Track License Scanning scan results

Problem to solve

Right now we don't have metrics for License Scanning.

  • We don't know how often it reports licenses for project dependencies, instead of unknown.
  • We don't know how often it returns licenses extracted from the CycloneDX SBOM.

Also, we can't spot a regression where License Scanning would return more unknowns than it used to, globally or for a specific package type.

Proposal

Use GitLab internal analytics to count project dependencies processed by License Scanning during a single scan.

  • dependencies being scanned (total)
  • dependencies with licenses extracted from the SBOM
  • dependencies with scan results
  • dependencies with no scan results (unknowns)

Group these counts per PURL type, and publish one event per PURL type.

Implementation plan

  • Define event.
    • name: 'license_scanning_scan'
    • project
    • additional_properties
      • label: purl_type
      • start_time, end_time
      • components (total)
      • components_with_licenses_from_sbom
      • components_with_scan_results
      • components_without_scan_results
  • Define metrics based on that event.
  • Update LicenseScanning::PackageLicenses and its specs.
    • Count components with licenses from CDX SBOM.
    • Count components with scan results.
    • Count components without scan results (unknown license).
    • Group counts per PURL type.
    • Publish one event per PURL type using Gitlab::InternalEventsTracking.
  • Create a PI Chart Help issue, and ask for a Net-new chart.
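To make the counting and grouping step concrete, here is an added Ruby sketch (not GitLab's code and not the actual PackageLicenses change) that derives the per-PURL-type properties listed above from a scan's component list and hands one event per PURL type to a pluggable tracker. It assumes a component is a Hash with :purl_type, :sbom_licenses and :scan_licenses, and that a component counts as "from SBOM" when the SBOM already carried a license, as a scan result otherwise when the scan found one, and as unknown when neither did.

```ruby
# Added example, not GitLab's own code. Assumed component shape:
#   { purl_type: 'npm', sbom_licenses: ['MIT'], scan_licenses: [] }
# Classification rule (assumption): SBOM license wins, then scan result, else unknown.
def classify_component(component)
  return :components_with_licenses_from_sbom if Array(component[:sbom_licenses]).any?
  return :components_with_scan_results if Array(component[:scan_licenses]).any?
  :components_without_scan_results
end

# Builds one additional_properties Hash per PURL type, keyed by PURL type.
# Every counter starts at zero so a PURL type with only unknowns still reports them.
def license_scanning_counts(components, start_time:, end_time:)
  counts = Hash.new do |h, purl_type|
    h[purl_type] = {
      label: purl_type,
      start_time: start_time,
      end_time: end_time,
      components: 0,
      components_with_licenses_from_sbom: 0,
      components_with_scan_results: 0,
      components_without_scan_results: 0
    }
  end
  components.each do |component|
    entry = counts[component.fetch(:purl_type)]
    entry[:components] += 1
    entry[classify_component(component)] += 1
  end
  counts
end

# Publishes one 'license_scanning_scan' event per PURL type. The tracker is a
# callable standing in for the real internal-events call, so this runs offline.
def publish_license_scanning_events(components, project:, tracker:, start_time:, end_time:)
  license_scanning_counts(components, start_time: start_time, end_time: end_time).each_value do |props|
    tracker.call('license_scanning_scan', project: project, additional_properties: props)
  end
end

# Constructed sample input: three npm components covering all three outcomes, one gem.
SAMPLE_COMPONENTS = [
  { purl_type: 'npm', sbom_licenses: ['MIT'], scan_licenses: [] },
  { purl_type: 'npm', sbom_licenses: [], scan_licenses: ['Apache-2.0'] },
  { purl_type: 'npm', sbom_licenses: [], scan_licenses: [] },
  { purl_type: 'gem', sbom_licenses: [], scan_licenses: ['MIT'] }
].freeze
```

Checking that the three outcome counters sum to the components total for each PURL type is a cheap invariant to assert in the specs.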
Edited by Fabien Catteau