artifactLocation in SARIF output is ambiguous when scanning multiple directories #1426

@ian-oneleet

Description

Hi,

I've run into the following ambiguity in Gosec's SARIF output. Say there are two directories, a and b, each containing a main.go file. I scan them like this:

gosec -fmt=sarif -out=./gosec.sarif ./a ./b

The output looks like (greatly simplified):

{
  "physicalLocation": {
    "artifactLocation": {
      "uri": "main.go"
    },
    "region": {
      ...
    }
  }
}
...
{
  "physicalLocation": {
    "artifactLocation": {
      "uri": "main.go"
    },
    "region": {
      ...
    }
  }
}

That is, both results have identical looking physicalLocation.artifactLocation.uri. This makes it quite difficult to figure out which result applies to which main.go file.

I believe this is caused by this logic:

for _, rootPath := range rootPaths {
	if strings.HasPrefix(i.File, rootPath) {
		filePath = strings.Replace(i.File, rootPath+"/", "", 1)
	}
}

which makes perfect sense when only scanning one directory, but creates this ambiguity when scanning multiple. I'd really appreciate some way to disambiguate – perhaps some option to indicate "this is the root dir I want all result paths to be relative to", or else an option to make all output paths absolute (as I already have to deal with absolute file paths from other SARIF-producing tools).

Happy to work on the code if you'd like, but I'll need guidance on how you'd prefer to resolve this.

Thank you!
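To make the ambiguity concrete, here is an added example (not gosec's code and not part of the issue) that reproduces the quoted stripping logic beside one possible disambiguation: reporting each file relative to the common ancestor of the scanned roots. The helper names commonRoot and relativeToCommonRoot are hypothetical, and the /work/proj paths are constructed sample input.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// relativeToScannedRoot mirrors the stripping logic quoted in the issue: every
// scanned root is removed from the front of the file path, so files living in
// different roots collapse to the same URI ("main.go" for both).
func relativeToScannedRoot(file string, rootPaths []string) string {
	filePath := file
	for _, rootPath := range rootPaths {
		if strings.HasPrefix(file, rootPath) {
			filePath = strings.Replace(file, rootPath+"/", "", 1)
		}
	}
	return filePath
}

// commonRoot (hypothetical helper) returns the longest directory prefix shared
// by all scanned roots, e.g. "/work/proj" for "/work/proj/a" and "/work/proj/b".
func commonRoot(rootPaths []string) string {
	if len(rootPaths) == 0 {
		return ""
	}
	parts := strings.Split(filepath.ToSlash(filepath.Clean(rootPaths[0])), "/")
	for _, r := range rootPaths[1:] {
		p := strings.Split(filepath.ToSlash(filepath.Clean(r)), "/")
		n := 0
		for n < len(parts) && n < len(p) && parts[n] == p[n] {
			n++
		}
		parts = parts[:n]
	}
	return strings.Join(parts, "/")
}

// relativeToCommonRoot is one possible disambiguation: report URIs relative to
// the shared ancestor, keeping "a/main.go" and "b/main.go" distinct. Falls back
// to the unchanged path when no relative form exists (filepath.Rel fails).
func relativeToCommonRoot(file string, rootPaths []string) string {
	if rel, err := filepath.Rel(commonRoot(rootPaths), file); err == nil {
		return filepath.ToSlash(rel)
	}
	return file
}

func main() {
	roots := []string{"/work/proj/a", "/work/proj/b"}
	fmt.Println(relativeToScannedRoot("/work/proj/b/main.go", roots), relativeToCommonRoot("/work/proj/b/main.go", roots))
}
```

With a single scanned root the two functions agree, which matches the observation that the current logic is fine for one directory.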
