Gosec is generating invalid sarif files

[felipe-avelar]

Summary

I came across some issues regarding the SARIF format and, when trying to validate on sarif validator. Basically there is three issues:

1. $schema is outdated, should be https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json or https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json;
2. driver object in tools should contains version or semanticVersion, following §3.19.2 standard rule;
3. rules array's elements in driver must be unique, so it can be referenced on results .

Steps to reproduce the behavior

1. Generate a sarif file from an analysis, preferable with many occurrences from same rule
2. Validate it on sarif validator

gosec version

v 2.0

Go version (output of 'go version')

go version go1.15.6 linux/amd64

Operating system / Environment

Linux Ubuntu 20.04

Expected behavior

The file should be validated without issues

Actual behavior

The file has the issues described above

[ccojocar]

Thanks for reporting this issue.

@olfeidau Might be this related to your recent changes in the sarif formatter? Thanks