Export dependency list in CSV format

Release notes

https://docs.gitlab.com/ee/user/application_security/dependency_list/#download-the-dependency-list

You can now select CSV as the format when exporting a dependency list.

Problem to solve

Depending on the audience consuming a dependency list, offering formats other than JSON or CycloneDX can help make a list of dependencies easier to consume.

Proposal

Offer a CSV-formatted export option for Dependency List.

The CSV columns will include:

  • Component / Package Name
  • Packager
  • Version
  • Location(s) - quoted list
  • License identifier(s) (SPDX identifier) - quoted list
  • Project name(s) - quoted list
  • Vulnerabilities detected - number
  • Vulnerability IDs - quoted list of vulnerability IDs

If a cell needs to include a list, it will use the same list-in-cell format as the vulnerability report export, for example: "A1:2017 - Injection"; "Find Security Bugs-COMMAND_INJECTION"; find_sec_bugs.COMMAND_INJECTION-1; "A03:2021 - Injection"
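As an added illustration, not GitLab's own export code, the following writes and reads back a CSV with the columns above. It assumes the list-in-cell convention shown in the example (items separated by "; ", items containing spaces double-quoted, no item containing "; " itself); the exact column header text and the sample component are constructed for the example.

```python
import csv
import io

# Header row: the column set from the proposal (header text is assumed).
COLUMNS = ["Component / Package Name", "Packager", "Version", "Locations",
           "License Identifiers (SPDX)", "Project Names",
           "Vulnerabilities Detected", "Vulnerability IDs"]
LIST_COLUMNS = {"Locations", "License Identifiers (SPDX)", "Project Names",
                "Vulnerability IDs"}

def encode_list_cell(items):
    """Join items into one cell: '; '-separated, items with spaces quoted.
    Assumed reading of the list-in-cell format; items must not contain '; '."""
    return "; ".join(f'"{i}"' if " " in i else i for i in items)

def decode_list_cell(cell):
    """Inverse of encode_list_cell; an empty cell is an empty list."""
    parts = cell.split("; ") if cell else []
    return [p[1:-1] if len(p) > 1 and p[0] == p[-1] == '"' else p
            for p in parts]

def write_dependency_csv(components):
    """Render component dicts as CSV text. csv.writer does the outer quoting,
    so inner double quotes from list cells are doubled instead of breaking
    the row when a spreadsheet or script parses the file."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(COLUMNS)
    for c in components:
        w.writerow([c["name"], c["packager"], c["version"],
                    encode_list_cell(c["locations"]),
                    encode_list_cell(c["licenses"]),
                    encode_list_cell(c["projects"]),
                    len(c["vulnerabilities"]),
                    encode_list_cell(c["vulnerabilities"])])
    return buf.getvalue()

def read_dependency_csv(text):
    """Parse an export back into dicts, decoding list cells and the count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for col in LIST_COLUMNS:
            r[col] = decode_list_cell(r[col])
        r["Vulnerabilities Detected"] = int(r["Vulnerabilities Detected"])
    return rows

# Constructed sample component, not real GitLab data.
SAMPLE = [{"name": "lodash", "packager": "npm", "version": "4.17.15",
           "locations": ["package-lock.json", "web/package-lock.json"],
           "licenses": ["MIT"], "projects": ["group/web app", "group/api"],
           "vulnerabilities": ["A1:2017 - Injection",
                               "find_sec_bugs.COMMAND_INJECTION-1"]}]
```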

Additional guidelines from #407453 (closed):

The report should be sent by email as a downloadable link that is kept for 7 days. This avoids customers having to wait on the page (see https://gitlab.com/gitlab-org/gitlab/-/issues/425327#note_2264825358). This was raised in https://gitlab.com/gitlab-org/gitlab/-/issues/504939

  • Group level: at the group level, the need is to concatenate the reports and send them by email. As a first step, a zip file with all generated reports can be provided (see this thread).

Scope

  1. Group Dependency List
  2. Project Dependency List

Intended users

Personas are described at https://handbook.gitlab.com/handbook/product/personas/

Feature Usage Metrics

Number of unique users performing a CSV export in a given 28-day period.

Does this feature require an audit event?

Edited by Dean Agron