Add reported licenses support to license tab

What does this MR do and why?

This MR updates the Gitlab::LicenseScanning::SbomScanner to

  1. Add components with licenses directly to the ::Gitlab::Ci::Reports::LicenseScanning::Report.
  2. Pass components that don't have licenses to PackageLicenses, and get package_licenses.
  3. Add package_licenses to report (same as before).

This change allows reported licenses to be displayed on the pipeline's license tab.
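The split the MR describes, as an added illustration that is not code from this MR or from GitLab: components whose SBOM entry already carries licenses go straight into the report, the rest are resolved through a lookup. The lookup table and the second component are constructed stand-ins for PackageLicenses and a real dependency.

```ruby
require 'json'

# Constructed sample: a minimal CycloneDX SBOM with one component that carries
# a license entry (as in the MR's test fixture) and one that does not.
SAMPLE_SBOM = <<~JSON
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    { "name": "sidekiq", "version": "4.2.10", "purl": "pkg:gem/sidekiq@4.2.10",
      "licenses": [ { "license": { "name": "Custom-License" } } ] },
    { "name": "rails", "version": "7.0.0", "purl": "pkg:gem/rails@7.0.0" }
  ]
}
JSON

# Hypothetical stand-in for the PackageLicenses lookup the MR delegates to;
# a static table so the example runs offline.
FAKE_PACKAGE_LICENSES = { "pkg:gem/rails@7.0.0" => ["MIT"] }.freeze

# Partition components: those with licenses in the SBOM are reported as-is,
# the rest are resolved through the lookup. Returns an array of
# { purl:, licenses:, source: } hashes, source being :reported or :lookup.
def build_license_report(sbom_json, lookup = FAKE_PACKAGE_LICENSES)
  sbom = JSON.parse(sbom_json)
  with, without = sbom.fetch("components", []).partition do |c|
    Array(c["licenses"]).any?
  end

  reported = with.map do |c|
    # CycloneDX allows an SPDX id, a free-form name, or an SPDX expression.
    names = c["licenses"].filter_map do |l|
      l.dig("license", "id") || l.dig("license", "name") || l["expression"]
    end
    { purl: c["purl"], licenses: names, source: :reported }
  end

  resolved = without.map do |c|
    { purl: c["purl"], licenses: lookup.fetch(c["purl"], ["unknown"]), source: :lookup }
  end

  reported + resolved
end
```

The source field records whether a license was asserted by the SBOM producer or resolved by lookup, which matters when reviewing where a license claim came from.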

Related to: issue #415935 (closed) and MR !162631 (merged)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

(Screenshot attached: Screenshot_2024-09-25_at_10.29.22_AM)

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Enable the license_scanning_with_sbom_licenses feature flag in the Rails console:

     Feature.enable(:license_scanning_with_sbom_licenses)

  2. Create a new project.
  3. Add an empty Gemfile.lock file.
  4. Add a file called gl-sbom-gem-bundler.cdx.json with the content:

     {
         "bomFormat": "CycloneDX",
         "specVersion": "1.4",
         "serialNumber": "urn:uuid:a15e529c-2113-4a11-a694-6bc3ea4e2b53",
         "version": 1,
         "metadata": {
             "timestamp": "2022-02-23T08:02:39Z",
             "tools": [
                 {
                     "vendor": "GitLab",
                     "name": "Gemnasium",
                     "version": "2.34.0"
                 }
             ],
             "authors": [
                 {
                     "name": "GitLab",
                     "email": "support@gitlab.com"
                 }
             ],
             "properties": [
                 {
                     "name": "gitlab:dependency_scanning:input_file:path",
                     "value": "Gemfile.lock"
                 },
                 {
                     "name": "gitlab:dependency_scanning:package_manager:name",
                     "value": "bundler"
                 },
                 {
                     "name": "gitlab:meta:schema_version",
                     "value": "1"
                 }
             ]
         },
         "components": [
             {
                 "name": "sidekiq",
                 "version": "4.2.10",
                 "purl": "pkg:gem/sidekiq@4.2.10",
                 "type": "library",
                 "bom-ref": "pkg:gem/sidekiq@4.2.10",
                 "licenses": [
                     {
                         "license": {
                             "name": "Custom-License"
                         }
                     }
                 ]
             }
         ]
     }

  5. Add a .gitlab-ci.yml with the content:

     include:
       - template: Jobs/Dependency-Scanning.gitlab-ci.yml

     gemnasium-dependency_scanning:
       stage: test
       script: 'pwd'
       artifacts:
         reports:
           cyclonedx: gl-sbom-gem-bundler.cdx.json

  6. Wait for the pipeline to finish.
  7. Click on the licenses tab and verify the component has the license defined in the report.
Edited by Marcos Rocha
