Add support for Security Report Schema v15 to report library

Proposal

Update the report Go library so that Secure analyzers such as Gemnasium can generate reports that validate against version 15-0-0 of the Security Report Schemas.

To validate against Security Report Schemas 15-0-0, it must be possible to generate a report that omits these fields:

.vulnerabilities[].cve
.vulnerabilities[].scanner
.vulnerabilities[].category
.remediations[].fixes[].cve

Learn more about 15-0-0 in Build and release next MODEL (aka major) versio... (#339812 - closed).

See #364828 (comment 1029513483)

Further details

Version 15-0-0 of the Security Report Schemas is being implemented in gitlab-org/security-products/security-report-schemas!100 (merged).

Version 15-0-0 removes fields from .vulnerabilities[] and .remediations[], but today these fields cannot be omitted when generating reports with the report library. See https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/v3.12.2/vulnerability_test.go#L296

Vulnerability.Scanner needs to be a pointer so that it can be omitted (omitempty has no effect on a struct value, only on a nil pointer). This is a breaking change for the analyzer projects using the report library.

Gemnasium

The gemnasium analyzers have code specific to schema version 15. To avoid removing code that has already been added, the analyzer will use both v3 and v4 of the module. See this MR for more information.

Implementation plan

  • Create a new v4 branch for the report analyzer and update its module path to gitlab.com/gitlab-org/security-products/analyzers/report/v4.
  • Ensure that the v4 branch is protected.
  • Share with group::static analysis, since the analyzers they maintain also use the report library. This can be done in this issue, in the MR, and on Slack.
  • Option A:
    • Change Vulnerability.Scanner to a pointer, and set omitempty
    • Set omitempty for Vulnerability.Category
    • Set omitempty for Vulnerability.CompareKey
    • Set omitempty for Ref.CompareKey
  • Option B:
    • Conditionally select the fields to marshal using a tool like sheriff
  • Release a new major version of report with a pre-release tag, since omitting fields is considered a breaking change.
  • Update the .gitlab-ci.yml so that it releases a new pre-release version as long as v4.0.0 or higher has not been released.
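The following is an added illustration of why Option A needs Vulnerability.Scanner to become a pointer, as noted under Further details and in the plan above; it is not code from the report library, and the Scanner and Vulnerability struct shapes are assumed stand-ins. encoding/json never treats a struct value as "empty", so omitempty on a value-typed Scanner still emits a zero-valued object, whereas a nil pointer is dropped.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Scanner stands in for the report library's scanner type; the shape is assumed.
type Scanner struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

// VulnerabilityV3 mirrors today's layout: Scanner is a value, so omitempty
// has no effect because encoding/json never treats a struct as empty.
type VulnerabilityV3 struct {
	ID       string  `json:"id"`
	Category string  `json:"category,omitempty"`
	Scanner  Scanner `json:"scanner,omitempty"`
}

// VulnerabilityV4 is Option A: Scanner becomes a pointer, so a nil pointer is
// dropped by omitempty, and Category is omittable when empty.
type VulnerabilityV4 struct {
	ID       string   `json:"id"`
	Category string   `json:"category,omitempty"`
	Scanner  *Scanner `json:"scanner,omitempty"`
}

// MarshalV3 encodes a v3 vulnerability with neither scanner nor category set.
func MarshalV3() string {
	b, _ := json.Marshal(VulnerabilityV3{ID: "vuln-1"})
	return string(b)
}

// MarshalV4 encodes the same vulnerability using the v4 layout.
func MarshalV4() string {
	b, _ := json.Marshal(VulnerabilityV4{ID: "vuln-1"})
	return string(b)
}

func main() {
	// v3 still carries "scanner":{"id":"","name":""}; v4 omits it entirely.
	fmt.Println("v3:", MarshalV3())
	fmt.Println("v4:", MarshalV4())
}
```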

/cc @brytannia @theoretick

Edited by Oscar Tovar