Audit SAST analyzers to ensure they are 14.0.x schema compatible

Proposal

We need to ensure all SAST analyzers are emitting 14.0+ schemas which face deprecation within &6968 (closed)

16 projects

• https://gitlab.com/gitlab-org/security-products/analyzers/bandit | #350814 (comment 835025215)
• https://gitlab.com/gitlab-org/security-products/analyzers/brakeman | #350814 (comment 835025397)
• https://gitlab.com/gitlab-org/security-products/analyzers/eslint | #350814 (comment 835025447)
• https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder | #350814 (comment 835025769)
• https://gitlab.com/gitlab-org/security-products/analyzers/gosec | #350814 (comment 835025796)
• https://gitlab.com/gitlab-org/security-products/analyzers/kics | #350814 (comment 835025837)
• https://gitlab.com/gitlab-org/security-products/analyzers/kubesec | #350814 (comment 835025873)
• https://gitlab.com/gitlab-org/security-products/analyzers/mobsf | #350814 (comment 836540926)
• https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan | #350814 (comment 835025908)
• https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit | #350814 (comment 836531611)
• https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex | #350814 (comment 835025964)
• https://gitlab.com/gitlab-org/security-products/analyzers/secrets | #350814 (comment 835025995)
• https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan | #350814 (comment 835026024)
• https://gitlab.com/gitlab-org/security-products/analyzers/semgrep | #350814 (comment 835026039)
• https://gitlab.com/gitlab-org/security-products/analyzers/sobelow | #350814 (comment 835026073)
• https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs | #350814 (comment 835026097)

Plan

The go report dependency is responsible for creating reports for our analyzers. report@v2.0.0 used schema version 3.0.0 while report@v2.1.0 uses schema version 14.0.0. Therefore, we need to double check the following for each project:

• Analyzer uses report dependency version 2.1.0 or newer.
• Analyzer uses the report dependency to create the report (it used to be the common dep)

I will create a comment below for each analyzer as I check them off with a link to the comment in this description.