Add SARIF 2.1.0 direct upload foundation (parser, enums, schema validator)

Replaced with !227968 (merged) and !227970 (merged)

What does this MR do and why?

Adds the backend foundation for SARIF v2.1.0 CI artifact uploads (as artifacts:reports:sarif).

This MR covers the non-activating foundation: enum registration, schema validation, the parser and location class, and supporting infrastructure.

The parser is intentionally not enabled in the parser registry (ee/lib/ee/gitlab/ci/parsers.rb), so no SARIF findings will be ingested until the follow-up MR adds the registry entry and feature flag.

What's included:

  • sarif Added to Ci::JobArtifact file_type enum, SECURITY_REPORT_FILE_TYPES, Enums::Vulnerability report_types, and Security::Scan scan_type
  • sarif mapped to :sast in LICENSED_PARSER_FEATURES
  • ci_max_artifact_size_sarif column added to plan_limits (DEFAULT 0)
  • artifacts:reports:sarif allowed in CI YAML config, build metadata schema, and CI editor schema
  • Vendored SARIF v2.1.0 JSON schema + SarifSchemaValidator (mirrors CycloneDX pattern)
  • Gitlab::Security::Parsers::Sarif producing Security::Finding objects from SARIF runs[].results[]
  • @scanners registry and add_scanner on Security::Report for multi-run attribution (no-op for all existing parsers)
  • MergeReportsService propagates the scanners registry through report merges (no-op until MR 2)

Key parser design decisions:

  • One Security::Report per SARIF file (not per run)
  • Severity priority: result.rank → security-severity (×10 scale) → result/rule level (error → high, not critical)
  • Primary identifier: sarif-rule-id; secondary: CWE/CVE tags from rule.properties.tags
  • Suppressed results (suppressions all accepted/external) are skipped
  • Parser lives in Gitlab::Security::Parsers namespace (not Gitlab::Ci::Parsers::Security) — avoids rails-backend CODEOWNERS co-ownership
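The severity, identifier and suppression rules above, worked through in an added Ruby example (not the MR's Gitlab::Security::Parsers::Sarif; the rank-to-severity thresholds and the sample document are assumptions):

```ruby
# Added example, not the MR's parser: applies the severity, identifier and suppression
# rules to one parsed SARIF document. Rank-to-severity thresholds are assumed, not from the MR.
module SarifExample
  LEVEL_TO_SEVERITY = { 'error' => 'high', 'warning' => 'medium', 'note' => 'low' }.freeze
  # Assumed thresholds; result.rank and security-severity x10 share a 0-100 scale.
  def self.score_to_severity(score)
    return 'critical' if score >= 90
    return 'high' if score >= 70
    return 'medium' if score >= 40
    score > 0 ? 'low' : 'info'
  end
  # Priority: result.rank -> rule security-severity (x10) -> result/rule level; "error" is high, never critical.
  def self.severity_for(result, rule)
    return score_to_severity(result['rank']) if result['rank']
    sev = rule&.dig('properties', 'security-severity')
    return score_to_severity(sev.to_f * 10) if sev
    level = result['level'] || rule&.dig('defaultConfiguration', 'level') || 'warning'
    LEVEL_TO_SEVERITY.fetch(level, 'unknown')
  end
  # Skip a result whose suppressions are all accepted (SARIF treats a missing status as accepted).
  def self.suppressed?(result)
    sups = result['suppressions']
    sups.is_a?(Array) && !sups.empty? && sups.all? { |s| (s['status'] || 'accepted') == 'accepted' }
  end
  # Primary identifier is the rule id; CWE/CVE tags on the rule become secondary identifiers.
  def self.identifiers_for(result, rule)
    tags = rule&.dig('properties', 'tags') || []
    [{ type: 'sarif-rule-id', value: result['ruleId'] }] +
      tags.grep(/\A(?:CWE|CVE)-\d+\z/i).map { |t| { type: t[0, 3].downcase, value: t.upcase } }
  end
  # One flat list of findings per SARIF document; rules are matched by ruleId only.
  def self.findings(doc)
    doc['runs'].flat_map do |run|
      rules = run.dig('tool', 'driver', 'rules') || []
      run['results'].reject { |r| suppressed?(r) }.map do |r|
        rule = rules.find { |x| x['id'] == r['ruleId'] }
        { rule: r['ruleId'], severity: severity_for(r, rule), identifiers: identifiers_for(r, rule) }
      end
    end
  end
  # Constructed sample: rank beats security-severity, level "error" alone gives high,
  # and the last result is skipped because its only suppression counts as accepted.
  SAMPLE = { 'version' => '2.1.0', 'runs' => [{
    'tool' => { 'driver' => { 'rules' => [
      { 'id' => 'js/xss', 'properties' => { 'security-severity' => '7.5', 'tags' => %w[CWE-79 security] } },
      { 'id' => 'py/sqli', 'defaultConfiguration' => { 'level' => 'error' }, 'properties' => { 'tags' => ['CWE-89'] } }] } },
    'results' => [{ 'ruleId' => 'js/xss' }, { 'ruleId' => 'js/xss', 'rank' => 95.0 }, { 'ruleId' => 'py/sqli' },
                  { 'ruleId' => 'py/sqli', 'suppressions' => [{ 'kind' => 'inSource' }] }] }] }.freeze
end
```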

References

Screenshots or screen recordings

N/A — no user-visible changes in this MR (parser is not registered).

How to set up and validate locally

This MR intentionally produces no user-visible behaviour. Validate it with the specs below, or test the PoC directly with all changes applied.

# Parser unit specs
bundle exec rspec ee/spec/lib/gitlab/security/parsers/sarif_spec.rb

# Schema validator specs
bundle exec rspec ee/spec/lib/gitlab/security/parsers/validators/sarif_schema_validator_spec.rb

# Location class specs
bundle exec rspec ee/spec/lib/gitlab/ci/reports/security/locations/sarif_spec.rb

# Migration
bundle exec rails db:migrate

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Lucas Charles
