Vulnerability to package visibility

[PhilipCattanach]

As I understand, and I'm happy to be corrected, is that in V2 packages can be ingested from both SBOMs and Advisories.
In version 1 all packages would originate from ingested SBOMs.
That is all fine.

However in V2, if there is a vulnerability affecting a package that does not belong to an SBOM, then it not possible to see via the UI which package the vulnerability is associated with.

This vulnerability to package data is exposed on the SBOM Detail screen Vulnerabilities tab.

I would suggest we need a third tab (Related packages) on the Vulnerabilities detail screen.

[mrizzi]

It might help to further clarify the potential UX improvement.

In the package details page, trustify provides the list of the vulnerabilities affecting it

On the other side, in the vulnerability details page there's no way to know the affected package(s) if they are not inside an already ingested SBOM

In this context, having a Related package tab in the vulnerability details page would help the browsing from packages to vulnerabilities and viceversa.