Using the jfrog cli to scan a docker image using '--format sarif' produces a sarif file not accepted by GitHub Security Centre due to the locations field missing for the results set [GH1001]
Scan nginx:latest using the sarif format:
jf docker scan <rt_instance>/nginx:latest --format sarif
Upload the sarif output to https://sarifweb.azurewebsites.net/Validation and select 'GitHub Integration rules'. There are a few issues; the one which GitHub explicitly complains about is GH1001 in the results.
Expected:
GH1001 issue is addressed so the Sarif output is accepted by GitHub when uploaded to GitHub Security Centre
I think there actually might be some kind of issue. I was running the jfrog cli for sarif, and when I ran the same command after switching from the older docker to the newer cli, the location in the sarif was no longer present; however, I was using the "jf s image.tar" command instead.
So, tl;dr, I am having a similar issue and it is quite annoying.
Steps To Reproduce:
Prerequisite: use a jfrog instance setup with a remote docker repository (https://registry-1.docker.io/)
jf docker scan <rt_instance>/nginx:latest --format sarif
Other:
Example of sarif file of nginx is attached
jfrog-docker-scan-of-nginx-latest-2.50.2.sarif.json.gz
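A quick way to see the GH1001 condition described above before uploading to GitHub, and to decide what to do about it, is to walk the SARIF `runs[].results[]` array and flag every result that has no `locations` entry carrying a `physicalLocation.artifactLocation.uri`. The script below is an added example, not code from the jfrog-cli project or from the attached scan file; the SARIF document it checks is constructed inline, the rule IDs in it are placeholders, and the `add_placeholder_locations` helper is a hypothetical local workaround (pointing rejected results at a relative `Dockerfile` path) rather than anything the tool does.

```python
import copy
import json
import sys

# Constructed SARIF 2.1.0 log (not the attached jfrog scan output). Result 0 has a
# usable location, result 1 omits `locations` entirely, result 2 has an empty array.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [
        {
            "tool": {
                "driver": {
                    "name": "example-scanner",
                    "rules": [{"id": "EXAMPLE-RULE-1"}, {"id": "EXAMPLE-RULE-2"}],
                }
            },
            "results": [
                {
                    "ruleId": "EXAMPLE-RULE-1",
                    "level": "error",
                    "message": {"text": "finding with a location"},
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {"uri": "Dockerfile"},
                                "region": {"startLine": 1},
                            }
                        }
                    ],
                },
                {
                    "ruleId": "EXAMPLE-RULE-2",
                    "level": "warning",
                    "message": {"text": "finding with no locations field"},
                },
                {
                    "ruleId": "EXAMPLE-RULE-1",
                    "level": "warning",
                    "message": {"text": "finding with an empty locations array"},
                    "locations": [],
                },
            ],
        }
    ],
}


def has_usable_location(result: dict) -> bool:
    """True if at least one location names an artifact URI GitHub can attach the alert to."""
    for loc in result.get("locations") or []:
        uri = (
            loc.get("physicalLocation", {})
            .get("artifactLocation", {})
            .get("uri")
        )
        if uri:
            return True
    return False


def results_missing_locations(sarif: dict) -> list[tuple[int, int, str]]:
    """Return (run_index, result_index, ruleId) for every result lacking a usable location."""
    missing = []
    for run_idx, run in enumerate(sarif.get("runs", [])):
        for res_idx, result in enumerate(run.get("results", [])):
            if not has_usable_location(result):
                missing.append((run_idx, res_idx, result.get("ruleId", "<no ruleId>")))
    return missing


def add_placeholder_locations(sarif: dict, uri: str = "Dockerfile") -> tuple[dict, int]:
    """Hypothetical local workaround (assumption, not tool behaviour): give each
    location-less result a placeholder relative path so the upload is not rejected.
    Returns a patched copy and the number of results touched; the input is not mutated."""
    patched = copy.deepcopy(sarif)
    touched = 0
    for run in patched.get("runs", []):
        for result in run.get("results", []):
            if not has_usable_location(result):
                result["locations"] = [
                    {
                        "physicalLocation": {
                            "artifactLocation": {"uri": uri},
                            "region": {"startLine": 1},
                        }
                    }
                ]
                touched += 1
    return patched, touched


if __name__ == "__main__":
    # Usage: python check_sarif.py scan.sarif.json  (defaults to the constructed sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    for run_idx, res_idx, rule in results_missing_locations(doc):
        print(f"run {run_idx} result {res_idx} ({rule}): no usable locations entry")
```

Run against the real scan output with the file path as the first argument; a non-empty listing is exactly the set of results the GitHub validator reports under GH1001. Whether to patch them with a placeholder path or wait for the scanner to emit real locations is a judgement call, since the placeholder makes every such alert show up against the same line of the same file.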