Description
Reported by GitHub:
Alerts from Trivy image scanning include the SHA of the source repo in the location (see CVE-2021-38604). Indeed, Trivy's setup instructions include this: `image-ref: docker.io/my-organization/my-app:${{ github.sha }}`. This information is then used to feed the result location. As this includes the git SHA, it changes for every single source change, meaning that we cannot match any logical alert from one analysis to the next.
Our documentation is not clear on this point for integrators, and should instead include something like:
Locations for results should aim to be deterministic and stable across runs.
In this specific case, I think the integration would work better if Trivy omitted the SHA.
Indeed, if the alert was for `docker.io/my-organization/my-app` rather than `docker.io/my-organization/my-app:2c6912aee7bde44b84d810aed106ca84f40e2e29:1`, code scanning would keep track of when it is fixed.
The impact of this on code scanning is that we end up with repositories with +100k alerts that are marked as "fixed" simply out of churn. After every analysis upload, alerts are marked as fixed and immediately recreated as open with a different location.
This leads to extremely poor performance for some users of Code Scanning and the Trivy image scanning action.
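The churn described in the report, reproduced as an added example (this is not GitHub's or Trivy's code). Two constructed SARIF logs carry the same finding for the same image at two commits; the only difference is the `${{ github.sha }}` tag in the location. Keying alerts on the raw location marks the finding fixed and re-opens it on every upload, while stripping the tag from the image reference yields a stable key. The location shape follows the issue; placing it under `physicalLocation.artifactLocation.uri`, and the `stable_location`, `churn` and `rewrite_sarif` helpers, are assumptions made for this example only.

```python
import copy
import re


def _sarif(image_ref: str) -> dict:
    """Constructed minimal SARIF 2.1.0 log with one result at the given image reference.

    Only the fields this example reads are present. Storing the image reference under
    physicalLocation.artifactLocation.uri is an assumption for this example, not a
    description of Trivy's actual output format.
    """
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "Trivy"}},
            "results": [{
                "ruleId": "CVE-2021-38604",
                "level": "error",
                "message": {"text": "constructed example finding"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": image_ref}}}],
            }],
        }],
    }


# Same repository, two consecutive commits: the tag is ${{ github.sha }} (constructed).
RUN_A = _sarif("docker.io/my-organization/my-app:2c6912aee7bde44b84d810aed106ca84f40e2e29:1")
RUN_B = _sarif("docker.io/my-organization/my-app:9f1a0b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2:1")

# Everything from the first ':' (tag) or '@' (digest) to the end of the last path segment.
_TAG_OR_DIGEST = re.compile(r"[:@].*$")


def stable_location(uri: str) -> str:
    """Drop the tag or @digest (and any trailing ':N') from an image reference.

    Only the last path segment is touched, so a registry port in the host part,
    e.g. localhost:5000/app:tag, survives.
    """
    head, sep, last = uri.rpartition("/")
    return head + sep + _TAG_OR_DIGEST.sub("", last)


def alert_keys(sarif: dict, normalize: bool) -> set:
    """Return the (ruleId, location) keys a location-based matcher would use."""
    keys = set()
    for run in sarif["runs"]:
        for result in run["results"]:
            for loc in result.get("locations", []):
                uri = loc["physicalLocation"]["artifactLocation"]["uri"]
                if normalize:
                    uri = stable_location(uri)
                keys.add((result["ruleId"], uri))
    return keys


def churn(previous: dict, current: dict, normalize: bool) -> dict:
    """Compare two uploads: which alerts look fixed, new, or persisting."""
    before = alert_keys(previous, normalize)
    after = alert_keys(current, normalize)
    return {"fixed": before - after, "new": after - before, "persisting": before & after}


def rewrite_sarif(sarif: dict) -> dict:
    """Return a copy with every artifactLocation.uri made tag-free.

    This is the post-processing step an integrator could run on the SARIF file
    before upload if the scanner itself keeps emitting the SHA-bearing reference.
    """
    out = copy.deepcopy(sarif)
    for run in out["runs"]:
        for result in run["results"]:
            for loc in result.get("locations", []):
                art = loc["physicalLocation"]["artifactLocation"]
                art["uri"] = stable_location(art["uri"])
    return out


if __name__ == "__main__":
    for mode in (False, True):
        c = churn(RUN_A, RUN_B, normalize=mode)
        print(f"normalize={mode}: fixed={len(c['fixed'])} "
              f"new={len(c['new'])} persisting={len(c['persisting'])}")
```

With `normalize=False` the single finding is counted as one fixed and one new alert per upload, which is exactly the churn the report describes; with `normalize=True` (or after `rewrite_sarif`) the same finding persists under one key and would only be marked fixed once it actually disappears from a scan.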
Activity