Ingest component licenses from CycloneDX SBOMs

Why are we doing this work

We need to parse the licenses field of CycloneDX JSON SBOMs, and expose it so that it can be used by the license scanner. It doesn't need to be stored in the database.

Relevant links

• https://cyclonedx.org/use-cases/#license-compliance
• Ingest SBOM reports (&8024 - closed)
• https://gitlab.com/gitlab-org/gitlab/-/blob/481dd67c85fb51dc502785e17bfe72fd1fabc3de/lib/gitlab/ci/parsers/sbom/cyclonedx.rb#L63-76
• https://gitlab.com/gitlab-org/gitlab/-/blob/cbe260beb24249f5ba0dd2b170f64290c4ac3266/lib/gitlab/ci/reports/sbom/component.rb

Non-functional requirements

This doesn't change the user experience and doesn't need to be documented.

We might need a feature flag if parsing the licenses field of components can raise exceptions, and make the parsing of the SBOM fail.

The impact on performance when parsing a Cyclone JSON SBOM should be negligible.

• Documentation:
• Feature flag:
• Performance:
• Testing: specs

Implementation plan

• Introduce a new ::Gitlab::Ci::Reports::Sbom::License model to expose components licenses, and add specs.
• Update Gitlab::Ci::Parsers::Sbom#parse_components to also parse licenses, and update specs.
• Update ::Gitlab::Ci::Reports::Sbom::Components to expose licenses of a component, and update specs.

Verification steps

We can't have E2E tests until the licenses field is used by the license scanner.