MR Widget fails to display vulnerabilities from child pipelines after cache expiration

Summary

The Merge Request Widget successfully displays security vulnerabilities from child pipelines immediately after the pipeline completes. However, after approximately a day, refreshing the merge request page shows no vulnerabilities detected, even though the code has not changed.

Steps to reproduce

  1. Create a merge request with a parent pipeline that triggers child pipelines containing security scans
  2. Wait for the pipeline to complete successfully
  3. Verify that the MR Widget displays the detected vulnerabilities correctly
  4. Wait approximately 24 hours
  5. Refresh the merge request page
  6. Observe that the MR Widget no longer displays the vulnerabilities

Expected behavior

The MR Widget should consistently display vulnerabilities from child pipelines regardless of how much time has passed since the pipeline completed.

Actual behavior

After cache expiration, the MR Widget fails to display vulnerabilities from child pipelines.

Root cause analysis

The issue appears to be related to cache expiration in the security report comparison service:

  • CompareSecurityReportsService uses a 2-hour cache TTL
  • Security::Scans::IngestReportsService uses a 1-hour cache TTL
  • After cache expiration, the system may not properly traverse the pipeline hierarchy to re-fetch security reports from child pipelines

Relevant code locations:

  • ee/app/services/vulnerabilities/compare_security_reports_service.rb
  • ee/app/services/security/scans/ingest_reports_service.rb
  • ee/app/models/ee/merge_request.rb

Related

  • Epic: &18377 (closed)
  • Feature flag: show_child_security_reports_in_mr_widget

Edited Jan 16, 2026 by 🤖 GitLab Bot 🤖
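
The mechanism suspected in the root cause analysis can be exercised without waiting a day. This is an added example, not GitLab's code: a toy TTL cache with an injected clock compares a recompute that reads only the parent pipeline against one that walks the child pipelines. All names, the sample findings, and the assumption that the cache is first populated with full-hierarchy results are hypothetical; the 2-hour TTL is the one cited for CompareSecurityReportsService.

```ruby
# Constructed model of the suspected failure mode; none of this is GitLab code.
Pipeline = Struct.new(:findings, :children)

# Minimal TTL cache with an injected clock so expiry can be tested without waiting.
class TtlCache
  def initialize(ttl_seconds)
    @ttl = ttl_seconds
    @entries = {}
  end

  def write(key, value, now)
    @entries[key] = [value, now]
  end

  # Returns the cached value while fresh; otherwise recomputes via the block.
  def fetch(key, now)
    value, stored_at = @entries[key]
    return value if stored_at && now - stored_at < @ttl
    write(key, yield, now)
    @entries[key].first
  end
end

# Correct recompute: this pipeline's findings plus those of every descendant.
def hierarchy_findings(pipeline)
  pipeline.findings + pipeline.children.flat_map { |child| hierarchy_findings(child) }
end

# Hypothesised defective recompute: reads the parent pipeline only.
def parent_only_findings(pipeline)
  pipeline.findings
end

# Returns [findings right after completion, findings after the TTL has lapsed].
def widget_before_and_after_expiry(pipeline, recompute, ttl: 2 * 60 * 60)
  cache = TtlCache.new(ttl)
  cache.write(:mr_report, hierarchy_findings(pipeline), 0) # assumed: populated at completion
  fresh = cache.fetch(:mr_report, 60) { recompute.call(pipeline) }
  stale = cache.fetch(:mr_report, ttl + 1) { recompute.call(pipeline) }
  [fresh, stale]
end

# Constructed sample: the parent only triggers children; the scans run in the children.
PARENT = Pipeline.new([], [Pipeline.new(["SAST: finding A"], []),
                           Pipeline.new(["Dependency scan: finding B"], [])])

buggy = widget_before_and_after_expiry(PARENT, method(:parent_only_findings))
fixed = widget_before_and_after_expiry(PARENT, method(:hierarchy_findings))
puts "parent-only recompute: #{buggy.inspect}"
puts "hierarchy recompute:   #{fixed.inspect}"
```

A regression test for the real services can take the same shape: freeze the clock, read the report, advance past the TTL, and assert that both reads are identical.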