[Sarif] Add a "fixes" section to the Sarif output #21

@TaylorHo

Description

The current Sarif export doesn't have a "fixes" section in the results (e.g. upgrading a package or changing its version). We can add this section using the structure below (with not-so-important parts omitted):

```json
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "audit-export"
        }
      },
      "results": [
        {
          "ruleId": "Prototype Pollution in Ajv",
          "fixes": [
            {
              "description": {
                "text": "Update ajv to version 8.1.2 or later."
              },
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "https://www.npmjs.com/package/ajv/v/8.1.2"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "snippet": {
                          "text": "8.1.1"
                        }
                      },
                      "insertedContent": {
                        "text": "8.1.2"
                      }
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}
```
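The following JavaScript is an added example and not code from the audit-export project or from the issue author. It builds the proposed `fixes` entry for a "bump the package version" remedy. It goes one step beyond the issue's structure: when the dependency is declared in `package.json`, the change targets that file with a locatable region (1-based `startLine`/`startColumn`/`endColumn`), which is what a SARIF consumer that applies fixes needs; when it is not (a transitive dependency), it falls back to the registry-URL form shown above, where only the snippet identifies the text to replace. The advisory record shape, the `package.json` text, the `level` value and the `%SRCROOT%` base id are assumptions made for the example, not npm audit's real output.

```javascript
// Added example, not code from the audit-export project: emit the SARIF 2.1.0
// "fixes" entry proposed in the issue for a "bump the package version" remedy.
// The advisory records and the package.json text below are constructed for
// this example; they are not npm audit's real output format.

const PACKAGE_JSON = [
  '{',
  '  "name": "demo-app",',
  '  "dependencies": {',
  '    "ajv": "8.1.1",',
  '    "lodash": "4.17.20"',
  '  }',
  '}',
].join('\n');

// Constructed advisories (record shape assumed for the example).
const ADVISORIES = [
  { ruleId: 'Prototype Pollution in Ajv', name: 'ajv', vulnerableVersion: '8.1.1', fixedVersion: '8.1.2' },
];

// Find the declared version of `pkg` in package.json and return it as a SARIF
// region. SARIF lines and columns are 1-based; endColumn is the column of the
// character *after* the region, so the region covers [startColumn, endColumn).
function locateDependencyVersion(packageJsonText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`"${escaped}"\\s*:\\s*"([^"]*)"`);
  const lines = packageJsonText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const m = re.exec(lines[i]);
    if (!m) continue;
    // m[0] ends with the closing quote, so the version starts one quote back.
    const versionStart = m.index + m[0].length - m[1].length - 1; // 0-based offset
    return {
      startLine: i + 1,
      startColumn: versionStart + 1,
      endColumn: versionStart + 1 + m[1].length,
      snippet: { text: m[1] },
    };
  }
  return null; // e.g. a transitive dependency not declared in package.json
}

// Build one fix. The located form replaces whatever range is declared
// (e.g. "^8.1.1") with the exact fixed version; the fallback form mirrors
// the structure proposed in the issue.
function buildVersionFix(advisory, packageJsonText) {
  const { name, vulnerableVersion, fixedVersion } = advisory;
  let artifactLocation = { uri: `https://www.npmjs.com/package/${name}/v/${fixedVersion}` };
  let deletedRegion = { snippet: { text: vulnerableVersion } };
  const region = packageJsonText === undefined ? null : locateDependencyVersion(packageJsonText, name);
  if (region) {
    // '%SRCROOT%' as the base id for the scanned repository root is a common
    // convention; treated as an assumption here.
    artifactLocation = { uri: 'package.json', uriBaseId: '%SRCROOT%' };
    deletedRegion = region;
  }
  return {
    description: { text: `Update ${name} to version ${fixedVersion} or later.` },
    artifactChanges: [
      {
        artifactLocation,
        replacements: [{ deletedRegion, insertedContent: { text: fixedVersion } }],
      },
    ],
  };
}

// Assemble a complete SARIF log with one result per advisory.
function buildSarif(advisories, packageJsonText) {
  return {
    version: '2.1.0',
    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
    runs: [
      {
        tool: { driver: { name: 'audit-export' } },
        results: advisories.map((a) => ({
          ruleId: a.ruleId,
          level: 'warning', // assumed severity mapping for the example
          message: { text: `${a.name}@${a.vulnerableVersion} is affected; fixed in ${a.fixedVersion}.` },
          fixes: [buildVersionFix(a, packageJsonText)],
        })),
      },
    ],
  };
}

console.log(JSON.stringify(buildSarif(ADVISORIES, PACKAGE_JSON), null, 2));
```

Calling `buildVersionFix(advisory)` without a `package.json` text, or for a package that is not declared in it, yields exactly the registry-URL shape from the issue; passing the file text yields a `package.json`-targeted region that a consumer can apply directly.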
Labels: enhancement (New feature or request)