Improve consistency of vulnerability name, message in Dependency Scanning

Follow-up for https://gitlab.com/gitlab-org/gitlab-ee/issues/5908

In the Dependency Scanning (DS) reports, message and name both give a short description of the vulnerability (some kind of title) with this distinction:

  • message must include the name of the package.
  • name must be "location free".

If the scanner returns a title that already contains the package name (bundler-audit), then:

  • message is set to the title.
  • name is left empty.

If the scanner returns a title WITHOUT the package name (gemnasium, retire.js), then:

  • message is set to {title} in {package_name}.
  • name is set to the title.

If the scanner returns NO title (retire.js in some cases), then:

  • message is set to Vulnerability in {package_name}.
  • name is left empty.

We assume that the package name is always known.

We may implement these rules in the common library to enforce consistency.
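The three rules above, worked through in Go as an added example (not the common library's code). It assumes the package name is always known, and it decides whether a scanner title "already contains the package name" with a case-insensitive substring check, which the issue does not specify; the sample titles and package name are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Vulnerability holds the two title-like fields of a DS report entry.
type Vulnerability struct {
	Message string // must include the package name
	Name    string // must be "location free" (no package name)
}

// DeriveTitles applies the message/name rules from the issue.
// Assumption: a case-insensitive substring match decides whether the
// scanner title already names the package (the issue leaves this open).
func DeriveTitles(title, packageName string) Vulnerability {
	title = strings.TrimSpace(title)
	switch {
	case title == "":
		// No title: message names the package, name stays empty.
		return Vulnerability{Message: fmt.Sprintf("Vulnerability in %s", packageName)}
	case strings.Contains(strings.ToLower(title), strings.ToLower(packageName)):
		// Title already carries the package name (bundler-audit style):
		// reuse it as message; name stays empty since it is not location free.
		return Vulnerability{Message: title}
	default:
		// Location-free title (gemnasium, retire.js style): name keeps the
		// title, message appends the package name.
		return Vulnerability{
			Message: fmt.Sprintf("%s in %s", title, packageName),
			Name:    title,
		}
	}
}

func main() {
	// Constructed sample inputs covering the three cases.
	for _, c := range []struct{ title, pkg string }{
		{"Regular Expression Denial of Service in example-gem", "example-gem"},
		{"Regular Expression Denial of Service", "example-gem"},
		{"", "example-gem"},
	} {
		v := DeriveTitles(c.title, c.pkg)
		fmt.Printf("message=%q name=%q\n", v.Message, v.Name)
	}
}
```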

Edited Nov 30, 2018 by Fabien Catteau