SARIF: add partialFingerprints, tags/precision, and ensure absolute Windows paths in artifactLocation.uri

[Akindotcome]

This PR improves the SARIF formatter with the following changes:

• Added partialFingerprints (primaryLocationLineHash) for stable deduplication across runs/refactors.
• Included CWE tags and Bandit test IDs in tags for better rule categorization.
• Set precision based on Bandit’s confidence levels (HIGH/MEDIUM/LOW → high/medium/low).
• Ensured absolute Windows paths are preserved in artifactLocation.uri to match test expectations.
• Added raw original_path property for clarity and debugging.

~ All unit tests in tests/unit/formatters/ pass.
~ Functional tests are unchanged by this PR.

This should make Bandit’s SARIF output more compliant and interoperable with tools that consume SARIF logs.

Closes #646
Related to #737

[Akindotcome]

Hi, I am still hoping my PR gets reviewed

[Akindotcome]

@sigmavirus24 , @ericwb , @lukehinds
Hi - friendly ping on this SARIF improvement PR.

It adds partialFingerprints, tags/precision, preserves Windows absolute paths, and unit tests/unit/formatters/ pass.

Could one of you kindly review when you have a moment?

Thanks

[ericwb]

Any reason why you moved this to a new line?

[sigmavirus24]

None of these examples are valid restructuredtext.

[ericwb]

Let's keep the same variable names to minimizing diffs.

Suggested change

	for iss in issues:
	for issue in issues:

[ericwb]

Bandit itself would raise an issue about an empty except block.

[sigmavirus24]

There's a lot of particularly bad LLM slop here. I was promised they were good at writing python because of how much python was out there. I feel lied to.

[sigmavirus24]

This is too long and needs to be rewritten

[sigmavirus24]

Why add this comment?

[sigmavirus24]

Why add a noqa here? It does absolutely nothing. Remove it

[sigmavirus24]

This is unnecessarily inefficient

[sigmavirus24]

These comments really are unnecessary. They're explaining what happens which the function names do a decent job of already

[sigmavirus24]

Also you repeated that comment here. One or both should disappear and be explained with one very clear explanation of why some windows test needs a raw filename (whatever that is)

[sigmavirus24]

Another useless comment

[sigmavirus24]

More invalid, poorly written, style-inconsistent docstrings

[sigmavirus24]

This is not a helpful comment

[sigmavirus24]

Again, this is unnecessarily bad python code. Just,

Suggested change

	cwe_id = (issue_dict.get("issue_cwe") or {}).get("id")
	cwe_id = issue_dict.get("issue_cwe", {}).get("id")

I don't know why I have to give you feedback for your LLM to process at this point.

[gpotter2]

I was wondering if it was just us getting spammed by this user so I went see what other PRs they made and found this. It looks suspiciously AI generated, glad you came to the same conclusion.

(4 PRs about the same topic in a week ! each time growing exponentially)
secdev/scapy#4843
secdev/scapy#4844
secdev/scapy#4845
secdev/scapy#4848

Anyway good luck. Personally I think I'll throw in a 30days ban.

[Akindotcome]

@sigmavirus24, @ericwb
Thank you for the thorough reviews and feedback. I appreciate the time and detail from everyone.

I’ll address the points you raised (docstring/reST fixes, variable naming consistency, removing the empty except, simplifying confidence/CWE handling, and trimming unnecessary comments) and push the updates immediately I have done the corrections. I’ll be available to iterate further if anything else comes up.

@gpotter2
Sorry for the misunderstanding here, I am only trying to contribute to meaningful open source projects and grow knowledge-wise as well. Thank you