Match and display policies to licenses that are already detected in a project
### Problem to solve
Problem: there is no clear way to tell if licenses detected in the project are in compliance with the policies defined.
Context: this issue is based on discovery work done in https://gitlab.com/gitlab-org/gitlab-ee/issues/12941 and is a follow up to https://gitlab.com/gitlab-org/gitlab/issues/14061. Users can see licenses in a project (per scanning) and policies (per admin classifying license) separately, but not how they relate to each other. For example, in the policies section, a user may see that an LPL 1.2 license is denied, but if that same license is detected in a project, the user wouldn't know it's denied unless matching the lists (detected/policy) manually.
:film_projector: [view walkthrough with context and iteration](https://youtu.be/Qg7FmoBCDbw)
### Intended users
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)\
* Legal and/or person responsible for orgs compliance
### Further details
##### Job's to be done
* *User that is responsible for compliance:* When my organization has policies with licenses, I want to be aware of my companies policies, so I can make sure my project licenses are in compliance with my orgs compliance.
* *User that is accountable for compliance:* When I need to enforce our organization's licenses restrictions, I want to be able to view them and define policies, so that I can ensure a project's compliance.
### Proposal ideation
If policies have been created for a project, match them if/when to license that exist in a project. Display the matching license classification policies in the "detected in project" list.
##### Iteration iv: UX ready for development

<details><summary>iteration iii</summary>

* Likes version ii, surfacing licenses to the top
* Banner is helpful; but update copy to present tense
* Consider version iii later
</details>
<details><summary>iteration ii</summary>

Iteration ii feedback from [UX team review](https://docs.google.com/document/d/1xwwLHLq1fW0_6tegt54n1DZseZ_IAIC0-M95n01tCs0/edit?usp=sharing) and [SCA team review](https://docs.google.com/document/d/1nmNKkWS9qmEidsqWswFZzKAQL9YVCFRitQxow5C9pbY/edit?usp=sharing):
* Consider creating additional columns for the violation
* Better display why a license is being surfaced
* Explore using the blue and/or green value for the background
* There may be labels with text and icon in the library to use for `policy violation`
* Let’s look at how to identify where/when this was found to show later. Related: [audit log](https://gitlab.com/gitlab-org/gitlab/issues/199228) or maybe can leverage `git-blame`.
* Need to solve the problem of finding the particular dependency correlated with MR
* Ideally we’d have the info for all the dependencies name/version and would know the MR where it has been introduced
</details>
<details><summary>old iteration: scoped down</summary>
| Developer UI (*design updated in progress*) |
| ------ |
|  |
| Developer UI | Maintainer UI |
| ------ | ------ |
|  |  |
* due to de-prioritization de-scoped, removed user ability to add policy to existing license
</details>
### Permissions and Security
* Developers view may view policies, but can't adjust them
* Public projects policy section is not visible to non-project participants (https://gitlab.com/gitlab-org/gitlab/issues/33659)
### Documentation
..
### Testing
ToDo
<!-- What risks does this change pose? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing? See the test engineering process for further help: https://about.gitlab.com/handbook/engineering/quality/test-engineering/ -->
### What does success look like, and how can we measure that?
* Developer lands on the page and can determine if there are denied licenses that exists in the project
### What is the type of buyer?
Ultimate
### Links / references
* https://gitlab.com/gitlab-org/gitlab/issues/12941
### Implementation Plan
#### Backend
* [x] Combine licenses from the latest scan report with the policies configured for the project.
* [x] Serve the combined licenses from the `/projects/-/licenses.json` endpoint.
* [ ] Add `order_by` filter to sort by `classification`. https://gitlab.com/gitlab-org/gitlab/-/issues/213592
### UX
* [ ] []()
### Frontend - person
* [ ] []()
### Documentation - person
* [ ] [User Documentation]()
### Product Management - @NicoleSchwartz
* [ ] [Release Post]()
issue