
Message string for each result in SARIF report. #199

Open
yongyan-gh opened this issue Nov 15, 2021 · 1 comment
Labels
enhancement New feature or request

Comments

yongyan-gh (Contributor) commented Nov 15, 2021

Please consider creating message strings for each instance of a rule violation (result).
A message string should contain enough information to enable a user to resolve the problem. It can include dynamic information that indicates the instance of a rule violation, e.g. "{0} in the '{1}' organization's '{2}' project are currently exposed to builds for repository forks."
A tutorial about message strings can be found at https://github.com/microsoft/sarif-tutorials/blob/main/docs/Authoring-rule-metadata-and-result-messages.md#message-strings

Related Issue: #33

@VeraBE VeraBE added this to the Committed Backlog milestone Nov 15, 2021
@VeraBE VeraBE added the enhancement New feature or request label Nov 15, 2021
JohnathonMohr (Contributor) commented

PowerShell results especially don't play well with SARIF right now because we're limited by the strings the ARM TTK outputs for descriptions, and the SARIF writer assumes each rule will have a standard description that's constant for all violations, in addition to a possible instance-specific message for failures.

  • The JSON rules have a standard description that's the same for all rules, but lacks instance-specific messaging.
  • The TTK has instance-specific messaging, but no standard description (failures simply write to the console output, and BPA captures those messages, which contain details of the specific failures).
    • This means the first violation of a given PowerShell rule becomes the "standard description" for all other violations, which is really confusing when the description contains mentions of specific items in the template that only apply to the first violation.

Some thought is needed in designing a messaging system that will work for rules in general (JSON rules can use it immediately). The PowerShell rule messaging can be updated to work properly once a proper PowerShell engine is implemented (that isn't just a wrapper around TTK).
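As an added illustration (not code from this issue or from the project), here is how SARIF 2.1.0 expresses what both comments ask for: the rule carries one constant description plus `messageStrings` with `{n}` placeholders, and each result references a message string by `message.id` and supplies only its own `arguments`, so two violations of the same rule render different texts without the first one becoming the rule's description. The rule id, texts and file name are constructed for the example.

```python
import re

# Rule metadata in SARIF 2.1.0 shape: one constant description per rule plus
# named message strings whose {n} placeholders are filled per result. The rule
# id and texts are constructed for this example, not from any real analyzer.
RULE = {
    "id": "EXAMPLE-001",  # hypothetical rule id
    "shortDescription": {"text": "Pipelines are exposed to repository forks."},
    "messageStrings": {
        "default": {"text": "{0} in the '{1}' organization's '{2}' project are "
                            "currently exposed to builds for repository forks."}
    },
}

def make_result(rule, message_id, arguments, uri):
    """Build one result that points at a rule message string by id and
    carries only the instance-specific values for its placeholders."""
    if message_id not in rule["messageStrings"]:
        raise KeyError(f"rule {rule['id']} has no message string {message_id!r}")
    return {
        "ruleId": rule["id"],
        "level": "warning",
        "message": {"id": message_id, "arguments": list(arguments)},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}],
    }

def render_message(rule, result):
    """Resolve a result's text the way a SARIF viewer does: look up message.id
    in the rule's messageStrings and substitute {n}; '{{' and '}}' are literal
    braces. IndexError means the result supplied too few arguments."""
    template = rule["messageStrings"][result["message"]["id"]]["text"]
    args = result["message"].get("arguments", [])
    def fill(m):
        if m.group(0) in ("{{", "}}"):
            return m.group(0)[0]
        return args[int(m.group(1))]
    return re.sub(r"\{\{|\}\}|\{(\d+)\}", fill, template)

def build_log(rule, results):
    """Assemble a minimal SARIF log: rule metadata appears once, results many."""
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "example-analyzer", "rules": [rule]}},
                      "results": results}]}

if __name__ == "__main__":
    r1 = make_result(RULE, "default", ["2 pipelines", "contoso", "payments"], "ci.yml")
    print(render_message(RULE, r1))
```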
