Allow setting location of vulnerability to software definitions in omnibus-gitlab

What does this MR do?

Provide an option for omnibus-gitlab to control what puts as location in a vulnerability report. As seen from https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/6441, using version-manifest.json as a value takes you to a non-existent location, because that file is not checked in to the repo, and instead is an artifact. A better value would be the software definition file of the component, which is synonymous to Gemfile.lock or yarn.lock for other "package managers".

Does this MR meet the acceptance criteria?

• Changelog entry added
• Documentation created/updated for GitLab EE, if necessary
• Documentation created/updated for this project, if necessary
• Documentation reviewed by technical writer or follow-up review issue created
• Tests added for this feature/bug
• Job definition updated, if necessary
  • Auto-DevOps template
  • Job definition example
  • CI Templates
• Conforms to the code review guidelines
• Conforms to the Go guidelines
• Security reports checked/validated by reviewer