Add recommendations to compliance findings #2567

Open
zcrt opened this issue Feb 27, 2024 · 5 comments

@zcrt
Contributor

zcrt commented Feb 27, 2024

Is your feature request related to a problem? Please describe.
Items such as "The firewall may be configured in a riskful manner." are too vague.

image

Describe the solution you'd like
The kat_finding_types.json already includes recommendations. These could be included in the findings. Alternatively, the appendix could contain detailed information on how a conclusion was drawn.

@underdarknl
Contributor

#2569
This PR adds more details around our own findings. If you have a specific list of findings that still need more recommendations or sources, let us know.

@underdarknl underdarknl added the documentation Improvements or additions to documentation label Feb 29, 2024
@underdarknl underdarknl added this to the OpenKAT v1.16 milestone Feb 29, 2024
@underdarknl underdarknl moved this to Needs refinement in KAT - Reports Feb 29, 2024
@underdarknl underdarknl added this to KAT Feb 29, 2024
@github-project-automation github-project-automation bot moved this to Incoming features / Need assessment in KAT Feb 29, 2024
@zcrt
Contributor Author

zcrt commented Feb 29, 2024

The issue here is not only the recommendations from the database (great to see those being improved :D). The example from the image about the firewall actually already has a recommendation; it is just not available in the report.

@stephanie0x00
Contributor

stephanie0x00 commented Mar 12, 2024

To make it more clear what we are talking about, I've included the updated findings database for the firewall finding below.
@zcrt If I understand you correctly, you would like to see an additional column added to the table shown in your screenshot, which contains the contents of the value 'recommendation' as shown below. Is that correct?

If we were to add this column, that would raise the question 'What ports were identified to be open', so personally I'd expect those to be available somewhere too. @noamblitz any idea how feasible it is to add a 'proof'-like column in there as well? I can expect the report will become either messy, or it is technically difficult to currently add this data.

   "KAT-UNCOMMON-OPEN-PORT": {
        "description": "The firewall may be configured in a riskful manner.",
        "source": "https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers",
        "risk": "medium",
        "impact": "Uncommon ports are sometimes overlooked and may become unwanted entry points for attackers into an organisations network.",
        "recommendation": "Manually validate whether this port should be open."
    },

@noamblitz
Contributor

You can already add "proof": "..." (some finding types already have it)! It is not hard to add that to the report!

@zcrt
Contributor Author

zcrt commented Apr 3, 2024

In general: the vulnerabilities in the report take the approach of unfolding a vulnerability for more details. I can imagine that could be a solution here too, to incorporate the extra available data.

In the case of the open port: I do not think these kinds of findings should exist in this chapter, since it is also clear from the Open Ports report, where it is explicitly defined which port we are talking about.
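
A sketch of the report change discussed in this thread, as an added example that is not OpenKAT's code: each finding row is joined to its kat_finding_types.json entry so the recommendation and a proof value appear in the report, and finding types with no recommendation are listed. The function name `enrich`, the findings tuple layout, the per-finding proof value, and every entry other than KAT-UNCOMMON-OPEN-PORT are assumptions constructed for illustration.

```python
import json

# First entry copied from the comment above; the second entry is constructed
# to show a finding type that has no recommendation yet.
FINDING_TYPES = json.loads("""
{
  "KAT-UNCOMMON-OPEN-PORT": {
    "description": "The firewall may be configured in a riskful manner.",
    "source": "https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers",
    "risk": "medium",
    "impact": "Uncommon ports are sometimes overlooked and may become unwanted entry points for attackers into an organisations network.",
    "recommendation": "Manually validate whether this port should be open."
  },
  "KAT-EXAMPLE-NO-ADVICE": {"description": "Constructed entry.", "risk": "low"}
}
""")

# Constructed findings (assumed layout): (finding type id, target, proof or None).
FINDINGS = [
    ("KAT-UNCOMMON-OPEN-PORT", "192.0.2.10", "tcp/8081 open"),
    ("KAT-EXAMPLE-NO-ADVICE", "example.com", None),
    ("KAT-NOT-IN-DATABASE", "example.com", None),
]

def enrich(findings, finding_types):
    """Return report rows carrying recommendation and proof, plus gaps to fix."""
    rows, gaps = [], set()
    for type_id, target, proof in findings:
        meta = finding_types.get(type_id, {})  # unknown type: empty metadata
        recommendation = meta.get("recommendation")
        if not recommendation:
            gaps.add(type_id)  # vague finding: nothing actionable to show
        rows.append({
            "finding": type_id,
            "target": target,
            "risk": meta.get("risk", "unknown"),
            "description": meta.get("description", ""),
            "recommendation": recommendation or "(none in database)",
            "proof": proof or "(not recorded)",
        })
    return rows, sorted(gaps)

if __name__ == "__main__":
    rows, gaps = enrich(FINDINGS, FINDING_TYPES)
    for row in rows:
        print(" | ".join(row[k] for k in ("finding", "target", "risk", "recommendation", "proof")))
    print("finding types lacking a recommendation:", gaps)
```

The gap list gives maintainers the "specific list of findings that still need more recommendations" asked for earlier in the thread.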
