
Static Reachability feature using new analyzer instead of Gemnasium

Background

At present, to infer whether a package is reachable or not, we utilize both GitLab Advanced SAST (GLAS) and Gemnasium to evaluate dependencies and determine whether they are reachable. Gemnasium has been instrumental in providing this information, but with its deprecation planned for version 17.9, we need to transition fully to the new dependency scanning analyzer. This new analyzer is intended to replace Gemnasium.

Open Questions:

To make the new dependency scanning analyzer match Gemnasium’s functionality, we need to determine:

  1. Configuration Changes: What settings are needed for equivalent reachability detection?
  2. Enrichment Adjustments: Do we need to modify enrichment code to handle new output fields?
  3. Testing: How can we validate that dependency data remains consistent and accurate?

These steps will help us ensure a smooth transition to the new analyzer without loss of functionality.

Implementation Plan

  • Update sca-to-sarif-matcher so that it can handle a DS report without the gitlab:dependency_scanning_component:reachability attribute.
  • Release a new version of sca-to-sarif-matcher.
  • Make sure the latest version is used by the DS.latest/SAST.latest template (whichever is being used).
  • Update Gemnasium by removing the gitlab:dependency_scanning_component:reachability attribute.
  • Verify that it works with both Gemnasium and the DS analyzer.
Edited by Nick Ilieskou