
Implementation: Use merge base for security MR widget

Why are we doing this work

Depending on how quickly the default branch changes in a project, the MR security vulnerability widget can show misleading results.

The grouptesting team has successfully implemented a change for the Category:Code Quality widget, where the comparison is now done against the "merge base" reference.

We'd like to test if the same change would also produce better results in the Category:Vulnerability Management's MR widget.

Relevant links

Non-functional requirements

  • Documentation: the new behaviour should be documented. Consider including git diagrams from referenced issues.
  • Feature flag: vuln_mgmt_merge_base
  • Testing:
    • Create two test projects; enable the FF for one of them
    • Create a set of commits/changes in each project, describing the expected results for each one's MR widget
    • Confirm that the results from the project with vuln_mgmt_merge_base enabled are the preferred ones
    • Repeat the process with a project that uses "merged results pipelines"

Implementation plan

  • backend: Add Gitlab::Ci::Features#compare_against_merge_base?(project: Project); make sure it uses Feature.enabled?
  • backend: Add Ci::CompareCodequalityReportsService to the ALLOWED_TO_USE_MERGE_BASE_PIPELINE_FOR_COMPARISON constant in MergeRequest (app/models/merge_request.rb)
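The following Ruby snippet is an added illustration of the problem described in "Why are we doing this work" and of the flag-gated base selection sketched in the implementation plan; it is not GitLab's code. The `Features.compare_against_merge_base?` stub, the `Finding` struct, the three constructed pipelines and their fingerprints are all assumptions made for the example. It shows why diffing the MR's findings against the moving default-branch head misattributes findings, and how the same diff against the merge base does not.

```ruby
# Added illustration, not GitLab's code. Features.compare_against_merge_base?,
# Finding, PIPELINES and the fingerprints below are constructed for this example.
require 'set'

# Feature-flag lookup stub. The real implementation would consult
# Feature.enabled?(:vuln_mgmt_merge_base, project); here the flag state is
# carried on the project hash so the example runs offline.
module Features
  def self.compare_against_merge_base?(project:)
    project.fetch(:feature_flags, {}).fetch(:vuln_mgmt_merge_base, false)
  end
end

# A finding is identified by a stable fingerprint (scanner + rule + location).
Finding = Struct.new(:fingerprint, :severity, keyword_init: true)

FINDING_A = Finding.new(fingerprint: 'a-login-sqli',    severity: 'high')
FINDING_B = Finding.new(fingerprint: 'b-search-xss',    severity: 'medium')
FINDING_C = Finding.new(fingerprint: 'c-webhook-ssrf',  severity: 'critical')

# Constructed pipelines, one per ref the widget could diff against:
#   merge_base  - the commit where the MR branch diverged from the default branch (carries A)
#   target_head - the default branch after it moved on (A was fixed there, C was introduced)
#   source_head - the MR branch (still carries A, introduces B)
PIPELINES = {
  merge_base:  { findings: [FINDING_A] },
  target_head: { findings: [FINDING_C] },
  source_head: { findings: [FINDING_A, FINDING_B] },
}.freeze

# Picks the base pipeline the widget diffs against, honouring the flag.
def base_pipeline_key(project)
  Features.compare_against_merge_base?(project: project) ? :merge_base : :target_head
end

# Set difference by fingerprint: what the MR appears to add and what it appears to fix.
def compare_findings(base:, head:)
  base_fps = base.map(&:fingerprint).to_set
  head_fps = head.map(&:fingerprint).to_set
  {
    added: (head_fps - base_fps).to_a.sort,
    fixed: (base_fps - head_fps).to_a.sort,
  }
end

# Runs the widget comparison for a project.
def security_widget_result(project)
  base = PIPELINES.fetch(base_pipeline_key(project))[:findings]
  head = PIPELINES[:source_head][:findings]
  compare_findings(base: base, head: head)
end

if __FILE__ == $PROGRAM_NAME
  control   = { name: 'control',   feature_flags: { vuln_mgmt_merge_base: false } }
  treatment = { name: 'treatment', feature_flags: { vuln_mgmt_merge_base: true } }
  # Against target head: A is blamed on the MR and C is reported as fixed by it.
  puts "against target head: #{security_widget_result(control)}"
  # Against merge base: only B, the finding the MR actually introduced, is reported.
  puts "against merge base:  #{security_widget_result(treatment)}"
end
```

The two project hashes mirror the test plan above: one project with the flag off and one with it on, fed the same three scans. With the flag off the widget reports both `a-login-sqli` and `b-search-xss` as added and `c-webhook-ssrf` as fixed, although the MR neither introduced A nor touched C; with the flag on it reports only `b-search-xss`. For merged results pipelines the source-head scan already runs on the merged state, so the same base selection applies, but the `source_head` findings would include whatever the merge brought in from the default branch.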
Edited by Matt Wilson