Generate dependency list from CycloneDX components

Proposal

The EE::Ci::Pipeline#dependency_list_report method currently generates the report by parsing the dependency_scanning artifacts on the fly. With the move to continuously scanning the components in CycloneDX reports, we'll need to generate the dependency list from SBoM components instead of the dependency_files section in dependency scanning reports. This presents an opportunity to move all dependency list generation logic to the Security::DependencyListService class and remove the EE::Ci::Pipeline#dependency_list_report method.

Affected components

  • EE::Ci::Pipeline#dependency_list_report: This should generate a report from the CycloneDX reports if the continuous vulnerability scanning feature flag is enabled. This method is used by Security::DependencyListService, which in turn serves both the /projects/:id/dependencies endpoint and the Projects::DependenciesController class, so updating the logic here will ensure we have feature parity across the two surfaces.
  • Sbom::DependenciesFinder: This finder is currently implemented as the resolver of project dependencies in the GraphQL API, and can most likely be reused.

Implementation plan

TBD

Edited by Oscar Tovar