Dependency Scanning: Link users to file where vulnerability is occurring not the lock file.

Background

Today, Dependency Scanning links users to the lock file in which we detected an issue. However, based on conversations with @plafoucriere, editing the lock file to fix the problem is considered bad practice. We should instead link users to the file they should edit to fix the vulnerability.

Problem

In some cases Dependency Scanning links users to the lock file, which should not be manually edited.

Solution

Link users to the file they need to edit to fix the vulnerability.
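One way to decide which file to link to, as an added illustration and not GitLab's own implementation: treat the manifest (here a constructed package.json with a constructed lockfileVersion 1 package-lock.json) as the edit target, and for a transitive finding name the direct dependencies whose chain pulls the vulnerable package in. Function and file names are assumptions.

```python
import json

# Constructed sample files (not from a real project), in npm lockfileVersion 1 style.
PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.16.0", "lodash": "^4.17.11"},
})
PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "express": {"version": "4.16.4", "requires": {"debug": "2.6.9", "qs": "6.5.2"}},
        "debug": {"version": "2.6.9", "requires": {"ms": "2.0.0"}},
        "ms": {"version": "2.0.0"},
        "qs": {"version": "6.5.2"},
        "lodash": {"version": "4.17.11"},
    },
})


def fix_location(vuln_pkg, manifest_text, lock_text, manifest_path="package.json"):
    """Return the file and manifest entries a user should edit to remediate `vuln_pkg`.

    Direct dependency: the manifest entry for the package itself.
    Transitive dependency: the manifest entries of the direct dependencies whose
    dependency chain pulls `vuln_pkg` in (bumping those refreshes the lock file).
    Returns None when the package does not appear in the lock file at all.
    """
    manifest = json.loads(manifest_text)
    lock = json.loads(lock_text).get("dependencies", {})
    if vuln_pkg not in lock:
        return None
    direct = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    if vuln_pkg in direct:
        return {"file": manifest_path, "edit": [vuln_pkg]}

    def reaches(pkg, seen):
        # Depth-first walk over "requires" edges; `seen` guards against cycles.
        if pkg == vuln_pkg:
            return True
        if pkg in seen or pkg not in lock:
            return False
        seen.add(pkg)
        return any(reaches(dep, seen) for dep in lock[pkg].get("requires", {}))

    culprits = sorted(d for d in direct if reaches(d, set()))
    return {"file": manifest_path, "edit": culprits}
```

For a finding in the transitive package `ms`, the result points at package.json and names `express` as the entry to update, rather than the lock file line where `ms` was detected.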
