CxFlow Sarif output fails many validation tests

[nleach999]

Description

Attaching example SAST XML and CxFlow Sarif output. Using the Microsoft Sarif Validator on this file produces 121 validation errors.

Expected Behavior

Produce Sarif with 0 validation errors

Actual Behavior

Multiple validation errors that indicate many Sarif consumers aren't going to properly interpret the Sarif file.

Reproduction

I executed CxFlow 1.6.45 (1.6.46 is broken and --parse does not work) against the SAST XML report using this script:

java -Xms512m -Xmx2048m -jar cx-flow-1.6.45-java11.jar --parse \
    --app=Checkmarx \
    --cx-flow.bug-tracker-impl=Sarif \
    --cx-flow.bug-tracker=Sarif \
    --cx-flow.filter-severity=High,Medium,Low,Information \
    --sarif.file-path=./offline-cx.sarif \
    --checkmarx.offline=true \
    --logging.level.com=OFF \
    --logging.level.org=OFF \
    --logging.level.javax=OFF \
    --f=$1

Environment Details

CxFlow 1.6.45
Java 17

SimplyVulnerable-[master].xml.txt
offline-cx.sarif.json

[itsKedar]

Fixed in 1.7.01