
Fallback to License Scanning SBOM Scanner when no License Scanning artifacts

Why are we doing this work

To roll out the new License Scanning SBOM Scanner without affecting projects where the legacy License Scanning is configured (i.e. the License Scanning CI template is included), the SBOM Scanner should be used as a fallback only when the project pipeline has no License Scanning artifacts.

Users who want to try out the new License Scanning SBOM Scanner then need to update their CI configuration as follows:

  • Include the Dependency Scanning CI template if it's missing.
  • Remove the License Scanning CI template.

See #384936 (comment 1232242999)

Proposal

Fallback logic in LicenseScanning.scanner_for_project:

  1. Initialize an ArtifactScanner and return it if Feature.enabled?(:license_scanning_sbom_scanner) returns false.
  2. Get ArtifactScanner.latest_pipeline for the project.
  3. If there is no such pipeline, return a SbomScanner.
  4. Else:
    1. Get SbomScanner.latest_pipeline for the project.
    2. Compare the two pipelines by creation date or sequential ID.
    3. If the artifact-based pipeline is more recent, return an ArtifactScanner.
    4. Else return a SbomScanner.

Fallback logic in LicenseScanning.scanner_for_pipeline:

  1. Initialize an ArtifactScanner and return it if Feature.enabled?(:license_scanning_sbom_scanner) returns false.
  2. Return the ArtifactScanner if its has_data? is true.
  3. Else return a SbomScanner.
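A runnable sketch of both fallback orders, added here as an illustration; it is not GitLab's own implementation. `Feature`, `Pipeline`, `Project`, `ArtifactScanner` and `SbomScanner` are constructed stand-ins (only the flag name and the method names come from the proposal). Pipelines are compared by sequential ID, and a project that has an artifact-based pipeline but no SBOM pipeline at all keeps the ArtifactScanner, a case the proposal leaves unspecified.

```ruby
# Added example, not GitLab code. All classes below are constructed stand-ins
# with just enough behaviour to exercise the proposed selection logic offline.

# Stand-in for the feature-flag API; only the flag name is from the proposal.
module Feature
  FLAGS = Hash.new(false)

  def self.enable(name, value = true)
    FLAGS[name] = value
  end

  def self.enabled?(name)
    FLAGS[name]
  end
end

# Constructed pipeline record: ids are sequential, so a higher id is newer.
# license_artifacts: the legacy license-scanning job report is present.
# sbom_reports: CycloneDX SBOM reports (from Dependency Scanning) are present.
Pipeline = Struct.new(:id, :license_artifacts, :sbom_reports, keyword_init: true)
Project = Struct.new(:pipelines)

# Legacy scanner: license info read from License Scanning job artifacts.
class ArtifactScanner
  def self.latest_pipeline(project)
    project.pipelines.select(&:license_artifacts).max_by(&:id)
  end

  attr_reader :pipeline

  def initialize(pipeline)
    @pipeline = pipeline
  end

  def has_data?
    !pipeline.nil? && pipeline.license_artifacts
  end
end

# New scanner: license info derived from SBOMs and the License DB.
class SbomScanner
  def self.latest_pipeline(project)
    project.pipelines.select(&:sbom_reports).max_by(&:id)
  end

  attr_reader :pipeline

  def initialize(pipeline)
    @pipeline = pipeline
  end

  def has_data?
    !pipeline.nil? && pipeline.sbom_reports
  end
end

module LicenseScanning
  FLAG = :license_scanning_sbom_scanner

  # Project level: use whichever scanner has the more recent pipeline.
  def self.scanner_for_project(project)
    artifact_pipeline = ArtifactScanner.latest_pipeline(project)
    return ArtifactScanner.new(artifact_pipeline) unless Feature.enabled?(FLAG)
    return SbomScanner.new(SbomScanner.latest_pipeline(project)) if artifact_pipeline.nil?

    sbom_pipeline = SbomScanner.latest_pipeline(project)
    # Assumption: no SBOM pipeline at all counts as "artifact pipeline is newer".
    if sbom_pipeline.nil? || artifact_pipeline.id > sbom_pipeline.id
      ArtifactScanner.new(artifact_pipeline)
    else
      SbomScanner.new(sbom_pipeline)
    end
  end

  # Pipeline level: legacy artifacts win whenever the pipeline has them.
  def self.scanner_for_pipeline(pipeline)
    artifact_scanner = ArtifactScanner.new(pipeline)
    return artifact_scanner unless Feature.enabled?(FLAG)
    return artifact_scanner if artifact_scanner.has_data?

    SbomScanner.new(pipeline)
  end
end

# Constructed scenario mirroring the verification steps: pipeline 1 still ran
# the License Scanning job, pipeline 2 ran after the LS template was removed.
def verification_project
  Project.new([
    Pipeline.new(id: 1, license_artifacts: true, sbom_reports: true),
    Pipeline.new(id: 2, license_artifacts: false, sbom_reports: true)
  ])
end

if __FILE__ == $PROGRAM_NAME
  Feature.enable(LicenseScanning::FLAG)
  puts LicenseScanning.scanner_for_project(verification_project).class
end
```

With the flag enabled, the project-level call picks the SbomScanner for pipeline 2, while `scanner_for_pipeline` on pipeline 1 still returns the ArtifactScanner, which is the mixed state the MR-page diff in the verification steps relies on.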

Relevant links

Implementation plan

Verification steps

  1. Set up License Scanning (LS) and Dependency Scanning in a project.
  2. Identify differences between licenses info provided by:
    • legacy implementation license-scanning job (Artifact Scanner)
    • new implementation using SBOMs and License DB (SBOM Scanner)
  3. Enable feature flag for SBOM Scanner for that project.
  4. Create an MR that targets the default branch.
  5. Check all license features. License info comes from LS artifacts.
    • Check License Compliance page.
    • Check Licenses tab of pipeline page.
    • Check MR page. There's no diff in the licenses.
  6. In the MR, remove License Scanning from CI config.
  7. Check MR page.
    • License info for the source branch comes from the SBOMs.
    • There is a diff in the licenses because they are compared with the license info coming from the LS artifacts.
  8. Merge the MR into the default branch.
  9. Check License Compliance page.
    • License info comes from the SBOMs.
Edited by Oscar Tovar