improve data available for troubleshooting purposes
Release notes
Problem to solve
Proposal
extracted from #331936 (comment 601024270)
A given version of an analyzer should point to a specific git tag in the corresponding repository. That tag gives a specific point in time, which lets us know the exact state of the analyzer and, "most of the time", the version of the underlying scanner being used. But "most of the time" doesn't mean it always works this way.
For instance, our retire.js analyzer at version 2.11.3 matches this git tag: https://gitlab.com/gitlab-org/security-products/analyzers/retire.js/-/blob/v2.11.3. From there we can see that the version of Retire.js used is 2.2.4. In this specific case, it also means that the "definitions" version is the same, as this scanner bundles the definitions: https://github.com/RetireJS/retire.js/tree/2.2.4/repository.
However, this can be handled differently in some situations (e.g. an offline environment, or any time a custom advisory DB is provided using the *ADVISORY_DB* env variables), so it might indeed be interesting to state this clearly at runtime.
Another example: with the gemnasium analyzer, we fetch the advisory DB at runtime, so the version of the definitions is never directly tied to the version of the analyzer itself.
Things might become even trickier when leveraging rules customization like what SAST offers. This will have per-project specifics which might be difficult to trace. At least, if it comes down to a config file stored in the project repository, I assume the SAST analyzer could also advertise this and point to the corresponding file.
Have the analyzer output what it knows about its component versions (engine, DB, rules, custom configs, etc.) in the job log output, at the beginning of the execution. This makes the information available somewhere right now instead of waiting for an update to the JSON schema structure, which might take much more time.
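As an added illustration (not code from any GitLab analyzer), here is the shape such a startup report could take in Go, using the retire.js 2.11.3 figures from this issue; the env variable names ADVISORY_DB_URL and SAST_RULESET_PATH are hypothetical, chosen only to show how a runtime-injected DB or a per-project ruleset overrides the bundled values.

```go
package main

import (
	"fmt"
	"os"
)

// Component is one versioned part of an analyzer plus where that version came from.
type Component struct {
	Name, Value, Source string
}
// ComponentReport builds the provenance lines to emit at the start of the job.
// Values are the retire.js 2.11.3 figures from the issue; ADVISORY_DB_URL and
// SAST_RULESET_PATH are hypothetical names for this example. fileExists is injected.
func ComponentReport(env map[string]string, fileExists func(string) bool) []Component {
	report := []Component{
		{"analyzer", "v2.11.3", "build"},
		{"scanner", "retire.js 2.2.4", "bundled"},
	}
	// Definitions ship with the scanner unless a custom DB is injected at runtime
	// (offline setups); then the bundled ref says nothing about what actually ran.
	if u := env["ADVISORY_DB_URL"]; u != "" {
		report = append(report, Component{"advisory-db", u, "env:ADVISORY_DB_URL"})
	} else {
		report = append(report, Component{"advisory-db", "2.2.4", "bundled"})
	}
	// Per-project rule customisation: name the file actually used, or say none.
	if p := env["SAST_RULESET_PATH"]; p != "" && fileExists(p) {
		report = append(report, Component{"rules", p, "project-config"})
	} else {
		report = append(report, Component{"rules", "default", "bundled"})
	}
	return report
}

// FormatLine renders one component as a stable key=value line for the job log.
func FormatLine(c Component) string {
	return fmt.Sprintf("[component] %s=%s source=%s", c.Name, c.Value, c.Source)
}

func main() {
	env := map[string]string{
		"ADVISORY_DB_URL":   os.Getenv("ADVISORY_DB_URL"),
		"SAST_RULESET_PATH": os.Getenv("SAST_RULESET_PATH"),
	}
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	for _, c := range ComponentReport(env, exists) {
		fmt.Println(FormatLine(c))
	}
}
```

Each line carries a source field so a troubleshooter can tell at a glance whether a version came from the build, the bundled scanner, an environment override or a project file.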
Documentation
Maybe in troubleshooting?
Availability & Testing
Would this be easy to test?
Is this a cross-stage feature?
Yes, within Secure and maybe Protect.