Merge branch 'doc-license-compliance-using-dependency-scanning' into 'master'

Document License Compliance using Dependency Scanning See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111806 Merged-by: Russell Dickenson <rdickenson@gitlab.com> Approved-by: Sam White <swhite@gitlab.com> Approved-by: Russell Dickenson <rdickenson@gitlab.com> Co-authored-by: Fabien Catteau <fcatteau@gitlab.com> Co-authored-by: Sam White <swhite@gitlab.com>

Merge branch 'doc-license-compliance-using-dependency-scanning' into 'master'
12d0f9f4 · Russell Dickenson · 02248645 · 56b90f25 · 12d0f9f4 · 12d0f9f4
--- a/doc/user/compliance/license_compliance/index.md
+++ b/doc/user/compliance/license_compliance/index.md
@@ -26,6 +26,11 @@ project's license compliance policy section. If a denied license is detected in
 GitLab blocks any merge requests containing that commit and instructs the developer to remove the
 license.

+NOTE:
+Starting with GitLab 15.9, License Compliance can detect the licenses in use
+[using Dependency Scanning CI jobs](../license_scanning_of_cyclonedx_files/index.md)
+instead of the License Scanning ones.
+
 NOTE:
 If the license compliance report doesn't have anything to compare to, no information
 is displayed in the merge request area. That is the case when you add the

--- a/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
+++ b/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
+---
+type: reference, howto
+stage: Secure
+group: Composition Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# License scanning of CycloneDX files **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/384932) in GitLab 15.9 [with a flag](../../../administration/feature_flags.md) named `license_scanning_sbom_scanner`. Disabled by default.
+
+FLAG:
+On self-managed GitLab, this feature is not available.
+
+To detect the licenses in use, License Compliance relies on running the
+[Dependency Scanning CI Jobs](../../application_security/dependency_scanning/index.md),
+and analyzing the [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM) generated by those jobs.
+Other 3rd party scanners may also be used as long as they produce a CycloneDX file with a list of dependencies for [one of our supported languages](#supported-languages-and-package-managers).
+This method of scanning is also capable of parsing and identifying over 500 different types of licenses
+and can extract license information from packages that are dual-licensed or have multiple different licenses that apply.
+
+To enable license detection using Dependency Scanning in a project,
+include the `Jobs/Dependency-Scanning.yml` template in its CI configuration,
+but do not include the `Jobs/License-Scanning.yml` template.
+
+## Requirements
+
+The license scanning requirements are the same as those for [Dependency Scanning](../../application_security/dependency_scanning/index.md#requirements).
+
+## Supported languages and package managers
+
+License scanning is supported for the following languages and package managers:
+
+<!-- markdownlint-disable MD044 -->
+<table class="supported-languages">
+  <thead>
+    <tr>
+      <th>Language</th>
+      <th>Package Manager</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>.NET</td>
+      <td rowspan="2"><a href="https://www.nuget.org/">NuGet</a></td>
+    </tr>
+    <tr>
+      <td>C#</td>
+    </tr>
+    <tr>
+      <td>C</td>
+      <td rowspan="2"><a href="https://conan.io/">Conan</a></td>
+    </tr>
+    <tr>
+      <td>C++</td>
+    </tr>
+    <tr>
+      <td>Go</td>
+      <td><a href="https://go.dev/">Go</a></td>
+    </tr>
+    <tr>
+      <td rowspan="2">Java</td>
+      <td><a href="https://gradle.org/">Gradle</a></td>
+    </tr>
+    <tr>
+      <td><a href="https://maven.apache.org/">Maven</a></td>
+    </tr>
+    <tr>
+      <td rowspan="2">JavaScript and TypeScript</td>
+      <td><a href="https://www.npmjs.com/">npm</a></td>
+    </tr>
+    <tr>
+      <td><a href="https://classic.yarnpkg.com/en/">yarn</a></td>
+    </tr>
+    <tr>
+      <td>PHP</td>
+      <td><a href="https://getcomposer.org/">Composer</a></td>
+    </tr>
+    <tr>
+      <td rowspan="4">Python</td>
+      <td><a href="https://setuptools.readthedocs.io/en/latest/">setuptools</a></td>
+    </tr>
+    <tr>
+      <td><a href="https://pip.pypa.io/en/stable/">pip</a></td>
+    </tr>
+    <tr>
+      <td><a href="https://pipenv.pypa.io/en/latest/">Pipenv</a></td>
+    </tr>
+    <tr>
+      <td><a href="https://python-poetry.org/">Poetry</a></td>
+    </tr>
+    <tr>
+      <td>Ruby</td>
+      <td><a href="https://bundler.io/">Bundler</a></td>
+    </tr>
+    <tr>
+      <td>Scala</td>
+      <td><a href="https://www.scala-sbt.org/">sbt</a></td>
+    </tr>
+  </tbody>
+</table>
+<!-- markdownlint-disable MD044 -->
+
+The supported files and versions are the ones supported by
+[Dependency Scanning](../../application_security/dependency_scanning/index.md#supported-languages-and-package-managers).
+
+## Configuration
+
+To enable license scanning of CycloneDX files,
+you must configure [Dependency Scanning](../../application_security/dependency_scanning/index.md#configuration).