
[BUG][code-analyzer] Title: SARIF output contains results missing physicalLocation, causing GitHub Code Scanning upload failures #1970

@patrykacc

Description


Have you tried to resolve this issue yourself first?

  • I confirm I have gone through the above steps and still have an issue to report.

Bug Description

When running sf code-analyzer run, the generated SARIF file includes several result objects that contain logicalLocations (e.g., Apex Class names) but are missing the physicalLocation property (the specific file URI and line numbers).

According to the SARIF specification and GitHub's ingestion requirements, a result intended for code scanning must be anchored to a physical artifact. When these "homeless" results are present, the GitHub upload-sarif action fails with the error: `locationFromSarifResult: expected artifact location`

Steps to Reproduce:

  1. Run the analyzer on a Salesforce project:

     ```bash
     sf code-analyzer run --target "./force-app" --workspace "./force-app" --output-file scan.sarif
     ```

  2. Attempt to upload the resulting file to GitHub using github/codeql-action/upload-sarif.

The upload fails because of results like the following found in the SARIF:

```json
{
  "ruleId": "AvoidHardcodingConfigurations",
  "locations": [
    {
      "logicalLocations": [
        {
          "fullyQualifiedName": "SomeClassName",
          "kind": "class"
        }
      ]
      // ERROR: physicalLocation object is missing here
    }
  ]
}
```
Expected Behavior:
Every result in the SARIF file should either:

  • Include a valid physicalLocation with a relative uri.
  • Be omitted from the SARIF output if no physical file location can be determined, as these results cannot be rendered in GitHub Code Scanning.

Actual Behavior:
The scanner produces results that only identify the logical structure (Apex Class), which causes the entire SARIF file to be rejected by GitHub's API.

Output / Logs

Steps To Reproduce

  1. Run: sf code-analyzer run --target "./force-app" --workspace "./force-app" --output-file scan.sarif
  2. Attempt to upload the resulting file to GitHub using github/codeql-action/upload-sarif.
  3. An error about the artifact location is thrown.

Expected Behavior

Include a valid physicalLocation with a relative uri, allowing the report to be processed.

Operating System

Ubuntu 24.04.4 LTS

Salesforce CLI Version

2.117.7

Code Analyzer Plugin (code-analyzer) Version

5.8.0

Node Version

20.19.6

Java Version

No response

Python Version

No response

Additional Context (Screenshots, Files, etc)

No response

Workaround

No response

Urgency

Low
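Until the analyzer stops emitting results anchored only to a logicalLocation, a pre-upload filter can drop such "homeless" results (the second option under Expected Behavior) and report what was removed. This is an added example, not part of the code-analyzer plugin; the SARIF snippet it runs on is constructed to mirror the shape in this report, and the rule id `ConstructedRuleId` is a placeholder.

```python
"""Drop SARIF results that carry no physicalLocation before uploading to
GitHub Code Scanning, and report what was dropped. Added example, not
code from the code-analyzer project."""
import copy
import json
from typing import Any


def has_physical_location(result: dict[str, Any]) -> bool:
    """True if at least one location has physicalLocation.artifactLocation.uri."""
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            return True
    return False


def filter_homeless_results(sarif: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (cleaned copy of the log, descriptions of dropped results).
    The input log is left untouched so the original scan can still be audited."""
    cleaned = copy.deepcopy(sarif)
    dropped: list[str] = []
    for run in cleaned.get("runs", []):
        kept = []
        for res in run.get("results", []):
            if has_physical_location(res):
                kept.append(res)
                continue
            # Record the logical names so the dropped finding is not silently lost.
            names = [ll.get("fullyQualifiedName", "?")
                     for loc in res.get("locations", [])
                     for ll in loc.get("logicalLocations", [])]
            dropped.append(f"{res.get('ruleId')} @ {','.join(names) or '<no location>'}")
        run["results"] = kept
    return cleaned, dropped


# Constructed sample in the shape described in the issue (not real scanner output).
SAMPLE_SARIF: dict[str, Any] = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "code-analyzer"}}, "results": [
        {"ruleId": "AvoidHardcodingConfigurations",
         "locations": [{"logicalLocations": [{"fullyQualifiedName": "SomeClassName", "kind": "class"}]}]},
        {"ruleId": "ConstructedRuleId",  # placeholder rule id
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "force-app/main/default/classes/Foo.cls"},
                                             "region": {"startLine": 12}}}]},
    ]}],
}

if __name__ == "__main__":
    cleaned_log, dropped_list = filter_homeless_results(SAMPLE_SARIF)
    for entry in dropped_list:
        print("dropped:", entry)
    print(json.dumps(cleaned_log, indent=2))
```

To use it on a real scan, load `scan.sarif` with `json.load`, pass it to `filter_homeless_results`, and write the cleaned dict back out before the upload-sarif step.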
