
Clarify difference in `name` and `message` fields in JSON common security report format

Problem to solve

The current JSON common report format we use for security reports needs improvements to drive broader adoption, particularly by third-party security vendors looking to integrate. One concrete obstacle is that the `name` and `message` fields of a finding are not clearly distinguished, so an integrator cannot tell from the documentation which data belongs in each.

Intended users

Further details

Proposal

Disambiguate `name` and `message`, and possibly deprecate `name` if it cannot be populated reliably by all scanners.

Permissions and Security

Documentation

Need to update the scanner documentation to reflect the field change and to articulate more clearly what data we expect in each of the fields above.

Testing

What does success look like, and how can we measure that?

New version of the JSON common security report format that includes either a replacement for the `name` field or improved documentation clarifying the difference and purpose of the `name` and `message` fields. Ideally, if `name` is deprecated, new versions of the report will continue to accept it (and either silently ignore it or log a warning) so that existing integrations do not break.

We can have at least one interested security vendor self-serve on our documentation and correctly populate the `name` and `message` fields with the right information. If `name` is deprecated, we can have an existing vendor update their integration to use the new report version successfully.
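As an added example (not code from this issue or from GitLab), the following Python ingester shows the backward-compatible behaviour proposed above: reports at or above an assumed deprecation version must carry `message` and get a logged warning if they still send `name`, while older reports accept either field. The top-level `version` and `vulnerabilities` keys, the 3.0 cut-over version, the sample reports, and the rule that `name` is a short title and `message` a one-line summary are all assumptions made for this example.

```python
import json
import logging

logger = logging.getLogger("security-report-ingest")

# Assumption for this example: "name" is deprecated from this report
# version onwards. Earlier reports may populate either field.
NAME_DEPRECATED_FROM = (3, 0)


def parse_version(version):
    """Convert a "MAJOR.MINOR" version string into a comparable tuple."""
    try:
        major, minor = version.split(".", 1)
        return (int(major), int(minor))
    except (AttributeError, ValueError):
        raise ValueError(f"unparseable report version: {version!r}")


def normalise_finding(finding, version):
    """Return (normalised finding, list of warnings) for one entry.

    Assumed semantics: "name" is a short title of the finding, "message"
    a one-line human-readable summary. From NAME_DEPRECATED_FROM onwards
    only "message" is authoritative; a stray "name" is accepted but
    ignored with a warning, so older integrations keep working.
    """
    name = finding.get("name")
    message = finding.get("message")
    warnings = []

    if version >= NAME_DEPRECATED_FROM:
        if name is not None:
            warnings.append('"name" is deprecated in this report version and was ignored')
        if not message:
            raise ValueError('"message" is required in this report version')
        title = message
    else:
        if not (name or message):
            raise ValueError('finding has neither "name" nor "message"')
        title = name or message

    return {"title": title, "message": message, "id": finding.get("id")}, warnings


def load_report(text):
    """Parse a JSON report; returns (findings, warnings). Warnings are also logged."""
    report = json.loads(text)
    version = parse_version(report.get("version"))
    findings, warnings = [], []
    for index, finding in enumerate(report.get("vulnerabilities", [])):
        normalised, finding_warnings = normalise_finding(finding, version)
        findings.append(normalised)
        warnings.extend(f"vulnerabilities[{index}]: {w}" for w in finding_warnings)
    for warning in warnings:
        logger.warning(warning)
    return findings, warnings


# Constructed sample reports (not real scanner output).
LEGACY_REPORT = json.dumps({
    "version": "2.4",
    "vulnerabilities": [
        {"id": "c1", "name": "Reflected XSS", "message": "Reflected XSS in parameter q"},
        {"id": "c2", "message": "Outdated dependency lodash 4.17.4"},
    ],
})

NEW_REPORT = json.dumps({
    "version": "3.0",
    "vulnerabilities": [
        {"id": "c3", "message": "SQL injection in /api/users?sort="},
    ],
})

NEW_REPORT_WITH_NAME = json.dumps({
    "version": "3.1",
    "vulnerabilities": [
        {"id": "c4", "name": "SQLi", "message": "SQL injection in /api/users?sort="},
    ],
})

NEW_REPORT_MISSING_MESSAGE = json.dumps({
    "version": "3.0",
    "vulnerabilities": [{"id": "c5", "name": "Only a name, no message"}],
})


if __name__ == "__main__":
    for label, text in [("legacy", LEGACY_REPORT), ("new", NEW_REPORT),
                        ("new+name", NEW_REPORT_WITH_NAME)]:
        findings, warnings = load_report(text)
        print(label, [f["title"] for f in findings], warnings)
    try:
        load_report(NEW_REPORT_MISSING_MESSAGE)
    except ValueError as exc:
        print("rejected:", exc)
```

The version gate is what makes the deprecation safe to roll out: a vendor still emitting `name` on the new version gets a warning in the ingest log rather than a failed pipeline, while a report that drops `message` on the new version is rejected outright, since that is the field the documentation would now require.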

What is the type of buyer?

Links / references

Edited by Olivier Gonzalez