feat(report): add location.message to SARIF output (#3002)

[candrews]

Description

SARIF allows a "message" to be provided for a location and that can have more useful information. See:
https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317675

It would be helpful to set this property so SARIF consumers can display better information. It would be particularly nice if Trivy includes the file and the package name and version (ex, pom.xml:org.yaml:snakeyaml@1.30).

Related issues

• Close Specify location.message in SARIF reports #3002

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[afdesk]

@candrews thanks for your PR!
but I'd like to update the title.
and i can see that you're updating it now. could you write me when you finish? thanks again

[candrews]

I think I'm finished.

I'm having trouble running the tests myself (tinygo is broken in Fedora 37 so I haven't been able to use it), sorry for the noise :(

[candrews]

@afdesk can this be merged now?

If not, please let me know what I can do and I'll get right on it - thank you!

[afdesk]

@candrews thanks!
I've updated a sarif golden file for the integration test.

[candrews]

@candrews thanks! I've updated a sarif golden file for the integration test.

Thank you!

[afdesk]

@candrews could you give me an advice?
it seems this change doesn't affect on the SARIF for github security, right?

[candrews]

it seems this change doesn't affect on the SARIF for github security, right?

According to https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#location-object

location.message.text | Optional. A message relevant to the location.

So GitHub at least knows about this field. I don't know exactly how it will present it in the UI.

FWIW, I'm working on improving SARIF support in general. I'm not testing / developing against GitHub. My use case involves a different tool.

[afdesk]

@candrews thanks! it's ok, I understand your point.
it was just interesting.

[knqyf263]

Thanks