Update SARIF format

[another-rex]

Fixes #216 with a new format that separates out individual vulnerabilities.

Each vulnerability is now it's own rule violation. The aliased vulnerabilities are grouped together as one rule violation, with an ID picked in this priority (CVE -> [Eco Specific] -> GHSA).

[codecov-commenter]

Codecov Report

Merging #534 (941f031) into main (a659b3b) will increase coverage by 1.31%.
The diff coverage is 91.24%.

@@            Coverage Diff             @@
##             main     #534      +/-   ##
==========================================
+ Coverage   77.05%   78.36%   +1.31%     
==========================================
  Files          76       77       +1     
  Lines        5129     5251     +122     
==========================================
+ Hits         3952     4115     +163     
+ Misses       1011      971      -40     
+ Partials      166      165       -1     

Files Changed	Coverage Δ
cmd/osv-reporter/main.go	4.02% <0.00%> (ø)
internal/output/result.go	83.33% <83.33%> (ø)
internal/output/sarif.go	90.76% <94.50%> (+4.10%)	⬆️
cmd/osv-scanner/main.go	79.03% <100.00%> (ø)
internal/output/githubannotation.go	86.95% <100.00%> (+86.95%)	⬆️
internal/output/identifiers.go	100.00% <100.00%> (ø)
pkg/models/results.go	82.22% <100.00%> (+1.26%)	⬆️

... and 2 files with indirect coverage changes

[oliverchang]

Should we have an end-to-end test here that includes CVE, Ecosystem ID examples etc?

[another-rex]

Added a bigger test with CVE's and multiple ecosystems, not as an end-to-end test but a unit test since it makes the path resolution easier. It already found some problems with CVEs not actually being the display ID, which should be fixed now.

Do you still want a bigger end-to-end test as well?