
Use parent-child pipelines for scan result policy comparison

Why are we doing this work

Currently, when enforcing approvals through a scan result policy, we don't consider parent-child pipelines on either the source or the target branch. However, the security MR widget does use results from parent-child pipelines, which causes inconsistencies between what the widget shows and what the policy enforces. As part of this issue we want to include parent-child pipelines in the scan result policy (SRP) comparison as well.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
    • Create scan_result_policy_parent_child_pipeline feature flag and implement the changes behind the feature flag
  • Performance:
  • Testing:

Implementation plan

  • backend Update Security::ScanResultPolicies::UpdateApprovalsService#related_pipeline_sources to include the parent_pipeline source too
  • backend Update Security::RelatedPipelinesFinder to use Ci::Pipeline#self_and_project_descendants
  • Add the changes behind a feature flag. This way we can capture any performance issues caused by a huge number of child pipelines.
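The following is an added illustration, not GitLab's own code, of the comparison change the plan above describes. It models pipelines, child pipelines (source `parent_pipeline`) and their security findings in plain Ruby, with a `self_and_descendants` analogue standing in for `Ci::Pipeline#self_and_project_descendants` and a boolean standing in for the feature flag. The class, method and finding names (`PipelineStore`, `related_pipeline_sources`, `new_findings`, the `uuid-*` values) and the sample pipelines are constructed for this example; GitLab's real models differ.

```ruby
require 'set'

# Hypothetical minimal pipeline model (not GitLab's Ci::Pipeline).
Pipeline = Struct.new(:id, :ref, :source, :parent_id, :findings, keyword_init: true)

class PipelineStore
  def initialize(pipelines)
    @pipelines = pipelines
  end

  # Analogue of Ci::Pipeline#self_and_project_descendants: the pipeline itself
  # plus every child pipeline (recursively) triggered from it.
  def self_and_descendants(pipeline)
    children = @pipelines.select { |p| p.parent_id == pipeline.id }
    [pipeline] + children.flat_map { |c| self_and_descendants(c) }
  end

  # Latest top-level (parentless) pipeline for a ref.
  def latest_for_ref(ref)
    @pipelines.select { |p| p.ref == ref && p.parent_id.nil? }.max_by(&:id)
  end
end

# Pipeline sources considered "related" for the comparison. With the flag off,
# child pipelines (source :parent_pipeline) are not a related source.
def related_pipeline_sources(include_child_pipelines:)
  sources = %i[push web merge_request_event]
  sources << :parent_pipeline if include_child_pipelines
  sources
end

# Union of finding identifiers for a ref, honouring the flag: with the flag on,
# the top-level pipeline and all its descendants contribute findings.
def findings_for_ref(store, ref, include_child_pipelines:)
  root = store.latest_for_ref(ref)
  return Set.new if root.nil?

  sources = related_pipeline_sources(include_child_pipelines: include_child_pipelines)
  pipelines = include_child_pipelines ? store.self_and_descendants(root) : [root]
  pipelines.select { |p| sources.include?(p.source) }.flat_map(&:findings).to_set
end

# Findings present on the source branch but absent on the target branch; a
# non-empty result is what a "new vulnerability" scan result policy keys on.
def new_findings(store, source_ref:, target_ref:, include_child_pipelines:)
  findings_for_ref(store, source_ref, include_child_pipelines: include_child_pipelines) -
    findings_for_ref(store, target_ref, include_child_pipelines: include_child_pipelines)
end

# Constructed sample data: on both branches the top-level pipeline reports
# uuid-a and a child pipeline reports uuid-b; the MR's child pipeline also
# introduces uuid-c, which only the child pipeline detects.
STORE = PipelineStore.new([
  Pipeline.new(id: 1, ref: 'main',    source: :push,                parent_id: nil, findings: ['uuid-a']),
  Pipeline.new(id: 2, ref: 'main',    source: :parent_pipeline,     parent_id: 1,   findings: ['uuid-b']),
  Pipeline.new(id: 3, ref: 'feature', source: :merge_request_event, parent_id: nil, findings: ['uuid-a']),
  Pipeline.new(id: 4, ref: 'feature', source: :parent_pipeline,     parent_id: 3,   findings: ['uuid-b', 'uuid-c'])
])

if $PROGRAM_NAME == __FILE__
  [false, true].each do |flag|
    found = new_findings(STORE, source_ref: 'feature', target_ref: 'main', include_child_pipelines: flag)
    puts "child pipelines included=#{flag}: new findings=#{found.to_a.inspect}"
  end
end
```

With the flag off, the comparison sees no new findings (both top-level pipelines report only `uuid-a`) and the policy would not require approval, even though a widget that reads child pipeline results shows `uuid-c`; with the flag on, `uuid-c` is reported as new and approval is required, matching the widget.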

Verification steps

  • Create a new project (reference project: https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/test-child-pipeline-2) without any already existing vulnerabilities and create a parent-child pipeline configuration
  • Enable the approval_policy_parent_child_pipeline feature flag for the project
  • Create a scan result policy that requires approval when a new vulnerability is detected
  • Create a new MR targeting the default branch and make a child pipeline introduce a new vulnerability
  • Verify that the MR widget shows the new vulnerability and that approval is required
Edited by Sashi Kumar Kumaresan