Dependency and vulnerability lists should link to file evidence in the repo
Problem to solve
This issue came up recently (issue) on several projects generating lock files as pipeline artifacts to pass to the Dependency Scanning analyzer for analysis. Because these files were dynamically generated but not committed, the links in the Dependency List and Vulnerability Report point to non-existent files in the repository.
For projects that don't commit lock files, this will be a user experience issue and a solution is needed.
Example
In a recent issue, a Gradle project only had build.gradle committed; the lock file (produced by the nebula plugin) was generated dynamically in the pipeline. Because the generated SBOM set the gitlab:dependency_scanning:input_file property to dependencies.lock, the vulnerability report and dependency list linked to this file, and the links were broken as a result.
To solve this, we added a post-processing step to update the gitlab:dependency_scanning:input_file property after the SBOM was generated.
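The post-processing step described above, as an added example that is not the project's own code: it rewrites the gitlab:dependency_scanning:input_file property of a CycloneDX SBOM so that it names a file that is actually committed. The property name is taken from this issue; the SBOM layout (CycloneDX metadata.properties), the sample document and the helper names are assumptions constructed here.

```python
"""Rewrite the input_file property of a CycloneDX SBOM when it points at a
file that is not committed (e.g. a pipeline-generated lock file), so the
Dependency List and Vulnerability Report links resolve.
Added example; property name from the issue, everything else constructed."""
import copy
import json
from typing import Any, Dict, Optional, Set

INPUT_FILE_PROP = "gitlab:dependency_scanning:input_file"

# Constructed sample: Gradle project whose lock file is generated by the
# nebula plugin during the pipeline and never committed.
COMMITTED_FILES: Set[str] = {"build.gradle", "settings.gradle"}

SAMPLE_SBOM: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "properties": [
            {"name": INPUT_FILE_PROP, "value": "dependencies.lock"},
        ]
    },
    "components": [],
}


def find_input_file(sbom: Dict[str, Any]) -> Optional[str]:
    """Return the current input_file value, or None if the property is absent."""
    for prop in sbom.get("metadata", {}).get("properties", []):
        if prop.get("name") == INPUT_FILE_PROP:
            return prop.get("value")
    return None


def rewrite_input_file(sbom: Dict[str, Any], committed: Set[str],
                       fallback: str) -> Dict[str, Any]:
    """Return a copy of the SBOM whose input_file names a committed file.
    Values already in the repository are left alone; a missing property is
    added; a fallback that is itself not committed is rejected."""
    if fallback not in committed:
        raise ValueError(f"fallback {fallback!r} is not a committed file")
    out = copy.deepcopy(sbom)  # never mutate the caller's document
    props = out.setdefault("metadata", {}).setdefault("properties", [])
    found = False
    for prop in props:
        if prop.get("name") == INPUT_FILE_PROP:
            found = True
            if prop.get("value") not in committed:
                prop["value"] = fallback  # broken link -> committed file
    if not found:
        props.append({"name": INPUT_FILE_PROP, "value": fallback})
    return out


if __name__ == "__main__":
    print(json.dumps(rewrite_input_file(SAMPLE_SBOM, COMMITTED_FILES,
                                        "build.gradle"), indent=2))
```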
Proposal
TBC (see discussion threads)