Multitool match-results-forward does not properly preserve conversion, taxonomies, or rules

[dbjorge]

Overview

While trying out the Multitool match-results-forward command in an attempt to document how to use it alongside axe-sarif-converter, we hit a variety of blocking issues that prevent us from being able to use it with our tool's sarif output.

The SARIF output files in the microsoft/axe-sarif-converter are the motivating examples; below, the repro steps use a more minimal repro file that demonstrate all the same issues we encountered.

Repro steps:

• Download this repro SARIF file as repro.sarif
• Run the following commands to produce output.sarif:

  dotnet tool install --global sarif.multitool --version 2.1.16
  sarif match-results-forward --previous ./repro.sarif ./repro.sarif --output-file-path ./output.sarif --pretty-print

  ...or, see output.sarif
• Observe the following issues with output.sarif:
  • The original run's conversion section has been omitted
  • The original run's taxonomies section has been omitted
  • The original tool driver's rule at index 0 with id first-rule has been duplicated at index 2
  • The second result (which originally references the rule at index 1 with id second-rule) points to ruleIndex: 2, ruleId: 'second-rule', where ruleIndex 2 is actually the bogus copy of first-rule