| Field | Value | Date |
|---|---|---|
| author | Mark Florian <mflorian@gitlab.com> | 2019-07-25 12:20:42 +0100 |
| committer | Mark Florian <mflorian@gitlab.com> | 2019-08-14 16:42:22 +0100 |
| commit | 3eea0c0fe0ffbdc3821ab202d65bf7a9146acf30 (patch) | |
| tree | 772312650bd6ce364426d3a1c6156d8840bc8f22 | |
| parent | d1e80af6035d6f726cb75dde00b6a6bde256b5a3 (diff) | |
Update/expand docs for the Dependency List
These changes align the docs with the features introduced in [1].
See also the [issue tracking the documentation changes][2].
[1]: https://gitlab.com/gitlab-org/gitlab-ee/issues/10077
[2]: https://gitlab.com/gitlab-org/gitlab-ee/issues/12986
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/README.md | 1 |
| -rw-r--r-- | doc/user/application_security/dependency_list/index.md | 47 |
| -rw-r--r-- | doc/user/application_security/dependency_scanning/index.md | 11 |
| -rw-r--r-- | doc/user/application_security/index.md | 1 |
| -rw-r--r-- | doc/user/project/index.md | 1 |

5 files changed, 53 insertions, 8 deletions
diff --git a/doc/README.md b/doc/README.md index c60e4eb177d..8ce5d2e240a 100644 --- a/doc/README.md +++ b/doc/README.md @@ -354,6 +354,7 @@ The following documentation relates to the DevOps **Secure** stage: | Secure Topics | Description | |:------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------| | [Container Scanning](user/application_security/container_scanning/index.md) **(ULTIMATE)** | Use Clair to scan docker images for known vulnerabilities. | +| [Dependency List](user/application_security/dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. | | [Dependency Scanning](user/application_security/dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. | | [Dynamic Application Security Testing (DAST)](user/application_security/dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. | | [Group Security Dashboard](user/application_security/security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all the projects in a group and its subgroups. | diff --git a/doc/user/application_security/dependency_list/index.md b/doc/user/application_security/dependency_list/index.md new file mode 100644 index 00000000000..cfff5358b59 --- /dev/null +++ b/doc/user/application_security/dependency_list/index.md 
@@ -0,0 +1,47 @@ +# GitLab Dependency List **(ULTIMATE)** + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/10075) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0. + +The Dependency list allows you to see your project's dependencies, and key +details about them, including their known vulnerabilities. To see it, +navigate to **Security & Compliance > Dependency List** in your project's +sidebar. + +## Requirements + +1. The [Dependency Scanning](../dependency_scanning/index.md) CI job must be + configured for your project. +1. Your project uses at least one of the + [languages and package managers](../dependency_scanning/index.md#supported-languages-and-package-managers) + supported by Gemnasium. + +## Viewing dependencies + +Dependencies are displayed with the following information: + +| Field | Description | +| --------- | ----------- | +| Status | Displays the number of known vulnerabilities, if any | +| Component | The dependency's name | +| Version | The exact locked version of the dependency your project uses | +| Packager | The packager used to install the depedency | +| Location | A link to the packager-specific lockfile in your project that declared the dependency | + +Dependencies shown are initially sorted by their names. They can also be sorted +by the packager they were installed by, or by the severity of their known +vulnerabilities. + +There is a second list under the `Vulnerable components` tab displaying only +those dependencies with known vulnerabilities. If there are none, this tab is +disabled. + +### Vulnerabilities + +If a dependency has known vulnerabilities, they can be viewed by clicking on the +`Status` cell of that dependency. The severity and description of each +vulnerability will then be displayed below it. + +## Downloading the Dependency List + +Your project's full list of dependencies and their details can be downloaded in +`JSON` format by clicking on the download button. 
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 10b4d9d4c7c..01f09bde6c6 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -329,14 +329,9 @@ For more information about the vulnerabilities database update, check the ## Dependency List -> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/10075) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0. - -An additional benefit of Dependency Scanning is the ability to get a list of your -project's dependencies with their versions. This list can be generated only for -[languages and package managers](#supported-languages-and-package-managers) -supported by Gemnasium. - -To see the generated dependency list, navigate to your project's **Security & Compliance > Dependency List**. +An additional benefit of Dependency Scanning is the ability to view your +project's dependencies and their known vulnerabilities. Read more about +the [Dependency List](../dependency_list/index.md). ## Versioning and release process diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md index 4dcb416c110..013d2c6c89d 100644 --- a/doc/user/application_security/index.md +++ b/doc/user/application_security/index.md 
@@ -30,6 +30,7 @@ GitLab can scan and report any vulnerabilities found in your project. | [License Management](license_management/index.md) **(ULTIMATE)** | Search your project's dependencies for their licenses. | | [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. | | [Static Application Security Testing (SAST)](sast/index.md) **(ULTIMATE)** | Analyze source code for known vulnerabilities. | +| [Dependency List](dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. | ## Maintenance and update of the vulnerabilities database diff --git a/doc/user/project/index.md b/doc/user/project/index.md index 45e96437517..30ff0e9ff07 100644 --- a/doc/user/project/index.md +++ b/doc/user/project/index.md @@ -99,6 +99,7 @@ When you create a project in GitLab, you'll have access to a large number of - [NPM packages](packages/npm_registry.md): your private NPM package registry in GitLab. **(PREMIUM)** - [Code owners](code_owners.md): specify code owners for certain files **(STARTER)** - [License Management](../application_security/license_management/index.md): approve and blacklist licenses for projects. **(ULTIMATE)** +- [Dependency List](../application_security/dependency_list/index.md): view project dependencies. **(ULTIMATE)** ### Project integrations |
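Review bot: the new `doc/user/application_security/dependency_list/index.md` has a typo in the Packager row of the field table: `| Packager | The packager used to install the depedency |` should read `dependency`. The same file also switches between "Dependency list" (opening paragraph) and "Dependency List" (title, sidebar path, section headings and every other file in this change); use the capitalised feature name consistently.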
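Review bot: in `doc/user/application_security/index.md` the added `| [Dependency List](dependency_list/index.md) **(ULTIMATE)** | ... |` row is appended after the SAST row, breaking the alphabetical order of that table, while the matching row in `doc/README.md` is inserted alphabetically between Container Scanning and Dependency Scanning. Move the row up so the two tables are ordered the same way.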
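Review bot: in `doc/user/project/index.md` the new bullet describes the feature only as `view project dependencies.`, dropping the vulnerability information that the other tables in this change mention ("View your project's dependencies and their known vulnerabilities."). Aligning the wording keeps the feature's security purpose visible in the project overview as well.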