Allow configuration of spotbugs effort level

Problem to solve

We do not currently offer an option to configure the SAST spotbugs analyzer's effort value. Exposing this configuration lets customers reduce computation cost and potentially avoid out-of-memory (OOM) failures on large projects.

From the SpotBugs command-line documentation, -effort[:min|less|default|more|max] sets the analysis effort level:

  • -effort:min disables several analyses that increase precision but also increase memory consumption. You may want to try this option if you find that SpotBugs with -effort:less still runs out of memory, or takes an unusually long time to complete its analysis.
  • -effort:less disables some analyses that increase precision but also increase memory consumption. You may want to try this option if you find that SpotBugs with -effort:more / -effort:default runs out of memory, or takes an unusually long time to complete its analysis.
  • -effort:more runs several analyses to find bugs; this is the same as -effort:default.
  • -effort:max enables analyses which increase precision and find more bugs, but which may require more memory and take more time to complete.

See Effort.

Proposal

  • Update analyze.go to accept ENV for modifying default behavior of effort
  • Update SAST docs to describe new variable
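As an added example (not the analyzer's own analyze.go, whose internals this issue does not show), the sketch below reads the SAST_SCANNER_ALLOWED_CLI_OPTS variable named in the implementation plan, accepts only -effort:<level> with a level SpotBugs documents, and refuses anything else. The allowlist check is the security-relevant part: a free-form "extra CLI options" variable must not become a way to inject arbitrary scanner flags. The base SpotBugs flags and the target/classes path are assumptions for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Effort levels SpotBugs documents for -effort[:min|less|default|more|max].
var allowedEffortLevels = map[string]bool{
	"min": true, "less": true, "default": true, "more": true, "max": true,
}

// ParseAllowedCLIOpts validates the space-separated contents of the CI
// variable and returns the SpotBugs arguments it yields. Only -effort:<level>
// with a documented level is accepted; any other token is rejected so the
// variable cannot smuggle arbitrary flags (e.g. -auxclasspath) into the scan.
func ParseAllowedCLIOpts(raw string) ([]string, error) {
	var args []string
	seenEffort := false
	for _, tok := range strings.Fields(raw) {
		if !strings.HasPrefix(tok, "-effort:") {
			return nil, fmt.Errorf("option %q is not allowlisted", tok)
		}
		if seenEffort {
			return nil, fmt.Errorf("-effort given more than once")
		}
		level := strings.TrimPrefix(tok, "-effort:")
		if !allowedEffortLevels[level] {
			return nil, fmt.Errorf("unsupported effort level %q (want min|less|default|more|max)", level)
		}
		seenEffort = true
		args = append(args, "-effort:"+level)
	}
	return args, nil
}

// BuildSpotBugsArgs assembles the argument vector for one scan. The base
// flags here are an assumption for this example; the real analyzer's command
// line may differ. With an empty variable no -effort flag is passed, so
// SpotBugs keeps its built-in default effort.
func BuildSpotBugsArgs(allowedOpts, target string) ([]string, error) {
	extra, err := ParseAllowedCLIOpts(allowedOpts)
	if err != nil {
		return nil, err
	}
	args := []string{"spotbugs", "-textui", "-xml:withMessages"}
	args = append(args, extra...)
	return append(args, target), nil
}

func main() {
	// Read the variable the implementation plan names; the target path is a
	// placeholder for the compiled classes the analyzer would scan.
	args, err := BuildSpotBugsArgs(os.Getenv("SAST_SCANNER_ALLOWED_CLI_OPTS"), "target/classes")
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to run SpotBugs:", err)
		os.Exit(1)
	}
	fmt.Println(strings.Join(args, " "))
}
```

In a pipeline the user would set the variable in .gitlab-ci.yml (for example SAST_SCANNER_ALLOWED_CLI_OPTS: "-effort:min" for a project that hits OOM); the parser above fails the job with a clear message rather than silently ignoring a typo such as -effort:minimum, and it rejects a second token outright instead of forwarding it to the scanner.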

Implementation Plan

We will accept the effort input for Spotbugs via the SAST_SCANNER_ALLOWED_CLI_OPTS CI variable. Here's the implementation checklist:

Edited by Vishwa Bhat