Bug: SARIF report no accepted by GitHub

[npetzall]

Describe the bug

A SARIF report uploaded to GitHub will be rejected if locations is empty.

But I also seems like GitHub only uses the first location.

To reproduce

Create a report with advisory issues.

Since Advisory uses lock file, they are currently excluded and empty.

Also ban has no location and license is created per label which creates multiple locations but not a sensible message.

cargo-deny version

0.18.9

What OS were you running cargo-deny on?

Linux

Additional context

I've started with an implementation, but I would like some guidance.

For the ones missing locations, I've done some modifications to InclusionGraph so the location can point to something that the user can change (project cargo.toml)

And included a compact graph(stops at first project crate) in the markdown for the result.

It's work in progress.

[npetzall]

I've done some more testing and research and it didn't go too well.

The message field for a result, has a markdown attribute, it's used but the markdown formatting i limited. So the dependency graph isn't rendered in a good way.

However the rule has help text that is rendered correctly, that combined with the issue with only displaying a single locations.

I'm thinking that one rule per issue that can contain extensive information in the rule help text, and a result per violation location.

Example for Advisory would be:

Crate A has a vulnerability, that becomes a rule, with the full/compact dependency graph, advisory etc etc.

Either:
Workspace member B and C have declared dependencies for Crate A, they will end up as to results with two different locations.
Or:
Workspace member B has it as a workspace dependency and workspace Cargo.toml is one result and C has it as a direct dependency and that will be a second result.

From the documentation 25 000 rules/run are supported and 25 000 results/run.

Since this differ a lot from current implementation of the SARIF report, should this be done as a sarif-github format?

I mean if it's of interest to include in cargo-deny.

[Jake-Shadle]

I don't care about SARIF at all, so it's up to people like yourself who actually use it to provide PRs to get SARIF output to a place you like.