Display file path within container image of SBOM components found by container scanning
Release notes
Problem to solve
Some SBOM components with a language PURL type, for example gem or npm, may contain a file path property when sourced from a Trivy SBOM. This file path property points to the location within the container image where you can find the package.
This file path helps track pre-bundled dependencies that carry vulnerabilities, and showing it on the Dependency List page would surface that information where users look for it.
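The data shape described above, as an added example that is neither part of this issue nor GitLab's or Trivy's own code: a small parser that pulls the file path property out of a Trivy-style CycloneDX SBOM for language-type components only, and tolerates components that have no such property. The property name `aquasecurity:trivy:FilePath`, the sample SBOM and the set of language PURL types are assumptions.

```python
import json

# Trivy records a language package's location inside the image as a CycloneDX
# component property; this property name is assumed from Trivy's output.
FILE_PATH_PROPERTY = "aquasecurity:trivy:FilePath"
# PURL types for language/application packages (OS package types such as deb are excluded).
LANGUAGE_PURL_TYPES = {"gem", "npm", "pypi", "maven", "golang", "cargo", "composer", "nuget"}

# Constructed sample: a trimmed CycloneDX document shaped like Trivy's container-scan SBOM.
SAMPLE_SBOM = json.dumps({"components": [
    {"name": "rack", "version": "2.2.6", "purl": "pkg:gem/rack@2.2.6",
     "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "bundler"},
                    {"name": FILE_PATH_PROPERTY, "value": "app/Gemfile.lock"}]},
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20",
     "properties": [{"name": FILE_PATH_PROPERTY, "value": "usr/src/app/package-lock.json"}]},
    {"name": "libssl3", "version": "3.0.2-0ubuntu1",
     "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1?distro=ubuntu-22.04",
     "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "ubuntu"}]},
    # A language package with no properties at all (must not crash the parser).
    {"name": "orphan", "version": "1.0.0", "purl": "pkg:gem/orphan@1.0.0"},
]})


def purl_type(purl):
    """Return the PURL type ('gem' for 'pkg:gem/rack@2.2.6'), or None if malformed."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].lstrip("/").split("/", 1)[0].lower() or None


def file_path_of(component):
    """Return the Trivy file path property value, or None when the component has none."""
    for prop in component.get("properties") or []:
        if prop.get("name") == FILE_PATH_PROPERTY:
            return prop.get("value")
    return None


def language_components_with_paths(sbom_json):
    """List (purl, file_path) for language-type components only; file_path is None when absent."""
    rows = []
    for comp in json.loads(sbom_json).get("components", []):
        if purl_type(comp.get("purl")) in LANGUAGE_PURL_TYPES:
            rows.append((comp["purl"], file_path_of(comp)))
    return rows


if __name__ == "__main__":
    for purl, path in language_components_with_paths(SAMPLE_SBOM):
        print(f"{purl:<40} {path or '(no file path recorded)'}")
```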
Intended users
User experience goal
If a language/application dependency is reported in a Trivy SBOM and that SBOM is then ingested, the Dependency List should surface the dependency's file path in a way that is easy to read.
Proposal
Further details
Adding this information was initially attempted in !140282 (merged), but was removed at the time because of UX issues described in !140282 (comment 1752389773).
Permissions and Security
Documentation
Availability & Testing
Available Tier
Feature Usage Metrics
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
What is the competitive advantage or differentiation for this feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.