Add support for Security Report Schema 15-0-0 to report library
Proposal
Update the report Go library so that the Secure analyzers like Gemnasium can generate reports that validate version 15-0-0 of the Security Report Schemas.
To validate Security Report Schemas 15-0-0, it should be possible to generate a report that doesn't have these fields:
.vulnerabilities[].cve
.vulnerabilities[].scanner
.vulnerabilities[].category
.remediations[].fixes[].cve
Learn more about 15-0-0 in Build and release next MODEL (aka major) versio... (#339812 - closed).
See #364828 (comment 1029513483)
Further details
Version 15-0-0 of the Security Report Schemas is being implemented in gitlab-org/security-products/security-report-schemas!100 (merged).
Version 15-0-0 removes fields from .vulnerabilities[] and .remediations[], but today these fields can't be omitted when generating reports using the report library. See https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/v3.12.2/vulnerability_test.go#L296
Vulnerability.Scanner needs to be a pointer so that it can be omitted. This is a breaking change for the analyzer projects using the report library.
Implementation plan
- Share with groupstatic analysis since the analyzers they maintain also use the
reportlibrary. This can be done in this issue, in the MR, and on Slack. - Change
Vulnerability.Scannerto a pointer, and setomitempty - Set
omitemptyforVulnerability.Category - Set
omitemptyforVulnerability.CompareKey - Set
omitemptyforRef.CompareKey - Release new minor version of
report. This is a transition version, and the major version doesn't change.