
Enhance artifactContent object with optional context property to accompany text property #630

Open
247arjun opened this issue Apr 5, 2024 · 1 comment

Comments

247arjun commented Apr 5, 2024

Context

If an external artifact is a text artifact, a SARIF file will include an artifactContent object inside a result.locations.region.snippet property to:

  • allow a SARIF viewer to present the contents of the region even if the artifact from which it was taken is not available.
  • allow an end user examining a SARIF log file to see the relevant content without opening another file.
  • improve result matching

Problem

The text property can be limited in scope, especially in traditional SAST scanning scenarios where individual offending lines (or a small subset) of code are flagged. This doesn't allow a human to, with just the SARIF file, view the surrounding context within which the text exists.

Proposed Solution

An optional context property that tools can populate with a larger window of text (such as the function/method body within which the flagged line of code is implemented), which accompanies the text that is flagged by a SAST run, can help a human to understand the context within which the flagged code exists.

Additionally, when using Generative AI to aid in SAST triage, the LLM's large input context window can be leveraged by using the optional context text to give the generative model additional prompting tokens that are likely to improve the performance of the model's output.

sthagen (Contributor) commented May 1, 2024

I wonder if this feature may lead to unintended leakage of information about the source code?
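As an added example (not code from the SARIF project, the issue author or the commenter), the following Python emits a SARIF 2.1.0 result whose region.snippet carries the standard text property together with the context property proposed in this issue, populated with the enclosing function body found through Python's ast module, falling back to a fixed window of lines for code outside any function. The context key, the tool name example-sast, the rule id and the sample source file are assumptions for illustration; context is not part of the published SARIF 2.1.0 schema, so a strict validator may reject it. The block also shows the spec's existing physicalLocation.contextRegion (a wider region that may carry its own snippet) beside the proposal, and a redact_context helper that strips the surrounding source from a log before it is shared outside the team that is allowed to see the code, which is the leakage question raised in the comment above.

```python
"""Added example: build a SARIF 2.1.0 result whose snippet carries `text`
plus the `context` property proposed in this issue.

`context` inside region.snippet, the tool name "example-sast" and the sample
source below are assumptions for illustration; `context` is not in the
published SARIF 2.1.0 schema. `contextRegion` is the spec's existing way to
carry surrounding lines and is filled in alongside for comparison.
"""
import ast
import copy
import json

# Constructed sample file; a scanner flags the subprocess call on line 6.
SAMPLE_SOURCE = '''import subprocess

def run_report(user_input):
    # BAD: shell=True with untrusted input
    cmd = "report --name " + user_input
    return subprocess.run(cmd, shell=True)

def main():
    run_report(input())
'''


def enclosing_function(source, line):
    """(start, end) 1-based lines of the innermost def containing `line`,
    or None when the line sits at module level."""
    best = None
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if node.lineno <= line <= node.end_lineno:
                if best is None or node.end_lineno - node.lineno < best[1] - best[0]:
                    best = (node.lineno, node.end_lineno)
    return best


def lines_slice(source, start, end):
    """Lines start..end inclusive, 1-based, newlines preserved."""
    return "".join(source.splitlines(keepends=True)[start - 1:end])


def make_snippet(source, start_line, end_line, fallback_window=3):
    """Snippet object: `text` is the flagged region, `context` the enclosing
    function body, or +/- fallback_window lines when outside any def."""
    span = enclosing_function(source, start_line)
    if span is None:
        total = len(source.splitlines())
        span = (max(1, start_line - fallback_window),
                min(total, end_line + fallback_window))
    snippet = {
        "text": lines_slice(source, start_line, end_line),
        "context": lines_slice(source, *span),  # proposed property (assumption)
    }
    return snippet, span


def make_result(uri, source, start_line, end_line, rule_id, message):
    snippet, (ctx_start, ctx_end) = make_snippet(source, start_line, end_line)
    return {
        "ruleId": rule_id,
        "level": "error",
        "message": {"text": message},
        "locations": [{
            "physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": start_line, "endLine": end_line,
                           "snippet": snippet},
                # Standard SARIF 2.1.0 alternative: wider region with its own snippet.
                "contextRegion": {"startLine": ctx_start, "endLine": ctx_end,
                                  "snippet": {"text": snippet["context"]}},
            }
        }],
    }


def build_log(results):
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "example-sast"}},
                      "results": results}]}


def redact_context(log):
    """Copy of the log with surrounding source removed from every location,
    for sharing with parties who may not see the code. The flagged `text`
    itself is kept so the finding stays readable."""
    log = copy.deepcopy(log)
    for run in log.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                phys.get("region", {}).get("snippet", {}).pop("context", None)
                phys.get("contextRegion", {}).pop("snippet", None)
    return log


if __name__ == "__main__":
    res = make_result("src/report.py", SAMPLE_SOURCE, 6, 6,
                      "PY-SUBPROCESS-SHELL", "subprocess.run called with shell=True")
    print(json.dumps(build_log([res]), indent=2))
    print(json.dumps(redact_context(build_log([res])), indent=2))
```

Populating context with the whole enclosing function gives a triage reviewer, or a model used for triage, the scope the issue asks for, but it also copies that much more source into every log, so a pipeline that uploads SARIF to a shared dashboard or a third-party service should run the equivalent of redact_context first unless the source itself is already visible to the recipient.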
