Expose report status for security_reports endpoint

Summary

When the parsing is still not complete, the /:project/-/merge_requests/:id/security_reports endpoint do not return a status property. By returning an empty response, the frontend thinks the parsing is complete and displays a No vulnerabilities found message that causes this issue: Misleading message when pipeline is complete (#468867 - closed) • Unassigned • Backlog.

As @bwill speficied:

There is already a status object on the backend but we do not expose this in the response.

This issue is about exposing this property in the API response.

Context

See thread for more information.