Adjust SARIF format to Github Code Scanning #128

@baruchiro

Description

You can upload a SARIF file to GitHub, and in #71 we added a SARIF output format.

If you try to upload this SARIF, you will find that the property `artifactLocation` is wrong, with the error `locationFromSarifResult: expected artifact location`.

Steps to reproduce:

  1. Fork this repo
  2. Enable Code Scanning for the repo
  3. Scan it with 2ms (`go run . git . --report-path results.sarif`)
  4. Upload an analysis as SARIF data. I created a script for you; save it and run it as a bash script:
```bash
#!/usr/bin/env bash
# GitHub CLI api
# https://cli.github.com/manual/gh_api
set -euo pipefail

# Code Scanning expects the SARIF gzip-compressed and base64-encoded
sarif=$(gzip -c results.sarif | base64 -w0)
commit=$(git rev-parse HEAD)
# ask the user for the repo name
read -r -p "Enter the repo name (OWNER/REPO): " repo

response=$(gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$repo/code-scanning/sarifs" \
  -f commit_sha="$commit" \
  -f ref='refs/heads/main' \
  -f sarif="$sarif")

sarifID=$(echo "$response" | jq -r '.id')
echo "SARIF ID: $sarifID"

# wait for SARIF to be processed
echo "Waiting for SARIF to be processed..."
sleep 10

# fetch the upload status; processing_status and errors explain a failed upload
response=$(gh api \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$repo/code-scanning/sarifs/$sarifID")

echo "$response"
```
  5. You will see this response:

```json
{
  "processing_status": "failed",
  "errors": [
    "locationFromSarifResult: expected artifact location, locationFromSarifResult: expected artifact location"
  ]
}
```

You need to check if we can omit this artifactLocation, or if we have to fill it.
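A pre-upload check for the property the error message names, added here as an example and not part of 2ms or of the issue. The SARIF document is constructed; the only assumption is that GitHub wants a non-empty `physicalLocation.artifactLocation.uri` on every result location, which is what the reported error implies.

```python
import json

# Constructed sample: two results, one with a proper artifactLocation and one
# whose physicalLocation carries no artifactLocation at all.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "2ms"}},
        "results": [
            {"ruleId": "generic-api-key", "message": {"text": "secret found"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/app.yaml"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "generic-api-key", "message": {"text": "secret found"},
             "locations": [{"physicalLocation": {
                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def missing_artifact_locations(sarif):
    """Return (run_index, result_index, location_index) for every result
    location whose physicalLocation has no non-empty artifactLocation.uri.
    Assumption: this is the condition behind GitHub's
    "locationFromSarifResult: expected artifact location" error."""
    problems = []
    for r, run in enumerate(sarif.get("runs", [])):
        for i, result in enumerate(run.get("results", [])):
            for l, loc in enumerate(result.get("locations") or []):
                uri = (loc.get("physicalLocation") or {}) \
                    .get("artifactLocation", {}) \
                    .get("uri")
                if not isinstance(uri, str) or not uri:
                    problems.append((r, i, l))
    return problems


def check_sarif_file(path):
    """Load a SARIF file from disk and run the same check on it."""
    with open(path, encoding="utf-8") as fh:
        return missing_artifact_locations(json.load(fh))


if __name__ == "__main__":
    for r, i, l in missing_artifact_locations(SAMPLE_SARIF):
        print(f"run {r} result {i} location {l}: missing artifactLocation.uri")
```

Running `check_sarif_file("results.sarif")` before the upload script points at the exact results GitHub will reject, instead of the aggregated error string returned after processing.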

Labels

bug (Something isn't working), good first issue (Good for newcomers)