fix: remove duplicate rules from SARIF output

[danskmt]

Description

Deduplicates SARIF rules by problem ID in UFM output to fix duplicate rule entries. When multiple findings share the same problem ID (e.g., two generic-api-key secrets found in different files), the SARIF output previously emitted one rule per finding, producing duplicate rule IDs in the rules array. Per the SARIF v2.1.0 spec, rule IDs must be unique within the rules array.

The fix adds a deduplicateIssuesByProblemID template function that filters the issues list to one entry per unique problem ID (first-wins) for the rules loop only. The results loop is unchanged — all findings still appear as individual results referencing their shared rule.

Relevant ticket: CLI-1344

Checklist

• Tests added and all succeed (make test)
• Regenerated mocks, etc. (make generate)
• Linted (make lint)
• Test your changes work for the CLI
  1. Clone / pull the latest CLI main.
  2. Run go get github.com/snyk/go-application-framework@YOUR_LATEST_GAF_COMMIT in the cliv2 directory.
     • Tip: for local testing, you can uncomment the line near the bottom of the CLI's go.mod to point to your local GAF code.
  3. Run go mod tidy in the cliv2 directory.
  4. Run the CLI tests and do any required manual testing.
  5. Open a PR in the CLI repo now with the go.mod and go.sum changes.
  • Once this PR is merged, repeat these steps, but pointing to the latest GAF commit on main and update your CLI PR.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Regression in Rule ID Fallback 🟠 [major] The PR removes the logic that falls back to issue.GetID() if issue.GetProblemID() is empty. In the new template code, ruleId is set directly to the problem ID. If a finding lacks a problem ID (which occurs for certain scan types or custom rules), it will result in a result with an empty ruleId string. This breaks the SARIF contract which requires ruleId to be a non-empty string referencing an entry in the rules array. {{- $problemID := $issue.GetProblemID }} { "id": {{ getQuotedString $problemID }}, Filtering of Issues without ProblemID 🟠 [major] The deduplicateIssues function explicitly checks if field != "" before adding an issue to the result. Because the template now calls this function with "problemID", any finding that does not have a defined problemID will be entirely omitted from the SARIF rules array. This causes a schema violation where the results array contains findings referencing a ruleId that does not exist in the rules array. if field != "" && !seen[field] { seen[field] = true result = append(result, issue) }

📚 Repository Context Analyzed This review considered 13 relevant code sections from 10 files (average relevance: 0.92) pkg/utils/sarif/sarif.go (lines 1-248) pkg/local_workflows/local_models/transform.go (lines 1-250) pkg/local_workflows/output_workflow/ufm_tools.go (lines 1-151) pkg/utils/ufm/json_test_result.go (2 segments, lines 1-213) internal/presenters/components.go (lines 1-293) internal/ufm_helpers/remediation.go (lines 1-297) pkg/app/app.go (lines 1-234) ... and 3 more file(s)