or more analysis tools are reporting problems CodeQL is reporting warnings. Check the [status page](https://github.com/microsoft/MAPIStubLibrary/security/code-scanning/tools/CodeQL/status/configurations/api/74a8c85dff2dda02661ba4c491e7edc7db4d2491e021ce53e5df7e05ec472af1) for help.

When I follow that link, I see this:
Rule tags in SARIF file exceed limits The rule SM01718 in an uploaded SARIF file had 11 tags which is more than our limit of 10. Only 10 tags were stored for that rule, the additional ones were ignored.

You can edit the @tags metadata property of your query and remove some tags.

[Learn more about CodeQL query metadata](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/). [Learn more about limits in SARIF uploads](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#validating-your-sarif-file).

But there are no details about what SARIF file caused this problem, or how I could go about locating this file. I can't even identify which action is supposed to have generated this broken file.

As far as I'm aware, actions generate SARIF files, but they "upload" them to some nebulous location github where no one can actually view them. I've never actually seen a SARIF file myself. I tried configuring an action to SARIF files to artifacts but got a file sharing violation. The documentation on SARIF result limits does list this warning but has no prescriptive guidance on dealing with it.

So - what am I actually supposed to do about this warning? How do I determine which action is triggering it? Is there some way to see the SARIF files we're generating in our actions so we can try to analyze why they may be triggering the warning?

[stephenegriffin]

Screenshot of the warning:

When I click on last scan it just takes me to a commit. Under the ... I have an option to "Download list of rules used" which gives me a file that looks like this:
Configuration,Rule Source,Sarif Identifier,Alerts
"",CodeQL (2.19.2),SM01718,0
"",CodeQL (2.19.2),SM01733,0
"",CodeQL (2.19.2),SM01921,0
"",CodeQL (2.19.2),SM01922,0
"",CodeQL (2.19.2),SM01923,0
...
I can't find SM01718 anywhere else on the internet, except it's also the same rule being reported for MFCMAPI

[stephenegriffin]

Found this link internally: https://liquid.microsoft.com/Web/Object/Read/ScanningToolWarnings/Requirements/CodeQL.SM01718#Zguide

[stephenegriffin]

Issue is now resolved
Steps I took before issue vanished:

• Used .gitattributes to remove files from scanning that were polluting github's language detection (like thinking there was python in the repo)
• used gh api to delete the codeql database (suspect this did not help)
• used gh api to list and delete all analyses associated with the repo
  After that last step, github reverted back to thinking code scanning wasn't even enabled on the repo, so the error was gone. Once changes committed, codeql scanning took place again and security tab now shows all tools (including codeql) working as expected

[stephenegriffin]

And the issue came back. Can anyone explain what this error means and how to properly resolve it?