Clarify license approval policy conditions and prerequisites
Problem to solve
It's not entirely clear in the license approval policy documentation that dependency scanning is a prerequisite.
A license approval policy relies on output of a dependency scanning (DS) job to verify the policy's requirements have been met. If a DS job has not been run, the policy has no data with which to verify the policy's requirements, so enforces approval.
Proposal
Add to the license approval policy documentation that dependency scanning is a prerequisite. The recommended method of doing so is to enforce DS by using a scan execution policy. The scan execution policy's scope should be the same as that of the license approval policy, otherwise DS must be enabled per project.
Who can address the issue
Anyone.