Docs: Write Dependency Scanning migration tutorials for all supported projects
Problem to solve
With Deprecate build support on Dependency Scanning ... (&14146 - closed) we are deprecating the existing Dependency Scanning analyzer, which has been in use for many years. To help users understand the impact on their projects and how to migrate them to the new implementation, we must provide a migration guide.
Proposal
For each supported language and package manager, write a migration tutorial that highlights the impact of the change and explains how to migrate from the existing CI configuration to the new one.
This tutorial could then be referenced in deprecation and removal announcements, blog posts, etc.
Example:
Maven
Impact
Support is provided using the gemnasium-maven-dependency_scanning CI job and its ability to extract the dependencies from the pom.xml file. This approach is deprecated and will be removed in 18.0.
If you have manually overridden the gemnasium-maven-dependency_scanning CI job to customize it, you should remove the override from your CI configuration. If you have used any of these variables to customize the analyzer configuration, you can remove them too: DS_JAVA_VERSION, MAVEN_CLI_OPTS, etc.
New implementation
- Using the Maven dependency:tree plugin and the new DS analyzer:
  - Ensure your pipeline has a build job that executes the Maven dependency:tree plugin to generate a maven.graph.json CI job artifact.
  - Include the CI/CD component for Dependency Scanning.
- Check https://docs.gitlab.com/ee/user/application_security/dependency_scanning/dependency_scanning_sbom/#maven for more details.
- Using your own CycloneDX SBOM document:
- Ensure your pipeline has a CI job that generates a compatible CycloneDX CI job artifact.
- Check [TODO write tutorial for bring your own SBOM] for more details.
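As an added example (not part of this issue and not GitLab's own documentation), here is what a migrated `.gitlab-ci.yml` for a Maven project could look like, covering both options above: the deprecated job and variables to remove, a build job that produces `maven.graph.json` for the Dependency Scanning component, and, as an alternative, a job that brings its own CycloneDX SBOM. The image tag, the component reference and its `@0` version, the `**/maven.graph.json` artifact glob, the maven-dependency-plugin 3.7.0 requirement for JSON output, and the cyclonedx-maven-plugin goal are assumptions to verify against the linked documentation before use.

```yaml
# Added example, not from the issue or the GitLab docs. Image tags, the
# component reference (@0) and the plugin requirements are assumptions.

stages:
  - build
  - test

# --- Before (deprecated, remove): the gemnasium-maven job from the legacy
# template, with the kind of override and variables the issue says to drop.
#
# include:
#   - template: Jobs/Dependency-Scanning.gitlab-ci.yml
# variables:
#   DS_JAVA_VERSION: "17"
#   MAVEN_CLI_OPTS: "-DskipTests"
# gemnasium-maven-dependency_scanning:
#   before_script:
#     - cp ci-settings.xml ~/.m2/settings.xml

# --- After, option 1: your own build job produces maven.graph.json and the
# Dependency Scanning CI/CD component scans it.
include:
  - component: $CI_SERVER_FQDN/components/dependency-scanning/main@0  # version assumed

build:
  stage: build
  image: maven:3.9-eclipse-temurin-17  # assumed; use the JDK your project needs
  script:
    # Install first as a precaution so that sibling modules of a multi-module
    # reactor resolve locally; tests are irrelevant to dependency resolution.
    - mvn --batch-mode install -DskipTests
    # dependency:tree with the JSON output type (maven-dependency-plugin 3.7.0
    # or later is assumed) writes maven.graph.json in each module's basedir.
    - mvn --batch-mode dependency:tree -DoutputType=json -DoutputFile=maven.graph.json
  artifacts:
    paths:
      - "**/maven.graph.json"   # collect every module's graph (glob assumed)
    expire_in: 1 day

# --- After, option 2 (use instead of the build job above): bring your own
# CycloneDX SBOM, here generated by the cyclonedx-maven-plugin (goal assumed),
# and hand it to GitLab as a cyclonedx report artifact.
#
# sbom:
#   stage: build
#   image: maven:3.9-eclipse-temurin-17
#   script:
#     - mvn --batch-mode org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
#   artifacts:
#     reports:
#       cyclonedx:
#         - target/bom.json
```

The key migration point is that dependency resolution moves out of the analyzer and into a job you own: the JDK, Maven settings, private registry credentials and any `MAVEN_CLI_OPTS`-style flags that used to be passed to gemnasium-maven now belong on the `build` (or `sbom`) job, and the scanner only consumes the artifact that job publishes.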