Allow scanner to accept an arbitrary value for a project's location
Problem to solve
The scanner package under gemnasium sets a location for each discovered project when generating a Dependency Scanning report. The location is then set in the DS report and linked when viewing the report in the UI.
This is difficult to do today when choosing to link an arbitrary file (e.g. need to create a fake File struct) and impossible to do for directories.
It currently prevents sbt projects with multiple sub-projects from linking to the sub-project directory which is specified in the parent.
Proposal
Add a way for project to accept a location from the caller, e.g.: project.SetLocation("./proj1") which will be linked in the DS report.
Further details
Here is an example project: https://gitlab.com/gitlab-org/security-products/tests/scala-sbt-multiproject
Sub-projects proj1 and proj2 are only specified in ./build.sbt and are rooted at ./proj1 and ./proj2. The correct links in the Dependency Scanning report for dependencies ought to be to ./scala-sbt-multiproject/proj1/ and ./scala-sbt-multiproject/proj2/.
But because of the constraints of the scanner package in gemnasium the location must be specified as a file and even if linking an arbitrary file you have to read the internals of scanner to figure this out.
You have to know that you need to produce linkable file for your project type that is also of type FileTypeGraphExport. This is done so that scanner chooses an alternative file of FileTypeRequirements: https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/master/scanner/scanner.go#L110