Use License Scanning service
### Problem to solve Today the backend assumes that detected licenses come from parsing License Scanning JSON artifacts uploaded by CI jobs of a project pipeline. It needs to be changed to support multiple data sources, including JSON artifacts. **DRI**: @hacks4oats ### Proposal Change the backend so that the UI presents License Scanning results provided by a new `LicenseScanningService`. The following is a list of UI pages that are impacted by the change, along with controllers, controller actions, and relevant classes and methods they depend on. They are ordered from the least impacted to the most impacted. 1. License Compliance page: [`LicensesController`](ee/app/controllers/projects/licenses_controller.rb) - `#index`, `SCA::LicenseCompliance`, `Pipeline#license_scanning_report` - `#create`, `CreatePolicyService`, `SCA::LicenseCompliance#report_for` - `#update`, `UpdatePolicyService`, `SCA::LicenseCompliance#report_for` 1. Merge Request page, License Compliance widget : [`MergeRequestsController`](ee/app/controllers/ee/projects/merge_requests_controller.rb) (same impact as before) - `#license_scanning_reports`, `CompareLicenseScanningReportsService`, `Gitlab::Ci::Reports::LicenseScanning::ReportsComparer` and `Gitlab::Ci::Reports::LicenseScanning::ReportsComparer`, `SCA::LicenseCompliance` - `#license_scanning_reports_collapsed` (similar to `#license_scanning_reports`) 1. Pipeline page, Licenses tab: [`PipelinesController`](ee/app/controllers/ee/projects/pipelines_controller.rb) - `#licenses`, `Pipeline#expose_license_scanning_data?`, `SCA::LicenseCompliance` 1. Dependency List page: [`DependenciesController`](ee/app/controllers/projects/dependencies_controller.rb) - `#index`, `DependencyListService`, `Pipeline#dependency_list_report` Also, make sure that MR approvers for License Compliance are updated after the SBOMs are ingested and License Scanning possible. Right now this happens in `SyncReportsToReportApprovalRulesWorker` jobs that are triggered when pipelines transition to one of the `Pipeline.completed_statuses`. See https://gitlab.com/gitlab-org/gitlab/-/issues/377688 ### Further details Using the new `LicenseScanningService` makes it possible to switch between: - License Scanning backed by legacy License Scanning artifacts (JSON files returned by LS jobs). - License Scanning backed by the license info DB, and using components detected in SBOMs (returned by SBOM generation jobs). To make the transition easier, the new service returns a [`Ci::Reports::LicenseScanning::Report`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/ci/reports/license_scanning/report.rb) that can either result from: - parsing a License Scanning JSON artifact (legacy) - converting License Scanning results to a `Report` object (new implementation) Shared code that needs to be changed, possibly in that order: 1. `Pipeline#license_scanning_report` 2. `Pipeline#dependency_list_report` and `DependencyList#parse_licenses!` 3. `Project#license_compliance` (default value) See https://gitlab.com/gitlab-org/gitlab/-/issues/377688
epic