Add PURLs in sarif report

[axidex]

Description

Trivy's SARIF output currently does not include PURLs for detected vulnerabilities. This makes it hard for downstream tooling to correlate SARIF findings with the corresponding components in an SBOM (CycloneDX, SPDX), or with vulnerability records produced by other scanners.

Grype already provides this functionality by exposing PURLs in rules[].properties.purls, for example:

{
  "id": "GHSA-h395-qcrw-5vmq-github.com/gin-gonic/gin",
  "name": "GoModuleMatcherExactDirectMatch",
  "shortDescription": {
    "text": "GHSA-h395-qcrw-5vmq high vulnerability for github.com/gin-gonic/gin package"
  },
  "fullDescription": {
    "text": "Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin"
  },
  "helpUri": "https://github.com/anchore/grype",
  "help": {
    "text": "Vulnerability GHSA-h395-qcrw-5vmq\nSeverity: high\nPackage: github.com/gin-gonic/gin\nVersion: v1.6.3\nFix Version: 1.7.7\nType: go-module\nLocation: ../vuln-apps/govwa/govwa-master\nData Namespace: github:language:go\nLink: [GHSA-h395-qcrw-5vmq](https://github.com/advisories/GHSA-h395-qcrw-5vmq)",
    "markdown": "**Vulnerability GHSA-h395-qcrw-5vmq**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high  | github.com/gin-gonic/gin  | v1.6.3  | 1.7.7  | go-module  | ../vuln-apps/govwa/govwa-master  | github:language:go  | [GHSA-h395-qcrw-5vmq](https://github.com/advisories/GHSA-h395-qcrw-5vmq)  |\n"
  },
  "properties": {
    "purls": [
      "pkg:golang/github.com/gin-gonic/gin@v1.6.3"
    ],
    "security-severity": "7.1"
  }
}

Related PR

#10722

Target

None

Scanner

Vulnerability

[orchestr7]

Working with PURLs is one of the most fundamental parts of modern SCA ecosystems. They are effectively the common identifier layer between SBOMs, vulnerability scanners, and downstream security tooling. Most mature scanners and SARIF producers already expose them, strange that it is missing here. When I was implementing things similar to OSV-database format, we have even added it as a part of the standard.