[DEBATED] License Scanning using SBOM components stored in DB for default branch
NOTE: This issue might overlap with Use database for project dependency list (&8293 - closed), and might no longer be relevant as we implement that epic. See &8293 (comment 1313215578)
Problem to solve
The License Scanning SBOM scanner implemented in &9400 (closed) should fetch the SBOM components from the DB when that's possible, instead of parsing the SBOM reports: this is more efficient, it saves resources, and it should also improve the response time. SBOM components for the default branch are now stored in the DB; see Reduce sbom_occurrences table growth (#373781 - closed) and !106894 (merged).
Proposal
- Change the `BranchComponents` class implemented in !105994 (merged) so that it fetches SBOM components from the DB when the given branch is the project default branch.
- Stop using `LicenseScanning.scanner_for_pipeline` to initialize a scanner for the default branch. This is covered by SCA::LicenseCompliance for branches initialized... (#386898).
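As an added illustration (not GitLab's code): a hypothetical `BranchComponents` that reads from the DB only when the requested branch is the project default branch and otherwise parses the branch's CycloneDX SBOM report. The in-memory stand-in for the `sbom_occurrences` table, the project name, and the report contents are constructed.

```ruby
require 'json'

# Constructed stand-in for the sbom_occurrences table. As in the issue text, rows
# exist only for the project's default branch.
SBOM_DB = {
  ['my-project', 'main'] => [
    { name: 'rails', version: '7.0.4', purl: 'pkg:gem/rails@7.0.4' },
    { name: 'nokogiri', version: '1.13.10', purl: 'pkg:gem/nokogiri@1.13.10' }
  ]
}.freeze

# Constructed CycloneDX-style SBOM report, as a pipeline on a feature branch would produce.
FEATURE_BRANCH_REPORT = JSON.generate(
  'bomFormat' => 'CycloneDX',
  'components' => [
    { 'name' => 'rails', 'version' => '7.0.4', 'purl' => 'pkg:gem/rails@7.0.4' },
    { 'name' => 'rack', 'version' => '3.0.2', 'purl' => 'pkg:gem/rack@3.0.2' }
  ]
)

# Hypothetical BranchComponents (not the GitLab implementation): DB for the default
# branch, report parsing for every other branch.
class BranchComponents
  Component = Struct.new(:name, :version, :purl, keyword_init: true)

  def initialize(project:, default_branch:, branch:, report_json: nil)
    @project = project
    @default_branch = default_branch
    @branch = branch
    @report_json = report_json
  end

  # Returns [components, source], where source is :database or :report.
  def fetch
    if @branch == @default_branch
      rows = SBOM_DB.fetch([@project, @branch], [])
      [rows.map { |row| Component.new(**row) }, :database]
    else
      # Only the default branch is tracked in the DB, so a report is mandatory here.
      raise ArgumentError, 'non-default branch requires an SBOM report' if @report_json.nil?

      components = JSON.parse(@report_json).fetch('components', []).map do |c|
        Component.new(name: c['name'], version: c['version'], purl: c['purl'])
      end
      [components, :report]
    end
  end
end
```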
There's no need to refresh the MR approvals when the SBOM components change in the database (insert or update) because:
- The license policies apply to the source branch of the MR.
- The source branch shouldn't be the default branch.
- The DB only tracks the SBOM components of the default branch.
See #377420 (comment 1229835792)