Dependency path support for language dependency vulnerabilities found by container-scanning

Proposal

Container findings can contain both language dependencies (defined as dependencies required by a programming language) and operating system dependencies. For language dependencies, the dependency path information displayed in the dependency list helps teams identify which dependency requires a patch or removal. We present this for a portion of our supported dependency scanning package managers¹, and it would be beneficial to provide parity for the language dependencies discovered through container scanning.

Additional information

For continuous vulnerability scanning, this was briefly explored in !140282 (comment 1754304391), but we discovered that the UI/UX was not satisfactory given the much longer location strings produced by container scanning. For example, a dependency scanning finding location looks like /path/to/app/requirements.txt, whereas the same finding from container scanning looks like container-image:example.gitlab.com/group/project@tag?path=/path/to/app/requirements.txt. This resulted in hard-to-read paths.
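To illustrate the readability problem, the following added example (not GitLab's code, and not part of the original issue) splits a container-scanning location of the form shown above into its image reference, tag and in-image path, so a UI could render the file path on its own and show the image separately. The only format assumed is the one quoted in the example above (`container-image:<image>@<tag>?path=<file path>`); the function names, the `@`-splitting rule and the handling of a location with no `?path=` are assumptions made for this example.

```javascript
// Added example, not GitLab code. Splits a container-scanning finding location
//   container-image:<image>@<tag>?path=<file path inside the image>
// into its parts so the in-image path can be displayed without the long prefix.
// Assumed: '@' separates image from tag (as in the page's example) and a
// location without the scheme prefix is a plain dependency-scanning file path.
const CONTAINER_IMAGE_SCHEME = 'container-image:';

// Minimal query-string parser. URLSearchParams is avoided on purpose so that a
// literal '+' in a file path is not turned into a space.
function parseQuery(query) {
  const params = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

function parseFindingLocation(location) {
  if (!location.startsWith(CONTAINER_IMAGE_SCHEME)) {
    // Dependency scanning: the location is already a plain file path.
    return { kind: 'file', image: null, tag: null, path: location };
  }
  const rest = location.slice(CONTAINER_IMAGE_SCHEME.length);
  const q = rest.indexOf('?');
  const ref = q === -1 ? rest : rest.slice(0, q);
  const params = q === -1 ? {} : parseQuery(rest.slice(q + 1));
  // Split "<image>@<tag>" on the last '@' so a registry host keeps its whole name.
  const at = ref.lastIndexOf('@');
  const image = at === -1 ? ref : ref.slice(0, at);
  const tag = at === -1 ? null : ref.slice(at + 1);
  // A location with no ?path= yields path: null rather than throwing.
  return { kind: 'container-image', image, tag, path: params.path ?? null };
}

// Short display form: the file path first, with the image reference after it.
function formatFindingLocation(location) {
  const parsed = parseFindingLocation(location);
  if (parsed.kind === 'file') return parsed.path;
  const ref = parsed.tag ? `${parsed.image}@${parsed.tag}` : parsed.image;
  return parsed.path ? `${parsed.path} (in ${ref})` : ref;
}

// Constructed sample inputs, based on the two locations quoted in the issue.
console.log(formatFindingLocation('/path/to/app/requirements.txt'));
console.log(formatFindingLocation(
  'container-image:example.gitlab.com/group/project@tag?path=/path/to/app/requirements.txt',
));
```

Splitting on the last `@` rather than the first keeps an image name intact when the registry host itself is long; a location that carries no `?path=` component is returned with `path: null` so the caller can fall back to showing the image reference alone.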

/cc @johncrowley

  1. We plan to extend this support even further in &7288 (closed).

Edited by Thiago Figueiró