SARIF Results don't show container image name #315

Open
mat-sylvia-mark43 opened this issue Feb 29, 2024 · 1 comment
mat-sylvia-mark43 commented Feb 29, 2024

When outputting scans to a SARIF, and subsequently uploading this to GitHub Advanced Security, the code scanning alert doesn't show the image name and tag. This makes it a bit cumbersome to determine what the alert is for. A path is shown, but not to the Dockerfile or anything that aids in determining the corresponding image name+tag in a meaningful way.

@austimkelly

I presume you mean the locations dictionary and the uri pointing to the build cache?

```json
{
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": "root/.cache/pypoetry/virtualenvs/ghast-VsnhxLU2-py3.10/lib/python3.10/site-packages/cryptography-37.0.4.dist-info/METADATA",
          "uriBaseId": "ROOTPATH"
        },
        "region": {
          "startLine": 1,
          "startColumn": 1,
          "endLine": 1,
          "endColumn": 1
        }
      }
    }
  ]
}
```

So the alert will only be part of the PR IFF the originating package file (e.g. requirements.txt) is:

  1. touched so it is part of the PR, and
  2. referenceable by the build.

Otherwise the alert will never be part of the PR. You will just get several alerts someone will have to triage at a later time.

I made a little line-mapper PoC (just hard-coded to pyproject.toml) and it works in a basic demo. I'm not sure of all the variations that would have to be considered to make this more robust though (i.e. can it scale?).
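Both comments above describe the same gap: the result's location is a path inside the image's site-packages, so code scanning can tie the alert neither to the image nor to the PR that introduced the dependency. The following is an added example, not the scanner's code and not the commenters' PoC, of one way to post-process the SARIF before upload: map each `dist-info/METADATA` location back to the line that pins that package in `requirements.txt`, and carry the image reference in the result message and `properties`. It assumes the path shape shown in the comment above, a requirements.txt-style manifest (`name==version` per line), that the caller already knows the image reference (e.g. from the CI job), and that a relative URI with no `uriBaseId` resolves against the repository checkout on upload. `SAMPLE_REQUIREMENTS`, `SAMPLE_SARIF` and the image reference `ghcr.io/example/app:1.2.3` are constructed sample inputs.

```python
"""Post-process SARIF so dependency findings land on the manifest line and name the image.

Added example; not the scanner's code. Assumptions (labelled): scanner locations look like the
path in the comment above (.../site-packages/<dist>-<version>.dist-info/METADATA); the manifest
is requirements.txt-style ('name==version' per line); the image reference is known to the caller;
a relative URI without uriBaseId resolves against the checkout root on upload.
"""
import copy
import json
import re

# pip's dist-info directory for an installed wheel, e.g. cryptography-37.0.4.dist-info
DIST_INFO_RE = re.compile(
    r"site-packages/(?P<name>[A-Za-z0-9_.]+)-(?P<version>[^/-]+)\.dist-info/METADATA$"
)
# requirements.txt line: name, optional [extras], optional version specifier
REQ_LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)(\[[^\]]*\])?\s*(?P<spec>[=<>!~]=?.*)?$")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Typing_Extensions' and 'typing-extensions' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def index_manifest(manifest_text: str) -> dict:
    """Map normalized package name -> 1-based line number of its first pin in the manifest."""
    index = {}
    for lineno, raw in enumerate(manifest_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-"):  # blank lines and -r / -e / --index-url options
            continue
        m = REQ_LINE_RE.match(line)
        if m:
            index.setdefault(normalize(m.group("name")), lineno)
    return index


def remap_result(result: dict, manifest_path: str, index: dict, image_ref: str) -> bool:
    """Rewrite one SARIF result in place; return True if a location was moved to the manifest."""
    moved = False
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        m = DIST_INFO_RE.search(phys.get("artifactLocation", {}).get("uri", ""))
        if not m:
            continue  # not a site-packages finding (OS package, binary, ...): leave untouched
        lineno = index.get(normalize(m.group("name")))
        if lineno is None:
            continue  # transitive dependency not pinned in the manifest: leave untouched
        # Assumption: a relative URI with no uriBaseId resolves against the repo checkout,
        # which is what lets code scanning attach the alert to the PR diff.
        phys["artifactLocation"] = {"uri": manifest_path}
        phys["region"] = {"startLine": lineno, "startColumn": 1, "endLine": lineno}
        moved = True
    # Put the image ref in the alert text so triage can see which image it belongs to.
    msg = result.setdefault("message", {})
    msg["text"] = f"[{image_ref}] {msg.get('text', '')}".strip()
    result.setdefault("properties", {})["imageRef"] = image_ref
    return moved


def remap_sarif(sarif: dict, manifest_text: str, manifest_path: str, image_ref: str):
    """Return (new SARIF document, number of results moved). The input is not modified."""
    out = copy.deepcopy(sarif)
    index = index_manifest(manifest_text)
    moved = 0
    for run in out.get("runs", []):
        for result in run.get("results", []):
            if remap_result(result, manifest_path, index, image_ref):
                moved += 1
    return out, moved


# Constructed sample inputs: the location from the comment above plus one non-Python finding.
SAMPLE_REQUIREMENTS = "# constructed sample manifest\nrequests==2.31.0\ncryptography==37.0.4  # pinned\n"
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"results": [
        {"ruleId": "sample-rule-1", "message": {"text": "cryptography 37.0.4: constructed sample finding"},
         "locations": [{"physicalLocation": {"artifactLocation": {
             "uri": "root/.cache/pypoetry/virtualenvs/ghast-VsnhxLU2-py3.10/lib/python3.10/"
                    "site-packages/cryptography-37.0.4.dist-info/METADATA",
             "uriBaseId": "ROOTPATH"},
             "region": {"startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1}}}]},
        {"ruleId": "sample-rule-2", "message": {"text": "constructed OS-package finding"},
         "locations": [{"physicalLocation": {"artifactLocation": {
             "uri": "usr/lib/x86_64-linux-gnu/libssl.so.3", "uriBaseId": "ROOTPATH"}}}]},
    ]}],
}

if __name__ == "__main__":
    remapped, n = remap_sarif(SAMPLE_SARIF, SAMPLE_REQUIREMENTS, "requirements.txt",
                              "ghcr.io/example/app:1.2.3")
    print(f"moved {n} result(s) onto requirements.txt")
    print(json.dumps(remapped, indent=2))
```

Run it on the scanner's real SARIF in place of `SAMPLE_SARIF`, with the manifest read from the checkout. Results whose location is not a site-packages dist-info path (OS packages, native libraries) or whose package is not pinned in the manifest (transitive dependencies) keep their original location; they still upload, but stay outside the PR diff, which is exactly the later-triage backlog the comment describes. Extending the manifest indexer to `pyproject.toml` is the part the PoC hard-codes, and the part that needs per-manifest parsing to scale.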
