fix: Set a default artifact location URI value

layer4/evaluation_log.go

@@ -7,6 +7,8 @@ import (
 	"github.com/ossf/gemara/layer2"
 )
 
+var emptyArtifactURIMessage = "no file associated with this alert"
+
 // ToSARIF converts the evaluation results into a SARIF document (v2.1.0).
 // Each AssessmentLog is emitted as a SARIF result. The rule id is derived from
 // the control id and requirement id.
@@ -104,13 +106,13 @@ func (e EvaluationLog) ToSARIF(artifactURI string, catalog *layer2.Catalog) ([]b
 			}
 
 			var physicalLocation *PhysicalLocation
-			if artifactURI != "" {
-				physicalLocation = &PhysicalLocation{
-					ArtifactLocation: ArtifactLocation{
-						URI: artifactURI,
-					},
-					// Region left nil - no line/column data available
-				}
+			if artifactURI == "" {
+				artifactURI = emptyArtifactURIMessage
+			}
+			physicalLocation = &PhysicalLocation{
+				ArtifactLocation: ArtifactLocation{
+					URI: artifactURI,
+				},
 			}
 
 			// Use the last AssessmentStep for LogicalLocation (the location is for the entire evaluation)