KICS will generate SARIF reports that are invalid according to the SARIF specification. In particular, this part of the specification:

> 3.30.5 startLine property
> When a region object represents a text region specified by line/column properties, it SHALL contain a property named startLine whose value is a positive integer equal to the line number of the line containing the first character in the region.
Expected Behavior
kics should not output an invalid SARIF report that violates the SARIF specification.
Actual Behavior
KICS will generate SARIF reports where startLine: -1 is set.
As an example, here is the invalid output line:

```json
{
  "ruleId": "fd54f200-402c-4333-a5a4-36ef6709af2f",
  "ruleIndex": 1,
  "kind": "fail",
  "message": {
    "text": "The 'Dockerfile' does not contain any 'USER' instruction"
  },
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": "enterprise/src/docker/company_directory/Dockerfile"
        },
        "region": {
          "startLine": -1
        }
      }
    }
  ]
},
```
When running the generated SARIF report through the GitHub SARIF uploader, validation errors like this will be reported:
Error details: instance.runs[0].results[1].locations[0].physicalLocation.region.startLine must have a minimum value of 1

```json
{
  "property": "instance.runs[0].results[1].locations[0].physicalLocation.region.startLine",
  "message": "must have a minimum value of 1",
  "schema": {
    "description": "The line number of the first character in the region.",
    "type": "integer",
    "minimum": 1
  },
  "instance": -1,
  "name": "minimum",
  "argument": 1,
  "stack": "instance.runs[0].results[1].locations[0].physicalLocation.region.startLine must have a minimum value of 1"
}
```
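The GitHub uploader rejects the whole file because of one region, so it helps to catch the violation before upload. The following script is an added example, not KICS code and not the uploader's own validator: it walks a SARIF document, reports every `region.startLine` that is not a positive integer (the SARIF 2.1.0 §3.30.5 rule quoted above), and can scrub those regions so the finding is kept at file level. It assumes that `region` is optional inside `physicalLocation`, so removing it leaves a valid location that refers to the whole artifact; the sample report is constructed for the example and only mirrors the shape of the output shown in this issue.

```python
"""Find and scrub SARIF regions whose startLine violates SARIF 2.1.0 §3.30.5.
Added example for this issue; not part of KICS or of GitHub's uploader."""
import copy
import json

# Constructed sample report shaped like the issue's output (not real KICS output).
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-scanner"}},
    "results": [
      {
        "ruleId": "rule-a",
        "message": {"text": "finding with a valid line"},
        "locations": [{"physicalLocation": {
          "artifactLocation": {"uri": "src/app/Dockerfile"},
          "region": {"startLine": 12}}}]
      },
      {
        "ruleId": "rule-b",
        "message": {"text": "file-level finding emitted with startLine -1"},
        "locations": [{"physicalLocation": {
          "artifactLocation": {"uri": "src/app/Dockerfile"},
          "region": {"startLine": -1}}}]
      }
    ]
  }]
}
""")


def _bad_start_line(region):
    """True when region carries a startLine that is not a positive integer.
    bool is excluded because it is an int subclass in Python."""
    if region is None or "startLine" not in region:
        return False
    start = region["startLine"]
    return not isinstance(start, int) or isinstance(start, bool) or start < 1


def find_invalid_regions(sarif):
    """Return JSON-path-like strings for every offending startLine, in document order."""
    bad = []
    for r_i, run in enumerate(sarif.get("runs", [])):
        for res_i, result in enumerate(run.get("results", [])):
            for loc_i, loc in enumerate(result.get("locations", [])):
                region = loc.get("physicalLocation", {}).get("region")
                if _bad_start_line(region):
                    bad.append(f"runs[{r_i}].results[{res_i}].locations[{loc_i}]"
                               ".physicalLocation.region.startLine")
    return bad


def scrub_invalid_regions(sarif):
    """Return a deep copy in which offending regions are dropped.
    Assumption: region is optional in physicalLocation, so the location then
    refers to the whole artifact and the finding itself is preserved."""
    fixed = copy.deepcopy(sarif)
    for run in fixed.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                if _bad_start_line(phys.get("region")):
                    del phys["region"]
    return fixed


if __name__ == "__main__":
    for path in find_invalid_regions(SAMPLE_SARIF):
        print("invalid:", path)
    print(json.dumps(scrub_invalid_regions(SAMPLE_SARIF), indent=2))
```

Run it against a real report by replacing `SAMPLE_SARIF` with `json.load(open(path))`; the reported paths match the `instance.runs[...]` form the uploader prints, so the two can be compared directly. Scrubbing is a workaround for the upload step only; the underlying fix still belongs in the producer, which should omit `region` rather than emit `-1` when no line is known.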
Specifications
(N/A if not applicable)
Version: 1.3
Platform: GitHub Actions