
fix(ufm): render alll finding locations, report URL and target file info #6754

Merged
CatalinSnyk merged 1 commit into main from fix/cli-1329_sarifMultiLocationRendering
Apr 29, 2026

@j-luong (Contributor) commented Apr 29, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Updates the UFM SARIF rendering template to include all finding locations, where applicable, instead of just the first location

LE: Also includes a fix to render all finding locations in the SARIF output from the UFM presenter, along with the WebUI report URL when the TestResult metadata for reportUrl is being set.

Where should the reviewer start?

Related GAF PRs:

How should this be manually tested?

For a product that supports multiple finding locations (e.g. secrets), run a test command with the --sarif flag applied. If a project has findings with multiple finding locations, they should be output correctly.

Adding the --report flag to the command above should also show up with the WebUI links to the scanned project page.

An open source scan with --reachability and --all-projects enabled should make it easier to distinguish which Test Summary is for which subproject. The Target file label should present the manifest file being scanned for the subprojects.

What's the product update that needs to be communicated to CLI users?

N/A at this time around.

@j-luong j-luong requested review from a team as code owners April 29, 2026 10:08
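
One way to check the SARIF output for the manual test in the PR description above, as an added example that is not part of the PR or of the Snyk CLI code: it lists every location of each result in a SARIF 2.1.0 document and flags results with more than one. The sample document, tool name, rule IDs and file paths are constructed.

```python
import json

# Constructed SARIF 2.1.0 sample (not real scanner output): one secrets-style
# finding reported in two files, and one finding with a single location.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "example-secret-rule",
             "message": {"text": "Hardcoded credential"},
             "locations": [
                 {"physicalLocation": {"artifactLocation": {"uri": "config/dev.env"},
                                       "region": {"startLine": 3}}},
                 {"physicalLocation": {"artifactLocation": {"uri": "deploy/values.yaml"},
                                       "region": {"startLine": 41}}}]},
            {"ruleId": "example-other-rule",
             "message": {"text": "Single-location finding"},
             "locations": [
                 {"physicalLocation": {"artifactLocation": {"uri": "src/app.py"},
                                       "region": {"startLine": 10}}}]},
        ],
    }],
})


def finding_locations(sarif_text):
    """Return {(run_index, result_index, ruleId): [(uri, startLine), ...]}."""
    doc = json.loads(sarif_text)
    out = {}
    for r_i, run in enumerate(doc.get("runs", [])):
        for f_i, result in enumerate(run.get("results") or []):
            locs = []
            # Walk every entry in locations[], not only locations[0].
            for loc in result.get("locations") or []:
                phys = loc.get("physicalLocation") or {}
                uri = (phys.get("artifactLocation") or {}).get("uri")
                line = (phys.get("region") or {}).get("startLine")
                locs.append((uri, line))
            out[(r_i, f_i, result.get("ruleId"))] = locs
    return out


def multi_location_findings(sarif_text):
    """Findings whose SARIF result carries more than one location."""
    return {k: v for k, v in finding_locations(sarif_text).items() if len(v) > 1}


if __name__ == "__main__":
    for key, locs in finding_locations(SAMPLE_SARIF).items():
        print(key[2], len(locs), locs)
```
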

snyk-io Bot commented Apr 29, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |



github-actions Bot (Contributor) commented Apr 29, 2026

Warnings
⚠️

"fix(ufm): render alll finding locations, report URL and target file info" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against 59017f3

@CatalinSnyk CatalinSnyk force-pushed the fix/cli-1329_sarifMultiLocationRendering branch from 6cb54cd to 59017f3 Compare April 29, 2026 14:35
@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ No major issues detected
📚 Repository Context Analyzed

This review considered 4 relevant code sections from 2 files (average relevance: 0.80)

@CatalinSnyk CatalinSnyk changed the title from "fix: sarif rendering now includes all finding locations" to "fix(ufm): render alll finding locations, report URL and target file info" Apr 29, 2026
@CatalinSnyk CatalinSnyk enabled auto-merge April 29, 2026 15:14
@CatalinSnyk CatalinSnyk merged commit eb0dd7c into main Apr 29, 2026
11 checks passed
@CatalinSnyk CatalinSnyk deleted the fix/cli-1329_sarifMultiLocationRendering branch April 29, 2026 15:20