Consider latest security report if base pipeline does not exist

Why are we doing this work

As discussed in this issue, scan result policy rules (scan finding) currently do not use any security report as the base of comparison whenever no base pipeline is available for the merge request diff SHA.

The same behavior can also be found in the code coverage and license scanning rules.

As a solution, the latest pipeline for the branch targeted by the MR in question should be used instead.

Current State

image

Desired State

image

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • backend: Similar to the base pipeline logic, create a new method that queries by ref only. If the first iteration of this solution only aims to solve for scan result policies, the new method can be added in the EE file:

    # Most recent pipeline on the MR target branch, regardless of SHA;
    # memoized so repeated calls do not re-query.
    def latest_pipeline
      @latest_pipeline ||= project.ci_pipelines
        .order(id: :desc)
        .find_by(ref: target_branch)
    end

  • backend: Update all uses of the base pipeline so that they fall back to the latest related pipeline when the base pipeline is not available.

NOTE: with this solution the base report is only ignored when there is no available pipeline on the target branch in the first place.
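The fallback described in the implementation plan, as an added, stand-alone example that is not GitLab's code. `Pipeline`, `Project`, the lookup helpers and the finding identifiers are simplified stand-ins constructed for illustration, not the real `Ci::Pipeline` or security report API; the point is the selection order (base pipeline by diff SHA, then latest pipeline by ref, then nothing) and what each outcome does to the set of findings the policy treats as newly introduced.

```ruby
# Added example (not GitLab's code): models the base-pipeline fallback from
# the implementation plan with plain Ruby objects instead of ActiveRecord.
Pipeline = Struct.new(:id, :ref, :sha, :findings, keyword_init: true)

class Project
  attr_reader :ci_pipelines

  def initialize(pipelines)
    @ci_pipelines = pipelines
  end
end

# Existing behaviour: the base pipeline is looked up by the MR diff base SHA.
def base_pipeline(project, diff_base_sha)
  project.ci_pipelines
         .select { |p| p.sha == diff_base_sha }
         .max_by(&:id)
end

# Proposed fallback: the most recent pipeline on the target branch, whatever
# its SHA (mirrors `order(id: :desc).find_by(ref: target_branch)`).
def latest_pipeline(project, target_branch)
  project.ci_pipelines
         .select { |p| p.ref == target_branch }
         .max_by(&:id)
end

# Pipeline whose security report serves as the comparison base, or nil when
# the target branch has never had a pipeline at all.
def comparison_pipeline(project, diff_base_sha, target_branch)
  base_pipeline(project, diff_base_sha) || latest_pipeline(project, target_branch)
end

# Findings present in the MR pipeline but absent from the chosen base report.
# Without any base pipeline, every MR finding is treated as newly introduced.
def newly_introduced_findings(mr_findings, project, diff_base_sha, target_branch)
  base = comparison_pipeline(project, diff_base_sha, target_branch)
  return mr_findings.dup if base.nil?

  mr_findings - base.findings
end

# Constructed sample data: two pipelines on main, one on a feature branch.
# Finding identifiers are placeholders, not real vulnerability IDs.
def sample_project
  Project.new([
    Pipeline.new(id: 1, ref: 'main',    sha: 'aaa', findings: %w[finding-A]),
    Pipeline.new(id: 2, ref: 'main',    sha: 'bbb', findings: %w[finding-A finding-B]),
    Pipeline.new(id: 3, ref: 'feature', sha: 'ccc', findings: %w[finding-Z])
  ])
end

MR_FINDINGS = %w[finding-A finding-B finding-C].freeze

if $PROGRAM_NAME == __FILE__
  project = sample_project
  # Diff base SHA 'ddd' has no pipeline (e.g. CI skipped on that commit), so
  # the latest main pipeline (id 2) is used and only finding-C is new.
  p newly_introduced_findings(MR_FINDINGS, project, 'ddd', 'main')
  # A real base pipeline (id 1, sha 'aaa') still wins over the fallback.
  p newly_introduced_findings(MR_FINDINGS, project, 'aaa', 'main')
  # No pipelines at all: the base report is ignored and everything is new.
  p newly_introduced_findings(MR_FINDINGS, Project.new([]), 'ddd', 'main')
end
```

The fallback only changes results in the middle case: when the diff base SHA has no pipeline, the policy compares against the latest report on the target branch instead of treating every finding as new, while a branch that has never been scanned still yields the old behaviour, as the NOTE above states.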

Verification steps

Edited by Sam White