Update and restructure License Compliance documentation as License Finder is replaced
### Problem to solve
LicenseFinder is being replaced as part of https://gitlab.com/groups/gitlab-org/-/epics/8072, and the [License Compliance docs](https://docs.gitlab.com/ee/user/compliance/license_compliance/) need to be adjusted.
### Further details
The following sections are updated:
- Introduction
  - `To detect the licenses in use, License Compliance uses the License Finder scan tool [..]`
  - `For the job to activate, License Finder needs to find a compatible package definition in the project directory. [..]`
  - `If the license compliance report doesn’t have anything to compare to, no information is displayed in the merge request area. That is the case when you add the license_scanning job [..]`
  - `The results are saved as a License Compliance report artifact that you can later download and analyze.`
- Supported languages and package managers
- Enable License Compliance
  - All sub-sections up to `Migration from license_management to license_scanning`.
- Running License Compliance in an offline environment
- Troubleshooting
The following sections remain unchanged:
- Chunks of the introduction
- License expressions
- License list
- Policies
- Enabling License Approvals within a project
- Warnings
License Scanning now relies on Dependency Scanning, at least until we implement the [SBOM generators](https://gitlab.com/groups/gitlab-org/-/epics/8206). We can thus refer to the following doc sections of [Dependency Scanning docs](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/):
- [Requirements](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#requirements)
- [Supported languages and package managers](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#supported-languages-and-package-managers)
- [Configuration](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuration)
- [Running dependency scanning in an offline environment](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#running-dependency-scanning-in-an-offline-environment)
- [Warnings](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#warnings)
- [Troubleshooting](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#troubleshooting)
(The other sections of Dependency Scanning docs are specific to detecting and reporting vulnerabilities.)
### Proposal
1. Split out the docs on the **current**/"old" method of License Scanning to its own page.
   - Rewrite the `License Compliance` page to cover **only** that topic. That is, the page would describe the what, why, and how of License Compliance. It would link to but **NOT** explain License Scanning.
1. Create a new page (or pages) to document the "new" method.
   - Explain that Dependency Scanning (DS) is a prerequisite. That way, we don't have to link to the specific DS sections. We only need to document anything that's specific to the "new" method.
   - Explain when the "new" method is active.
1. Update docs when the "new" method becomes the default.
   - State that the "new" method is now the default, and the "old" method is deprecated.
   - Remove the doc section that explains when the "new" method is active.
   - Document how to enable the "old" method.
1. Update docs when the "old" method is no longer supported.
   - Remove the doc page that covers the "old" method.
See https://gitlab.com/gitlab-org/gitlab/-/issues/384936#note_1232271457
When the "new" method is introduced, it's active when these two conditions are met:
- The Dependency Scanning CI template is included. There are jobs that upload Cyclone SBOMs.
- The License Scanning CI template is NOT included. There are no jobs uploading License Scanning artifacts.
See migration plan in https://gitlab.com/gitlab-org/gitlab/-/issues/383521#note_1231233552
Definitions
- The "new" method is the License Scanning SBOM Scanner. It uses the Cyclone SBOMs uploaded by the Dependency Scanning jobs, and thus requires the Dependency Scanning CI template.
- The "old" method is the License Scanning Artifact Scanner. It uses the License Scanning artifacts uploaded by the `license_scanning` job (which runs [`license-finder`](https://gitlab.com/gitlab-org/security-products/analyzers/license-finder/)), and thus requires the License Scanning CI template.
### Who can address the issue
Anyone
### Other links/references
epic