No user notification when SBOM vulnerability scanning fails due to missing metadata
## Problem
When required metadata properties are missing from an SBOM (e.g., `gitlab:dependency_scanning:input_file:path`), **dependency scanning completes successfully**, but **vulnerability scanning silently fails**. This particularly affects SBOMs that have been merged using the CycloneDX merge function, which strips essential metadata properties.
**Key issues:**
1. Vulnerability scanning (CVE detection) fails silently - no vulnerabilities are reported
2. No customer-facing output/warnings indicating the vulnerability scan failed
3. The CycloneDX merge function (currently recommended in documentation) removes critical metadata properties needed for successful ingestion.
## Impact
* Customers have no visibility into scanning failures
* Security vulnerabilities may go undetected
* Security ingestion process reliability is affected
* Unable to track frequency and cause of failures
## Implementation plan
- [ ] Create reproduction test case for silent failures due to the missing required properties.
- [ ] Surface validation errors to users in the Pipeline Security tab when SBOM ingestion fails due to missing properties.
- [ ] Implement error handling for the `Gitlab::VulnerabilityScanning::FindingBuilder::MissingPropertiesError` in the same way other security report errors are displayed.
- [ ] Update documentation to stop recommending the CycloneDX merge function as it causes silent failures.
* [ ] Remove the example from https://docs.gitlab.com/user/application_security/dependency_scanning/#merging-multiple-cyclonedx-sboms.
## Workaround
For the time being, we recommend not using the [cyclonedx merge function provided in the docs](https://docs.gitlab.com/user/application_security/dependency_scanning/#merging-multiple-cyclonedx-sboms).
issue