The issue here is Veracode is falsely reporting an error. Your format string specifies two arguments and you supplied two arguments so it is incorrect.
I hope you see that your arguments will be an empty string since cs was never set to anything. As an experiment, try this :
PCTSTR arg = "report name";
const int bufferSize = 1023;
char buffer[ bufferSize+1 ] = { 0 };
sprintf_s( buffer, bufferSize, format_string, arg, arg );
Sometimes tools can get confused by casts so this approach has no casts.