Modifications to SBOM reports with static reachability data

Background

As part of the Static Reachability feature, after each package from the Advanced SAST results has been matched to a package in the Dependency Scanning (DS) analyzer, the analyzer needs to mark that package as imported and/or in use.

Implementation Plan

  1. Add a new Properties field to the cyclonedx.Component struct.

    This Properties field corresponds to CycloneDX components[].properties and contains an array of Property objects with string fields Name and Value.

  2. Add the new Properties field to the sbom.component with the following Name and Value:

    • Name: reachability
    • Value: one of
      • not_available: The default value, indicating the package is neither imported nor in use.
      • in_use: Indicates the package is both imported and in use.

    Note: the above Name and Value fields were implemented in Add reachability attribute to Gemnasium depende... (gitlab-org/security-products/analyzers/gemnasium!835 - merged) • Joey Khabie • 17.3. However, we later decided to make the following changes:

    1. Change Name from reachability to gitlab:dependency_scanning_component:reachability.
    2. Change Value from not_available to unknown.
    3. Remove in_use option from Value.

    This was implemented in a follow-up issue: Add namespace to Gemnasium CycloneDX reachabili... (#482442 - closed) • Joey Khabie • 17.4

  3. Add unit tests for the above changes.

Example

The old version:

[
  {
    "name": "MarkupSafe",
    "version": "2.1.5",
    "purl": "pkg:pypi/MarkupSafe@2.1.5",
    "type": "library",
    "bom-ref": "pkg:pypi/MarkupSafe@2.1.5"
  },

New version:

[
  {
    "name": "MarkupSafe",
    "version": "2.1.5",
    "purl": "pkg:pypi/MarkupSafe@2.1.5",
    "type": "library",
    "bom-ref": "pkg:pypi/MarkupSafe@2.1.5",
    "properties": [
      {
        "name": "reachability",
        "value": "not_available"
      }
    ]
  },
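The following is an added illustration, not code from the gemnasium analyzer: a minimal stand-in for cyclonedx.Component with the new Properties field, plus a helper that writes the reachability property using the namespaced name and default value decided in the follow-up issue. The struct, the helper names and the sample component are assumptions for the example; the real analyzer's types may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Property mirrors a CycloneDX components[].properties[] entry: a name/value string pair.
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// Component is a reduced stand-in (assumed for this example) for cyclonedx.Component,
// carrying only the fields shown in the report excerpt plus the new Properties field.
type Component struct {
	Name       string     `json:"name"`
	Version    string     `json:"version"`
	PURL       string     `json:"purl"`
	Type       string     `json:"type"`
	BOMRef     string     `json:"bom-ref"`
	Properties []Property `json:"properties,omitempty"`
}

const (
	ReachabilityName    = "gitlab:dependency_scanning_component:reachability" // namespaced name from the follow-up
	ReachabilityUnknown = "unknown"                                           // default value from the follow-up
)

// SetReachability records the reachability value, overwriting an existing entry
// so that annotating a component twice never yields duplicate properties.
func SetReachability(c *Component, value string) {
	for i := range c.Properties {
		if c.Properties[i].Name == ReachabilityName {
			c.Properties[i].Value = value
			return
		}
	}
	c.Properties = append(c.Properties, Property{Name: ReachabilityName, Value: value})
}

// Reachability reads the recorded value, treating a report written before this
// change (no such property) as "unknown".
func Reachability(c Component) string {
	for _, p := range c.Properties {
		if p.Name == ReachabilityName {
			return p.Value
		}
	}
	return ReachabilityUnknown
}

func main() {
	// Constructed sample mirroring the MarkupSafe component in the report excerpt above.
	c := Component{Name: "MarkupSafe", Version: "2.1.5", PURL: "pkg:pypi/MarkupSafe@2.1.5", Type: "library", BOMRef: "pkg:pypi/MarkupSafe@2.1.5"}
	SetReachability(&c, ReachabilityUnknown)
	out, _ := json.MarshalIndent(c, "", "  ")
	fmt.Println(string(out))
}
```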

cc- @or-gal

Edited by Adam Cohen