
Propagate scan result rules related attributes

What does this MR do and why?

Current state: Source rules can be null if project approval rules are deleted or recreated. This blocks the MR, as those approvals won't be dismissed.

Proposed solution: Propagate scan result rules related attributes to the merge request level. This covers the case of orphan rules and will allow for the removal of logic related to the approval project rule as a follow-up.

Report here: https://gitlab.com/gitlab-com/account-management/emea/travis-perkins/tp-pov/-/issues/18#note_967925201

Migration

$ bundle exec rails db:rollback:main

WARNING: This version of GitLab depends on gitlab-shell 14.7.1, but you're running 14.3.0. Please update gitlab-shell.
main: == 20220601223501 AddVulnerabilityRelatedColumns: reverting ===================
main: -- remove_column(:approval_merge_request_rules, :vulnerability_states, :text, {:array=>true, :null=>false, :default=>["newly_detected"]})
main:    -> 0.0065s
main: -- remove_column(:approval_merge_request_rules, :severity_levels, :text, {:array=>true, :null=>false, :default=>[]})
main:    -> 0.0007s
main: -- remove_column(:approval_merge_request_rules, :vulnerabilities_allowed, :integer, {:limit=>2, :null=>false, :default=>0})
main:    -> 0.0007s
main: -- remove_column(:approval_merge_request_rules, :scanners, :text, {:array=>true, :null=>false, :default=>[]})
main:    -> 0.0006s
main: == 20220601223501 AddVulnerabilityRelatedColumns: reverted (0.0158s) ==========

$ bundle exec rails db:migrate

WARNING: This version of GitLab depends on gitlab-shell 14.7.1, but you're running 14.3.0. Please update gitlab-shell.
main: == 20220601223501 AddVulnerabilityRelatedColumns: migrating ===================
main: -- add_column(:approval_merge_request_rules, :scanners, :text, {:array=>true, :null=>false, :default=>[]})
main:    -> 0.0053s
main: -- add_column(:approval_merge_request_rules, :vulnerabilities_allowed, :integer, {:limit=>2, :null=>false, :default=>0})
main:    -> 0.0013s
main: -- add_column(:approval_merge_request_rules, :severity_levels, :text, {:array=>true, :null=>false, :default=>[]})
main:    -> 0.0010s
main: -- add_column(:approval_merge_request_rules, :vulnerability_states, :text, {:array=>true, :null=>false, :default=>["newly_detected"]})
main:    -> 0.0011s
main: == 20220601223501 AddVulnerabilityRelatedColumns: migrated (0.0107s) ==========

Database-lab

exec ALTER TABLE approval_merge_request_rules
    ADD vulnerability_states text[] NOT NULL DEFAULT '{newly_detected}'::text[];
Session: 10447
The query has been executed. Duration: 15.814 ms (edited)
exec ALTER TABLE approval_merge_request_rules
    ADD severity_levels text[] NOT NULL DEFAULT '{}'::text[];
Session: 10447
The query has been executed. Duration: 2.813 ms
exec ALTER TABLE approval_merge_request_rules
    ADD vulnerabilities_allowed smallint NOT NULL DEFAULT 0;
Session: 10447
The query has been executed. Duration: 11.137 ms
exec ALTER TABLE approval_merge_request_rules
    ADD scanners text[] NOT NULL DEFAULT '{}'::text[];
Session: 10447
The query has been executed. Duration: 2.466 ms

How to set up and validate locally

  1. Create a security project as described in the docs
  2. Create a new scan result policy with the project owner (set scanners to anything but container scanning)
  3. In the rails console, have the following ready: Project.find(<PROJECT-ID>).approval_rules.scan_finding.delete_all
  4. Push a new MR with the following changes to .gitlab-ci.yml:

     include:
       - template: Security/Container-Scanning.gitlab-ci.yml
     variables:
       DOCKER_IMAGE: python:3.4-alpine

  5. As soon as the MR is created, run the command prepared in step 3 in the rails console.
  6. Prior to this change: approval is required.
  7. After this change: approval is not required.
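To make the behaviour described above and in the validation steps concrete, here is an added, simplified Ruby model of the two evaluation paths (example code written for this page, not GitLab's implementation; ScanResultRule, Finding, the helper names and the sample findings are all hypothetical/constructed):

```ruby
# Hypothetical model of an MR-level approval rule that carries its own copies of the
# scan result policy attributes (the four columns the migration above adds), plus an
# optional link to the project rule it was created from (nil once that rule is deleted).
ScanResultRule = Struct.new(:scanners, :vulnerabilities_allowed, :severity_levels,
                            :vulnerability_states, :approval_project_rule,
                            keyword_init: true)
Finding = Struct.new(:scanner, :severity, :state, keyword_init: true)

# Findings that match every dimension of the policy (scanner, severity, state).
def violating_findings(attrs, findings)
  findings.select do |f|
    attrs.scanners.include?(f.scanner) &&
      attrs.severity_levels.include?(f.severity) &&
      attrs.vulnerability_states.include?(f.state)
  end
end

# Before: attributes are read from the project rule. An orphaned MR rule has no
# source to evaluate against, so its approval can never be dismissed (stays required).
def approval_required_via_project_rule?(rule, findings)
  source = rule.approval_project_rule
  return true if source.nil?
  violating_findings(source, findings).size > source.vulnerabilities_allowed
end

# After: attributes were propagated to the MR rule, so a nil project rule is irrelevant.
def approval_required?(rule, findings)
  violating_findings(rule, findings).size > rule.vulnerabilities_allowed
end

# Constructed sample: a policy that does NOT cover container scanning (as in the
# validation steps), and one newly detected critical container-scanning finding.
POLICY = { scanners: ["sast"], vulnerabilities_allowed: 0,
           severity_levels: ["critical", "high"],
           vulnerability_states: ["newly_detected"] }.freeze
CONTAINER_FINDINGS = [
  Finding.new(scanner: "container_scanning", severity: "critical", state: "newly_detected")
].freeze

# Returns [before, after] for an orphan rule (project rule already deleted).
def orphan_rule_outcome(findings = CONTAINER_FINDINGS)
  orphan = ScanResultRule.new(**POLICY, approval_project_rule: nil)
  [approval_required_via_project_rule?(orphan, findings), approval_required?(orphan, findings)]
end

puts "orphan rule, before/after: #{orphan_rule_outcome.inspect}" if __FILE__ == $0
```

With the policy not covering container scanning, the orphan rule blocks the MR on the old path and correctly does not require approval on the new one; a matching SAST finding still requires approval on the new path.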

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Zamir Martins
