
Code scanning doesn't contain all violations from PMD #53

@adangel

Description


PMD produces a SARIF file with multiple location entries per result. It appears that on GitHub only the first location is used.

Example file: pmd-report.sarif.txt
In this case, we have in total 24 violations in 6 files. The violations are from one of 9 different rules.
In the end, we don't have 24 alerts but only 9 alerts after uploading. This is also visible in the build log: "num_results_in_sarif":9.

Code scanning alerts: https://github.com/pmd/pmd-github-action-tests/security/code-scanning?query=branch%3Ajava
Test case, see https://github.com/pmd/pmd-github-action-tests/tree/java#code-scanning-alerts

Sarif feature in PMD: https://pmd.github.io/latest/pmd_userdocs_report_formats.html#sarif

Sarif Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html

3.14.23 results property
... an array of zero or more result objects (§3.27) each of which represents a single result detected in the course of the run

This could be interpreted in the way that, since we have 24 violations, each of these violations should be a single result...

3.27.12 locations property
a) A result object SHOULD contain a property named locations whose value is an array of zero or more location objects (§3.28) each of which specifies a location where the result occurred.
b) The locations array SHALL NOT contain more than one element unless the condition indicated by the result, if any, can only be corrected by making a change at every location specified in the array.
c) The locations array SHALL NOT be used to specify distinct occurrences of the same result which can be corrected independently.

OK, a) is what PMD does: all locations where a specific rule was violated.
Sentence b) is probably violated: every location must be fixed in order to correct the result.
Sentence c) is also violated: PMD only produces distinct results, and they usually can be corrected independently.

So, I guess, that's a bug in PMD: pmd/pmd#3768.
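As an added example (not PMD's code and not from this issue), the Python below makes the §3.27.12 reading concrete: it flags results that carry more than one location, and rewrites such a log into one result per location, which is the shape a consumer that only reads the first location (as described above for GitHub) needs. The SARIF document is constructed inline to mirror the grouping described in the issue; it is not the attached pmd-report.sarif.txt, and the rule IDs, file names and line numbers are made up.

```python
import json
from copy import deepcopy

# Constructed sample (not a real PMD report): two rules, four violations in
# three files, grouped the way the issue describes, i.e. one result per rule
# carrying every location where that rule fired.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "PMD", "rules": [
            {"id": "UnusedLocalVariable"}, {"id": "EmptyCatchBlock"}]}},
        "results": [
            {"ruleId": "UnusedLocalVariable", "level": "warning",
             "message": {"text": "Avoid unused local variables"},
             "locations": [
                 {"physicalLocation": {"artifactLocation": {"uri": "src/A.java"},
                                       "region": {"startLine": 10, "startColumn": 5}}},
                 {"physicalLocation": {"artifactLocation": {"uri": "src/B.java"},
                                       "region": {"startLine": 22, "startColumn": 9}}},
                 {"physicalLocation": {"artifactLocation": {"uri": "src/B.java"},
                                       "region": {"startLine": 40, "startColumn": 9}}},
             ]},
            {"ruleId": "EmptyCatchBlock", "level": "warning",
             "message": {"text": "Avoid empty catch blocks"},
             "locations": [
                 {"physicalLocation": {"artifactLocation": {"uri": "src/C.java"},
                                       "region": {"startLine": 7, "startColumn": 3}}},
             ]},
        ],
    }],
})


def load_sample():
    """Parse the constructed sample into a SARIF log (a plain dict)."""
    return json.loads(SAMPLE_SARIF)


def count_results(sarif):
    """Number of result objects across all runs: what a consumer that
    reads one alert per result will show."""
    return sum(len(run.get("results", [])) for run in sarif.get("runs", []))


def count_locations(sarif):
    """Number of location objects across all results: the actual number
    of violations the tool found."""
    return sum(len(r.get("locations", []))
               for run in sarif.get("runs", [])
               for r in run.get("results", []))


def find_multi_location_results(sarif):
    """Lint check for §3.27.12 b)/c): return (ruleId, location count) for
    every result whose locations array has more than one element. For a
    tool whose findings are independently fixable, any hit is a bug."""
    return [(r.get("ruleId"), len(r.get("locations", [])))
            for run in sarif.get("runs", [])
            for r in run.get("results", [])
            if len(r.get("locations", [])) > 1]


def split_locations(sarif):
    """Return a deep copy in which every result carries at most one
    location: a result with N locations becomes N results that share
    ruleId, level and message. The input is left untouched."""
    out = deepcopy(sarif)
    for run in out.get("runs", []):
        split = []
        for result in run.get("results", []):
            locations = result.get("locations") or []
            if len(locations) <= 1:
                split.append(result)
                continue
            for loc in locations:
                clone = deepcopy(result)
                clone["locations"] = [loc]
                # Caveat: any fingerprint copied from the grouped result
                # would be identical on every clone, and consumers that
                # de-duplicate on fingerprints would collapse them again.
                # Drop them so the consumer derives fresh ones from the
                # (now unique) primary location.
                clone.pop("partialFingerprints", None)
                clone.pop("fingerprints", None)
                split.append(clone)
        run["results"] = split
    return out


if __name__ == "__main__":
    log = load_sample()
    print("results:", count_results(log), "violations:", count_locations(log))
    print("multi-location results:", find_multi_location_results(log))
    fixed = split_locations(log)
    print("after split, results:", count_results(fixed))
```

Running `count_results` and `count_locations` on a real report is the quickest way to reproduce the mismatch described above (24 violations, 9 results), and `find_multi_location_results` tells you exactly which rules were grouped. The split function is a workaround for a consumer, not a substitute for fixing the producer: the message text of a grouped result is per rule, so per-location detail that PMD would normally put into the message is not recoverable here.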

Metadata

Labels

bug (Something isn't working)
