
DAST vulnerabilities show the URL

Note: the ZAP evidence part of this issue has been moved to #37027 (closed).

Problem to solve

When a vulnerability is found by DAST, the vulnerability can be found on the Security MR Widget, the Security Pipeline view and on the Security Dashboard.

Viewing the vulnerability on the Dashboard does not show any of the information that would allow a user to verify whether or not the vulnerability is a false positive. The user also cannot resolve the vulnerability, because they wouldn't know which part of their application to change. At the very least, the URL of the page that was accessed and the "evidence" as supplied by the DAST scanner should be displayed.

Intended users

Proposal

  • The ZAProxy URL and evidence fields should be displayed on the Dashboard, Pipeline view and MR. These are found in the DAST report under sites[]/alerts[]/instances[]/uri and sites[]/alerts[]/instances[]/evidence.
  • At the time of writing, the MR widget is being migrated from a frontend report comparison to a backend report comparison. Following the migration the Dashboard, Pipeline view and the MR should have a similar user experience when viewing a DAST vulnerability.

Example

At the moment, the MR widget displays the URL and the evidence on a vulnerability. This is expected to change when the report comparisons are moved to the backend, but can be used as an example of how this might look. Note that there will never be more than one instance per vulnerability (each instance becomes a separate vulnerability of the same type going forward).

[screenshot]
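As an added example (not code from GitLab or from this issue), the Ruby below shows how a report consumer could flatten a ZAP JSON report into one finding per instance, carrying the `uri` and `evidence` fields named in the proposal, and what a dashboard row could display so a user can check the finding against their application. The sample report is constructed for this example and follows the `sites[]/alerts[]/instances[]` path as written above; the parser also accepts the singular `site` key that ZAP's own JSON writer emits. `ZapFinding`, `zap_findings` and `finding_summary` are this example's own names, not GitLab's.

```ruby
require 'json'

# Constructed sample of a ZAP JSON report, shaped after the path named in the
# proposal (sites[]/alerts[]/instances[]/uri and .../evidence). All values are
# made up for this example; this is not a real scan result.
SAMPLE_ZAP_REPORT = <<~JSON
  {
    "@version": "2.9.0",
    "sites": [
      {
        "@name": "http://app.example.test",
        "alerts": [
          {
            "pluginid": "10021",
            "alert": "X-Content-Type-Options Header Missing",
            "riskcode": "1",
            "instances": [
              { "uri": "http://app.example.test/", "method": "GET", "evidence": "" },
              { "uri": "http://app.example.test/login", "method": "GET" }
            ]
          },
          {
            "pluginid": "40012",
            "alert": "Cross Site Scripting (Reflected)",
            "riskcode": "3",
            "instances": [
              {
                "uri": "http://app.example.test/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
                "method": "GET",
                "param": "q",
                "evidence": "<script>alert(1)</script>"
              }
            ]
          }
        ]
      }
    ]
  }
JSON

# One row per alert instance: the shape the issue says vulnerabilities will
# have going forward (never more than one instance per vulnerability).
# Hypothetical struct for this example, not a GitLab model.
ZapFinding = Struct.new(:name, :plugin_id, :risk_code, :uri, :http_method, :param, :evidence,
                        keyword_init: true)

# Flatten a ZAP report into ZapFinding objects, one per instance.
# Accepts both "sites" (the path as written in the issue) and "site" (the key
# ZAP's JSON report writer emits).
def zap_findings(report_json)
  report = JSON.parse(report_json)
  sites = report['sites'] || report['site'] || []
  sites.flat_map do |site|
    Array(site['alerts']).flat_map do |alert|
      Array(alert['instances']).map do |inst|
        evidence = inst['evidence'].to_s
        ZapFinding.new(
          name: alert['alert'],
          plugin_id: alert['pluginid'],
          risk_code: alert['riskcode'].to_i,
          uri: inst['uri'],
          http_method: inst['method'],
          param: inst['param'],
          # ZAP leaves evidence empty or absent for some passive checks; keep
          # that distinct from a real value so the UI can say so explicitly.
          evidence: evidence.empty? ? nil : evidence
        )
      end
    end
  end
end

# The line a dashboard row could show: enough for a user to reproduce the
# request and judge whether the finding is a false positive.
def finding_summary(finding, max_evidence: 80)
  evidence = finding.evidence || '(no evidence supplied by scanner)'
  evidence = "#{evidence[0, max_evidence - 3]}..." if evidence.length > max_evidence
  target = finding.param ? "#{finding.uri} [param #{finding.param}]" : finding.uri
  "#{finding.name}: #{finding.http_method} #{target} | evidence: #{evidence}"
end

if __FILE__ == $PROGRAM_NAME
  zap_findings(SAMPLE_ZAP_REPORT).each { |f| puts finding_summary(f) }
end
```

Running the script prints three rows, one per instance; the two header findings show "no evidence supplied by scanner" rather than a blank, which is the case a UI has to handle since ZAP does not fill `evidence` for every check.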

What does success look like, and how can we measure that?

Presumably users of DAST will complain if they are unable to determine the source of a vulnerability. Improving the user experience should lead to more people using DAST over time.

What is the type of buyer?

Gold

/cc @matt_wilson @sethgitlab @andyvolpe

Edited by Cameron Swords