
License approval works incorrectly when the target branch pipeline does not have dependency scanning

Problem

Currently, the license approval policy in an MR works by selecting the latest pipeline on the target branch that is in a finished state (success, failed, canceled). If that pipeline does not contain a dependency scanning job (for example, a scheduled pipeline that runs only a specific scan, or a pipeline created by a scheduled scan execution policy), the license approval policy does not enforce approvals correctly.

Solution

  • Use the latest finished target-branch pipeline that has a dependency scanning job

Implementation plan

  • backend Create a new method in ee/app/models/ee/merge_request.rb to get the latest finished pipeline for the target branch that has dependency scanning (SBOM) report artifacts:

```ruby
# Latest finished target-branch pipeline that produced an SBOM report,
# i.e. one that actually ran dependency scanning.
def latest_target_branch_pipeline_with_sbom
  project.all_pipelines.finished.newest_first(ref: target_branch).with_reports(::Ci::JobArtifact.of_report_type(:sbom)).take
end
```
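The following is an added illustration, not GitLab's code: it models the current pipeline selection next to the proposed SBOM-aware selection and shows why a newer pipeline without dependency scanning makes a "pre-existing license" policy miss. The pipeline records, dates and license names are constructed sample data.

```ruby
# Added example (not GitLab's code): models how the target-branch pipeline is
# chosen and why a pipeline without an SBOM report breaks the license comparison.
# Pipeline data is constructed; real records would be ::Ci::Pipeline.
require 'time'

FINISHED = %w[success failed canceled].freeze

Pipeline = Struct.new(:id, :ref, :status, :created_at, :report_types, :licenses,
                      keyword_init: true)

# Constructed sample: a full pipeline with dependency scanning, then a newer
# scheduled pipeline that ran only SAST (no SBOM), then an unfinished pipeline.
PIPELINES = [
  Pipeline.new(id: 1, ref: 'main', status: 'success', created_at: Time.parse('2024-01-01 10:00 UTC'),
               report_types: %i[sbom sast], licenses: %w[MIT GPL-3.0]),
  Pipeline.new(id: 2, ref: 'main', status: 'success', created_at: Time.parse('2024-01-02 10:00 UTC'),
               report_types: %i[sast], licenses: []),
  Pipeline.new(id: 3, ref: 'main', status: 'running', created_at: Time.parse('2024-01-03 10:00 UTC'),
               report_types: %i[sbom], licenses: %w[MIT]),
].freeze

# Equivalent of finished.newest_first(ref:) on the constructed data.
def finished_newest_first(pipelines, ref)
  pipelines.select { |p| p.ref == ref && FINISHED.include?(p.status) }
           .sort_by(&:created_at).reverse
end

# Current behaviour: the latest finished pipeline on the target branch, whatever it ran.
def latest_target_branch_pipeline(pipelines, ref)
  finished_newest_first(pipelines, ref).first
end

# Proposed behaviour: additionally require an SBOM report (with_reports in the issue).
def latest_target_branch_pipeline_with_sbom(pipelines, ref)
  finished_newest_first(pipelines, ref).find { |p| p.report_types.include?(:sbom) }
end

# A pre-existing license is one already reported on the target branch. If the
# selected pipeline carries no SBOM, the target set is empty and nothing matches.
def pre_existing_licenses(mr_licenses, target_pipeline)
  target = target_pipeline ? target_pipeline.licenses : []
  mr_licenses & target
end

# The policy requires approval when a pre-existing license is one it lists.
def approval_required?(mr_licenses, policy_licenses, target_pipeline)
  (pre_existing_licenses(mr_licenses, target_pipeline) & policy_licenses).any?
end
```

With the current selection the SAST-only pipeline (id 2) is chosen and MIT looks newly detected rather than pre-existing, so no approval is required; the SBOM-aware selection picks pipeline 1 and the policy fires.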

Verification steps

  • Create a project with dependency scanning enabled
  • Create a license approval policy that requires approval for pre-existing licenses, and make sure that the project contains those licenses in the default branch (or any protected branch)
  • Create a scheduled pipeline that does not execute the dependency scanning job, and make sure that it is the latest pipeline on the default branch
  • Create an MR that does not update any dependencies and check that approval is enforced
Edited by Grant Hickman