Make secondary identifiers match for finding

What does this MR do and why?

This MR allows semgrep findings to take over findings for existing analyzers. This is being done in support of deprecating some Static Analysis analyzers.

Issue: #328062 (closed)

This started as a proof-of-concept for #353271 (closed)

Feature Flag: update_vuln_identifiers_flag

Database Timings

• Vulnerability Finding select for records to not take over, NOT scoped to project -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10534/commands/37839
• Vulnerability Finding select for records to not take over, scoped to project (currently implemented) -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10530/commands/37821
• Vulnerability Finding select -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10031/commands/35537
• Vulnerability Finding update ⟶ https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/10003/commands/35439
• Vulnerability Reads select -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10031/commands/35540
• Vulnerability Reads update ⟶ https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/10003/commands/35443
• Vulnerability Feedback select -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10031/commands/35538
• Vulnerability Feedback select after adding index on feedback_uuid -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10031/commands/35542
• Vulnerability Feedback select after adding latest index on feedback_uuid -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10040/commands/35586
• Vulnerability Feedback update ⟶ https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/10003/commands/35444j

Demo

https://drive.google.com/file/d/1F2J1Xjti_rm48gksU9-lg39kwatCSEX0/view?usp=sharing

This is a Quicktime video internal to GitLab. I would suggest View -> Playback Speed -> Double to speed up my ummms and awkward pauses 😅

How to set up and validate locally

1. In rails console enable the feature flag

   Feature.enable(:update_vuln_identifiers_flag)

2. Import this project locally: https://gitlab.com/rossfuhrman/insecure
3. Run a Pipeline against the main (default) branch
4. Edit the .gitlab-ci.yml on the main branch and remove semgrep from SAST_EXCLUDED_ANALYZERS
5. Ensure another pipeline runs on the main branch
6. Notice that previous vulnerabilities are now reported as semgrep vulnerabilities.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

• I have evaluated the MR acceptance checklist for this MR.