feat: further error re-classification

[NlightNFotis]

Description

This PR adds some further error classification for issues we observe in telemetry, along with a re-classification of InvalidSarifUploadErrors as user-errors.

Merge / deployment checklist

NOTE: This is an internal/telemetry change, and doesn't affect users in any way that would induce the need to update either the readme or the changelog file.

• Confirm this change is backwards compatible with existing workflows.
• Confirm the readme has been updated if necessary.
• Confirm the changelog has been updated if necessary.

[Copilot]

Pull Request Overview

This PR refines how error classification is handled in telemetry by re-classifying InvalidSarifUploadError as a user error and improving error message matching for configuration and upload errors. Key changes include:

• Updating error classification functions (shouldConsiderConfigurationError and shouldConsiderInvalidRequest) to use substring matching.
• Modifying the getActionsStatus logic to treat InvalidSarifUploadError as a user-error.
• Extending API client error handling to cover additional error message conditions.

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/upload-lib.ts	Updated error classification logic and exported the helper functions.
src/upload-lib.test.ts	Added tests validating new error classification behavior for configuration and invalid request errors.
src/status-report.ts & lib/status-report.js	Modified getActionsStatus to include InvalidSarifUploadError handling.
src/api-client.ts & lib/api-client.js	Extended error message matching in wrapApiConfigurationError.
Other test files	Added corresponding unit tests verifying updated error handling.

Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more

[Copilot]

Using .includes for matching error messages can potentially lead to false positives if an error string contains an expected substring unintentionally. Consider using stricter matching or regex patterns to ensure only the intended error messages are classified.

[NlightNFotis]

Hi @henrymercer, would it be possible to get a review on this one?

I'd like some further eyes on f21cf0b, as I'm fairly confident the functionality works, but I'm not sure if we are to consider InvalidSarifUploadErrors as user-errors (I've seen discussions leaning both ways).

[henrymercer]

There's an opportunity to provide a better error message here too, for example for bad credentials / not found we could ask whether the job has contents: read and security-events: write permissions.

[NlightNFotis]

Thanks for the suggestion, I have implemented this at 55ee663.

[henrymercer]

This should only be a user error if a third-party tool generated the SARIF. See the handling of InvalidSarifUploadError in src/upload-sarif-action.ts.

[NlightNFotis]

I put some thought into trying to come up with a schema for identifying how to handle this case, and I came to realisation that perhaps the best way to implement this is by passing getActionsStatus an extra parameter indicating whether the analysis is a third party one or not. This would also make it easier to extend it in the future based on this information.

I have implemented this approach in 55ee663.

[henrymercer]

I'd prefer to keep getActionsStatus simple and delegate the task of deciding whether errors are user errors or not to the part of the code where the relevant logic is implemented.

For example, the upload-sarif Action we should catch any InvalidSarifUploadErrors and rethrow them as a ConfigurationError if it's a third-party run. So by the time we reach the top-level status reporting logic, we should only be dealing with InvalidSarifUploadErrors that aren't user errors.

If we're seeing InvalidSarifUploadErrors from third-party runs, there's a bug in the upload-sarif Action — we should fix that to make sure it's wrapping those errors in ConfigurationErrors.

[NlightNFotis]

Thank you, I have re-implemented it this way, managing to repurpose some of the code already written to simplify the code and its handling: 498c7f3

[henrymercer]

How's this possible if we're validating the SARIF against the JSON schema before we try to upload it? I'd be surprised if this was going wrong, but is there a bug in the way we combine the SARIF files?

[aeisenberg]

Are we getting this error when we're doing the validation locally? And if so, does this function catch the error?

If we're getting this error from the server, I would say this is a bug.

[NlightNFotis]

Henry is correct, I misunderstood the error location and thought this was coming from the backend. Judging from the stack trace I've seen, this appears to be coming from the uploadFiles function calling validateSarifFileSchema on each input file, which then fails the validation.

In this case, the upload-sarif-action.ts would be the best location for that, and we also probably want to categorise as a user-error the case where we ourselves are not the producers of a SARIF file with syntax errors.

I have now corrected this at b53826d

[aeisenberg]

Can you convert this to a function in status-report.ts? You are duplicating and negating the call to isFirstPartyAnalysis in enough places that it might be cleaner to just extract it to a separate function.

[henrymercer]

(posting this review so Slack doesn't keep reminding me)

See #2833 (comment)

[henrymercer]

Thanks for addressing the feedback! Looks good, just one suggestion.

[henrymercer]

There's a small chance that by catching any SyntaxError here we miss something genuine. If we put a try/catch around the JSON parse block specifically, and throw an InvalidSarifUploadError if there was invalid JSON, we can avoid that situation.

[NlightNFotis]

Thanks, this is a great suggestion! Added in 676a422