Feature: add line number to Pinned-Dependencies detail reporting

[laurentsimon]

add a line number to the Pinned-Dependencies, Token-Permissions checks.
Today the details contain the line content only, e.g.:
Warn: insecure (unpinned) download detected in .github/workflows/pylint-presubmit.yml: 'python -m pip install --upgrade pip'

We may want to add a line number as well.

[ristomcgehee]

I'll take this issue since I have some time now to work on scorecard now that I've settled in from my move. I'd like to have an easier issue to get back into the swing of things.

[laurentsimon]

Thank you!

FYI I'm working on adding SARIF support for scorecard, and for this I need to make some code update to support more structured data in details (line, filename, etc).
ETA for the required update is ~10 days. You can start working on the PR for sure in the meantime, you'll just need to change the call to Warn when I land my update.

[laurentsimon]

@chrismcgehee assigned issue to you, thanks again for taking this issue!

[laurentsimon]

@chrismcgehee this issue is important for the v4 (~EOY) release. Do you have cycles this quarter?
I've finished the SARIF support and you can try it using #1074 (comment)

[laurentsimon]

@chrismcgehee what's left to be done for this? Sorry, I've not kept up with all the commits :-)
It'd be awesome to have this ready for v4, just let us know if help is needed. v4 is a planned for release in Jan - flexible on the dates
Do you know if other checks need updates as well?

[ristomcgehee]

@chrismcgehee what's left to be done for this?

I'm just about ready to submit a PR that will add numbers for more places. The line numbers for anything in shell code is going to be tricky because of the way we pass shell code throughout the program. I'd be open to having help for that part.

Do you know if other checks need updates as well?

I believe Pinned Dependencies and Token Permissions are all that need updating. Asra already added proper line numbering for Dangerous Workflow.

[laurentsimon]

@chrismcgehee what's left to be done for this?

I'm just about ready to submit a PR that will add numbers for more places. The line numbers for anything in shell code is going to be tricky because of the way we pass shell code throughout the program. I'd be open to having help for that part.

sg. Let us know how we should help. I think you can start by adding the line numbers to entry functions and try to propagate them to callees? Then ask for help when things get tricky? Or would you like to proceed differently?

Do you know if other checks need updates as well?

I believe Pinned Dependencies and Token Permissions are all that need updating. Asra already added proper line numbering for Dangerous Workflow.

cc @asraa

[ristomcgehee]

LGTM. Nice work, Laurent!