[SARIF Multitool] match-results-forward command generates invalid SARIF when results contain SubRuleId

[eddynaka]

How to simulate:

Use the attached example.zip and execute the command: sarif match-results-forward .\original.sarif --previous .\previous.sarif -o baselined.sarif --force

Current behavior:

The rules are duplicated after executing the command, generating an invalid SARIF.

Expected behavior:

After executing the command, the SARIF must have the baselined data and be a valid SARIF.

[eddynaka]

@marmegh this is one of the issues that I saw when running the E2E pipeline.

[michaelcfanning]

@marmegh @EasyRhinoMSFT these issues filed by Eddy are important for working scenarios and it would be good to make them a priority. do we have a result matching expert blessed? this area is going to get some attention moving forward, for sure.

[marmegh]

@yongyan-gh, this is one of the issues discussed today.
cc: @EasyRhinoMSFT, @shaopeng-gh

[yongyan-gh]

The issue of invalid Sarif produced by match-results-forward command is that the Sarif contains duplicated rule definitions in rules array, if the Sarif to be merged contain results which use a sub ruleId.

E.g. if there are 2 results' ruleId is "TESTRULE/001/SUB001", both reference to parent rule "TESTRULE/001", the command will produce a Sarif which rules array contains 2 duplicated rules of "TESTRULE/001".

Have a fix in #2505 pls review