[SARIF Multitool] merge command generates SARIF with multiple runs

[eddynaka]

How to simulate:

Use the attached example.zip and execute the command: sarif merge *.sarif --output-file merged.sarif --force

Current behavior:

The merged SARIF file creates one run with one rule for each distinct rules/results/tool you have in the SARIF.

Expected behavior:

The merged SARIF should contain:

• multiple runs if we have multiple versions of tools
• single run if we have multiple SARIFs with the same tool/versioning but different results

[eddynaka]

@marmegh this is one of the issues that I saw when running the E2E pipeline.

[marmegh]

@yongyan-gh, this is one of the issues discussed today.
cc: @EasyRhinoMSFT, @shaopeng-gh

[yongyan-gh]

There is a command argument merge-runs for merge command is to merge multiple runs by same tool + version. But it's not working properly.

sarif-sdk/src/Sarif.Multitool.Library/MergeOptions.cs

Lines 33 to 37 in 698adb6

	[Option(
	"merge-runs",
	HelpText = "Merge runs of the same tool + verion combination (requires " +
	"eliding run-specific details such as invocations data.")]
	public bool MergeRuns { get; set; }

So I created the fix PR based on the assumption:

• By default, the merge command merges multiple runs by rule id + tool + version.
• If merge-runs argument is set, the merge command merges multiple runs by tool + version.

Please review detail fix in the PR.

Thanks