Conversation

Akindotcome

This PR improves the SARIF formatter with the following changes:

  • Added partialFingerprints (primaryLocationLineHash) for stable deduplication across runs/refactors.
  • Included CWE tags and Bandit test IDs in tags for better rule categorization.
  • Set precision based on Bandit’s confidence levels (HIGH/MEDIUM/LOW → high/medium/low).
  • Ensured absolute Windows paths are preserved in artifactLocation.uri to match test expectations.
  • Added raw original_path property for clarity and debugging.

~ All unit tests in tests/unit/formatters/ pass.
~ Functional tests are unchanged by this PR.

This should make Bandit’s SARIF output more compliant and interoperable with tools that consume SARIF logs.

Closes #646
Related to #737

@Akindotcome
Author

Hi, I am still hoping my PR gets reviewed

@Akindotcome
Author

@sigmavirus24 , @ericwb , @lukehinds
Hi - friendly ping on this SARIF improvement PR.

It adds partialFingerprints, tags/precision, preserves Windows absolute paths, and the unit tests in tests/unit/formatters/ pass.

Could one of you kindly review when you have a moment?

Thanks

@Akindotcome Akindotcome force-pushed the feature/sarif-cwe-fingerprints branch from 15e97ad to 87da4ed Compare September 29, 2025 20:44
Member

@sigmavirus24 sigmavirus24 left a comment

There's a lot of particularly bad LLM slop here. I was promised they were good at writing python because of how much python was out there. I feel lied to.

@Akindotcome
Author

@sigmavirus24, @ericwb
Thank you for the thorough reviews and feedback. I appreciate the time and detail from everyone.

I’ll address the points you raised (docstring/reST fixes, variable naming consistency, removing the empty except, simplifying confidence/CWE handling, and trimming unnecessary comments) and push the updates as soon as I have made the corrections. I’ll be available to iterate further if anything else comes up.

@gpotter2
Sorry for the misunderstanding here, I am only trying to contribute to meaningful open source projects and grow knowledge-wise as well. Thank you

Akindotcome and others added 2 commits October 5, 2025 17:46
…empty except; simplify CWE/precision mapping; trim comments; keep SARIF output unchanged
@Akindotcome
Author

Updates:

  • Docstring: Converted to valid reStructuredText with pycon usage and truncated json example. Removed ineffective noqa.
  • Naming: Renamed iss -> issue in add_results() to minimize diffs.
  • Exceptions: Removed empty except; only add issue.fname when present.
  • Simplifications: _precision_from_confidence() uses a direct mapping; CWE extraction via issue_dict.get("issue_cwe", {}).get("id").
  • Comments/docstrings: Trimmed redundant comments; tightened helper docstrings.
  • Behavior: SARIF structure unchanged (rules/properties/partialFingerprints). to_uri() preserves absolute Windows paths.

Validation:

  • tests/unit/formatters/test_sarif.py passes locally. Other Windows-local failures are unrelated to this formatter PR and out of scope; CI on Linux/macOS should be unaffected.
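The pieces listed in the PR description and in the update above (partialFingerprints with a primaryLocationLineHash, CWE and Bandit test-id tags on rules, precision from Bandit confidence, to_uri keeping absolute Windows paths, a location and original_path only when a filename exists) assembled into a minimal SARIF 2.1.0 log. This is an added example and is not Bandit's sarif formatter or the PR's own code. The issue-dict field names, the helper names, the file:/// form chosen for absolute URIs, the tag naming, and the simplified line hash are all assumptions made for the example:

```python
"""Build a minimal SARIF 2.1.0 log from Bandit-style issue dicts (added example)."""
import hashlib
import json
import re
import urllib.parse

# Constructed sample issues. The field names follow what Bandit's Issue.as_dict()
# is assumed to emit (test_id, issue_confidence, issue_cwe, filename, line_number,
# code); the values themselves are invented for this example.
SAMPLE_ISSUES = [
    {
        "test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true",
        "issue_severity": "HIGH", "issue_confidence": "HIGH", "issue_cwe": {"id": 78},
        "issue_text": "subprocess call with shell=True identified, security issue.",
        "filename": "C:\\src\\app\\run.py", "line_number": 12,
        "code": "11 cmd = build_cmd(user)\n12     subprocess.Popen(cmd, shell=True)\n",
    },
    {
        "test_id": "B101", "test_name": "assert_used",
        "issue_severity": "LOW", "issue_confidence": "HIGH", "issue_cwe": {"id": 703},
        "issue_text": "Use of assert detected.",
        "filename": "src/app/util.py", "line_number": 3, "code": "3 assert x\n",
    },
]

CONFIDENCE_TO_PRECISION = {"HIGH": "high", "MEDIUM": "medium", "LOW": "low"}
SEVERITY_TO_LEVEL = {"HIGH": "error", "MEDIUM": "warning", "LOW": "note"}


def precision_from_confidence(confidence):
    """Direct mapping of Bandit confidence to SARIF precision; None (omit) if unknown."""
    return CONFIDENCE_TO_PRECISION.get(str(confidence).upper())


def cwe_id(issue):
    """CWE id from the nested issue_cwe dict, or None when Bandit recorded none."""
    return (issue.get("issue_cwe") or {}).get("id")


def to_uri(path):
    """Absolute POSIX or Windows drive paths become file:/// URIs instead of being
    flattened into relative ones; relative paths keep their shape with '/' separators.
    The file:/// form is this example's choice, not necessarily the PR's."""
    if re.match(r"^[A-Za-z]:[\\/]", path):
        return "file:///" + urllib.parse.quote(path.replace("\\", "/"), safe="/:")
    if path.startswith("/"):
        return "file://" + urllib.parse.quote(path, safe="/")
    return urllib.parse.quote(path.replace("\\", "/"), safe="/")


def primary_location_line_hash(code_snippet, line_number):
    """Hash the flagged line's content with all whitespace removed, so the value
    survives re-indentation and line shifts. Simplified stand-in: GitHub's documented
    primaryLocationLineHash hashes a window of neighbouring lines instead."""
    flagged = ""
    for raw in (code_snippet or "").splitlines():
        m = re.match(r"^\s*(\d+)\s?(.*)$", raw)  # Bandit prefixes each line with its number
        if m and int(m.group(1)) == line_number:
            flagged = m.group(2)
            break
    return hashlib.sha256(re.sub(r"\s+", "", flagged).encode("utf-8")).hexdigest()


def build_sarif(issues):
    """Assemble rules (tags, precision) and results (fingerprints, locations) into one run."""
    rules, results = {}, []
    for issue in issues:
        rule_id = issue["test_id"]
        rule = rules.setdefault(rule_id, {
            "id": rule_id, "name": issue.get("test_name", rule_id),
            "shortDescription": {"text": issue["issue_text"]},
            "properties": {"tags": ["security", f"bandit/{rule_id}"]},
        })
        cwe = cwe_id(issue)
        if cwe is not None and f"external/cwe/cwe-{cwe}" not in rule["properties"]["tags"]:
            rule["properties"]["tags"].append(f"external/cwe/cwe-{cwe}")
        precision = precision_from_confidence(issue.get("issue_confidence"))
        if precision:
            rule["properties"]["precision"] = precision
        result = {
            "ruleId": rule_id,
            "level": SEVERITY_TO_LEVEL.get(str(issue.get("issue_severity")).upper(), "warning"),
            "message": {"text": issue["issue_text"]},
            "partialFingerprints": {"primaryLocationLineHash":
                                    primary_location_line_hash(issue.get("code"), issue["line_number"])},
        }
        if issue.get("filename"):  # no empty except: emit a location only when a path exists
            result["locations"] = [{"physicalLocation": {
                "artifactLocation": {"uri": to_uri(issue["filename"])},
                "region": {"startLine": issue["line_number"]}}}]
            result["properties"] = {"original_path": issue["filename"]}
        results.append(result)
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "Bandit", "rules": list(rules.values())}},
                      "results": results}]}


def to_json(issues):
    return json.dumps(build_sarif(issues), indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE_ISSUES))
```

Precision lives on the rule rather than on each result because consumers such as code-scanning dashboards read rule.properties.precision; Bandit's confidence is per test, so the last issue seen for a rule wins. The fingerprint deliberately ignores the line number, which is the property that makes deduplication across refactors work; a hash that included line_number would churn on every insertion above the finding.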

Member

@sigmavirus24 sigmavirus24 left a comment

There is still a lot wrong here.

Co-authored-by: Ian Stapleton Cordasco <[email protected]>
Member

@sigmavirus24 sigmavirus24 left a comment

Import modules not classes or functions

import typing as t

@Akindotcome
Author

@sigmavirus24
Hi, I am still hoping my PR gets reviewed

Development

Successfully merging this pull request may close these issues.

Support for the SARIF (Static Analysis Results Interchange Format)

4 participants