Vulnerability report should use relative links if ANALYZER_TARGET_DIR is set

Problem to solve

When a user sets the ANALYZER_TARGET_DIR variable, the vulnerability report details the location of a file relative to the directory that variable defines. This in turn causes the vulnerability page in the UI to generate a link to the file/line that is incorrect, resulting in a "file does not exist" error.

This is an example project that can be forked. With the ANALYZER_TARGET_DIR set to subdir, the gl-sast-report.json file shows the problem file location as this:

...
      "location": {
        "file": "subtest.go",
...

The vulnerability page then incorrectly populates the link to this file in the UI as /namespace/go-test/-/blob/{commit_sha}/subtest.go#L14 rather than /namespace/go-test/-/blob/{commit_sha}/subdir/subtest.go#L14, resulting in a "file does not exist" message for the user.

This example project isn't really a valid example of why someone would need to define this variable, but it is sometimes needed for users with a specific project layout (e.g. a go.mod file in a separate directory).

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

User experience goal

The user should be able to use the link from the UI to take them to a specific file/line from the vulnerability page when ANALYZER_TARGET_DIR is defined.

Proposal

If ANALYZER_TARGET_DIR is defined, the report should detail the location of the file relative to the repository root directory instead of its location relative to the directory defined in the variable.

In the above example project, the ANALYZER_TARGET_DIR variable is set to subdir. The file location is reported as subtest.go, but it should be reported as subdir/subtest.go in order for the UI links to work.
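A post-processing step that applies the proposed mapping to a report, added here as an example and not GitLab's own code. It assumes the gl-sast-report.json layout shown above (a vulnerabilities array whose entries carry location.file) and that ANALYZER_TARGET_DIR is given relative to the repository root; it also handles the edge cases a CI job would meet (trailing slashes, "./" prefixes, "." or unset, paths already repo-relative).

```python
import json
import os
from posixpath import join, normpath
from typing import Optional


def repo_relative_path(file_path: str, target_dir: Optional[str]) -> str:
    """Map a path the analyzer reported relative to ANALYZER_TARGET_DIR
    onto a path relative to the repository root.

    Assumption: target_dir is itself relative to the repository root.
    The mapping is idempotent, so a report that is already repo-relative
    passes through unchanged.
    """
    if not target_dir:
        return file_path
    prefix = normpath(target_dir)  # "./subdir/" -> "subdir"
    if prefix == "." or prefix.startswith("/"):
        # "." is the repo root already; an absolute target dir cannot be
        # mapped without knowing where the repository root lives.
        return file_path
    if file_path.startswith("/") or file_path == prefix or file_path.startswith(prefix + "/"):
        return file_path
    return normpath(join(prefix, file_path))


def rewrite_report(report: dict, target_dir: Optional[str]) -> dict:
    """Rewrite every vulnerability's location.file in a loaded gl-sast-report.json."""
    for vuln in report.get("vulnerabilities", []):
        loc = vuln.get("location")
        if loc and "file" in loc:
            loc["file"] = repo_relative_path(loc["file"], target_dir)
    return report


if __name__ == "__main__":
    # Constructed sample mirroring the report fragment quoted in this issue.
    sample = {"vulnerabilities": [{"location": {"file": "subtest.go", "start_line": 14}}]}
    fixed = rewrite_report(sample, os.environ.get("ANALYZER_TARGET_DIR", "subdir"))
    print(json.dumps(fixed, indent=2))  # location.file becomes "subdir/subtest.go"
```

Run it in a job after the analyzer with the report loaded via json.load and written back, so the UI links point at subdir/subtest.go.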

Permissions and Security

  • expected impact to Developer (30) members
  • expected impact to Maintainer (40) members
  • expected impact to Owner (50) members

Documentation

Update the relevant variable documentation:

Availability & Testing

TBD

Available Tier

  • Ultimate/Gold

What does success look like, and how can we measure that?

Users can use the links to relevant files/lines from the vulnerabilities page when ANALYZER_TARGET_DIR is set.

What is the type of buyer?

Ultimate customers.

Links / references

Discovered via support case: https://gitlab.zendesk.com/agent/tickets/197666 (internal use)