Store DAST scan results into the database

What does this MR do?

Add DAST parser and store DAST vulnerabilities in the database.

Updated: this discussion about location_fingerprints. https://gitlab.com/gitlab-org/gitlab-ee/issues/7062#note_131695170 is finished. It was decided that we flatten vulnerabilities, and for each instance in the report should be one occurrence in the database.

What are the relevant issue numbers?

#7062 (closed)

Does this MR meet the acceptance criteria?

• Changelog entry added, if necessary
• Documentation created/updated via this MR
• Tests added for this feature/bug
• Tested in all supported browsers
• Conforms to the code review guidelines
• Conforms to the merge request performance guidelines
• Conforms to the style guides
• Conforms to the database guides
• Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
• EE specific content should be in the top level /ee folder
• For a paid feature, have we considered GitLab.com plans, how it works for groups, and is there a design for promoting it to users who aren't on the correct plan?
• Security reports checked/validated by reviewer

Closes #7062 (closed)

ee/spec/models/ci/build_spec.rb

@@ -206,30 +206,54 @@
       end
 
       context 'when Feature flag is disabled for Container Scanning reports parsing' do
-        before do
-          stub_feature_flags(parse_container_scanning_reports: false)
-          create(:ee_ci_job_artifact, :sast, job: job, project: job.project)
-          create(:ee_ci_job_artifact, :container_scanning, job: job, project: job.project)
+        context 'when explicitly disabled' do
+          before do
+            stub_feature_flags(parse_container_scanning_reports: false)
+            create(:ee_ci_job_artifact, :sast, job: job, project: job.project)
+            create(:ee_ci_job_artifact, :container_scanning, job: job, project: job.project)
+          end
+
+          it 'does NOT parse container scanning report' do
+            subject
+
+            expect(security_reports.reports.keys).to contain_exactly('sast')
+          end
         end
 
-        it 'does NOT parse container scanning report' do
-          subject
+        context 'with default value' do
+          let!(:artifact) { create(:ee_ci_job_artifact, :container_scanning, job: job, project: job.project) }
 
-          expect(security_reports.reports.keys).to contain_exactly('sast')
+          it 'does NOT parse container scanning report' do
+            subject
+
+            expect(security_reports.reports.keys).to be_empty
+          end
         end
       end
 
       context 'when Feature flag is disabled for DAST reports parsing' do
-        before do
-          stub_feature_flags(parse_dast_reports: false)
-          create(:ee_ci_job_artifact, :sast, job: job, project: job.project)
-          create(:ee_ci_job_artifact, :dast, job: job, project: job.project)
+        context 'with default value' do
+          let!(:artifact) { create(:ee_ci_job_artifact, :dast, job: job, project: job.project) }
+
+          it 'does NOT parse dast report' do
+            subject
+
+            expect(security_reports.reports.keys).to be_empty
+          end
         end
 
-        it 'does NOT parse dast report' do
-          subject
+        context 'when explicitly disabled' do
+          before do
+            stub_feature_flags(parse_dast_reports: false)
+            create(:ee_ci_job_artifact, :sast, job: job, project: job.project)
+            create(:ee_ci_job_artifact, :dast, job: job, project: job.project)
+          end
 
-          expect(security_reports.reports.keys).to contain_exactly('sast')
+          it 'does NOT parse dast report' do
+            subject
+
+            expect(security_reports.reports.keys).to contain_exactly('sast')
+          end
         end
       end