Add purls in sarif report

[GeorgeLS]

Hello there!
Seems like that purls are missing from Sarif reports of grype.
I attempted adding those in the Sarif report. In order to do that I had to copy the deriveBomRef function that is being used in CycloneDx as well.
I tried making deriveBomRef a member function of Package type in order to avoid duplication but I couldn't build the project locally.

Thanks,
George

[kzantow]

Thanks for the updates here @GeorgeLS. We should probably only add this field if we have a non-empty PURL instead of creating arrays of empty strings, like this results in -- in other words: I think the tests would be reverted because we shouldn't see "purls": [""],, and we should add something that validates when a PURL is set, it is output as expected.

[GeorgeLS]

Yeah you are right. I will change asap. 🙏

[kzantow]

This looks really close -- is there a possibility of getting a test added to validate that Syft is properly outputting this purls field? I can look at adding a test, but it will be at least a few days before I can get to it. A quick look makes me think we could adjust the packages returned here to include a specific one with a PURL

[kzantow]

Idiomatic go would probably look like this (note changing from declaring an array: [...] to a slice: []):

			if m.Package.PURL != "" {
				descriptor.Properties["purls"] = []string{m.Package.PURL}
			}

[GeorgeLS]

Again, thanks a lot for the review and your time.
Sorry for the back and forth but I'm not a golang programmer.
I will add a test and update the code.