Remove dual code path for dependency scan results reads

Summary

As a final stage of the rollout for "Avoid triggering a re-scan when dependencies ha..." (#562694), we need to remove the dual code path that currently allows reading dependency scan results from either the legacy location SbomScan.result_file or the new location SbomScan.result.

This issue tracks the cleanup and consolidation work for the final stage of the rollout once caching is deployed and validated.

Background

  • "Avoid triggering a re-scan when dependencies ha..." (#562694) introduced:
    • A new storage / retrieval path for dependency scan results.
    • A dual-read behavior so that results can be served from both the legacy and new locations.
  • The dual code path adds complexity and ongoing maintenance overhead and can obscure debugging when behaviors diverge.
  • Metrics and logs from earlier stages will be used to confirm that:
    • All supported configurations are successfully using the new path.
    • There are no regressions in correctness or performance.

Proposal

  • Remove conditional logic that selects between legacy and new read paths.
  • Remove any feature flags, configuration toggles, or environment checks that are only used to control dual-read behavior.
  • Update any helper methods, services, or workers to assume the new storage format / location as the single source of truth.
  • Delete now-dead code related to:
    • Legacy read path.
    • Fallback reads or migration shims used during rollout.
  • Update or remove tests that:
    • Assert behavior of the legacy path, or
    • Cover the dual-path behavior.
  • Add/adjust tests to:
    • Confirm dependency scan results are always read from the new location.
    • Validate behavior across key scenarios (e.g., initial scan, unchanged dependencies, changed dependencies).

Preconditions

  • Feature has been fully rolled out and stable across relevant tiers and deployment targets.
  • Error rates, scan completeness, and performance metrics are comparable or improved vs. legacy path.
  • Production console check shows no SbomScan with result_file populated.
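The shape of the change proposed above, together with the precondition check, as an added illustration that is not GitLab's code: SbomScan, result_file and result are the attributes named in this issue, while the reader classes, the feature-flag stub and the sample records are constructed here.

```ruby
# Added illustration of the cleanup described in this issue; not GitLab's code.
# SbomScan, result_file and result are the attributes named in the issue; the
# reader classes, the feature-flag stub and the sample data are constructed.
SbomScan = Struct.new(:id, :result_file, :result, keyword_init: true)

# Stand-in for the feature flag that gates dual-read behavior (hypothetical).
module FeatureFlag
  def self.enabled?(_name)
    true
  end
end

# BEFORE: dual-read with fallback. Two sources of truth, so a stale or
# partial result_file can be served with no signal that the new path was skipped.
class DualPathResultReader
  def read(scan)
    if FeatureFlag.enabled?(:sbom_scan_result_cache) && scan.result
      scan.result
    else
      scan.result_file # legacy fallback / migration shim
    end
  end
end

# AFTER: single path. The legacy attribute is never consulted, so a missing
# result surfaces as an error instead of silently falling back.
class ResultReader
  class MissingResult < StandardError; end

  def read(scan)
    scan.result || raise(MissingResult, "SbomScan #{scan.id} has no result")
  end
end

# Precondition from the issue: no SbomScan still has result_file populated.
# Accepts any enumerable of scans; the console check would use a DB query.
def scans_with_legacy_result_file(scans)
  scans.select(&:result_file).map(&:id)
end

def safe_to_remove_dual_path?(scans)
  scans_with_legacy_result_file(scans).empty?
end

# Constructed sample data: one migrated scan, one still on the legacy location.
SAMPLE_SCANS = [
  SbomScan.new(id: 1, result_file: nil, result: { "components" => 3 }),
  SbomScan.new(id: 2, result_file: "legacy.json", result: nil)
].freeze
```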

Steps

  1. Verify that all remaining references to the feature flag(s) and legacy read path are safe to remove.
  2. Implement code changes to remove the dual path and associated toggles.
  3. Deploy behind normal release process and monitor:

Acceptance Criteria

  • All dependency scan result reads go through a single, new code path.
  • No feature flags or configuration toggles remain that control legacy vs. new read behavior.
  • Legacy read-path code and migration shims are removed.
  • Test suite passes and includes coverage that validates reads from the new location only.
  • No increase in related errors or regressions observed after deployment (based on agreed metrics / dashboards).

/cc @gonzoyumo
