Update Dependency-Scanning.latest.gitlab-ci.yml CI template to replace Gemnasium jobs with the new DS analyzer
Why are we doing this work
As part of the migration to the new DS analyzer, we must "disable" the Gemnasium CI jobs that build the project in order to export its list of dependencies.
To avoid breaking customers' CI pipelines outright, we should follow a gradual removal process rather than immediately removing the job definitions, as we have already done in the past, e.g. when removing the License Scanning job.
We should also consider the impact of the change and keep an opportunity to quickly revert it if necessary.
Relevant links
Non-functional requirements
-
Documentation: -
Feature flag: -
Performance: -
Testing:
Implementation plan
- Don't try to use the CI/CD component (see details in this thread).
- Remove the `CI_GITLAB_FIPS_MODE` handling. There is a single image for both FIPS and non-FIPS modes for the new DS analyzer.
- Introduce a new CI/CD variable `DS_ENFORCE_NEW_ANALYZER` with its default value set to `false`.
- Run gemnasium-maven on the same conditions as today, unless `DS_ENFORCE_NEW_ANALYZER` is set to `true`.
- Run gemnasium-python on the same conditions as today, unless `DS_ENFORCE_NEW_ANALYZER` is set to `true`.
- Run gemnasium (main) on the same conditions as today, unless `DS_ENFORCE_NEW_ANALYZER` is set to `true`.
- Run the DS analyzer:
  - if `DS_ENFORCE_NEW_ANALYZER` is set to `true`;
  - OR if the repository contains any file that is only supported by the new DS analyzer, but make sure not to scan anything already supported by the gemnasium analyzers, using `DS_EXCLUDED_PATHS`.
See Adjust rollout strategy for the new DS analyzer... (#517653 - closed) for further discussions on the rollout strategy.
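The following sketch shows how the rules above could be expressed in the `latest` template. It is an added illustration, not the actual template from the GitLab repository or a proposed diff: the `dependency-scanning` job name, the image references, the `exists:` patterns and the `DS_EXCLUDED_PATHS` value are assumptions chosen for the example, while `DS_ENFORCE_NEW_ANALYZER`, `DS_EXCLUDED_PATHS`, `CI_GITLAB_FIPS_MODE` and the gemnasium job names come from the plan and the existing template.

```yaml
# Added illustration of the rollout rules, not the real template.
# Assumed for the example: the `dependency-scanning` job name, image paths,
# and the `exists:` globs. The FIPS image-suffix switch keyed on
# $CI_GITLAB_FIPS_MODE is intentionally absent: the new analyzer ships a
# single image for FIPS and non-FIPS runners.
variables:
  SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
  # New rollout switch from the plan; legacy jobs keep running while it is "false".
  DS_ENFORCE_NEW_ANALYZER: "false"
  # Paths the new analyzer must skip so it does not double-scan what gemnasium covers
  # (illustrative value; the real list depends on the project).
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"

.ds-analyzer:
  stage: test
  allow_failure: true
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json

# Legacy job: unchanged conditions, except that it steps aside once the
# new analyzer is enforced. Same pattern applies to gemnasium-python and gemnasium.
gemnasium-maven-dependency_scanning:
  extends: .ds-analyzer
  image: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:5"   # assumed tag
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED == 'true' || $DEPENDENCY_SCANNING_DISABLED == '1'
      when: never
    - if: $DS_ENFORCE_NEW_ANALYZER == "true"            # gradual removal: opt-in first
      when: never
    - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bdependency_scanning\b/
      exists:
        - '**/pom.xml'
        - '**/build.gradle'
        - '**/build.gradle.kts'

# New analyzer: runs when enforced, or when the repo has a file only it supports.
dependency-scanning:
  extends: .ds-analyzer
  image: "$SECURE_ANALYZERS_PREFIX/dependency-scanning:0"   # assumed name and tag
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED == 'true' || $DEPENDENCY_SCANNING_DISABLED == '1'
      when: never
    - if: $DS_ENFORCE_NEW_ANALYZER == "true"
    - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bdependency_scanning\b/
      exists:
        - '**/example-only.lock'   # hypothetical file type handled only by the new analyzer
      variables:
        # Keep gemnasium-covered trees out of this run; DS_EXCLUDED_PATHS is
        # read by the analyzer, so extend it rather than replace it.
        DS_EXCLUDED_PATHS: "$DS_EXCLUDED_PATHS, **/pom.xml, **/build.gradle*"
```

A project can test the new path in a merge request by setting `DS_ENFORCE_NEW_ANALYZER: "true"` in its own `.gitlab-ci.yml` or in the pipeline's CI/CD variables; removing the variable restores the previous behaviour, which is what makes the change cheap to revert.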
Verification steps
Edited by Olivier Gonzalez