
Add additional fields to issues created via DAST security scanning results

Problem to solve

When an issue is created as a result of a DAST scanning vulnerability finding, we automatically add some information from the finding to the resulting issue:


The issue contains the following fields:

  • Description
  • Solution
  • Identifiers
  • Links
  • Scanner

However, the vulnerability finding contains additional fields that may be useful to users, such as:

  • Method
  • URL
  • Request
  • Actual Response

These fields are currently not shown on the issue.

Proposal

Include the following fields when creating an issue as a result of DAST scanning:

  • Method
  • URL
  • Request
  • Actual Response

These fields should also be included when the issue is created in an external system such as JIRA via our JIRA integration.

We may also provide some customization options to include/exclude fields when issues are created using this mechanism.

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Implementation Plan

Additional fields
  1. Method
  2. URL
  3. Request
  4. Response

Note: These fields are not directly accessible from the Vulnerability object present in the aforementioned templates, because they do not belong to the StandardVulnerability class.

So probably, we'd need to parse the Vulnerability findings data and construct these fields unless already present?

  • Method from vulnerability.location
  • URL from vulnerability.location
  • Request from vulnerability.evidence.request
  • Response from vulnerability.evidence.response
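
As an added example (not GitLab's code), the following shows how the four fields could be assembled from a finding hash in the DAST report shape, reporting evidence that is absent rather than guessing it, and redacting secret-bearing headers before the text can reach the issue or an external tracker. The report layout (location.hostname/method/path, evidence.request/response with a headers array and body) and the SENSITIVE_HEADERS list are assumptions.

```ruby
require 'json'

# Headers that must not be copied into an issue (assumed list; the value
# is replaced before the text can reach an external tracker such as JIRA).
SENSITIVE_HEADERS = %w[authorization cookie set-cookie x-api-key].freeze

def redact_headers(headers)
  Array(headers).map do |h|
    SENSITIVE_HEADERS.include?(h['name'].to_s.downcase) ? h.merge('value' => '[REDACTED]') : h
  end
end

# Render one captured HTTP message (request or response) as text.
def format_message(msg, first_line)
  lines = [first_line]
  redact_headers(msg['headers']).each { |h| lines << "#{h['name']}: #{h['value']}" }
  lines << '' << msg['body'].to_s unless msg['body'].to_s.empty?
  lines.join("\n")
end

# Method/URL come from location, Request/Actual Response from evidence; absent evidence is reported, not guessed.
def dast_issue_fields(finding)
  loc = finding['location'] || {}
  ev  = finding['evidence'] || {}
  req = ev['request']
  res = ev['response']
  missing = '(not present in finding)'
  {
    'Method' => loc['method'] || req&.dig('method') || 'unknown',
    'URL' => req&.dig('url') || [loc['hostname'], loc['path']].compact.join,
    'Request' => req ? format_message(req, "#{req['method']} #{req['url']}") : missing,
    'Actual Response' => res ? format_message(res, "#{res['status_code']} #{res['reason_phrase']}") : missing
  }
end

# Constructed sample in the shape of one GitLab DAST report vulnerability.
SAMPLE_FINDING = JSON.parse(<<~'JSON')
  { "location": { "hostname": "https://app.example.test", "method": "POST", "path": "/login" },
    "evidence": {
      "request":  { "method": "POST", "url": "https://app.example.test/login",
                    "headers": [ { "name": "Cookie", "value": "session=abc123" },
                                 { "name": "Content-Type", "value": "application/x-www-form-urlencoded" } ],
                    "body": "user=alice" },
      "response": { "status_code": 500, "reason_phrase": "Internal Server Error",
                    "headers": [ { "name": "Set-Cookie", "value": "trace=1" } ],
                    "body": "stack trace here" } } }
JSON

dast_issue_fields(SAMPLE_FINDING).each { |k, v| puts "### #{k}\n#{v}\n\n" } if $PROGRAM_NAME == __FILE__
```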

Verification

To verify this without actually creating an issue, the https://gitlab.com/gitlab-org/gitlab/-/issues/new?vulnerability_id=1 endpoint can be used.

Edited by Dheeraj Joshi