Allow vulnerability_states to bypass the baseline pipeline

Description

A user has a Merge request approval policy rule that uses vulnerability_states under rules for a policy. The policy compares the vulnerabilities in the current merge request against a baseline report.

For this policy to execute properly and grant approvals automatically, both the baseline pipeline and the current pipeline must run to completion and produce vulnerability reports.

The problem occurs when the baseline pipeline is stuck in a running state (the cause is so far unknown): the approval is then not granted automatically even when the current pipeline finds no new vulnerabilities. This can block merge requests and disrupt the workflow.

Since the policy relies on the execution of 2 pipelines on 2 branches, there is no workaround available.

If the MR scan finishes successfully and detects 0 vulnerabilities overall, the system should not be forced to wait for the baseline pipeline: the MR scan alone is enough to conclude that nothing 'new' was introduced if nothing was found at all.

Proposal

Add functionality to vulnerability_states that allows the rule to be evaluated without waiting for the base pipeline to finish.
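The gating behaviour proposed above, modelled as an added Python example (not GitLab's own code): a "newly detected" check short-circuits to approval when the MR scan is clean, and only consults the baseline otherwise. Names, the finding identifiers and the handling of a failed baseline are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class PipelineStatus(Enum):
    RUNNING = "running"
    SUCCESS = "success"
    FAILED = "failed"


@dataclass(frozen=True)
class ScanReport:
    status: PipelineStatus
    # Constructed finding identifiers (fingerprints/UUIDs in a real report)
    findings: frozenset = frozenset()


class Decision(Enum):
    APPROVE = "approve"                    # no newly detected findings
    REQUIRE_APPROVAL = "require_approval"  # new findings, manual approval needed
    WAIT = "wait"                          # cannot decide yet


def evaluate_newly_detected(current: ScanReport, baseline: ScanReport,
                            short_circuit_on_clean: bool = True):
    """Return (decision, newly detected findings) for a newly_detected rule."""
    # Without a finished MR scan there is nothing to compare.
    if current.status != PipelineStatus.SUCCESS:
        return Decision.WAIT, frozenset()
    # Proposed behaviour: a clean MR scan cannot introduce anything new,
    # so the baseline pipeline state is irrelevant.
    if short_circuit_on_clean and not current.findings:
        return Decision.APPROVE, frozenset()
    # With findings present, the baseline is needed to tell old from new.
    if baseline.status == PipelineStatus.RUNNING:
        return Decision.WAIT, frozenset()
    if baseline.status == PipelineStatus.FAILED:
        # Assumption: no usable baseline, so treat every finding as new.
        new = current.findings
    else:
        new = current.findings - baseline.findings
    return (Decision.REQUIRE_APPROVAL if new else Decision.APPROVE), new
```

With `short_circuit_on_clean=False` the function reproduces the current blocking behaviour: a clean MR scan still waits on a running baseline.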

Edited by Artur Salii