Use security_findings for security MR widget report comparison
## Background context We had an [epic](https://gitlab.com/groups/gitlab-org/-/epics/8341) to move from using report artifices for vulnerability finding comparisons. That epic is complete, and the pertinent information is now available in the `finding_data` `jsonb` column on the [security_findings table](https://gitlab.com/gitlab-org/gitlab/-/blob/ef9cee18a0a4c75a0e3c691297b8d964315829cd/db/structure.sql#L1218) ## This issue The [security MR widget](https://docs.gitlab.com/ee/user/application_security/#merge-request) is one feature that relied on the original technique of using report artifacts for comparisons. As such, it can now be migrated to using the new `finding_data` column. The way this widget currently works is: 1. Builds a [`Ci::CompareSecurityReportsService`](https://gitlab.com/gitlab-org/gitlab/-/blob/f383c9300012a873ac1db94b69c02d7280da4fda/ee/app/services/ci/compare_security_reports_service.rb#L18) comparer service to compare a report generated from the MR's latest pipeline to the report generated from the default branch 1. This service uses [`Security::PipelineVulnerabilitiesFinder`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/finders/security/pipeline_vulnerabilities_finder.rb) to build the reports for comparison (it is named a finder, but returns `Security::AggregatedReport` objects) 1. This finder [finds all the findings via report artifacts](https://gitlab.com/gitlab-org/gitlab/-/blob/ef9cee18a0a4c75a0e3c691297b8d964315829cd/ee/app/finders/security/pipeline_vulnerabilities_finder.rb#L31-43) (the logic we want to migrate away from) 1. Then sorts these findings [by `severity`](https://gitlab.com/gitlab-org/gitlab/-/blob/ef9cee18a0a4c75a0e3c691297b8d964315829cd/ee/app/finders/security/pipeline_vulnerabilities_finder.rb#L58) 1. Then uses these findings [to return](https://gitlab.com/gitlab-org/gitlab/-/blob/ef9cee18a0a4c75a0e3c691297b8d964315829cd/ee/app/finders/security/pipeline_vulnerabilities_finder.rb#L45) a [`Security::AggregatedReport`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/reports/security/aggregated_report.rb) ## Implementation Plan - [x] gitlab-org/gitlab#457851+s - [x] We can use [`Security::FindingsFinder`](https://gitlab.com/gitlab-org/gitlab/-/blob/f383c9300012a873ac1db94b69c02d7280da4fda/ee/app/finders/security/findings_finder.rb#L35) to fetch the findings from the new database table 1. This finder returns the findings, not a `Security::AggregatedReport` 1. The value from this finder is paginated and scoped to 20 by default, we will need all the results to match the current behavior 1. ~the existing behavior is scoped to `all`, which includes `dismissed` findings~ not an issue as `Security::FindingsFinder` also can take a `scope: 'all'` option - [ ] Verify the [Vulnerability creation from Security Reports](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/development/sec/security_report_ingestion_overview.md#vulnerability-creation-from-security-reports) docs are still accurate ## Testing - [ ] Make sure `e2e:package-and-test` is run in the MR and review results. ## Verification steps tbd
issue