
Skip OS components when parsing licenses from SBOM

Why are we doing this work

We must skip OS components (reported by the CS job) when parsing licenses from the SBOM. OS packages have not yet been tested for license scanning support, so enabling this could cause undesired behavior for customers.

For instance, it seems Trivy can report a lot of different licenses for a given package, including what looks like conflicting results 🤔

[Screenshot: Screenshot_2024-10-10_at_09.20.33]

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Apply the same logic we use when CS purl types are disabled for License Scanning and we encounter an unknown license in the context of license approval policies: !158831 (diffs)

  • update the add_components_with_license method to skip unsupported purl types
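The following is an added illustration of the skip logic, not code from the MR or the GitLab code base: it derives each component's purl type and replaces the scanner-reported licenses of OS components with "unknown". The OS purl type list, the component hash shape and the license hash shape are assumptions.

```ruby
# Added example (not GitLab's own code): mark SBOM components whose purl type
# is an OS package type as having an unknown license, so licenses reported for
# them (e.g. by Trivy via the CS job) are not ingested for license approval.

# purl types for OS packages; which types GitLab treats as unsupported is an assumption here
OS_PURL_TYPES = %w[apk deb rpm].freeze
UNKNOWN_LICENSE = { 'spdx_identifier' => 'unknown', 'name' => 'unknown' }.freeze

# Extract the type from a package URL:
# "pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>"
def purl_type(purl)
  match = purl.to_s.match(%r{\Apkg:([A-Za-z0-9.+-]+)/})
  match && match[1].downcase
end

def os_component?(component)
  OS_PURL_TYPES.include?(purl_type(component['purl']))
end

# Build the component name => licenses map, skipping OS components.
# Each component hash is assumed to carry 'name', 'purl' and a 'licenses' array.
def add_components_with_license(components)
  components.each_with_object({}) do |component, result|
    licenses =
      if os_component?(component)
        [UNKNOWN_LICENSE] # unsupported purl type: ignore scanner output
      else
        component.fetch('licenses', [])
      end
    result[component['name']] = licenses
  end
end

# Constructed sample input resembling SBOM components from a CS job
SAMPLE_COMPONENTS = [
  { 'name' => 'curl', 'purl' => 'pkg:deb/debian/curl@7.88.1-10?arch=amd64',
    'licenses' => [{ 'spdx_identifier' => 'MIT' }, { 'spdx_identifier' => 'BSD-3-Clause' }] },
  { 'name' => 'rails', 'purl' => 'pkg:gem/rails@7.1.3',
    'licenses' => [{ 'spdx_identifier' => 'MIT' }] },
  { 'name' => 'busybox', 'purl' => 'pkg:apk/alpine/busybox@1.36.1-r15',
    'licenses' => [{ 'spdx_identifier' => 'GPL-2.0-only' }] }
].freeze

if __FILE__ == $PROGRAM_NAME
  add_components_with_license(SAMPLE_COMPONENTS).each do |name, licenses|
    puts "#{name}: #{licenses.map { |l| l['spdx_identifier'] }.join(', ')}"
  end
end
```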

Verification steps

  1. clone https://gitlab.com/gitlab-org/secure/tests/olivier/os-package-licenses/ in your GDK
  2. let the pipeline run on the default branch
  3. all licenses for OS components should be reported as unknown
Edited by Olivier Gonzalez