Split properties for SARIF result

[nvuillam]

Hi,

Thanks for your great tool !

As SARIF format supports properties with any key / value in it, would it be possible, to make a result more exploitable, to add the following values in those extra properties ?

https://github.com/aquasecurity/trivy/blob/11f4f811236ca05cfb30827e25f312eec45ca097/pkg/report/sarif.go#L143

Properties could be the ones not already present as standalone value on a result item:

• packageName
• installedVersion
• fixedVersion

message: fmt.Sprintf("Package: %v\nInstalled Version: %v\nVulnerability %v\nSeverity: %v\nFixed Version: %v\nLink: [%v](%v)",
					vuln.PkgName, vuln.InstalledVersion, vuln.VulnerabilityID, vuln.Severity, vuln.FixedVersion, vuln.VulnerabilityID, vuln.PrimaryURL)

Many thanks & best regards :)

[afdesk]

@nvuillam thanks for your interest in trivy. we'll definitely consider this suggestion.

[nvuillam]

Many thanks ! :)

[nvuillam]

it seems that SARIF format returns many less details than the JSON one :/

Would it be possible to also return in "properties" SARIF item everything that is returned by JSON result ? thanks :)

Also, as we woud need that soon, would it be possible to have an estimated time for delivery of this feature ? Or if you have not enough bandwith, I coudl eventually make my first PR is GO ?

[afdesk]

@nvuillam sorry, i missed your comment.

Or if you have not enough bandwith, I coudl eventually make my first PR is GO ?

it would be great! we welcome contributors!

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.

[nvuillam]

Not stale :(

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.

[nvuillam]

Still not stale :(

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.

[nvuillam]

And again not stale 🤡