Add missing package information for Sarif report #2267

Closed
@GeorgeLS

What would you like to be added:
I would like to have package information in the Sarif report.

Why is this needed:
If this information is present, then someone can correlate known vulnerabilities with packages they are using.

Additional context:
I've already opened a PR (#2254) to try and implement that feature.

Labels: enhancement (New feature or request)

Status: Done
