Track source of license information provided by License Scanning

Problem to solve

When scanning project dependencies, information on licenses might come from:

  • package registry, like npmjs.com
  • package metadata, like package.json
  • package files, like a LICENSE.md file

As a user, I might want to know where a license reported by License Scanning was detected, so that I can double-check the information.

Proposal

  • Change License Scanning to report where license information was detected
  • Change the GitLab UI to show that information

/cc @NicoleSchwartz