User provided license information for components
Problem to solve
The External License Database (License DB) feeds GitLab instances with license data for the components used as project dependencies and listed in project SBOMs. However, the License DB might not have the license information for a specific component. The component might come from:
- a private registry
- a public registry that the License DB cannot sync with
- a public registry that's not yet supported
Also, in some advanced use cases, identifying the right license in the context of the project might be difficult or impossible.
With the previous implementation of the License Scanner (License Finder analyzer), and even though this was not publicly documented as a feature, users could modify the License Scanning results, for example by editing the content of the report artifact before it was sent to and ingested by the Rails platform.
With the new implementation (License SBOM scanner) this is no longer possible. Until we develop a fully fledged feature to better manage licenses in the product, we should provide a solution for users who already do this and would lose this capability when transitioning to the new license scanner.
Proposal
The new license scanner is based on a generated CycloneDX report artifact, whose format allows license information to be provided per component. We could read the license from this report when reading the components and give it precedence over what is reported from our License DB.
Implementation plan
- Extract the `licenses` field of components when ingesting CycloneDX SBOMs.
- Update the License Scanning SBOM Scanner to use the `licenses` field when it's set, or else the shared package metadata (current behavior).
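As an added illustration of the proposed precedence rule (not code from GitLab's implementation), the following resolves each component's license from a constructed CycloneDX SBOM, using the component's own `licenses` field first and a constructed stand-in for the License DB package metadata as the fallback; components are assumed to carry a `purl`.

```python
import json

# Constructed sample CycloneDX 1.4 SBOM (not from the issue). Each component is
# assumed to carry a purl; `licenses` follows the CycloneDX schema, where an
# entry is either {"license": {"id"|"name": ...}} or {"expression": ...}.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
     "licenses": [{"license": {"id": "WTFPL"}}]},
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "internal-lib", "version": "0.1.0", "purl": "pkg:npm/%40acme/internal-lib@0.1.0",
     "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    {"name": "mystery", "version": "2.0.0", "purl": "pkg:npm/mystery@2.0.0"}
  ]
}
"""
# Constructed stand-in for the shared package metadata synced from the License DB.
LICENSE_DB = {
    "pkg:npm/left-pad@1.3.0": ["MIT"],  # overridden by the SBOM's own entry above
    "pkg:npm/lodash@4.17.21": ["MIT"],
}

def licenses_from_component(component):
    """Return the licenses declared in a component's `licenses` field, or [] if unset."""
    found = []
    for entry in component.get("licenses") or []:
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "unknown")
    return found

def resolve_licenses(sbom_json, license_db):
    """Map each purl to its licenses: SBOM `licenses` first, then License DB, else unknown."""
    resolved = {}
    for component in json.loads(sbom_json).get("components", []):
        purl = component["purl"]
        own = licenses_from_component(component)
        if own:
            resolved[purl] = {"licenses": own, "source": "sbom"}
        elif purl in license_db:
            resolved[purl] = {"licenses": license_db[purl], "source": "license_db"}
        else:
            resolved[purl] = {"licenses": ["unknown"], "source": "none"}
    return resolved
```

Recording the `source` alongside each result lets a policy or reviewer tell user-supplied license data apart from License DB data, which matters because the SBOM content is under the project's control.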