cbom reporting contextRegion line numbers, instead of specific line number (from region)

[mtcolman]

In the cbom.json, instead of reporting the specifc line of the finding, I get multiple lines:

"detectionContext": [
    {
        "additionalContext": "from hashlib import md5",
        "filePath": "sqli/dao/dummy.py",
        "lineNumbers": [
            1,
            2,
            3
        ]
    },

My output.sarif file gives two sections of detail on the finding: region and contextRegion. region gives the precise line(s) and this would be more useful in the cbom (in my opinion).

"detectionContext": [
    {
        "additionalContext": "from hashlib import md5",
        "filePath": "sqli/dao/dummy.py",
        "lineNumbers": [
            1
        ]
    },

Have created #5 with code update for this.

[emilejq]

This really is by design. Using a single line number would lose information that provides important additional context about the crypto asset, such as modes and padding schemes for algorithms, key sizes, cryptographic operations and just generally the wider context in which the asset is used.

It's quite easy for someone to find an exact line in the wider code snippet using the additional information that is provided. In the case of algorithms for instance, the specific algorithm is still given in the variant field, so it's quite easy for someone to pinpoint the precise location whilst still benefitting from having the additional context of the code either side of it