praetorian-inc / gokart

A static analysis tool for securing Go code
Apache License 2.0

Outputting results to SARIF file also records stdout messages #71

Closed beckler closed 2 years ago

beckler commented 2 years ago

I was trying to use SARIF files written by gokart, but noticed that when they identify issues, they seem to record some messages that seem destined for stdout.

Here's an example:

This is the command I ran: gokart scan -s -o results.sarif . The raw file output is listed below; notice that the last line is:

Identified 2 potential CWE-78: OS Command Injection

It isn't present when there are no identified issues.

{
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "GoKart",
          "informationUri": "https://github.com/praetorian-inc/gokart"
        }
      },
      "results": [
        {
          "ruleId": "CWE-78: OS Command Injection",
          "message": {
            "text": "Danger: possible command injection detected"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "REDACTED"
                },
                "region": {
                  "startLine": 22,
                  "endLine": 22
                }
              }
            }
          ]
        },
        {
          "ruleId": "CWE-78: OS Command Injection",
          "message": {
            "text": "Danger: possible command injection detected"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "REDACTED"
                },
                "region": {
                  "startLine": 44,
                  "endLine": 44
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
Identified 2 potential CWE-78: OS Command Injection
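The check a SARIF consumer could run to catch exactly this condition, written here as an added example in Go (not code from the gokart project): it decodes one JSON value, counts the results, and returns any non-whitespace bytes that follow the object. The sample document is constructed and only mirrors the shape of the output above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// sarifLog is the minimal subset of SARIF 2.1.0 this check needs;
// fields it does not declare (tool, locations, ...) are ignored by encoding/json.
type sarifLog struct {
	Version string `json:"version"`
	Runs    []struct {
		Results []struct {
			RuleID string `json:"ruleId"`
		} `json:"results"`
	} `json:"runs"`
}

// CheckSARIF decodes exactly one JSON value and reports how many results it
// holds plus whatever non-whitespace text follows it. json.Unmarshal would
// reject such a file outright ("invalid character ... after top-level value"),
// so the trailing text is returned verbatim to make the cause visible.
func CheckSARIF(data []byte) (int, string, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	var doc sarifLog
	if err := dec.Decode(&doc); err != nil {
		return 0, "", fmt.Errorf("not valid SARIF JSON: %w", err)
	}
	if doc.Version != "2.1.0" {
		return 0, "", fmt.Errorf("unexpected SARIF version %q", doc.Version)
	}
	// InputOffset marks the end of the decoded object; anything after it is not SARIF.
	trailing := strings.TrimSpace(string(data[int(dec.InputOffset()):]))
	results := 0
	for _, run := range doc.Runs {
		results += len(run.Results)
	}
	return results, trailing, nil
}

// Constructed sample mirroring the issue: a valid SARIF log followed by a stdout line.
const SampleWithTrailing = `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"GoKart"}},
"results":[{"ruleId":"CWE-78: OS Command Injection","message":{"text":"Danger"}},
{"ruleId":"CWE-78: OS Command Injection","message":{"text":"Danger"}}]}]}
Identified 2 potential CWE-78: OS Command Injection
`

func main() {
	n, extra, err := CheckSARIF([]byte(SampleWithTrailing))
	fmt.Printf("results=%d trailing=%q err=%v\n", n, extra, err)
}
```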

beckler commented 2 years ago

Sorry... false alarm! I didn't immediately realize I was running a fairly out-of-date version of this...