Feature Proposal: Expose package metadata to Dependency and Container Scanning users
Problem to solve
Users of SCA tools require information about the packages that are used within their projects. Providing package metadata to users allows them to better understand the components that make up their applications.
Oftentimes, when investigating a CVE, AppSec and Developer personas want to know more about the package in question. Currently users see some information on the Vulnerability Detail page, but it is largely focused on the vulnerability itself rather than the package.
Proposal
We should start to consume and expose the following information to users:
- component age
- first published
- number of releases
- contributor counts
- popularity (downloads)
- commit frequency
- direct usage
- indirect usage
- Other?
Depending on input from development, we can deliver this as an MVC (minimal viable change) with an API that provides the data. Longer term we should add this to the GitLab UI, presumably as a link off the Dependency List.
Intended users
Does this feature require an audit event?
No.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.