Add support for Security Report Schema 15-0-0 to report library

Proposal

Update the report Go library so that the Secure analyzers like Gemnasium can generate reports that validate version 15-0-0 of the Security Report Schemas.

To validate Security Report Schemas 15-0-0, it should be possible to generate a report that doesn't have these fields:

.vulnerabilities[].cve
.vulnerabilities[].scanner
.vulnerabilities[].category
.remediations[].fixes[].cve

Learn more about 15-0-0 in Build and release next MODEL (aka major) versio... (#339812 - closed).

See #364828 (comment 1029513483)

Further details

Version 15-0-0 of the Security Report Schemas is being implemented in gitlab-org/security-products/security-report-schemas!100 (merged).

Version 15-0-0 removes fields from .vulnerabilities[] and .remediations[], but today these fields can't be omitted when generating reports using the report library. See https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/v3.12.2/vulnerability_test.go#L296

Vulnerability.Scanner needs to be a pointer so that it can be omitted. This is a breaking change for the analyzer projects using the report library.

Implementation plan

  • Share with groupstatic analysis since the analyzers they maintain also use the report library. This can be done in this issue, in the MR, and on Slack.
  • Change Vulnerability.Scanner to a pointer, and set omitempty
  • Set omitempty for Vulnerability.Category
  • Set omitempty for Vulnerability.CompareKey
  • Set omitempty for Ref.CompareKey
  • Release new minor version of report. This is a transition version, and the major version doesn't change.

/cc @gonzoyumo @theoretick

Edited by Fabien Catteau