Document license scanning using licenses of CycloneDX SBOM
Proposal
Document how the licenses fields of a CycloneDX JSON SBOM are used by the license scanner.
Explain that the license scanner falls back to its own package metadata database when the SBOM has no licenses.
Reference compatible CycloneDX SBOM generators that provide the licenses field.
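As an added illustration, not GitLab's own scanner code, the behaviour described above: take each component's declared `licenses` entries (SPDX id, name or expression) from a CycloneDX JSON SBOM, and fall back to a package metadata lookup keyed by purl when the field is absent. The SBOM and the metadata table are constructed for this example.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM: the first component carries a
# `licenses` field, the second does not (sample data, not a real scan).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0"}
  ]
}
"""

# Hypothetical stand-in for the scanner's package metadata database,
# keyed by package URL (constructed values, not GitLab's data).
METADATA_DB = {"pkg:npm/left-pad@1.3.0": ["ISC"]}


def licenses_from_component(component):
    """Collect the licenses declared on one CycloneDX component.

    Each `licenses` entry is either {"expression": "..."} or
    {"license": {"id": "..."}} / {"license": {"name": "..."}}.
    """
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            found.append(lic.get("id") or lic.get("name") or "unknown")
    return found


def resolve_licenses(sbom_json, metadata_db):
    """Map each purl to (source, licenses): SBOM field first, metadata fallback."""
    result = {}
    for component in json.loads(sbom_json).get("components", []):
        purl = component["purl"]
        declared = licenses_from_component(component)
        if declared:
            result[purl] = ("sbom", declared)
        else:
            result[purl] = ("metadata", metadata_db.get(purl, ["unknown"]))
    return result


if __name__ == "__main__":
    for purl, (source, names) in resolve_licenses(SBOM_JSON, METADATA_DB).items():
        print(f"{purl}: {', '.join(names)} (from {source})")
```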
Implementation plan
Update https://docs.gitlab.com/ee/user/compliance/license_scanning_of_cyclonedx_files/index.html
Who can address the issue
Anyone familiar with the License Scanning SBOM Scanner and CycloneDX SBOM ingestion.
Other links/references
Edited by Fabien Catteau