Update DAST output to include scan details in JSON output

Problem to solve

The Common Report Format schema has recently updated to include a scan object #37123 (closed). DAST should be updated to incorporate this change.

Note that this issue in isolation provides no added value to any user's using Secure products. Adding this field will enable other features to leverage the content it provides. It is expected that this scan object will evolve over time to include other useful information.

Intended users

• Sasha (Software Developer)

Proposal

The DAST project should output a scan object in the normal JSON output, as defined by the JSON schema #37123 (closed). Please make sure to use final proposal provided in the JSON Schemas repo: https://gitlab.com/gitlab-org/security-products/security-report-schemas.

Implementation

• src/report/security_report_formatter.py should be changed to include the new scan.* fields

• Fields should be added in alphabetical order by field name. It is important the report is deterministic so that DAST end to end tests always produce the same result. Alphabetical order is as good as any, and is what is used currently.
• Changes to security_report_formatter should be unit tested
• The end to end test JSON output files should be updated to include the new scan fields
• end_time and start_time should be normalized to __REMOVED__. Date/times should not be compared when comparing test results.
• scan.start_time should be captured by DAST when DAST Python code has started executing.
• scan.end_time should be captured at the time of building the report.
• scan.messages should be an empty array.
• scan.status should always be success.
• scan.type should be dast.
• scan.scanner.id should always be zap_proxy
• scan.scanner.name should always be OWASP Zed Attack Proxy (ZAP)
• scan.scanner.version should always be the version of ZAP. This can be obtained from the ZAP client API library zap.core.version().
• scan.scanner.url should always be https://www.zaproxy.org
• scan.scanned_resources must remain as is after these changes.
• The CHANGELOG should be updated to describe the new output.
• change the schema version to v2.3.3-rc1

References

• security-report-schemas project
• Issue to include scan in the Secure Report Format #37123 (closed)
• MR to merge scan into the Secure Report Format #37120 (closed)