Emit fixes local to the result, not as an aggregate

[kristof-mattei]

Fix for #5421

Testing https://github.com/returntocorp/semgrep/blob/5dbf6dd47ab4fda6e9dc8dec42b90fce24d1fd82/semgrep/tests/e2e/snapshots/test_output/test_sarif_output_with_autofix/results.sarif against https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/CommitteeSpecifications/2.1.0/sarif-schema-2.1.0.json validates 100%.

I don't want to use that url though as the $schema in the files we generate, as that is not the spec.

PR checklist:

• Documentation is up-to-date
• Changelog is up-to-date
  didn't update as the prefix 'fixes' is still under 'unreleased': https://github.com/returntocorp/semgrep/blob/develop/CHANGELOG.md#added
• Change has no security implications (otherwise, ping security team)

[CLAassistant]

All committers have signed the CLA.

[kristof-mattei]

@ajbt200128 trying with https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json, which is the latest version.

[ajbt200128]

@ajbt200128 trying with https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json, which is the latest version.

Great, if it works, make sure to regenerate the tests so the output contains the new schema url :)

[kristof-mattei]

@ajbt200128 had to join text into a single string as the scheme doesn't allow for []. Ran tests, merged in changes. LMK.

[ajbt200128]

@ajbt200128 had to join text into a single string as the scheme doesn't allow for []. Ran tests, merged in changes. LMK.

Good catch, can you escape the newlines though instead of removing them? That'd be in accordant w/ the json specs. After that we should be good

[kristof-mattei]

@ajbt200128 I didn't remove them. text is an array when it comes from semgrep, and then they are joined with \n:
https://github.com/returntocorp/semgrep/pull/5425/files#diff-9a6ebaf633a3e083e4a7792fb44df39b96d443dc8641055c8cabc5f50bf8f3baR75

[ajbt200128]

@kristof-mattei my bad, I misread, but either way, they should be joined with escaped new lines, as per the json spec

[kristof-mattei]

@ajbt200128 they are escaped in the rendered output:

❯ python3
Python 3.10.4 (main, Mar 23 2022, 20:25:24) [GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import json
>>> foo = ["hello", "world"]
>>> bar = { "foo": "\n".join(foo) }
>>> bar
{'foo': 'hello\nworld'}
>>> json.dumps(bar)
'{"foo": "hello\\nworld"}'
>>>

[ajbt200128]

great!

[ajbt200128]

Looks good!

[aryx]

@ajbt200128 can you push this on the finish line?

[michael-schwarz]

It would be nice if this could be merged soon, it's quite annoying to have the CI jobs fail on every commit because of this. 😄