feat(report): set location.message (aquasecurity#3002)

Signed-off-by: Craig Andrews <candrews@integralblue.com>

pkg/report/sarif.go

@@ -56,6 +56,7 @@ type sarifData struct {
 	url              string
 	resultIndex      int
 	artifactLocation string
+	locationMessage  string
 	message          string
 	cvssScore        string
 	startLine        int
@@ -104,7 +105,7 @@ func (sw *SarifWriter) addSarifResult(data *sarifData) {
 		WithRuleIndex(data.resultIndex).
 		WithMessage(sarif.NewTextMessage(data.message)).
 		WithLevel(toSarifErrorLevel(data.severity)).
-		WithLocations([]*sarif.Location{sarif.NewLocation().WithPhysicalLocation(location)})
+		WithLocations([]*sarif.Location{sarif.NewLocation().WithMessage(data.locationMessage).WithPhysicalLocation(location)})
 	sw.run.AddResult(result)
 }
 
@@ -148,6 +149,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 				url:              vuln.PrimaryURL,
 				resourceClass:    string(res.Class),
 				artifactLocation: path,
+				locationMessage:  fmt.Sprintf("%v: package %v@%v", path, vuln.PkgName, vuln.InstalledVersion),
 				resultIndex:      getRuleIndex(vuln.VulnerabilityID, ruleIndexes),
 				fullDescription:  html.EscapeString(fullDescription),
 				helpText: fmt.Sprintf("Vulnerability %v\nSeverity: %v\nPackage: %v\nFixed Version: %v\nLink: [%v](%v)\n%v",
@@ -167,6 +169,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 				url:              misconf.PrimaryURL,
 				resourceClass:    string(res.Class),
 				artifactLocation: target,
+				locationMessage:  target,
 				startLine:        misconf.CauseMetadata.StartLine,
 				endLine:          misconf.CauseMetadata.EndLine,
 				resultIndex:      getRuleIndex(misconf.ID, ruleIndexes),
@@ -188,6 +191,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 				url:              builtinRulesUrl,
 				resourceClass:    string(res.Class),
 				artifactLocation: target,
+				locationMessage:  target,
 				startLine:        secret.StartLine,
 				endLine:          secret.EndLine,
 				resultIndex:      getRuleIndex(secret.RuleID, ruleIndexes),

pkg/report/sarif_test.go

@@ -96,6 +96,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 					Message:   sarif.Message{Text: toPtr("Package: foo\nInstalled Version: 1.2.3\nVulnerability CVE-2020-0001\nSeverity: HIGH\nFixed Version: 3.4.5\nLink: [CVE-2020-0001](https://avd.aquasec.com/nvd/cve-2020-0001)")},
 					Locations: []*sarif.Location{
 						{
+							Message: "library/test: package foo@1.2.3",
 							PhysicalLocation: &sarif.PhysicalLocation{
 								ArtifactLocation: &sarif.ArtifactLocation{
 									URI:       toPtr("library/test"),
@@ -149,6 +150,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 					Message:   sarif.Message{Text: toPtr("Artifact: library/test\nType: \nVulnerability KSV001\nSeverity: HIGH\nMessage: Message\nLink: [KSV001](https://avd.aquasec.com/appshield/ksv001)")},
 					Locations: []*sarif.Location{
 						{
+							Message: "library/test",
 							PhysicalLocation: &sarif.PhysicalLocation{
 								ArtifactLocation: &sarif.ArtifactLocation{
 									URI:       toPtr("library/test"),
@@ -171,6 +173,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 					Message:   sarif.Message{Text: toPtr("Artifact: library/test\nType: \nVulnerability KSV002\nSeverity: CRITICAL\nMessage: Message\nLink: [KSV002](https://avd.aquasec.com/appshield/ksv002)")},
 					Locations: []*sarif.Location{
 						{
+							Message: "library/test",
 							PhysicalLocation: &sarif.PhysicalLocation{
 								ArtifactLocation: &sarif.ArtifactLocation{
 									URI:       toPtr("library/test"),
@@ -263,6 +266,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 					Message:   sarif.Message{Text: toPtr("Artifact: library/test\nType: \nSecret AWS Secret Access Key\nSeverity: CRITICAL\nMatch: 'AWS_secret_KEY'=\"****************************************\"")},
 					Locations: []*sarif.Location{
 						{
+							Message: "library/test",
 							PhysicalLocation: &sarif.PhysicalLocation{
 								ArtifactLocation: &sarif.ArtifactLocation{
 									URI:       toPtr("library/test"),