Use licenses of CycloneDX SBOMs in license scanner

Why are we doing this work

License Scanning should use the licenses field of the CycloneDX JSON SBOM when available, and fall back to using license information imported from the external License DB.

Parsing and exposing the licenses field is covered by Ingest component licenses from CycloneDX SBOMs (#370013 - closed).

This is built on top of the License Scanning SBOM Scanner introduced in &8072 (closed), and updated in &10415 (closed).

Relevant links

Non-functional requirements

  • Documentation: Document license scanning using licenses of Cyc... (#415945 - closed)
  • Feature flag: license_scanning_with_sbom_licenses
  • Performance: Make sure that the impact on the time it takes to load License Scanning results is negligible. To be checked in the licenses tab of the pipeline page and in the Dependency List page.
  • Testing: Unit tests and E2E tests.

Implementation plan

Verification steps

Licenses from CycloneDX SBOM only (feature test)

  • Set up a project with dependencies supported by a compatible CycloneDX JSON SBOM generator that provides licenses of components. See https://cyclonedx.org/tool-center/
  • Add CI config to run the SBOM generator, and upload the resulting SBOM.
  • Check licenses tab of pipeline page.
  • Check licenses in Dependency List (DL) page.

Licenses from License DB (non-regression test)

  • Set up a project with dependencies supported by Dependency Scanning (DS).
  • Include DS CI template, and trigger a pipeline.
  • Check licenses tab of pipeline page.
  • Check licenses in Dependency List (DL) page.

Licenses from CycloneDX SBOM and License DB (feature test)

  • Set up a project with two sets of dependencies.
    • Some dependencies are reported by DS, and License DB has license info for these.
    • Some other dependencies are reported by the SBOM generator, which provides their licenses.
    • The two sets don't overlap.
  • Add CI config to enable both DS and the other SBOM generator.
  • Check licenses tab of pipeline page and the DL page.
    • Licenses come from the licenses field of the CycloneDX SBOM when it's set.
    • Otherwise licenses come from the package metadata tables (imported from License DB).
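As an added example (not code from this issue or from GitLab), the precedence described above in Ruby: a constructed CycloneDX 1.4 JSON SBOM is parsed, each component's `licenses` field is used when present, and a constructed stand-in for the License DB package metadata tables is consulted otherwise. The SBOM contents, the `LICENSE_DB` hash and the function names are assumptions.

```ruby
require 'json'

# Constructed CycloneDX 1.4 JSON SBOM (not from the issue). Three components:
# one with an SPDX id, one with a license expression, one with no licenses field.
SBOM_JSON = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      { "type": "library", "name": "rack", "version": "2.2.8",
        "purl": "pkg:gem/rack@2.2.8",
        "licenses": [ { "license": { "id": "MIT" } } ] },
      { "type": "library", "name": "foo", "version": "1.0.0",
        "purl": "pkg:gem/foo@1.0.0",
        "licenses": [ { "expression": "Apache-2.0 OR MIT" } ] },
      { "type": "library", "name": "bar", "version": "3.1.0",
        "purl": "pkg:gem/bar@3.1.0" }
    ]
  }
JSON

# Constructed stand-in for the package metadata tables imported from License DB,
# keyed by purl. Hypothetical data; the rack entry must NOT override the SBOM.
LICENSE_DB = {
  'pkg:gem/bar@3.1.0'  => ['BSD-3-Clause'],
  'pkg:gem/rack@2.2.8' => ['unknown']
}.freeze

# Licenses declared on one component. In CycloneDX each entry of the
# `licenses` array is either {"license": {"id"|"name": ...}} or
# {"expression": "..."}; entries with neither are ignored.
def sbom_licenses(component)
  Array(component['licenses']).filter_map do |entry|
    entry['expression'] || entry.dig('license', 'id') || entry.dig('license', 'name')
  end
end

# Returns purl => list of license strings, preferring the SBOM's `licenses`
# field and falling back to License DB only when the field is absent or empty.
def resolve_licenses(sbom_json, license_db)
  JSON.parse(sbom_json).fetch('components', []).each_with_object({}) do |c, out|
    declared = sbom_licenses(c)
    out[c['purl']] = declared.empty? ? license_db.fetch(c['purl'], []) : declared
  end
end

puts resolve_licenses(SBOM_JSON, LICENSE_DB).inspect
```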
Edited by Fabien Catteau