
Add line-numbers to the output

Open agmond opened this issue 2 years ago • 5 comments

Hi, it would be great to add the line numbers of the package in the input file to the output (at least to the JSON output). Thanks!

agmond avatar Jan 17 '23 10:01 agmond

This has previously been mentioned here - effectively this would require implementing custom parsers for at least JSON, YAML, TOML, and XML since none of the libraries the scanner uses for those provide line numbers in any form, and that would be a huge jump in complexity.

I'm not really sure how useful line numbers would be either for most of the parsers since they're meant to be generated files.

G-Rath avatar Jan 17 '23 18:01 G-Rath

Thanks, @G-Rath. If, as already mentioned in #57, one of the future directions is adding remediation capabilities, then adding the line numbers can help. Ideally, I'd want to get the line number in the non-generated form of the file. For example, get the relevant line number in the package.json file that generated the package-lock.json. Anyway, some other file formats can easily benefit from this addition directly (e.g. requirements.txt), so maybe it can be added as optional.

agmond avatar Jan 17 '23 20:01 agmond

+1 to this being useful for remediation in the future, and enabling very nice output integrations with e.g. SARIF. @another-rex thoughts?

oliverchang avatar Jan 17 '23 23:01 oliverchang

I'd love to see this happen, and as @oliverchang points out, it would be useful for SARIF integration. Otherwise, currently, I have to provide fake location information (top of the file) to make this work with a SARIF viewer (GitHub's code scanning tab).

picatz avatar Jan 30 '23 19:01 picatz
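As an added example (not osv-scanner's own code), here is the "easy" case agmond mentions and the location data picatz needs for SARIF: a small Go parser for requirements.txt that records the 1-based line and column of every pinned package. The `Requirement` type, the `pinned` regex and the sample file are constructed for this illustration; only `==` pins are handled.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Requirement is one pinned dependency plus its 1-based startLine/startColumn, as a SARIF region needs.
type Requirement struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Line    int    `json:"startLine"`
	Column  int    `json:"startColumn"`
}

// pinned matches "name==version", tolerating whitespace and trailing comments (constructed for this example).
var pinned = regexp.MustCompile(`^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)`)

// ParseRequirements reads requirements.txt content line by line; comment, blank and option lines
// (-r, --index-url) never match the regex but are still counted, so each Line points at the real pin.
func ParseRequirements(content string) []Requirement {
	var reqs []Requirement
	sc := bufio.NewScanner(strings.NewReader(content))
	for lineNo := 1; sc.Scan(); lineNo++ {
		text := sc.Text()
		idx := pinned.FindStringSubmatchIndex(text)
		if idx == nil { // not an exact pin (e.g. Django>=3.2): nothing to locate
			continue
		}
		reqs = append(reqs, Requirement{
			Name:    strings.ToLower(text[idx[2]:idx[3]]), // PyPI names are case-insensitive
			Version: text[idx[4]:idx[5]],
			Line:    lineNo,
			Column:  idx[2] + 1, // 1-based byte offset of the package name on its line
		})
	}
	return reqs
}

// SampleRequirements is constructed input for this example, not a real project file.
const SampleRequirements = `# constructed sample
-r base.txt
requests==2.25.1   # pinned

  urllib3 == 1.26.4
Django>=3.2`

func main() { fmt.Printf("%+v\n", ParseRequirements(SampleRequirements)) }
```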

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] avatar Jul 24 '24 18:07 github-actions[bot]