fix(#15): Fix invalid SARIF content if container-scan returns no vulnerabilities

This sets the 'runs.results' field to an empty array in the resulting SARIF
if container scan returned no vulnerabilities or best practices violations,
instead of setting such field to 'null'.
Otherwise, the SARIF report is considered as invalid by the 'upload-sarif'
GitHub Action.

Author: rm3l

pkg/converter/converter.go

@@ -38,6 +38,10 @@ func NewSarifReportFromContainerScanReport(containerScanReport containerscan.Rep
 	containerImageNameToPathUri := toPathUri(containerScanReport.ImageName)
 	var rulesMap = map[string]sarif.RunToolDriverRule{}
 	var partialFingerPrintsMap = map[string]string{}
+
+	nbVulns := len(containerScanReport.Vulnerabilities)
+	nbPracticesViolations := len(containerScanReport.BestPracticeViolations)
+	sarifReportRun.Results = make([]sarif.RunResult, 0, nbVulns+nbPracticesViolations)
 	//Trivy Vulnerabilities
 	for _, vulnerability := range containerScanReport.Vulnerabilities {
 		var level string
@@ -161,6 +165,7 @@ func NewSarifReportFromContainerScanReport(containerScanReport containerscan.Rep
 		}
 		sarifReportRun.Results = append(sarifReportRun.Results, sarifRunResult)
 	}
+
 	sarifReportRun.Tool.Driver = sarifReportRunDriver
 	rules := make([]sarif.RunToolDriverRule, 0, len(rulesMap))
 	for _, rule := range rulesMap {