prefer packagePath as artifactLocation in formatSarifResults to avoid GitHub duplicate alerts
Description
From https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reporting-consistent-filepaths:
> The filepath has to be consistent across the runs to enable a computation of a stable fingerprint. If the filepaths differ for the same result, each time there is a new analysis a new alert will be created, and the old one will be closed. This will cause having multiple alerts for the same result.
Motivation and Context
When using the commit sha as the image label, the fingerprint computation becomes unstable because the location (imageName) changes each commit. Using finding.packagePath is stable across commits and solves the problem of alerts being constantly closed and reopened.
How Has This Been Tested?
Manually, see screenshots below.
Screenshots (if appropriate)
Before:
After:
Types of changes
- Breaking change (fix or feature that would cause existing functionality to change)
For users having stable image tags this change will most likely cause all open alerts to be closed and reopened once.
Checklist
- [ ] I have updated the documentation accordingly.
- [ ] I have read the CONTRIBUTING document.
- [ ] I have added tests to cover my changes if appropriate.
- [ ] All new and existing tests passed.