Add detected_at to Vulnerabilities table

What does this MR do?

This MR adds detected_at column to vulnerabilities table.

When working on !61385 (merged) we realized there's no detected_at at column and created_at was used in it's place (which made sense since up until now vulnerabilities were created by scanners so created_at == detected_at).

Now that we want to create vulnerabilities via an API there can be cases where detected_at != created_at and we want to be able to reflect this.

In case detected_at is not provided it's assumed to be the same as created_at.

Migrations

❯ bundle exec rails db:migrate        
== 20210714120600 AddDetectedAtToVulnerabilities: migrating ===================
-- add_column(:vulnerabilities, :detected_at, :datetime_with_timezone)
   -> 0.0012s
-- change_column_default(:vulnerabilities, :detected_at, #<Proc:0x000056406def2258 /home/quintasan/sauce/gdk/gitlab/db/migrate/20210714120600_add_detected_at_to_vulnerabilities.rb:9 (lambda)>)
   -> 0.0045s
== 20210714120600 AddDetectedAtToVulnerabilities: migrated (0.0163s) ==========

❯ bundle exec rails db:rollback STEP=1                                
== 20210714120600 AddDetectedAtToVulnerabilities: reverting ===================
-- remove_column(:vulnerabilities, :detected_at)
   -> 0.0044s
== 20210714120600 AddDetectedAtToVulnerabilities: reverted (0.0045s) ==========

Does this MR meet the acceptance criteria?

Conformity

• I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
• I have added/updated documentation, or it's not needed. (Is documentation required?)
• I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
• I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
• I have self-reviewed this MR per code review guidelines.
• This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
• I have followed the style guides.
• This change is backwards compatible across updates, or this does not apply.

Availability and Testing

• I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
• I have tested this MR in all supported browsers, or it's not needed.
• I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.

Related to #10272 (closed)