Remove command sub-package from analyzers/common library

Summary

The command sub-package of the common library shared by SAST, Dependency Scanning, and Container Scanning analyzers causes unnecessary complexity and constraints that could be avoided by defining the CLI sub-commands from scratch in the analyzer projects.

Also, we should consider removing the search and convert sub-commands. These commands work but they are not used.

Further details

The command.Config Go struct requires a Match function, a Convert function, and an Analyze function, but these are not always relevant.

The Match function was needed to implement early detection in the Docker-in-Docker (DinD) setup, but this setup is now deprecated. Scanning jobs are now triggered based on the value of CI_REPOSITORY_LANGUAGES, and we can assume they're compatible with the scanned repository.

The Run function analyzes a directory, based on the path returned by the Match function. But in the case of Dependency Scanning, the Analyze function ultimately processes a dependency file, and not a directory. This limitation significantly increases the complexity of gemnasium-maven, gemnasium-python, and others.

The Convert function is not needed for Gemnasium-based analyzers because the analyzer directly generates the expected output, with no need to "convert" any document. See gemnasium, gemnasium-maven, and gemnasium-python.

Oftentimes the behavior of the Match function and the Convert function depends on the CLI flags, but these flags are not propagated to them. Right now the workaround is to read the environment variables inside those functions, which introduces repetition and is not a good design. See gitlab-org/security-products/analyzers/gemnasium-python!33 (diffs) for instance.

We could address these issues by improving the command sub-package, but it's probably not worth it.
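As an added illustration of the two points above (an analyzer that processes a dependency file rather than a directory, and CLI flags passed explicitly instead of being re-read from environment variables), here is a small self-contained Go sketch of an `analyze` sub-command defined from scratch in an analyzer project. It is example code written for this issue, not the code of the common library or of any Gemnasium analyzer; the `Options` struct, the flag names (`--target-dir`, `--dep-file`, `--exclude-paths`), the line-per-dependency file format and the `Report` type are all assumptions made for the example.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Options holds the flags of the hypothetical "analyze" sub-command.
// They are parsed once and handed to the analysis function explicitly,
// so nothing downstream has to re-read environment variables.
type Options struct {
	TargetDir    string   // assumed flag: directory containing the dependency file
	DepFile      string   // assumed flag: dependency file, relative to TargetDir
	ExcludePaths []string // assumed flag: comma-separated paths to skip
}

// parseAnalyzeArgs parses the sub-command's own flags with a dedicated FlagSet,
// so the analyzer project does not depend on a shared command.Config.
func parseAnalyzeArgs(args []string) (Options, error) {
	fs := flag.NewFlagSet("analyze", flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	dir := fs.String("target-dir", ".", "directory containing the dependency file")
	dep := fs.String("dep-file", "", "dependency file to process (required)")
	excl := fs.String("exclude-paths", "", "comma-separated paths to skip")
	if err := fs.Parse(args); err != nil {
		return Options{}, err
	}
	if *dep == "" {
		return Options{}, errors.New("--dep-file is required")
	}
	var ex []string
	if *excl != "" {
		for _, p := range strings.Split(*excl, ",") {
			ex = append(ex, strings.TrimSpace(p))
		}
	}
	return Options{TargetDir: *dir, DepFile: *dep, ExcludePaths: ex}, nil
}

// Report is the assumed output of one analysis run.
type Report struct {
	File         string
	Skipped      bool
	Dependencies []string
}

// analyzeDepFile processes the content of a single dependency file. The
// options come in as a parameter, which is the point: flag-dependent behaviour
// (here, exclusion) needs no global state. The file format is a constructed
// one-dependency-per-line list with '#' comments.
func analyzeDepFile(opts Options, content string) Report {
	rel := filepath.ToSlash(opts.DepFile)
	for _, p := range opts.ExcludePaths {
		if rel == p || strings.HasPrefix(rel, p+"/") {
			return Report{File: rel, Skipped: true}
		}
	}
	var deps []string
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		deps = append(deps, line)
	}
	return Report{File: rel, Dependencies: deps}
}

// runAnalyze reads the dependency file named by the options and analyzes it.
func runAnalyze(opts Options) (Report, error) {
	data, err := os.ReadFile(filepath.Join(opts.TargetDir, opts.DepFile))
	if err != nil {
		return Report{}, err
	}
	return analyzeDepFile(opts, string(data)), nil
}

func main() {
	opts, err := parseAnalyzeArgs(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "analyze:", err)
		os.Exit(2)
	}
	report, err := runAnalyze(opts)
	if err != nil {
		fmt.Fprintln(os.Stderr, "analyze:", err)
		os.Exit(1)
	}
	fmt.Printf("%s skipped=%v dependencies=%d\n", report.File, report.Skipped, len(report.Dependencies))
}
```

Usage would be `go run . analyze --target-dir /src --dep-file requirements.txt --exclude-paths vendor` (sub-command dispatch omitted here; `os.Args[1:]` is parsed directly). Compared with the shared `command.Config` shape described above, there is no Match step and no Convert step: the sub-command receives a file, not a directory, and every flag it parses reaches the analysis function as a value.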

Improvements

Removing the command package would make the analyzer projects more self-contained, and ultimately easier to read.

Risks

There are no integration tests for the search and convert sub-commands of the CLIs. We need integration tests if we decide to keep these.

Involved components

Optional: Intended side effects

Analyzers won't expose the search and convert sub-commands unless those commands provide real value.

Optional: Missing test coverage

See Risks

/cc @gonzoyumo @twoodham @dsearles @ifrenkel @rossfuhrman @theoretick

Edited by Fabien Catteau