Add support for new SAST report version

This adds support for the new report syntax to SAST. We add support by
wrapping the old simple array in a hash within a `vulnerabilities` key.

ee/app/assets/javascripts/vue_shared/security_reports/store/constants.js

 export const LOADING = 'LOADING';
 export const ERROR = 'ERROR';
 export const SUCCESS = 'SUCCESS';
+
+export const DEPRECATED_SAST_REPORT_VERSION = '1.2';

ee/app/assets/javascripts/vue_shared/security_reports/store/utils.js

@@ -2,6 +2,9 @@ import sha1 from 'sha1';
 import _ from 'underscore';
 import { stripHtml } from '~/lib/utils/text_utility';
 import { n__, s__, sprintf } from '~/locale';
+import {
+  DEPRECATED_SAST_REPORT_VERSION,
+} from 'ee/vue_shared/security_reports/store/constants';
 
 /**
  * Returns the index of an issue in given list
@@ -62,7 +65,7 @@ function fileUrl(location, pathPrefix) {
  * @param {Object} issue
  * @returns {Object}
  */
-function adaptDeprecatedFormat(issue) {
+function adaptDeprecatedIssueFormat(issue) {
   // Skip issue with new format (old format does not have a location property)
   if (issue.location) {
     return issue;
@@ -90,18 +93,37 @@ function adaptDeprecatedFormat(issue) {
   return adapted;
 }
 
+/**
+ *
+ * Wraps old report formats (plain array of vulnerabilities).
+ *
+ * @param {Array|Object} report
+ * @param {String} deprecatedReportVersion
+ * @returns {Object}
+ */
+function adaptDeprecatedReportFormat(report, deprecatedReportVersion) {
+  if (Array.isArray(report)) {
+    return {
+      version: deprecatedReportVersion,
+      vulnerabilities: report,
+    };
+  }
+
+  return report;
+}
+
 /**
  * Parses SAST results into a common format to allow to use the same Vue component.
  *
- * @param {Array} issues
+ * @param {Array|Object} report
  * @param {Array} feedback
  * @param {String} path
  * @returns {Array}
  */
-export const parseSastIssues = (issues = [], feedback = [], path = '') =>
-  issues.map(issue => {
+export const parseSastIssues = (report = [], feedback = [], path = '') =>
+  adaptDeprecatedReportFormat(report, DEPRECATED_SAST_REPORT_VERSION).vulnerabilities.map(issue => {
     const parsed = {
-      ...adaptDeprecatedFormat(issue),
+      ...adaptDeprecatedIssueFormat(issue),
       category: 'sast',
       project_fingerprint: sha1(issue.cve),
       title: issue.message,

ee/spec/javascripts/vue_shared/security_reports/mock_data.js

@@ -113,6 +113,11 @@ export const sastIssues = [
   },
 ];
 
+export const sastIssuesMajor2 = {
+  version: '2.0',
+  vulnerabilities: sastIssues,
+};
+
 export const oldSastIssues = [
   {
     tool: 'bundler_audit',

ee/spec/javascripts/vue_shared/security_reports/store/utils_spec.js

@@ -13,6 +13,7 @@ import {
 import {
   oldSastIssues,
   sastIssues,
+  sastIssuesMajor2,
   sastFeedbacks,
   dependencyScanningIssues,
   dependencyScanningFeedbacks,
@@ -75,6 +76,18 @@ describe('security reports utils', () => {
       expect(parsed.project_fingerprint).toEqual(sha1(sastIssues[0].cve));
     });
 
+    it('should parse the received issues with new JSON format (2.0)', () => {
+      const raw = sastIssues[0];
+      const parsed = parseSastIssues(sastIssuesMajor2, [], 'path')[0];
+
+      expect(parsed.title).toEqual(raw.message);
+      expect(parsed.path).toEqual(raw.location.file);
+      expect(parsed.location.start_line).toEqual(raw.location.start_line);
+      expect(parsed.location.end_line).toEqual(raw.location.end_line);
+      expect(parsed.urlPath).toEqual('path/Gemfile.lock#L5-10');
+      expect(parsed.project_fingerprint).toEqual(sha1(raw.cve));
+    });
+
     it('generate correct path to file when there is no line', () => {
       const parsed = parseSastIssues(sastIssues, [], 'path')[1];