Expand Advanced Vulnerability Tracking to SAST analyzers/languages where it is currently unavailable
Problem
Advanced vulnerability tracking (AVT, for purposes of this issue) supports a subset of analyzers and a subset of languages within those analyzers.
This means that people who use other languages are inconvenienced by findings that are confusingly labeled "Resolved" when code moves, only to be presented with a corresponding "New" finding in the same MR.
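To make the failure mode concrete, here is a constructed illustration (added for this issue, not the tracking-calculator's own code) of why a file:line identity produces the "Resolved" plus "New" churn when unrelated lines are inserted above a finding, and why a scope-relative signature does not. The function names, the toy `func NAME(` header detection and the sample source are all assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// lineFingerprint: naive identity hash(file:line). Code inserted above the
// flagged statement changes it, so the MR shows "Resolved" plus a "New" finding.
func lineFingerprint(file string, line int) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s:%d", file, line)))
	return hex.EncodeToString(sum[:])
}

// scopeFingerprint: simplified scope-aware identity hash(file:func:offset from
// the func header), stable across edits outside the enclosing function. The
// scope "parser" is a toy that only knows Go "func NAME(" headers.
func scopeFingerprint(file string, line int, src string) (string, error) {
	lines := strings.Split(src, "\n")
	if line < 1 || line > len(lines) {
		return "", fmt.Errorf("line %d out of range", line)
	}
	for i := line - 1; i >= 0; i-- { // walk upward to the nearest func header
		t := strings.TrimSpace(lines[i])
		if strings.HasPrefix(t, "func ") {
			name := strings.SplitN(strings.TrimPrefix(t, "func "), "(", 2)[0]
			key := fmt.Sprintf("%s:%s:%d", file, name, line-1-i)
			sum := sha256.Sum256([]byte(key))
			return hex.EncodeToString(sum[:]), nil
		}
	}
	return "", fmt.Errorf("line %d has no enclosing function", line)
}

// Constructed sample: the same function before and after two unrelated lines
// are added above it, shifting the flagged statement from line 3 to line 5.
const srcBefore = "func handler(w http.ResponseWriter, r *http.Request) {\n" +
	"\tq := r.URL.Query().Get(\"q\")\n" +
	"\tlog.Printf(q) // flagged: non-constant format string\n" +
	"}\n"
const srcAfter = "import \"log\"\n\n" + srcBefore

func main() {
	fmt.Println("line-based changed:", lineFingerprint("main.go", 3) != lineFingerprint("main.go", 5))
	sb, _ := scopeFingerprint("main.go", 3, srcBefore)
	sa, _ := scopeFingerprint("main.go", 5, srcAfter)
	fmt.Println("scope-based stable:", sb == sa)
}
```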
Proposal
Roll out AVT support to analyzers that are:
- Currently supported in Tracking-Calculator, like C#...
- But that don't yet use the AVT logic.
If these languages are actually already supported without additional code or config changes, then we should add this to the supported languages list in the AVT docs section.
Discussion topics:
- Rollout #373921 (comment 1339819882)
- Language support #373921 (comment 1339820812)
- Integration into other analyzers #373921 (comment 1339821613)
Implementation Plan:
Add tracking calculator to:
- brakeman (already installed)
- flawfinder: gitlab-org/security-products/analyzers/flawfinder!105 (merged)
- nodejs-scan: gitlab-org/security-products/analyzers/nodejs-scan!144 (merged)
- mobsf: gitlab-org/security-products/analyzers/mobsf!86 (merged)
- spotbugs: gitlab-org/security-products/analyzers/spotbugs!177 (merged)
- kics: gitlab-org/security-products/analyzers/kics!82 (closed), see #373921 (comment 1502201775)
Ensure tracking calculator is up to date:
- gitlab-org/security-products/analyzers/flawfinder!109 (merged)
- gitlab-org/security-products/analyzers/brakeman!137 (merged)
Update documentation:
- https://docs.gitlab.com/ee/user/application_security/sast/#advanced-vulnerability-tracking - !128953 (merged)
- Add spotbugs to documentation - !130005 (merged)