Security report provides Scanner version, not Analyzer version

Problem to solve

The current schema contains a scanner object which has a version property. Like the other properties of that object, this looks like it is supposed to be the version of the underlying scanner.

Proposal

  1. Confirm that scanner.version is supposed to contain the version of the Scanner, not the Analyzer's version.

    => YES

  2. Come up with a proposal to add the analyzer version to the report to help with debugging.

    => To be discussed in #235393 (closed)

  3. Think about edge cases like the Container Scanning analyzer, klar, which actually depends on 2 external tools (klar and clair) (might be a follow-up).

    => Use the most significant scanner for now. Discuss the possibility of extending the format in #235390

Edited by Olivier Gonzalez