Checkmarx / 2ms

Too many secrets (2MS) helps people protect their secrets on any file or on systems like CMS, chats and git
Apache License 2.0

Adjust SARIF format to Github Code Scanning #128

Open baruchiro opened 1 year ago

baruchiro commented 1 year ago

You can Upload a SARIF file to GitHub, and in #71 we added a SARIF output format.

If you try to upload this SARIF, you will find that the property `artifactLocation` is wrong, with the error `locationFromSarifResult: expected artifact location`.

Steps to reproduce:

  1. Fork this repo
  2. Enable Code Scanning for the repo
  3. Scan it with 2ms (`go run . git . --report-path results.sarif`)
  4. Upload an analysis as SARIF data. I created a script for you, save it and run it as bash script:

```bash
#!/usr/bin/env bash
# GitHub CLI api
# https://cli.github.com/manual/gh_api

sarif=$(gzip -c results.sarif | base64 -w0)
commit=$(git rev-parse HEAD)

# ask the user for the repo name
read -r -p "Enter the repo name (OWNER/REPO): " repo

response=$(gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$repo/code-scanning/sarifs" \
  -f commit_sha="$commit" \
  -f ref='refs/heads/main' \
  -f sarif="$sarif")

sarifID=$(echo "$response" | jq -r '.id')
echo "SARIF ID: $sarifID"

# wait for SARIF to be processed
echo "Waiting for SARIF to be processed..."
sleep 10

response=$(gh api \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$repo/code-scanning/sarifs/$sarifID")

echo "$response"
```

  5. You will see this response:

```json
{
  "processing_status": "failed",
  "errors": [
    "locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location"
  ]
}
```

You need to check if we can omit this artifactLocation, or if we have to fill it.
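As an added example (not 2ms code, and not the check GitHub itself runs): a small Python script that reproduces the condition behind the `expected artifact location` error on a constructed SARIF fragment, and a helper that fills the missing `artifactLocation.uri` from a caller-supplied fallback. The sample log, `load_sample` and `uri_for_result` are assumptions made here.

```python
"""Flag SARIF results GitHub Code Scanning rejects with 'expected artifact
location' and fill in the missing URI."""
import json

# Constructed SARIF fragment (not real 2ms output): result 0 is valid,
# result 1 has a physicalLocation without artifactLocation.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "2ms"}},
    "results": [
        {"ruleId": "generic-api-key", "message": {"text": "ok"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "config/app.env"},
             "region": {"startLine": 3}}}]},
        {"ruleId": "aws-access-token", "message": {"text": "bad"},
         "locations": [{"physicalLocation": {"region": {"startLine": 7}}}]},
    ]}]})

def load_sample():
    """Parse the constructed sample into a SARIF log object."""
    return json.loads(SAMPLE_SARIF)

def missing_artifact_locations(sarif):
    """Return (run_index, result_index) for every result with no location
    carrying physicalLocation.artifactLocation.uri, which is the condition
    behind the upload error above. A result with no locations counts too."""
    missing = []
    for ri, run in enumerate(sarif.get("runs", [])):
        for xi, result in enumerate(run.get("results", [])):
            has_uri = any(
                isinstance((loc.get("physicalLocation") or {})
                           .get("artifactLocation", {}).get("uri"), str)
                for loc in result.get("locations") or [])
            if not has_uri:
                missing.append((ri, xi))
    return missing

def fill_artifact_locations(sarif, uri_for_result):
    """Set artifactLocation.uri on every flagged result using the caller's
    uri_for_result(result) -> str (hypothetical fallback); return the count."""
    filled = 0
    for ri, xi in missing_artifact_locations(sarif):
        result = sarif["runs"][ri]["results"][xi]
        if not result.get("locations"):
            result["locations"] = [{}]  # no locations at all: create one
        for loc in result["locations"]:
            phys = loc.setdefault("physicalLocation", {})
            phys.setdefault("artifactLocation", {})["uri"] = uri_for_result(result)
        filled += 1
    return filled
```

Run `missing_artifact_locations` on the real `results.sarif` before uploading to see which results would trip the check.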

jossef commented 1 year ago

for example image

(Out of scope here, moved to #134)

itay-goldraich commented 11 months ago

I will look into this issue. I've started working on the SARIF in #147.

baruchiro commented 11 months ago

It is strange to me that `artifactLocation` is missing; maybe it was because of #147, so check this issue and maybe you will find it is not reproducible.