Sarif output doesn't refer to final version of schema #3916

Closed

john-d8r opened this issue Mar 28, 2023 · 1 comment · Fixed by #4378
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

john-d8r commented Mar 28, 2023

Description

When validating the SARIF output generated by Trivy (using https://sarifweb.azurewebsites.net/Validation), it complains about the $schema not pointing to the final version of the SARIF 2.1.0 schema:

SARIF1011: $schema: The '$schema' property value 'https://json.schemastore.org/sarif-2.1.0-rtm.5.json' does not refer to the final version of the SARIF 2.1.0 schema. If you are using an earlier version of the SARIF format, consider upgrading your analysis tool to produce the final version. If this file does in fact conform to the final version of the schema, upgrade the tool to populate the '$schema' property with a URL that refers to the final version of the schema.

What did you expect to happen?

SARIF output validates with no error, i.e. $schema points to the final version:
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",

What happened instead?

SARIF output validates with one error, due to the version the $schema points to:
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",

Output of run with -debug:

(paste your output here)

Output of trivy -v:

Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-28 12:23:07.618855714 +0000 UTC
  NextUpdate: 2023-03-28 18:23:07.618855414 +0000 UTC
  DownloadedAt: 2023-03-28 12:29:12.483755586 +0000 UTC

Additional details (base image name, container registry info...):

base image name: node

Sarif report

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [
            {...
@john-d8r john-d8r added the kind/bug Categorizes issue or PR as related to a bug. label Mar 28, 2023
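The validator rule quoted above (SARIF1011) only looks at the top-level `version` and `$schema` pair. The following is an added example, not Trivy's code or anything from the reporter: a small Python checker that reproduces that check offline on a Trivy-style report, flags a pre-release `sarif-2.1.0-rtm.N.json` URL, and can rewrite it to the final `https://json.schemastore.org/sarif-2.1.0.json` URL from the issue. The embedded SARIF document is a constructed sample shaped like the report above; the function names and the pre-release URL pattern are assumptions of this example.

```python
import json
import re
import sys

# Final SARIF 2.1.0 schema URL, as quoted in the issue's expected output.
FINAL_SCHEMA_URL = "https://json.schemastore.org/sarif-2.1.0.json"

# Assumed pattern for pre-release schema URLs such as ".../sarif-2.1.0-rtm.5.json",
# which is what Trivy 0.38.3 emitted according to the report.
PRERELEASE_RE = re.compile(r"^https://json\.schemastore\.org/sarif-2\.1\.0-rtm\.(\d+)\.json$")

# Constructed sample: a minimal SARIF 2.1.0 document shaped like the Trivy report in the issue.
SAMPLE_SARIF = """
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": []
        }
      },
      "results": []
    }
  ]
}
"""


def load_sample() -> dict:
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_SARIF)


def check_schema(doc: dict) -> list:
    """Return a list of problems with the top-level version/$schema pair (empty if clean).

    Mirrors what the SARIF validator's SARIF1011 rule complains about: a $schema that
    does not refer to the final 2.1.0 schema.
    """
    problems = []
    version = doc.get("version")
    if version != "2.1.0":
        problems.append(f"version is {version!r}, expected '2.1.0'")

    schema = doc.get("$schema")
    if schema is None:
        problems.append("$schema property is missing")
    elif schema == FINAL_SCHEMA_URL:
        pass  # final schema URL, nothing to report
    else:
        m = PRERELEASE_RE.match(schema)
        if m:
            problems.append(
                f"$schema points at pre-release rtm.{m.group(1)}, not the final 2.1.0 schema (SARIF1011)"
            )
        else:
            problems.append(f"$schema {schema!r} is not a recognized SARIF 2.1.0 schema URL")
    return problems


def normalize_schema(doc: dict) -> dict:
    """Return a shallow copy whose $schema is the final URL, but only when the input
    carried a pre-release 2.1.0 URL. Unknown URLs are left untouched rather than guessed at."""
    fixed = dict(doc)
    if PRERELEASE_RE.match(fixed.get("$schema", "")):
        fixed["$schema"] = FINAL_SCHEMA_URL
    return fixed


if __name__ == "__main__":
    # Usage: python check_sarif_schema.py [report.sarif]; falls back to the embedded sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = load_sample()
    for problem in check_schema(report):
        print("problem:", problem)
    print("normalized $schema:", normalize_schema(report)["$schema"])
```

Rewriting the `$schema` label does not change what the document actually conforms to; the validator's own message makes the same distinction ("If this file does in fact conform to the final version..."). Run the normalized file back through the validator linked in the report before relying on the rewrite in a pipeline.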
@DmitriyLewen (Contributor)

Hello @john-d8r
Thanks for your report!

Looks like sarif-2.1.0-rtm.5.json is the latest version.
I created #58 to sort out this case.

Regards, Dmitriy
