Store DAST scan results into the database

What does this MR do?

Add DAST parser and store DAST vulnerabilities in the database.

Updated: this discussion about location_fingerprints. https://gitlab.com/gitlab-org/gitlab-ee/issues/7062#note_131695170 is finished. It was decided that we flatten vulnerabilities, and for each instance in the report should be one occurrence in the database.

What are the relevant issue numbers?

#7062 (closed)

Does this MR meet the acceptance criteria?

• Changelog entry added, if necessary
• Documentation created/updated via this MR
• Tests added for this feature/bug
• Tested in all supported browsers
• Conforms to the code review guidelines
• Conforms to the merge request performance guidelines
• Conforms to the style guides
• Conforms to the database guides
• Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
• EE specific content should be in the top level /ee folder
• For a paid feature, have we considered GitLab.com plans, how it works for groups, and is there a design for promoting it to users who aren't on the correct plan?
• Security reports checked/validated by reviewer

Closes #7062 (closed)

ee/lib/gitlab/ci/parsers/security/dast.rb

@@ -5,32 +5,19 @@ module Ci
     module Parsers
       module Security
         class Dast < Common
-          extend ::Gitlab::Utils::Override
-          DEPRECATED_REPORT_VERSION = "1.3".freeze
-          override :parse_report
-          def parse_report(json_data)
-            report = super
-
-            if report.is_a?(Array)
-              report = {
-                "version" => DEPRECATED_REPORT_VERSION,
-                "vulnerabilities" => report
-              }
-            end
-
-            report
-          end
 
+          # FIXME: find real value
+          DEPRECATED_REPORT_VERSION = "1.0".freeze
 
           def parse!(json_data, report)
             vulnerabilities = format_report(JSON.parse!(json_data))
             vulnerabilities.each do |vulnerability|
               create_vulnerability(report, vulnerability, DEPRECATED_REPORT_VERSION)
             end
-          # rescue JSON::ParserError
-          #   raise SecurityReportParserError, 'JSON parsing failed'
-          # rescue
-          #   raise SecurityReportParserError, "#{report.type} security report parsing failed"
+          rescue JSON::ParserError
+            raise SecurityReportParserError, 'JSON parsing failed'
+          rescue
+            raise SecurityReportParserError, "#{report.type} security report parsing failed"
           end
 
           private
@@ -52,9 +39,9 @@ def format_vulnerability(vulnerability)
               'message' => vulnerability['name'],
               'description' => vulnerability['desc'],
               'cve' => 'unknown',
-              'severity' => vulnerability['riskdesc'].match(/(.*) \(/)[0],
+              'severity' => severity(vulnerability['riskdesc']),
               'solution' => vulnerability['solution'],
-              'confidence' => vulnerability['riskdesc'].match(/\((.*)\)/)[0],
+              'confidence' => confidence(vulnerability['riskdesc']),
               'scanner' => { 'id' => 'zaproxy', 'name' => 'ZAProxy' },
               'identifiers' => [
                 {
@@ -65,7 +52,7 @@ def format_vulnerability(vulnerability)
                 }
               ],
               'links' => [{ 'url' => vulnerability['instances'].first['uri'] }],
-              'priority' => 'Unknown',
+              'priority' => 'unknown',
               # 'url' => vulnerability['link'],
               'tool' => 'zaproxy'
             }
@@ -74,6 +61,16 @@ def format_vulnerability(vulnerability)
           def generate_location_fingerprint(location)
             'aaa_test'
           end
+
+          def severity(risk)
+            parsed_risk = risk.match(/(.*) \((.*)\)/)
+            parsed_risk ? parsed_risk[1].downcase : 'unknown'
+          end
+
+          def confidence(risk)
+            parsed_risk = risk.match(/(.*) \((.*)\)/)
+            parsed_risk ? parsed_risk[2].downcase : 'unknown'
+          end
         end
       end
     end