django-DefectDojo
Include code flows in finding description when importing SARIF
Each finding in a SARIF file can contain a codeFlows property that can refer to multiple source code locations relevant to the finding. SAST tools often use this property to document how data flows from input to output.
Currently, the SARIF parser discards all of this information when building a finding. It includes only the location in the locations property.
As a developer investigating a finding, having the full data flow makes it much easier to triage an issue. Without it, developers have to determine, from potentially many execution flows, which one exhibits the reported vulnerability. Having the information in the description would immediately identify the code flow that requires investigation.
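To make the request concrete, here is an added example (not DefectDojo's parser and not code from this issue) that walks the SARIF 2.1.0 codeFlows structure (codeFlows -> threadFlows -> locations -> location) and renders each step as a numbered list that could be appended to a finding description. The result object is constructed for the example; the function names code_flows_to_markdown and build_description are hypothetical and not part of DefectDojo.

```python
def _sarif_location(uri, line, col, text=None):
    """Build a SARIF location object. Used here only to construct the sample input."""
    loc = {"physicalLocation": {"artifactLocation": {"uri": uri},
                                "region": {"startLine": line, "startColumn": col}}}
    if text:
        loc["message"] = {"text": text}
    return loc


# Constructed SARIF result (not real tool output): one finding whose single
# code flow shows tainted data moving from a request parameter into a SQL query.
SAMPLE_RESULT = {
    "ruleId": "sql-injection",
    "message": {"text": "Tainted data reaches a SQL query."},
    "locations": [_sarif_location("app/views.py", 42, 12)],
    "codeFlows": [{
        "message": {"text": "Flow from request parameter to query"},
        "threadFlows": [{
            "locations": [
                {"location": _sarif_location("app/views.py", 37, 14, "source: request.GET['q']")},
                {"location": _sarif_location("app/db.py", 9, 5, "passed as argument 'query'")},
                {"location": _sarif_location("app/views.py", 42, 12, "sink: cursor.execute(query)")},
            ]
        }]
    }],
}


def _format_location(loc):
    """Render a SARIF location object as 'uri:line:col', followed by its message if present."""
    phys = loc.get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
    region = phys.get("region", {})
    where = uri
    if "startLine" in region:
        where += f":{region['startLine']}"
        if "startColumn" in region:
            where += f":{region['startColumn']}"
    text = loc.get("message", {}).get("text")
    return f"{where} - {text}" if text else where


def code_flows_to_markdown(result):
    """Return a Markdown block describing every codeFlow of a SARIF result.

    Returns an empty string when the result has no codeFlows, so a caller can
    append the output to an existing description unconditionally.
    """
    lines = []
    for flow_idx, flow in enumerate(result.get("codeFlows", []), start=1):
        title = flow.get("message", {}).get("text")
        lines.append(f"**Code flow {flow_idx}**" + (f": {title}" if title else ""))
        threads = flow.get("threadFlows", [])
        for thread_idx, thread in enumerate(threads, start=1):
            # Only label thread flows when a code flow actually has several.
            if len(threads) > 1:
                lines.append(f"Thread flow {thread_idx}:")
            for step_idx, tf_loc in enumerate(thread.get("locations", []), start=1):
                # Each threadFlowLocation wraps a plain location object under "location".
                loc = tf_loc.get("location", {})
                lines.append(f"{step_idx}. {_format_location(loc)}")
        lines.append("")
    return "\n".join(lines).rstrip()


def build_description(result):
    """Combine the result's message with its rendered code flows, as a parser could."""
    description = result.get("message", {}).get("text", "")
    flows = code_flows_to_markdown(result)
    if flows:
        description += "\n\n" + flows
    return description


if __name__ == "__main__":
    print(build_description(SAMPLE_RESULT))
```

The reader gets one ordered list per code flow, source to sink, with the step messages the tool attached; a result without codeFlows is left exactly as before, so the change is additive for tools that never emit them.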
@kdyck-cb this is a long-term enhancement I wanted to introduce in Dojo: make the file+path something outside findings. This way you can have a 1..n relation between the file and the finding. The code flow could be an attribute of the relation between the file and the finding. This modification is hard to implement according to the other core project members.