BE: Cron job to automatically refresh MR approvals for updated package metadata
The [`PackageMetadata::CveEnrichmentSyncWorker`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/initializers/1_settings.rb#L1081) runs every hour, but the data it consumes is only updated once a day, ref: https://gitlab.com/gitlab-org/gitlab/-/issues/581332#note_2962261724

From https://gitlab.com/gitlab-org/gitlab/-/issues/581332#note_2993972194:

We need to update `Security::FindingEnrichment` records when the package metadata is refreshed, and recalculate MR approvals based on the updated data.

Possible steps:

1. Query `security_policies` that have KEV/EPSS filters.
2. Get their associated projects via `security_policy_project_links`.
3. Create `security_finding_enrichments` by correlating each updated `pm_cve_enrichment` CVE with each of those projects' `security_findings`.

This approach minimizes the number of `security_findings` rows we need to query. The per-project work is parallelized, which should be fine since we have an index for that lookup.

**Known limitation:** If a policy adds a KEV/EPSS filter _after_ a CVE was introduced in `pm_cve_enrichment`, matching MRs won't be blocked even though they should be. But I think we can document this edge case for the initial iteration.

## Acceptance Criteria

- [ ] Cron job frequency is optimized based on the actual data update schedule
- [ ] `Security::FindingEnrichment` records are updated when package metadata refreshes
- [ ] MR approvals are recalculated based on updated enrichment data
- [ ] Performance impact is minimized through efficient querying and parallelization

References: https://gitlab.com/gitlab-org/gitlab/-/issues/581332#note_2993972194
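The three steps and the known limitation above, as an added plain-Ruby model with constructed data. This is example code written for this issue page, not GitLab's worker or models: the table and column names (`security_policies`, `security_policy_project_links`, `pm_cve_enrichment`, `security_findings`, `security_finding_enrichments`) are the ones the issue names, while the `Struct` types, the `since` watermark, the `kev`/`epss` fields and the `created_at` comparison are hypothetical stand-ins chosen to make the edge case visible.

```ruby
# Added example, not GitLab's code: a plain-Ruby model of the sync steps with
# constructed data. Table/column names come from the issue; the Struct names,
# the `since` watermark and the kev/epss fields are hypothetical stand-ins.
require 'set'

Policy     = Struct.new(:id, :filters, :created_at)                   # security_policies
PolicyLink = Struct.new(:policy_id, :project_id)                      # security_policy_project_links
CveRow     = Struct.new(:cve, :kev, :epss, :updated_at)               # pm_cve_enrichment
Finding    = Struct.new(:id, :project_id, :cve)                       # security_findings
Enrichment = Struct.new(:finding_id, :project_id, :cve, :kev, :epss)  # security_finding_enrichments

# Step 1: only policies whose rules carry a KEV or EPSS filter are relevant.
def policies_with_risk_filters(policies)
  policies.select { |p| (p.filters & %i[kev epss]).any? }
end

# Step 2: the set of project ids those policies are linked to.
def projects_for(policies, links)
  ids = policies.map(&:id).to_set
  links.select { |l| ids.include?(l.policy_id) }.map(&:project_id).to_set
end

# Step 3: correlate CVEs refreshed since the last run (the `since` watermark)
# with findings in the linked projects. Returns the enrichments to write and
# the set of projects whose MR approvals need recalculating.
def sync_enrichments(policies:, links:, cve_rows:, findings:, since:)
  refreshed = cve_rows.select { |r| r.updated_at > since }.to_h { |r| [r.cve, r] }
  projects  = projects_for(policies_with_risk_filters(policies), links)

  enrichments = findings
    .select { |f| projects.include?(f.project_id) && refreshed.key?(f.cve) }
    .map { |f|
      row = refreshed[f.cve]
      Enrichment.new(f.id, f.project_id, f.cve, row.kev, row.epss)
    }

  [enrichments, enrichments.map(&:project_id).to_set]
end

# The known limitation: a finding whose CVE was ingested before the policy
# (and its filter) existed is never in `refreshed`, so it silently gets no
# enrichment. Report such findings so they can be backfilled or documented.
def missed_by_watermark(policies:, links:, cve_rows:, findings:, since:)
  by_cve = cve_rows.to_h { |r| [r.cve, r] }
  policies_with_risk_filters(policies).flat_map { |policy|
    project_ids = links.select { |l| l.policy_id == policy.id }.map(&:project_id)
    findings.select { |f|
      row = by_cve[f.cve]
      row && project_ids.include?(f.project_id) &&
        row.updated_at <= since && policy.created_at > row.updated_at
    }
  }.uniq
end

# Constructed sample data (not real policies, projects or CVE rows).
SAMPLE_POLICIES = [
  Policy.new(1, %i[kev],  Time.utc(2025, 1, 1)),
  Policy.new(2, %i[epss], Time.utc(2025, 3, 1)), # filter added after CVE-2024-0002 arrived
  Policy.new(3, [],       Time.utc(2025, 1, 1)), # no KEV/EPSS filter: skipped
]
SAMPLE_LINKS = [PolicyLink.new(1, 10), PolicyLink.new(2, 20), PolicyLink.new(3, 30)]
SAMPLE_CVES = [
  CveRow.new('CVE-2024-0001', true,  0.91, Time.utc(2025, 3, 10)), # refreshed this run
  CveRow.new('CVE-2024-0002', false, 0.75, Time.utc(2025, 2, 1)),  # older than the watermark
]
SAMPLE_FINDINGS = [
  Finding.new(100, 10, 'CVE-2024-0001'),
  Finding.new(101, 20, 'CVE-2024-0002'),
  Finding.new(102, 30, 'CVE-2024-0001'),
]
SAMPLE_SINCE = Time.utc(2025, 3, 9)

def run_sample
  args = { policies: SAMPLE_POLICIES, links: SAMPLE_LINKS,
           cve_rows: SAMPLE_CVES, findings: SAMPLE_FINDINGS, since: SAMPLE_SINCE }
  [sync_enrichments(**args), missed_by_watermark(**args)]
end

if __FILE__ == $PROGRAM_NAME
  (enrichments, projects), missed = run_sample
  puts "enrich findings: #{enrichments.map(&:finding_id)}  recalc projects: #{projects.to_a}"
  puts "missed by watermark: #{missed.map(&:id)}"
end
```

With the sample data only finding 100 gets an enrichment and only project 10 needs its MR approvals recalculated; finding 101 is the edge case from the issue, because policy 2 gained its EPSS filter after CVE-2024-0002 was ingested and the CVE is below the watermark. `missed_by_watermark` is what a backfill (or an explicit "policy changed" trigger) would have to cover.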