Implement security reports upgrade popover

What does this MR do?

This implements the upgrade popover in the security MR widget as described in &4394.

Addresses #273425 (closed).

Screenshots (strongly suggested)

Before (or, when user cannot discover project security)	After (when user can discover project security *⃣)
n/a

*⃣ To reproduce this locally:

• Easier way:
  1. Apply this patch
  2. Visit any merge request which has run SAST or Secret Detection jobs in a project under a non-Ultimate plan
• More "correct" way:
  1. Apply this patch
  2. Visit any merge request which has run SAST or Secret Detection jobs in a project under a non-Ultimate plan, with a user who is able to administer the project's namespace (e.g., with the root GDK user)
     • This may require also enabling the check_namespace_plan application setting, with something like curl --request PUT --header "PRIVATE-TOKEN: $YOUR_GDK_API_TOKEN" "http://YOUR_GDK_HOST/api/v4/application/settings?check_namespace_plan=true"

Does this MR meet the acceptance criteria?

Conformity

• Changelog entry
• [-] Documentation (if required)
• Code review guidelines
• [-] Merge request performance guidelines
• Style guides
• [-] Database guides
• Separation of EE specific content

Availability and Testing

• Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
• [-] Tested in all supported browsers
• [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Related to #273425 (closed)