
Introduce a new artifact file type called `security_findings`

Why are we doing this work

We will start validating the report artifacts, but we don't want to break the ingestion process for the existing security-related CI jobs. Therefore, we want to introduce a new artifact type called `security_findings` that will be validated in the future.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:
    • When schema doesn't validate, do not ingest the report and fail the job (note: allow_failure defaults to True in security scan jobs so the pipeline itself won't fail)

Implementation plan

  • Introduce a new artifact type called security_findings by adding it to the list of secure related artifacts in EE::Ci::JobArtifact::SECURITY_REPORT_FILE_TYPES

Technical notes

We need to change the design of `EE::Ci::Build#collect_security_reports!`, as it currently relies on the file type of the artifact to determine the report type. That cannot be done for `security_findings` artifacts, because they can contain any report type.

The new artifact type will be declared in `.gitlab-ci.yml` along these lines:

```yaml
my-security-build:
  variables:
    ANALYZER_NAME: spotbugs
    REPORT_NAME: gl-sast-report.json
  script:
    - wget -O "${CI_JOB_NAME}.json" "https://gitlab.com/gitlab-org/security-products/analyzers/${ANALYZER_NAME}/-/raw/master/test/expect/${REPORT_NAME}"
  artifacts:
    reports:
      security_findings: "${CI_JOB_NAME}.json"
```

Important Note: This will break the usage reports, as they currently rely on the file type attribute of the `JobArtifact` entity, but this has already been communicated to @thiagocsf.
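As an added illustration (not GitLab's code), a hypothetical Ruby helper showing the redesign the technical note calls for: the report type is taken from the file type for the dedicated artifact types, but read from the report payload for `security_findings`, and a report that fails validation is rejected instead of ingested. The constant values, the `scan.type` field and the `ingest` helper are assumptions.

```ruby
require 'json'

# Constructed stand-in for EE::Ci::JobArtifact::SECURITY_REPORT_FILE_TYPES
# (hypothetical; the real constant in GitLab EE may differ).
SECURITY_REPORT_FILE_TYPES = %w[sast dast dependency_scanning container_scanning
                                secret_detection security_findings].freeze

# Report types a security_findings artifact is allowed to declare in its payload.
KNOWN_REPORT_TYPES = %w[sast dast dependency_scanning container_scanning
                        secret_detection].freeze

class InvalidSecurityReport < StandardError; end

# Hypothetical helper: for the dedicated file types the report type is the
# file type itself; for security_findings it has to come from the document,
# assumed here to be the `scan.type` field of the JSON report.
def report_type_for(file_type, raw_json)
  unless SECURITY_REPORT_FILE_TYPES.include?(file_type)
    raise InvalidSecurityReport, "not a security report artifact: #{file_type}"
  end
  return file_type unless file_type == 'security_findings'

  doc = JSON.parse(raw_json)
  type = doc.dig('scan', 'type')
  unless KNOWN_REPORT_TYPES.include?(type)
    raise InvalidSecurityReport, "unsupported scan.type #{type.inspect}"
  end
  type
rescue JSON::ParserError => e
  raise InvalidSecurityReport, "report is not valid JSON: #{e.message}"
end

# Mirrors the behaviour the issue asks for: when validation fails the report
# is not ingested and the job is marked failed. Returns [status, report_type].
def ingest(file_type, raw_json)
  [:success, report_type_for(file_type, raw_json)]
rescue InvalidSecurityReport
  [:failed, nil]
end

# Constructed sample payloads: one valid SAST findings report, one declaring
# a scan type that no parser exists for.
SAST_FINDINGS  = JSON.generate('version' => '15.0.0',
                               'scan' => { 'type' => 'sast' },
                               'vulnerabilities' => [])
BOGUS_FINDINGS = JSON.generate('version' => '15.0.0',
                               'scan' => { 'type' => 'made_up' })
```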

Edited by Mehmet Emin INAC