tnir
diff --git a/‎app/assets/javascripts/ci/pipeline_details/graph/components/linked_pipeline.vue
+4-1 b/‎app/assets/javascripts/ci/pipeline_details/graph/components/linked_pipeline.vue
+4-1
diff --git a/‎app/assets/javascripts/groups_projects/components/tabs_with_list.vue
+39-33 b/‎app/assets/javascripts/groups_projects/components/tabs_with_list.vue
+39-33
diff --git a/‎app/assets/javascripts/projects/your_work/components/app.vue
+4 b/‎app/assets/javascripts/projects/your_work/components/app.vue
+4
diff --git a/‎app/assets/javascripts/projects/your_work/constants.js
+5 b/‎app/assets/javascripts/projects/your_work/constants.js
+5
diff --git a/‎app/views/projects/settings/ci_cd/_form.html.haml
+1 b/‎app/views/projects/settings/ci_cd/_form.html.haml
+1
diff --git a/‎danger/plugins/remote_development.rb
+2-2 b/‎danger/plugins/remote_development.rb
+2-2
diff --git a/‎db/click_house/migrate/main/20250327154508_create_ai_troubleshoot_job_events_table.rb
+28 b/‎db/click_house/migrate/main/20250327154508_create_ai_troubleshoot_job_events_table.rb
+28
diff --git a/‎doc/development/testing_guide/end_to_end/best_practices/rspec_metadata_tests.md
-1 b/‎doc/development/testing_guide/end_to_end/best_practices/rspec_metadata_tests.md
-1
diff --git a/‎doc/user/application_security/dependency_list/_index.md
+12-1 b/‎doc/user/application_security/dependency_list/_index.md
+12-1
diff --git a/‎doc/user/application_security/vulnerabilities/_index.md
+27-1 b/‎doc/user/application_security/vulnerabilities/_index.md
+27-1
@@ -300,7 +300,10 @@ export default {
         />
         <div v-else class="gl-pr-3"><gl-loading-icon size="sm" inline /></div>
         <div class="gl-flex gl-min-w-0 gl-flex-1 gl-flex-col">
-          <span class="gl-whitespace-normal" data-testid="downstream-title-content">
+          <span
+            class="gl-whitespace-normal gl-wrap-anywhere"
+            data-testid="downstream-title-content"
+          >
             {{ downstreamTitle }}
           </span>
           <div class="gl-truncate">
 
@@ -1,6 +1,6 @@
 <script>
 import { GlTabs, GlTab, GlBadge, GlFilteredSearchToken } from '@gitlab/ui';
-import { isEqual, pick } from 'lodash';
+import { isEqual, pick, get } from 'lodash';
 import { __ } from '~/locale';
 import { QUERY_PARAM_END_CURSOR, QUERY_PARAM_START_CURSOR } from '~/graphql_shared/constants';
 import { numberToMetricPrefix } from '~/lib/utils/number_utils';
@@ -9,7 +9,6 @@ import FilteredSearchAndSort from '~/groups_projects/components/filtered_search_
 import { calculateGraphQLPaginationQueryParams } from '~/graphql_shared/utils';
 import { OPERATORS_IS } from '~/vue_shared/components/filtered_search_bar/constants';
 import { ACCESS_LEVEL_OWNER_INTEGER } from '~/access_level/constants';
-import projectCountsQuery from '~/projects/your_work/graphql/queries/project_counts.query.graphql';
 import * as Sentry from '~/sentry/sentry_browser_wrapper';
 import { InternalEvents } from '~/tracking';
 import {
@@ -26,9 +25,6 @@ const trackingMixin = InternalEvents.mixin();
 // Will be made more generic to work with groups and projects in future commits
 export default {
   name: 'TabsWithList',
-  i18n: {
-    projectCountError: __('An error occurred loading the project counts.'),
-  },
   components: {
     GlTabs,
     GlTab,
@@ -98,44 +94,30 @@ export default {
         return {};
       },
     },
+    tabCountsQuery: {
+      type: Object,
+      required: false,
+      default() {
+        return {};
+      },
+    },
+    tabCountsQueryErrorMessage: {
+      type: String,
+      required: false,
+      default: __('An error occurred loading the tab counts.'),
+    },
   },
   data() {
     return {
       activeTabIndex: this.initActiveTabIndex(),
-      counts: this.tabs.reduce((accumulator, tab) => {
+      tabCounts: this.tabs.reduce((accumulator, tab) => {
         return {
           ...accumulator,
           [tab.value]: undefined,
         };
       }, {}),
     };
   },
-  apollo: {
-    counts() {
-      return {
-        query: projectCountsQuery,
-        update(response) {
-          const {
-            currentUser: { contributed, starred },
-            personal,
-            member,
-            inactive,
-          } = response;
-
-          return {
-            contributed: contributed.count,
-            starred: starred.count,
-            personal: personal.count,
-            member: member.count,
-            inactive: inactive.count,
-          };
-        },
-        error(error) {
-          createAlert({ message: this.$options.i18n.projectCountError, error, captureError: true });
-        },
-      };
-    },
-  },
   computed: {
     activeTab() {
       return this.tabs[this.activeTabIndex];
@@ -233,6 +215,30 @@ export default {
       return this.timestampTypeMap[this.activeSortOption.value];
     },
   },
+  async created() {
+    if (!Object.keys(this.tabCountsQuery).length) {
+      return;
+    }
+
+    try {
+      const { data } = await this.$apollo.query({ query: this.tabCountsQuery });
+
+      this.tabCounts = this.tabs.reduce((accumulator, tab) => {
+        const { count } = get(data, tab.countsQueryPath);
+
+        return {
+          ...accumulator,
+          [tab.value]: count,
+        };
+      }, {});
+    } catch (error) {
+      createAlert({
+        message: this.tabCountsQueryErrorMessage,
+        error,
+        captureError: true,
+      });
+    }
+  },
   methods: {
     numberToMetricPrefix,
     createSortQuery({ sortBy, isAscending }) {
@@ -267,7 +273,7 @@ export default {
       this.trackEvent(this.eventTracking.tabs, { label: tab.text });
     },
     tabCount(tab) {
-      return this.counts[tab.value];
+      return this.tabCounts[tab.value];
     },
     shouldShowCountBadge(tab) {
       return this.tabCount(tab) !== undefined;
 
@@ -16,6 +16,7 @@ import {
   TIMESTAMP_TYPE_CREATED_AT,
   TIMESTAMP_TYPE_LAST_ACTIVITY_AT,
 } from '~/vue_shared/components/resource_lists/constants';
+import projectCountsQuery from '../graphql/queries/project_counts.query.graphql';
 import { PROJECT_DASHBOARD_TABS, FIRST_TAB_ROUTE_NAMES } from '../constants';
 
 export default {
@@ -44,6 +45,7 @@ export default {
     tabs: 'click_tab_on_your_work_projects',
     sort: 'click_sort_on_your_work_projects',
   },
+  tabCountsQuery: projectCountsQuery,
   name: 'YourWorkProjectsApp',
   components: {
     TabsWithList,
@@ -75,5 +77,7 @@ export default {
     :initial-sort="initialSort"
     :programming-languages="programmingLanguages"
     :event-tracking="$options.eventTracking"
+    :tab-counts-query="$options.tabCountsQuery"
+    :tab-counts-query-error-message="__('An error occurred loading the project counts.')"
   />
 </template>
@@ -27,6 +27,7 @@ export const CONTRIBUTED_TAB = {
   query: userProjectsQuery,
   variables: { contributed: true },
   queryPath: 'currentUser.contributedProjects',
+  countsQueryPath: 'currentUser.contributed',
   emptyStateComponentProps: {
     title: s__("Projects|You haven't contributed to any projects yet."),
     description: s__(
@@ -43,6 +44,7 @@ export const STARRED_TAB = {
   query: userProjectsQuery,
   variables: { starred: true },
   queryPath: 'currentUser.starredProjects',
+  countsQueryPath: 'currentUser.starred',
   emptyStateComponentProps: {
     title: s__("Projects|You haven't starred any projects yet."),
     description: s__(
@@ -59,6 +61,7 @@ export const PERSONAL_TAB = {
   query: projectsQuery,
   variables: { personal: true },
   queryPath: 'projects',
+  countsQueryPath: 'personal',
   emptyStateComponentProps: {
     title: s__("Projects|You don't have any personal projects yet."),
   },
@@ -71,6 +74,7 @@ export const MEMBER_TAB = {
   query: projectsQuery,
   variables: { membership: true },
   queryPath: 'projects',
+  countsQueryPath: 'member',
   emptyStateComponentProps: {
     title: s__("Projects|You aren't a member of any projects yet."),
   },
@@ -83,6 +87,7 @@ export const INACTIVE_TAB = {
   query: projectsQuery,
   variables: { archived: 'ONLY', membership: true },
   queryPath: 'projects',
+  countsQueryPath: 'inactive',
   emptyStateComponentProps: {
     title: s__("Projects|You don't have any inactive projects."),
     description: s__('Projects|Projects that are archived or pending deletion will appear here.'),
 
@@ -36,6 +36,7 @@
             s_("CICD|Use separate caches for protected branches"),
             help_text: (s_('CICD|Unprotected branches will not have access to the cache from protected branches.') + ' ' + help_link_separated_caches).html_safe
 
+        = render_if_exists 'projects/settings/ci_cd/composite_identities_pipelines', form: f
         = render_if_exists 'projects/settings/ci_cd/pipeline_cancelation', form: f
 
         .form-group
 
@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
-require_relative '../../tooling/danger/remote_development/desired_config_generator'
+require_relative '../../tooling/danger/remote_development/desired_config_generator_suggestor'
 
 module Danger
   class RemoteDevelopment < ::Danger::Plugin
-    include Tooling::Danger::RemoteDevelopment::DesiredConfigGenerator
+    include Tooling::Danger::RemoteDevelopment::DesiredConfigGeneratorSuggestor
   end
 end
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class CreateAiTroubleshootJobEventsTable < ClickHouse::Migration
+  def up
+    execute <<-SQL
+      CREATE TABLE IF NOT EXISTS troubleshoot_job_events
+      (
+        user_id UInt64 NOT NULL DEFAULT 0,
+        timestamp DateTime64(6, 'UTC') NOT NULL DEFAULT now64(),
+        job_id UInt64 NOT NULL DEFAULT 0,
+        project_id UInt64 NOT NULL DEFAULT 0,
+        event UInt8 NOT NULL DEFAULT 0,
+        namespace_path String DEFAULT '',
+        pipeline_id UInt64 DEFAULT 0,
+        merge_request_id UInt64 DEFAULT 0
+      )
+      ENGINE = ReplacingMergeTree
+      PARTITION BY toYear(timestamp)
+      ORDER BY (user_id, event, timestamp)
+    SQL
+  end
+
+  def down
+    execute <<-SQL
+      DROP TABLE IF EXISTS troubleshoot_job_events
+    SQL
+  end
+end
@@ -44,7 +44,6 @@ This is a partial list of the [RSpec metadata](https://rspec.info/features/3-12/
 | `:requires_admin`              | The test requires an administrator account. Tests with the tag are excluded when run against Canary and Production environments.                                                                                                                                                                                                                                                                                                                                                                                 |
 | `:requires_git_protocol_v2`    | The test requires that Git protocol version 2 is enabled on the server. It's assumed to be enabled by default but if not the test can be skipped by setting `QA_CAN_TEST_GIT_PROTOCOL_V2` to `false`.                                                                                                                                                                                                                                                                                                            |
 | `:requires_praefect`           | The test requires that the GitLab instance uses [Gitaly Cluster](../../../../administration/gitaly/praefect.md) (a.k.a. Praefect) as the repository storage. It's assumed to be used by default but if not the test can be skipped by setting `QA_CAN_TEST_PRAEFECT` to `false`.                                                                                                                                                                                                                                    |
-| `:runner`                      | The test depends on and sets up a GitLab Runner instance, typically to run a pipeline.                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | `:skip_live_env`               | The test is excluded when run against live deployed environments such as Staging, Canary, and Production.                                                                                                                                                                                                                                                                                                                                                                                                        |
 | `:skip_fips_env`               | The test is excluded when run against an environment in FIPS mode.                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 | `:skip_signup_disabled`        | The test uses UI to sign up a new user and is skipped in any environment that does not allow new user registration via the UI.                                                                                                                                                                                                                                                                                                                                                                                   |
 
@@ -52,21 +52,32 @@ Although this is not mandatory for populating the dependency list, the SBOM docu
 
 - In GitLab 17.2, the `location` field no longer links to the commit where the dependency was last detected when the feature flag `skip_sbom_occurrences_update_on_pipeline_id_change` is enabled. The flag is disabled by default.
 - In GitLab 17.3 the `location` field always links to the commit where the dependency was first detected. Feature flag `skip_sbom_occurrences_update_on_pipeline_id_change` removed.
+- View dependency paths option [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/519965) in GitLab 17.11 [with a flag](../../../administration/feature_flags.md) named `dependency_paths`. Disabled by default.
 
 {{< /history >}}
 
+{{< alert type="flag" >}}
+
+The availability of this feature is controlled by a feature flag.
+For more information, see the history.
+
+{{< /alert >}}
+
 To view the dependencies of a project or all projects in a group:
 
 1. On the left sidebar, select **Search or go to** and find your project or group.
 1. Select **Secure > Dependency list**.
+1. Optional. If there are transitive dependencies, you can also view all of the dependency paths:
+   - For a project, in the **Location** column, select **View dependency paths**.
+   - For a group, in the **Location** column, select the location, then select **View dependency paths**.
 
 Details of each dependency are listed, sorted by decreasing severity of vulnerabilities (if any). You can sort the list instead by component name, packager, or license.
 
 | Field     | Description |
 |:----------|:-----------|
 | Component | The dependency's name and version. |
 | Packager  | The packager used to install the dependency. |
-| Location  | For system dependencies, this lists the image that was scanned. For application dependencies, this shows a link to the packager-specific lock file in your project that declared the dependency. It also shows the [direct dependents](#dependency-paths) of the dependency, if any, and if supported. |
+| Location  | For system dependencies, this field lists the image that was scanned. For application dependencies, this field shows a link to the packager-specific lock file in your project that declared the dependency. It also shows the direct [dependents](#dependency-paths), if any. If there are transitive dependencies, selecting **View dependency paths** shows the full path of all dependents. Transitive dependencies are indirect dependents that have a direct dependent as an ancestor. |
 | License (for projects only) | Links to dependency's software licenses. A warning badge that includes the number of vulnerabilities detected in the dependency. |
 | Projects (for groups only) | Links to the project with the dependency. If multiple projects have the same dependency, the total number of these projects is shown. To go to a project with this dependency, select the **Projects** number, then search for and select its name. The project search feature is supported only on groups that have up to 600 occurrences in their group hierarchy. |
 
 
@@ -21,7 +21,7 @@ including:
 - Available actions
 - Linked issues
 - Actions log
-- Filename and line number of the vulnerability (if available)
+- Location
 - Severity
 
 For vulnerabilities in the [Common Vulnerabilities and Exposures (CVE)](https://www.cve.org/)
@@ -571,3 +571,29 @@ To view the security training for a vulnerability:
 1. Select **Secure > Vulnerability report**.
 1. Select the vulnerability for which you want to view security training.
 1. Select **View training**.
+
+## View the location of a vulnerability in transitive dependencies
+
+{{< history >}}
+
+- View dependency paths option [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/519965) in GitLab 17.11 [with a flag](../../../administration/feature_flags.md) named `dependency_paths`. Disabled by default.
+
+{{< /history >}}
+
+{{< alert type="flag" >}}
+
+The availability of this feature is controlled by a feature flag.
+For more information, see the history.
+
+{{< /alert >}}
+
+When managing vulnerabilities found in dependencies in the vulnerability details, under **Location**, you can view:
+
+- The location of the direct dependency where the vulnerability was found.
+- If available, the specific line number where the vulnerability occurs.
+
+If the vulnerability occurs in one or more transitive dependencies, knowing only the direct dependency may not be enough. Transitive dependencies are indirect dependencies that have a direct dependent as an ancestor.
+
+If any transitive dependencies exist, you can view the paths to all dependencies, including the transitive dependencies that contain the vulnerability. 
+
+- On the vulnerability details page, under **Location**, select **View dependency paths**. If **View dependency paths** doesn't appear, then there are no transitive dependencies.