
BE - [License Approvals] - Extend Scan Result Policies to process License Approval Policies

Why are we doing this work

Currently we are only processing Scan Result Policies with scan_finding rule type. In scope of this issue we want to change it to also support Scan Result Policies with license_finding rule type. This will require changes in the code to support it.

Currently License Approvals are configured in the Project's Settings -> Merge Requests -> Merge request approvals, where you can specify branches, approvers and how many approvals are needed. Any additional software license policies are configured in the Security & Compliance -> License Compliance -> Policies tab (see https://gitlab.com/gitlab-org/gitlab/-/licenses#policies). With this feature we want to support it in one place, as a License Approval Policy under Scan Result Policy.

For now we want to work on this feature behind the existing feature flag (license_scanning_policies), so the policy will only be processed when this feature flag is enabled for the project.

Relevant links

  • Related issue with proposed format
  • Epic

Non-functional requirements

  • Documentation: documentation should be updated with new type of Scan Result Policies after this feature is available for users.
  • [-] Feature flag:
  • [-] Performance:
  • Testing:

Implementation plan

  • backend modify ee/app/models/concerns/security/scan_result_policy.rb with a method to delete software license policies related to a given Security::OrchestrationPolicyConfiguration,
  • backend make sure the methods for deleting approval rules defined in ee/app/models/concerns/security/scan_result_policy.rb also work for license_finding approval rules,
  • backend modify the create_new_approval_rules method in ee/app/services/security/security_orchestration_policies/process_scan_result_policy_service.rb to support creating approval rules with the license_finding type,
  • backend add a method to create software_license_policies based on the license_finding scan_result_policy and call RefreshLicenseComplianceChecksWorker after creating them,
  • backend modify ee/app/services/software_license_policies/create_service.rb to allow skipping authorization and skipping the call to RefreshLicenseComplianceChecksWorker when it is called from ProcessScanResultPolicyService,
  • backend modify ee/app/workers/security/process_scan_result_policy_worker.rb to call delete_software_license_policies_for_project defined in the first step,
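A simplified, stand-alone model of the delete-then-recreate flow the plan describes, added here as an illustration and not GitLab's own code; the class names, the policy hash shape (license_types, match_on_inclusion, approvals_required) and the classification mapping are assumptions:

```ruby
# Hypothetical model of the ProcessScanResultPolicyService flow; not GitLab code.
SoftwareLicensePolicy = Struct.new(:project_id, :license, :classification, :configuration_id, keyword_init: true)
ApprovalRule = Struct.new(:project_id, :name, :rule_type, :approvals_required, :configuration_id, keyword_init: true)

class LicenseApprovalSync
  attr_reader :license_policies, :approval_rules, :refresh_calls

  def initialize
    @license_policies = []  # stands in for the software_license_policies table
    @approval_rules = []    # stands in for the approval rules table
    @refresh_calls = 0      # counts RefreshLicenseComplianceChecksWorker enqueues
  end

  # Step 1: remove only the policies this orchestration configuration created,
  # so manually configured license policies (configuration_id nil) survive.
  def delete_software_license_policies_for(project_id, configuration_id)
    @license_policies.reject! { |p| p.project_id == project_id && p.configuration_id == configuration_id }
  end

  # Step 2: the same scoping for approval rules of the license_finding type.
  def delete_license_finding_rules_for(project_id, configuration_id)
    @approval_rules.reject! do |r|
      r.project_id == project_id && r.configuration_id == configuration_id && r.rule_type == 'license_finding'
    end
  end

  # Steps 3-4: recreate approval rules and license policies from a license_finding policy.
  # Returns false when the policy has no license_finding rule (scan_finding-only policies are untouched).
  def process(project_id, configuration_id, policy)
    rules = policy[:rules].select { |r| r[:type] == 'license_finding' }
    return false if rules.empty?
    delete_license_finding_rules_for(project_id, configuration_id)
    delete_software_license_policies_for(project_id, configuration_id)
    approvals = policy.dig(:actions, 0, :approvals_required) || 1
    rules.each do |rule|
      @approval_rules << ApprovalRule.new(project_id: project_id, name: policy[:name], rule_type: 'license_finding',
                                          approvals_required: approvals, configuration_id: configuration_id)
      # Assumed mapping: listing licenses to match on marks them as denied, otherwise allowed.
      classification = rule[:match_on_inclusion] ? 'denied' : 'allowed'
      rule[:license_types].each do |license|
        @license_policies << SoftwareLicensePolicy.new(project_id: project_id, license: license,
                                                       classification: classification, configuration_id: configuration_id)
      end
    end
    @refresh_calls += 1  # the worker is enqueued once per run, not once per created row
    true
  end
end
```

Re-running process for the same configuration replaces its own rows instead of duplicating them, which is the property the worker change in the last step relies on.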

Verification steps

  • Create a new project with a Gemfile/Gemfile.lock and a couple of gems included,
  • Create a new .gitlab-ci.yml file and include the Security/License-Scanning.yml template,
  • Wait for the pipeline to finish.
  • Create a new Scan Result Policy (Security & Compliance -> Policies) and test a couple of scenarios:
    • License matching selected license type and is newly detected and the license is included in newly added dependency,
    • License matching selected license type and is newly detected and the license is not included in newly added dependency,
    • License matching selected license type and is pre-existing and the license is included in newly added dependency,
    • License matching selected license type and is pre-existing and the license is not included in newly added dependency,
    • License excluding selected license type and is newly detected and the license is included in newly added dependency,
    • License excluding selected license type and is newly detected and the license is not included in newly added dependency,
    • License excluding selected license type and is pre-existing and the license is included in newly added dependency,
    • License excluding selected license type and is pre-existing and the license is not included in newly added dependency,
  • Test it also when policy is defined on Group-level,
  • Test it additionally when policy is defined on Group-level and new project is added to this group and check if approval rules are added to new MRs in this project,
Edited by Sashi Kumar Kumaresan