
Show path to any dependency, and not only vulnerable ones

Blocked by #227601 (closed)

This is not technically blocked by #227601 (closed) but the work has been organized in this order and changing the order would impact the content of that issue.

Problem to solve

As a maintainer reviewing project dependencies using the dependency list, I need to know how a transitive dependency relates to the top-level dependencies, so that I can assess whether it is needed and, if it is not, remove the top-level dependency that pulls it in.

This is a follow-up issue to #227620 (closed) which is about showing the dependency path(s) to vulnerable dependencies, and doesn't cover dependencies that are not affected by vulnerabilities.

Intended users

User experience goal

Proposal

When clicking on the Location of a component from the Dependency List, open a pop-in window that shows all the paths connecting that dependency to the top-level dependencies (a dependency may be reachable through several top-level packages, and every such path should be listed). See #227601 (closed)

The Dependency Scanning report format needs to be revisited so that it can carry the full dependency graph of any lock file (or equivalent). Alternatively, we might decide to introduce a new report that represents the Bill of Materials, and contains the full dependency graph.

TBD: Decide if we extend the Dependency Scanning report format or introduce a new type of artifact.
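As an added example (not GitLab's own code and not part of this issue), the script below shows the computation the pop-in window needs once the report carries the full graph: it parses a constructed Gemfile.lock into a dependency graph (gem name => direct dependencies, plus the top-level DEPENDENCIES list) and enumerates every path from a top-level gem down to a chosen gem. The lock file contents and the function names are made up for illustration.

```ruby
# Added example: build a dependency graph from a Gemfile.lock and list all
# paths from the top-level (DEPENDENCIES) gems to a given gem.
# SAMPLE_LOCK is a constructed lock file, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (6.1.0)
      rack (~> 2.0)
      rack-test (>= 0.6.3)
    rack (2.2.3)
    rack-test (1.1.0)
      rack (>= 1.0, < 3)
    rails (6.1.0)
      actionpack (= 6.1.0)
    rspec-rails (5.0.0)
      actionpack (>= 5.2)

PLATFORMS
  ruby

DEPENDENCIES
  rails (~> 6.1)
  rspec-rails

BUNDLED WITH
   2.2.3
LOCK

# Returns [top_level_names, graph] where graph maps a gem name to the names of
# its direct dependencies. In the GEM/specs block a gem line is indented by
# four spaces and its dependency lines by six; version constraints are dropped.
def parse_gemfile_lock(text)
  graph = Hash.new { |h, k| h[k] = [] }
  top_level = []
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/ # an unindented line starts a section (GEM, DEPENDENCIES, ...)
      section = line
      current = nil
      next
    end
    name = line.strip.split(' ').first.delete('!') # strip constraint and git-source marker
    case section
    when 'GEM'
      indent = line[/\A */].size
      if indent == 4
        current = name
        graph[current] # register the gem even if it has no dependencies
      elsif indent == 6 && current
        graph[current] << name
      end
    when 'DEPENDENCIES'
      top_level << name
    end
  end
  [top_level, graph]
end

# Depth-first enumeration of every path root -> ... -> target, starting from
# each top-level gem. A gem already on the current path is not revisited, so a
# cyclic lock file cannot loop forever.
def paths_to(graph, top_level, target)
  results = []
  walk = lambda do |node, path|
    if node == target
      results << path
      return
    end
    graph[node].each do |dep|
      next if path.include?(dep) # cycle guard
      walk.call(dep, path + [dep])
    end
  end
  top_level.each { |root| walk.call(root, [root]) }
  results
end

# Human-readable form for the pop-in window, one line per path.
def format_paths(paths)
  paths.map { |p| p.join(' > ') }
end

if $PROGRAM_NAME == __FILE__
  top, graph = parse_gemfile_lock(SAMPLE_LOCK)
  puts format_paths(paths_to(graph, top, 'rack'))
end
```

For the sample lock file, `rack` is reachable through four paths (via `rails` and `rspec-rails`, each directly from `actionpack` and through `rack-test`), which is exactly the information a maintainer needs to see which top-level dependency to drop. Asking for a top-level gem itself returns the single one-element path, and an unknown gem returns no paths.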

Further details

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Olivier Gonzalez