Use merge base for security MR widget
<!--
Implementation issues are used break-up a large piece of work into small, discrete tasks that can
move independently through the build workflow steps. They're typically used to populate a Feature
Epic. Once created, an implementation issue is usually refined in order to populate and review the
implementation plan and weight.
Example workflow: https://about.gitlab.com/handbook/engineering/development/threat-management/planning/diagram.html#plan
\-->
## Why are we doing this work
<!--
A brief explanation of the why, not the what or how. Assume the reader doesn't know the
background and won't have time to dig-up information from comment threads.
\-->
Depending of how quickly the default branch changes in a project, the MR security vulnerability widget can show misleading results.
The gitlab~24181149 team has successfully implemented a change for the ~"Category:Code Quality" widget where the comparison is done against the "common base" reference as illustrated below:

Right now, to find vulnerabilities, we always look at “main tip”. The comparison of feature/main is incorrect because feature is branched from “common base”, not “main tip”.
In reality it’s slightly more complicated than the image above, but the idea is the same: we’re comparing to a ref that has extra commits. Also see: https://gitlab.com/groups/gitlab-org/-/epics/4006#note_389167115.
We'd like to test if the same change would also produce better results in the ~"Category:Vulnerability Management"'s MR widget.
## Relevant links
- [code quality issue](https://gitlab.com/gitlab-org/gitlab/-/issues/217981 "CodeQuality report should not use merged results pipeline report for comparison")
- [code quality's Feature Flag](https://gitlab.com/gitlab-org/gitlab/-/issues/263724 "[Feature flag] Enable merge_base_pipeline for comparing with merged results in the CodeQuality MR widget")
- [Similar implementation](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/44648 "Introduce MergeRequest#merge_base_pipeline for CodeQuality artifact comparison to merged results")
- [Customer feedback on why the current MR security widget diff is problematic](https://gitlab.com/gitlab-com/account-management/commercial/outschool/-/issues/59#note_1200436365)
## Non-functional requirements
<!--
Add details for required items and delete others.
\-->
* [ ] Documentation: the new behaviour should be documented. Consider including git diagrams from referenced issues.
* [ ] Feature flag: `vuln_mgmt_merge_base`
* [ ] Testing:
* [ ] Create two test projects; enable the FF for one of them
* [ ] Create a set of commits/changes in each project, describing the expected results for each one's MR widget
* [ ] Confirm the results from project using `vuln_mgmt_merge_base` is preferred
* [ ] Repeat the process with a project that uses "merged results pipelines"
## Implementation plan
* gitlab~2492649 Add `Gitlab::Ci::Features#compare_against_merge_base?(project: Project)`, make sure it uses `Feature.enabled?`
* gitlab~2492649 Add `Ci::CompareCodequalityReportsService` to `ALLOWED_TO_USE_MERGE_BASE_PIPELINE_FOR_COMPARISON` to `MergeRequest` (`app/models/merge_request.rb`)
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
epic