Describe the bug
The sarif formatter only checks PackageDependencies when collecting findings for a package, so it misses findings whose purl matched a BuildDependency. Rules like github_action_from_unverified_creator_used assign findings a purl corresponding to a GitHub Actions build dependency, which caused those findings to appear in 'pretty' output but not in 'sarif' output.
To Reproduce
Compare the output of the sarif and pretty formatters on a repository where rules like github_action_from_unverified_creator_used fail.
Expected behavior
The sarif and pretty formatters should report the same list of violations.
I've prepared a fix in a fork. If the maintainer acknowledges this as an issue, I'll create a pull request with the fix. Thanks!
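To make the discrepancy concrete, here is a small Go model of the lookup described in the report, written for this issue page and not taken from the project's code. The `Package` and `Finding` types, the `purlSet`/`collect` helpers, the sample purls and the two `hypothetical_*` rule ids are assumptions; only `github_action_from_unverified_creator_used` is a rule name from the report. `collectPackageDepsOnly` reproduces the defective behaviour (matching findings against PackageDependencies alone), `collectAllDeps` matches against both dependency lists, and `missingFromSarif` shows which violations the defective path drops.

```go
package main

import (
	"fmt"
	"sort"
)

// Simplified model of a scanned package (assumption: not the project's own types).
type Package struct {
	Purl                string   // purl of the scanned repository/package itself
	PackageDependencies []string // dependencies declared by the package manifest
	BuildDependencies   []string // dependencies pulled in by the build pipeline (e.g. GitHub Actions)
}

// Finding is a rule violation; Purl identifies the package or dependency it concerns.
type Finding struct {
	RuleID string
	Purl   string
}

// purlSet builds a lookup set from the package's own purl plus any dependency lists.
func purlSet(own string, lists ...[]string) map[string]bool {
	set := map[string]bool{own: true}
	for _, l := range lists {
		for _, p := range l {
			set[p] = true
		}
	}
	return set
}

// collect keeps the findings whose purl is in the given set, preserving order.
func collect(findings []Finding, known map[string]bool) []Finding {
	var out []Finding
	for _, f := range findings {
		if known[f.Purl] {
			out = append(out, f)
		}
	}
	return out
}

// collectPackageDepsOnly mirrors the reported defect: only PackageDependencies are
// consulted, so a finding keyed to a BuildDependency purl is silently dropped.
func collectPackageDepsOnly(pkg Package, findings []Finding) []Finding {
	return collect(findings, purlSet(pkg.Purl, pkg.PackageDependencies))
}

// collectAllDeps is the corrected lookup: a finding belongs to the package when its
// purl matches the package itself, a package dependency, or a build dependency.
func collectAllDeps(pkg Package, findings []Finding) []Finding {
	return collect(findings, purlSet(pkg.Purl, pkg.PackageDependencies, pkg.BuildDependencies))
}

// ruleIDs returns the sorted rule ids of a finding slice (easy to diff between formatters).
func ruleIDs(fs []Finding) []string {
	ids := make([]string, 0, len(fs))
	for _, f := range fs {
		ids = append(ids, f.RuleID)
	}
	sort.Strings(ids)
	return ids
}

// missingFromSarif lists the rule ids the defective lookup drops relative to the
// corrected one: the violations that show up in 'pretty' output but not in 'sarif'.
func missingFromSarif(pkg Package, findings []Finding) []string {
	seen := map[string]bool{}
	for _, id := range ruleIDs(collectPackageDepsOnly(pkg, findings)) {
		seen[id] = true
	}
	var missing []string
	for _, id := range ruleIDs(collectAllDeps(pkg, findings)) {
		if !seen[id] {
			missing = append(missing, id)
		}
	}
	return missing
}

// sameIDs compares two sorted id slices element by element.
func sameIDs(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// sampleData is constructed input: purls and the hypothetical_* rule ids are placeholders.
func sampleData() (Package, []Finding) {
	pkg := Package{
		Purl:                "pkg:github/example-org/example-repo",
		PackageDependencies: []string{"pkg:npm/example-lib@1.2.3"},
		BuildDependencies:   []string{"pkg:githubactions/example-creator/example-action@v1"},
	}
	findings := []Finding{
		{RuleID: "github_action_from_unverified_creator_used", Purl: "pkg:githubactions/example-creator/example-action@v1"},
		{RuleID: "hypothetical_dependency_rule", Purl: "pkg:npm/example-lib@1.2.3"},
		{RuleID: "hypothetical_repository_rule", Purl: "pkg:github/example-org/example-repo"},
		{RuleID: "hypothetical_repository_rule", Purl: "pkg:github/other-org/other-repo"}, // belongs to another package
	}
	return pkg, findings
}

func main() {
	pkg, findings := sampleData()
	fmt.Println("package-deps-only:", ruleIDs(collectPackageDepsOnly(pkg, findings)))
	fmt.Println("all dependencies :", ruleIDs(collectAllDeps(pkg, findings)))
	fmt.Println("dropped          :", missingFromSarif(pkg, findings))
}
```

Running it prints the GitHub Actions finding only on the "all dependencies" line, which is the shape of the pretty-vs-sarif difference: a formatter that builds its lookup set from one dependency list will under-report exactly the rules whose findings are keyed to the other list, so a regression test that compares the rule ids emitted by both formatters on the same scan is a cheap guard against this class of bug.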