In sarif: how to get the vulnerable package without parsing free text?

[northdpole]

Hey, thanks for creating osv-scanner it looks great!
I'm trying to extract the vulnerable package name and version as either a purl or just text so that i can point the user to file and line that needs changing.

I'm using sarif as output, can you please tell me how to do this?

[another-rex]

If you want to get the package name and versions in a machine readable format, please use the --format=json output format.