
Document license scanning using licenses of CycloneDX SBOM

Proposal

Document how CycloneDX JSON SBOMs that carry licenses fields are used by the license scanner.

Explain that the license scanner falls back to its own package metadata database when the SBOM has no licenses.

Reference compatible CycloneDX SBOM generators that provide the licenses field.
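To make the behaviour described in this proposal concrete, here is an added illustration of the two paths the documentation needs to explain: licenses read from a component's CycloneDX licenses field (SPDX id, license name, or SPDX expression), and a fallback lookup when a component has none. This is example code written for this issue, not the GitLab License Scanning implementation. The SBOM is constructed inline, components are keyed by purl (an assumption), and FALLBACK_DB is a hypothetical stand-in for the scanner's package metadata database.

```python
import json

# Constructed sample: a CycloneDX 1.4 JSON SBOM. Two components carry a
# licenses field (one SPDX id, one SPDX expression); two carry none.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "some-dual", "version": "1.0.0",
         "purl": "pkg:npm/some-dual@1.0.0",
         "licenses": [{"expression": "(MIT OR GPL-2.0-only)"}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "mystery", "version": "0.1.0",
         "purl": "pkg:generic/mystery@0.1.0"},
    ],
})

# Hypothetical stand-in for the scanner's own package metadata database,
# keyed by purl. Not GitLab's data; only one of the two license-less
# components is known here, so the other resolves to "unknown".
FALLBACK_DB = {
    "pkg:npm/left-pad@1.3.0": ["WTFPL"],
}


def licenses_from_component(component):
    """Return the license identifiers declared on a CycloneDX component.

    CycloneDX allows each entry of `licenses` to be either
    {"license": {"id": ...}} / {"license": {"name": ...}} or
    {"expression": "<SPDX expression>"}. Returns None when the component
    declares nothing, so the caller can distinguish "absent" from "empty".
    """
    entries = component.get("licenses")
    if not entries:
        return None
    found = []
    for entry in entries:
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "unknown")
    return found or None


def resolve_licenses(sbom_json, fallback_db):
    """Map each component to its licenses and record where they came from.

    Order of precedence: licenses declared in the SBOM first, then the
    fallback package database, then "unknown" when neither has anything.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    result = {}
    for component in sbom.get("components", []):
        key = component.get("purl") or f"{component['name']}@{component.get('version', '')}"
        declared = licenses_from_component(component)
        if declared is not None:
            result[key] = {"licenses": declared, "source": "sbom"}
        elif key in fallback_db:
            result[key] = {"licenses": list(fallback_db[key]), "source": "package-db"}
        else:
            result[key] = {"licenses": [], "source": "unknown"}
    return result


if __name__ == "__main__":
    for purl, info in resolve_licenses(SAMPLE_SBOM, FALLBACK_DB).items():
        print(f"{purl}: {info['licenses']} (from {info['source']})")
```

One caveat worth carrying into the documentation: licenses taken from the SBOM are whatever the generator wrote, so the scanner's result is only as trustworthy as the tool that produced the file; the fallback database is the only path that does not depend on that input. Tracking the source per component, as the example does, makes that distinction visible to reviewers.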

Implementation plan

Update https://docs.gitlab.com/ee/user/compliance/license_scanning_of_cyclonedx_files/index.html

Who can address the issue

Anyone familiar with the License Scanning SBOM Scanner and CycloneDX SBOM ingestion.

Other links/references

#415935 (closed)

Edited by Fabien Catteau