Fix GitLab security report schema compliance + scan alert population

[lelia]

Summary

• Fix GitLab Dependency Scanning report (gl-dependency-scanning-report.json) failing schema validation
• Populate vulnerability data in the report when running full scans (non-diff mode)

Changes

Security report schema fixes

• Changed start_time/end_time from datetime.utcnow().isoformat() + "Z" (includes microseconds) to strftime("%Y-%m-%dT%H:%M:%S") matching the v15.0.0 schema pattern
• Added the required root-level dependency_files array, populated from alert manifest file locations with package manager mapping
• Fixed datetime.utcnow() deprecation warning by switching to datetime.now(timezone.utc)

Full scan alert population

• create_full_scan_with_report_url() now fetches SBOM data and extracts alerts into diff.new_alerts so GitLab/JSON/SARIF output formats have vulnerability data
• Gated behind enable_gitlab_security || enable_json || enable_sarif flags - no performance impact for users not using these output formats

Diff scan alert population

• GitLab report now includes both new_alerts and unchanged_alerts, so repeated scans with no dependency changes still show all known vulnerabilities in the Security Dashboard
• Other output formats (JSON, SARIF, console) are unchanged -- they show only new alerts by default, or new + existing with --strict-blocking

Commit status fix

• --enable-commit-status now counts blocking alerts from both new and unchanged alerts when --strict-blocking is enabled
• Description now distinguishes new vs existing blockers (e.g. "3 blocking alert(s) found (1 new, 2 existing)")

CLI documentation

• Added schema version compatibility note (v15.0.0 targeting, cross-version support)
• Added performance note for full scan alert fetching
• Documented alert population differences between GitLab vs JSON/SARIF output formats
• Documented comment-based ignore behavior for the GitLab Security Dashboard
• Updated troubleshooting for full scan empty vulnerabilities

E2E testing

• Consolidated all e2e CI checks into a single matrix workflow for easier troubleshooting
• Expanded e2e test coverage to include GitLab schema checks and other output forms

Testing steps

• Existing 116 unit tests pass (including 5 new GitLab format tests)
• Validate with PR preview Docker image against a GitLab CI pipeline
• Verify gl-dependency-scanning-report.json passes GitLab schema validation
• Confirm full scan with --enable-gitlab-security produces non-empty vulnerabilities array
• Confirm scan without output flags has no additional API calls (no performance regression)

[github-actions]

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.81.dev9

Docker image: socketdev/cli:pr-182

[David Larsen (dc-larsen)]

Reviewed the full diff — the repeat-scan fix connects cleanly to the existing unchanged_alerts pipeline. All three scenarios (full scan, first diff, repeat diff with no changes) produce the right output.

A few things I verified:

• GitLab report correctly merges new_alerts + unchanged_alerts; JSON/SARIF paths untouched
• _create_packages_dict_without_license_text is a good optimization for the report-only path
• getattr(diff, 'unchanged_alerts', []) handles full scan diffs gracefully
• Commit status description with "1 new, 2 existing" breakdown is a nice touch
• All 15 CI checks pass including the new e2e-gitlab matrix

Will pull the preview image and run a repeat-scan validation against our GitLab test repo to confirm end-to-end.