feat(licenses): add LicenseDB as source option for XML import workflows #3994

Open: zz10965-alt wants to merge 1 commit into eclipse-sw360:main from zz10965-alt:fix/issue-3840-licensedb-xml-import

@zz10965-alt

Summary

Add LicenseDB as an optional data source for XML-based license and obligation import workflows, replacing direct SPDX/OSADL imports when configured.

This PR is part of GSoC 2026: Integration of SW360 and LicenseDB.

  • Which issue is this pull request belonging to and how is it solving it?
    Fixes [Feature] Update XML import workflows to use LicenseDB as source #3840 - Updates XML import workflows to optionally fetch from LicenseDB instead of SPDX/OSADL directly.

  • Did you add or update any new dependencies that are required for your change?
    Yes - added datahandler, spring-boot-starter-webflux, and mockwebserver (test only) to backend-licenses-core/pom.xml.

Issue

Fixes #3840

How To Test?

  1. Set licensedb.import.source=licensedb in sw360.properties
  2. Set licensedb.url to your LicenseDB instance URL
  3. Set licensedb.access.token if authentication is required
  4. Trigger SPDX import via REST API: POST /api/licenses/spdxLicenses
  5. Trigger OSADL import via REST API: POST /api/licenses/osadlLicenses
  6. Verify licenses/obligations are fetched from LicenseDB instead of SPDX/OSADL

Checklist

Must:

  • All related issues are referenced in commit messages and in PR
  • License headers added to new files
  • Tests added for new functionality (LicenseDBConnectorTest.java)
  • Existing functionality preserved as fallback

- Add LicenseDBConnector to fetch licenses and obligations from LicenseDB REST API
- Add licensedb.import.source config check in importAllSpdxLicenses()
- Add licensedb.import.source config check in importAllOSADLLicenses()
- Add licensedb.url and licensedb.access.token config properties
- Add unit tests for LicenseDBConnector
- Preserve existing SPDX/OSADL import as fallback for backward compatibility

Fixes eclipse-sw360#3840

Signed-off-by: zz10965-alt <zz10965@nyu.edu>

@ADITYA-CODE-SOURCE (Contributor)

@zz10965-alt
Nice work on the LicenseDB connector! A few suggestions:

  1. Adding spring-boot-starter-webflux to backend/licenses-core mixes Spring WebClient with the Thrift backend layer. The rest of the backend uses THttpClient. Consider using the same pattern for consistency.
  2. The GSoC spec requires OAuth 2.0 M2M flow (client_credentials with auto-refresh), not a static licensedb.access.token. Static tokens expire and need manual rotation.
  3. Issue [Feature] Update XML import workflows to use LicenseDB as source #3840 is about XML import workflows (CycloneDxBOMImporter, SpdxBOMImporter). This PR modifies LicenseDatabaseHandler - consider also updating the XML importers to use this connector.
    Happy to collaborate! I've been working on the LicenseDB integration
    (PRs feat(config): Add LicenseDB connection configuration properties #3686,
    feat(client): add LicenseDB sync methods to SW360LicenseClient #3768,
    feat(importer): Add LicenseDB as source option in LicsImporter #3770,
    feat(licensedb): Add data transformation layer for LicenseDB integration #3898,
    feat(licensedb): Add conflict resolution module for data synchronization #3911).

zz10965-alt (Author) commented Apr 6, 2026

@ADITYA-CODE-SOURCE
Thanks for the detailed feedback!

  1. The choice of WebClient is intentional — LicenseDB exposes a REST API, not a Thrift service, so THttpClient is not applicable here. I'm open to feedback on whether there's a preferred pattern for external REST calls in this codebase.

  2. After reviewing LicenseDB's API documentation, it uses a JWT-based authentication model via /login and /refresh-token endpoints, rather than standard OAuth 2.0 Client Credentials. JWT with automatic token refresh is also a valid M2M authentication approach, and the static token in this PR was a starting point to validate the integration. Full lifecycle management with auto-refresh is the planned direction.

  3. Good point! My PR focuses on LicenseDatabaseHandler as the trigger entry point for the existing importAllSpdxLicenses() and importAllOSADLLicenses() methods. I'll take a closer look at the issue scope based on your suggestion.

Happy to collaborate!
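
The token lifecycle discussed in point 2 above (a JWT obtained from /login and renewed through /refresh-token before it expires), as an added Java example that is not part of this thread or of the SW360 or LicenseDB code. The `login` and `refresh` callbacks are hypothetical stand-ins for the HTTP calls, whose request and response formats this page does not give, and the provider assumes the token is a compact JWT carrying an `exp` claim.

```java
import java.nio.charset.StandardCharsets;
import java.time.*;
import java.util.Base64;
import java.util.function.*;
import java.util.regex.*;

// Added illustration (not SW360 or LicenseDB code); login/refresh are hypothetical HTTP wrappers.
public final class RefreshingTokenProvider {
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private final Supplier<String> login;        // assumed: sends credentials to /login, returns a JWT
    private final UnaryOperator<String> refresh; // assumed: sends the current JWT to /refresh-token
    private final Duration skew;                 // renew this long before expiry
    private final Clock clock;
    private String token; private Instant expiresAt; // cached JWT and its exp

    public RefreshingTokenProvider(Supplier<String> login, UnaryOperator<String> refresh,
                                   Duration skew, Clock clock) {
        this.login = login; this.refresh = refresh; this.skew = skew; this.clock = clock;
    }

    // Synchronized so concurrent import threads trigger one renewal, not one each.
    public synchronized String bearerToken() {
        Instant now = clock.instant();
        if (token != null && now.isBefore(expiresAt.minus(skew))) return token; // still fresh
        String next = null;
        if (token != null && now.isBefore(expiresAt)) { // inside the skew window: try refresh
            try { next = refresh.apply(token); } catch (RuntimeException e) { /* fall back to login */ }
        }
        if (next == null) next = login.get(); // first use, expired token, or failed refresh
        expiresAt = expiryOf(next); // throws, leaving the cache untouched, if exp is missing
        return token = next;
    }

    // exp is read only to schedule renewal; the server still verifies the signature.
    static Instant expiryOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWT");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload);
        if (!m.find()) throw new IllegalArgumentException("JWT has no exp claim");
        return Instant.ofEpochSecond(Long.parseLong(m.group(1)));
    }

    public static void main(String[] args) { // constructed demo token, valid for 60 s
        String body = "{\"exp\":" + (Instant.now().getEpochSecond() + 60) + "}";
        String jwt = "e30." + Base64.getUrlEncoder().withoutPadding().encodeToString(body.getBytes()) + ".sig";
        var p = new RefreshingTokenProvider(() -> jwt, old -> jwt, Duration.ofSeconds(30), Clock.systemUTC());
        System.out.println(expiryOf(p.bearerToken()));
    }
}
```

Keeping the credentials inside the `login` callback means only the short-lived token is ever held in the provider, and nothing long-lived has to sit in sw360.properties as a bearer value.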
