Results must always be present in the SARIF report (#650)

* Don't omit empty results

* Add tests

report/sarif/sarif_suite_test.go

@@ -0,0 +1,13 @@
+package sarif_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestRules(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Sarif Formatters Suite")
+}

report/sarif/sarif_test.go

@@ -0,0 +1,25 @@
+package sarif_test
+
+import (
+	"bytes"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/securego/gosec/v2"
+	"github.com/securego/gosec/v2/report/sarif"
+)
+
+var _ = Describe("Sarif Formatter", func() {
+	BeforeEach(func() {
+	})
+	Context("when converting to Sarif issues", func() {
+		It("sarif formatted report should contain the result", func() {
+			buf := new(bytes.Buffer)
+			reportInfo := gosec.NewReportInfo([]*gosec.Issue{}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")
+			err := sarif.WriteReport(buf, reportInfo, []string{})
+			result := buf.String()
+			Expect(err).ShouldNot(HaveOccurred())
+			Expect(result).To(ContainSubstring("\"results\": ["))
+		})
+	})
+})

report/sarif/types.go

@@ -1041,7 +1041,7 @@ type Run struct {
 	RedactionTokens []string `json:"redactionTokens,omitempty"`
 
 	// The set of results contained in an SARIF log. The results array can be omitted when a run is solely exporting rules metadata. It must be present (but may be empty) if a log file represents an actual scan.
-	Results []*Result `json:"results,omitempty"`
+	Results []*Result `json:"results"`
 
 	// Automation details that describe the aggregate of runs to which this run belongs.
 	RunAggregates []*RunAutomationDetails `json:"runAggregates,omitempty"`