The last few commits fix and improve the output's SARIF spec conformance.

Here are some screenshots of how the results look in the GitHub Security Center:

I'm also working on an update to the action.yml for Legitify to upload the SARIF results (see the sarif-action-support branch).

A simple demonstration is available at https://github.com/XpiritUSA/test-legitify.

@chtzvt thanks a lot for this PR! your effort is really appreciated!
Most of my comments are pretty minor. let me know if you have any questions.

It seems that the tests are failing.
one issue is the Aux being nil (see the comment on that), but another issue is that output_format_test.go should have a case for sarif now. Ideally we'll have a thorough tests for that output, but for now would be great to add a "TODO add dedicated tests for sarif output" there

@gal-legit Thanks for your feedback!

I've implemented the changes you've requested, as well as working tests that validate Legitify's SARIF output against the SARIF specification JSON schema.

@chtzvt
Thanks for all your effort! Also, I love the sarif test you added!
We'll add support for code-scanning results in legitify's action based shortly :)

Fantastic! Glad to see it ship.

I started work on the SARIF action in the sarif-action-support branch. If that looks like the direction you'd want to go with, I can open another PR.

@chtzvt
Ahh, I just realized that I missed the fact that you mentioned that in your original comment too.
I already implemented it today actually (see gofri/sarif-action branch).
Sorry for not alerting before.

We don't want the SARIF output to replace the existing output, but rather to come on top of it.
TBH that was the original motive for implementing the convert command in the first place.

Anyway, I'd love to hear your thoughts on this.
I'm gonna test the action to make sure that everything works as expected and I'll open a PR then.