Ingest, scan SBOM reports of child pipelines
Release notes
Problem to solve
For consistency with how other reports are processed, SBOM reports uploaded by child pipelines should be ingested and scanned.
Further details
The Sbom::IngestReportsWorker isn't triggered for child pipelines, and Pipeline#sbom_reports doesn't include the SBOMs of child pipelines. Pipeline#sbom_reports is used both by the IngestReportsWorker and by License Scanning, so reports from child pipelines are currently missed in both places.
Proposal
Change the Pipeline model to ingest and scan the SBOM reports of child pipelines.
- When a pipeline has children, we wait until all pipelines are complete and then ingest all reports in the hierarchy for the same project.
- When marking vulnerabilities as resolved (or removing dependencies), we should combine all reports in the pipeline hierarchy.
- When displaying the pipeline that the reports / vulnerabilities were detected in (e.g. latest successful scan), we should reference the root pipeline.
- Downstream pipelines on different projects are simply ignored.
See #405078 (closed)
Intended users
Feature Usage Metrics
Does this feature require an audit event?
Implementation Plan
- Update https://gitlab.com/gitlab-org/gitlab/-/blob/77da5508c83196ad70deb7f6f833efd8dbc4e8e2/ee/app/models/ee/ci/pipeline.rb#L71-78 to enqueue the job with the root pipeline id only if all pipelines in the pipeline hierarchy are complete. (Effectively, every pipeline in the hierarchy will run this check, but the job will only be enqueued when the final pipeline transitions to complete.)
- Update https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/sbom/ingestion/ingest_reports_service.rb to resolve the entire pipeline hierarchy for the given root pipeline id using pipeline.self_and_project_descendants, filter out pipelines belonging to projects other than the root pipeline's project, and aggregate the valid SBOM reports. (@bwill has some pseudocode here: #421564 (comment 1650591436))
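The two implementation steps above, as an added worked example in Ruby. This is not GitLab's code: Pipeline, SbomReport, complete?, self_and_project_descendants, sbom_ingest_job_for and aggregate_sbom_reports are stand-ins defined here, the list of terminal statuses is an assumption, and the sample hierarchy is constructed. It also assumes the completeness check only counts pipelines in the root pipeline's project, since the proposal ignores downstream pipelines on other projects.

```ruby
# Added example, not GitLab's implementation. Models the proposal with an
# in-memory pipeline tree: enqueue once the same-project hierarchy is complete,
# then aggregate the valid SBOM reports of that hierarchy only.
require 'set'

# Assumed shape of an SBOM report: owning pipeline, component names, validity.
SbomReport = Struct.new(:pipeline_id, :components, :valid) do
  def valid?
    valid
  end
end

class Pipeline
  attr_reader :id, :project_id, :status, :reports, :children
  attr_accessor :parent

  def initialize(id, project_id:, status: 'running', reports: [])
    @id = id
    @project_id = project_id
    @status = status
    @reports = reports
    @children = []
    @parent = nil
  end

  # Assumed set of terminal statuses.
  def complete?
    %w[success failed canceled skipped].include?(status)
  end

  def complete!
    @status = 'success'
  end

  def add_child(child)
    child.parent = self
    @children << child
    child
  end

  # Walk parent links up to the root of the hierarchy.
  def root
    node = self
    node = node.parent while node.parent
    node
  end

  # Self plus every descendant, following only links that stay inside the
  # given project; a downstream pipeline in another project is skipped
  # together with its whole subtree.
  def self_and_project_descendants(project_id = self.project_id)
    return [] unless self.project_id == project_id

    [self] + children.flat_map { |c| c.self_and_project_descendants(project_id) }
  end
end

# Step 1: called from any pipeline in the hierarchy when it completes.
# Returns the root id to enqueue with, or nil while any same-project
# pipeline in the hierarchy is still running.
def sbom_ingest_job_for(pipeline)
  root = pipeline.root
  return nil unless root.self_and_project_descendants.all?(&:complete?)

  root.id
end

# Step 2: resolve the hierarchy from the root, keep only the root project's
# pipelines, and aggregate only the valid reports.
def aggregate_sbom_reports(root)
  root.self_and_project_descendants.flat_map(&:reports).select(&:valid?)
end

# Component set the resolved/removed-dependency comparison would run against.
def aggregated_components(root)
  aggregate_sbom_reports(root).flat_map(&:components).to_set
end

# Constructed sample hierarchy (not real data):
#   100 (project 1) -> 101 (project 1, still running) -> 102 (project 1)
#                   -> 200 (project 2, ignored)
def build_sample
  root = Pipeline.new(100, project_id: 1, status: 'success',
                      reports: [SbomReport.new(100, %w[rails nokogiri], true)])
  child = root.add_child(Pipeline.new(101, project_id: 1,
                                      reports: [SbomReport.new(101, %w[openssl], true),
                                                SbomReport.new(101, %w[broken], false)]))
  child.add_child(Pipeline.new(102, project_id: 1, status: 'success',
                               reports: [SbomReport.new(102, %w[curl], true)]))
  root.add_child(Pipeline.new(200, project_id: 2, status: 'success',
                              reports: [SbomReport.new(200, %w[left-pad], true)]))
  root
end

if __FILE__ == $PROGRAM_NAME
  root = build_sample
  p sbom_ingest_job_for(root)                      # nil: pipeline 101 is still running
  root.self_and_project_descendants.each(&:complete!)
  p sbom_ingest_job_for(root)                      # 100
  p aggregated_components(root).to_a.sort          # ["curl", "nokogiri", "openssl", "rails"]
end
```

The invalid report on pipeline 101 and the project-2 downstream pipeline are both dropped, and the enqueue check returns the same root id whichever pipeline in the hierarchy finishes last.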
Edited by Gregory Havenga