Establish a secure versioning convention when bumping underlying analyzer tool versions
Problem to solve
We have unclear conventions on when to use minor vs. patch releases within our security products. It is generally semver, but not entirely, as we are currently pinned to the major version of all of our tools.
Recently this question came up on whether to use a minor or patch bump when updating the underlying Bandit tool for our Python SAST analyzer, and we have no clear agreement on the approach.
Proposal
I propose we stick with a "shift-right" strategy where a minor-or-lower version bump of the underlying tool results in a patch bump of our analyzer. This gives us more flexibility in our own versioning while capturing the updates of the underlying tool.
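As an added illustration of the proposed rule (example code, not part of the original issue or of any analyzer's release tooling), the helper below classifies the change in the underlying tool's version and maps it to the analyzer bump. It assumes plain MAJOR.MINOR.PATCH versions, and because the proposal only covers minor-or-lower changes, a major bump of the underlying tool is flagged for a manual decision rather than mapped automatically; that "manual-review" outcome is an assumption of this example, not something the issue specifies.

```python
"""Added example of the "shift-right" bump rule (not from the original issue)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    patch: int


def parse(v: str) -> Version:
    """Parse a plain MAJOR.MINOR.PATCH string (an optional leading 'v' is tolerated)."""
    parts = v.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {v!r}")
    return Version(*(int(p) for p in parts))


def change_level(old: str, new: str) -> str:
    """Return 'major', 'minor', 'patch' or 'none' for the upgrade old -> new."""
    o, n = parse(old), parse(new)
    if n < o:
        raise ValueError(f"downgrade from {old} to {new} is not a bump")
    if n.major != o.major:
        return "major"
    if n.minor != o.minor:
        return "minor"
    if n.patch != o.patch:
        return "patch"
    return "none"


def analyzer_bump(tool_old: str, tool_new: str) -> str:
    """Shift-right: a minor-or-lower change in the tool becomes a patch bump of the analyzer.

    A major change in the tool is outside the proposal, so it is returned as
    'manual-review' (an assumption of this example) instead of being mapped.
    """
    level = change_level(tool_old, tool_new)
    if level == "none":
        return "none"
    if level == "major":
        return "manual-review"
    return "patch"


def bump(analyzer_version: str, level: str) -> str:
    """Apply a bump level to the analyzer's own version string."""
    v = parse(analyzer_version)
    if level == "major":
        v = Version(v.major + 1, 0, 0)
    elif level == "minor":
        v = Version(v.major, v.minor + 1, 0)
    elif level == "patch":
        v = Version(v.major, v.minor, v.patch + 1)
    elif level != "none":
        raise ValueError(f"cannot apply bump level {level!r}")
    return f"{v.major}.{v.minor}.{v.patch}"


if __name__ == "__main__":
    # Constructed sample: analyzer at 3.2.1, underlying tool moves 1.7.4 -> 1.8.0.
    level = analyzer_bump("1.7.4", "1.8.0")
    print(level, bump("3.2.1", level))
```

Running the script with the constructed sample prints `patch 3.2.2`: the tool's minor bump becomes a patch bump of the analyzer, while a tool upgrade such as `1.7.4 -> 2.0.0` is returned as `manual-review` because the proposal says nothing about major bumps.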