Add `licenses` column to `sbom_occurrences` table
What does this MR do and why?
This change adds a licenses column to the sbom_occurrences table so that we can display software licenses for detected packages on the group level dependency list page. There will be a follow-up MR that updates the SBOM ingestion process and writes data to this column. This was inspired by the proof of concept developed in !129504 (closed).
Alternatively we could join with data from the package metadata database to produce this result at the time of reading the data rather than computing this data and storing it in the sbom_occurrences table.
e.g.
Each sbom_occurrences record is for a specific package name, version and purl type. We could query for the licenses for each occurrence via complex join inspired by the below:
SELECT pm_licenses.spdx_identifier
FROM pm_packages
INNER JOIN pm_package_versions ON pm_package_versions.pm_package_id = pm_packages.id
INNER JOIN pm_package_version_licenses ON pm_package_version_licenses.pm_package_version_id = pm_package_versions.id
INNER JOIN pm_licenses ON pm_licenses.id = pm_package_version_licenses.pm_license_id
WHERE pm_packages.name = 'activerecord'
AND pm_packages.purl_type = 3
AND pm_package_versions.version = '1.0.0';Or we can denormalize the data by computing the software licenses for each sbom_occurrences record at the time of ingestion to remove the need to manage complex joins during read time. The complex join (or an alternative solution) can be used during write time.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.