DS - Dependency Manifest Scanning
#### Overview

This epic tracks the manifest parsing and scanning work for Java and Python required to reach the [General Availability (GA) level](https://docs.gitlab.com/ee/policy/experiment-beta-support.html#generally-available-ga) for [Dependency Scanning by using SBOM](https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/), currently released as Limited Availability. See linked items for additional context.

#### Problem to Solve

The current workflow requires users to generate lock _(Python)_ or graph _(Java)_ files and store them in their repository to be picked up for dependency scanning. When a lock or graph file is not present, the DS Analyzer will not successfully scan a project and provide users with their vulnerable dependencies. This creates friction for users adopting the DS Analyzer, as not all users generate lock/graph files, and users require insight into potentially vulnerable dependencies in their projects.

Implementing manifest scanning will allow users to resolve and scan direct dependencies when a lock or graph file is not present for Java or Python projects.

#### Scope

* https://gitlab.com/gitlab-org/gitlab/-/issues/586921+
* https://gitlab.com/gitlab-org/gitlab/-/issues/585886+
* https://gitlab.com/gitlab-org/gitlab/-/issues/588788+
epic