Fetch latest license scanning build from `LicenseScanning` scanner class
Dependent MRs
- Implement License Scanning SBOM scanner (!109447 - merged)
- Fetch latest license scanning build from `Licen... (!109723 - merged) 👈 You are here
These MRs are constructed so that they can be reviewed individually, but all the changes will be merged in the final MR. See !109447 (comment 1255025150) for more context.
What does this MR do and why?
This MR delegates fetching the latest license scanning build to the concrete subclasses of `LicenseScanning::BaseScanner`.
If a project has SBoM-based license scanning enabled, `LicenseScanning::SbomScanner` fetches the latest build on the default branch that contains a CycloneDX report. Otherwise, `LicenseScanning::ArtifactScanner` fetches the latest build on the default branch that contains a license scanning report.
Additional Info
A scanner should, but may not always, have a pipeline that is on the default branch. To account for this edge case,
the implementations in both classes check whether the instance's pipeline belongs to the default branch and, if it does not, fetch the latest pipeline for the default branch instead. The previous implementation in `SCA::LicenseCompliance#latest_build_for_default_branch` did not handle this edge case, so it has been addressed in the refactor.
Additionally, it was previously possible for the scanner to be initialized with a nil project. This is because creating a scanner with `LicenseScanning.scanner_for_pipeline` could be called with a nil pipeline (when no license scanning pipeline has run), and as a result the project would also be nil. To work around this, I updated the initializing method to take both a project and a pipeline and updated their call sites respectively. This ensures that we always have either the project, or both the project and the pipeline.
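The dispatch and default-branch fallback described above, written out as an added, self-contained illustration (this is not GitLab's code; the `Struct`s stand in for `Project`, `Ci::Pipeline` and `Ci::Build`, and the `scanner_for_project` factory name is assumed):

```ruby
# Added illustration of the dispatch described above; the Structs stand in for
# GitLab's Project, Ci::Pipeline and Ci::Build and are not the real models.
Project  = Struct.new(:default_branch, :sbom_scanner_enabled, :default_branch_pipelines)
Pipeline = Struct.new(:id, :ref, :builds)
Build    = Struct.new(:name, :report_types)

module LicenseScanning
  class BaseScanner
    # A project is always required; the pipeline may be nil when no scan has run yet.
    def initialize(project, pipeline = nil)
      raise ArgumentError, 'project is required' if project.nil?
      @project = project
      @pipeline = pipeline
    end

    # Use the given pipeline only if it is on the default branch; otherwise fall
    # back to the latest default-branch pipeline (the edge case the MR handles).
    def latest_build_for_default_branch
      pipeline = default_branch_pipeline
      return nil if pipeline.nil?
      pipeline.builds.reverse.find { |build| build.report_types.include?(report_type) }
    end

    def report_type
      raise NotImplementedError, "#{self.class} must define report_type"
    end

    private
    def default_branch_pipeline
      return @pipeline if @pipeline && @pipeline.ref == @project.default_branch
      @project.default_branch_pipelines.max_by(&:id)
    end
  end

  class SbomScanner < BaseScanner      # build carrying a CycloneDX SBoM report
    def report_type
      :cyclonedx
    end
  end
  class ArtifactScanner < BaseScanner  # build carrying a license scanning report
    def report_type
      :license_scanning
    end
  end

  # Hypothetical factory (assumed name): picks the concrete scanner from the flag.
  def self.scanner_for_project(project, pipeline = nil)
    (project.sbom_scanner_enabled ? SbomScanner : ArtifactScanner).new(project, pipeline)
  end
end
```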
Relates to #385127 (closed)
Inspecting cyclonedx fixtures
The cyclonedx fixtures are composed of concatenated CycloneDX SBoMs in JSON format, gzip-compressed, which makes the file opaque.
To view the file contents, use the `zcat` utility:

```shell
# On macOS, zcat will forcefully look for files that end in .Z,
# so it's necessary to use the stdin approach.
#
# Example: zcat < ee/spec/fixtures/sbom/gl-sbom.cdx.json.gz
zcat < [PATH_TO_FIXTURE]
```
Updating or creating cyclonedx fixtures
For instructions on this process, refer to !109447 (comment 1254995746).
Specs to update
The following specs will be updated to test when the `license_scanning_sbom_scanner` feature flag is true:
- ee/spec/controllers/projects/dependencies_controller_spec.rb (Oscar)
- ee/spec/controllers/projects/licenses_controller_spec.rb (Adam)
- ee/spec/controllers/projects/merge_requests_controller_spec.rb (Oscar)
- ee/spec/controllers/projects/pipelines_controller_spec.rb (Oscar)
- ee/spec/features/projects/licenses/maintainer_views_policies_spec.rb (Adam)
- ee/spec/features/projects/pipelines/pipeline_spec.rb (Adam)
- ee/spec/lib/gitlab/license_scanning_spec.rb (Adam)
- ee/spec/models/approval_merge_request_rule_spec.rb (Oscar)
- ee/spec/models/ci/pipeline_spec.rb (Oscar)
- ee/spec/models/merge_request_spec.rb (Oscar)
- ee/spec/models/sca/license_compliance_spec.rb (Oscar)
- ee/spec/requests/api/dependencies_spec.rb (Oscar)
- ee/spec/serializers/licenses_list_entity_spec.rb (Adam)
- ee/spec/services/ci/compare_license_scanning_reports_collapsed_service_spec.rb (Oscar)
- ee/spec/services/ci/compare_license_scanning_reports_service_spec.rb (Oscar)
- ee/spec/workers/refresh_license_compliance_checks_worker_spec.rb (Adam)
Screenshots or screen recordings
How to set up and validate locally
- Create a project with dependency files supported by both Dependency Scanning and License Scanning.
- Run a pipeline for the default branch.
- Go to the License Compliance page and check that the "latest successful scan" link points to the latest Dependency Scanning job when the SBOM Scanner is disabled.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.