Description
What would you like to be added:
I run the SBOM scanning using grype. It generated the vulnerability JSON. However, it doesn't contain the location of the package installed. It is only present in the SBOMs.
If the package location can be added, then I don't have to go through where the package is coming from.
Why is this needed:
In order to resolve the vulnerability, I open the JSON, find the package affected and search the purl in the SBOMs to find where it is installed. Is there a way I can avoid that manual step?
For container SBOMs, anyone can find the package manager's location and find the version that is installed. But for file system SBOMs it is difficult to find where the package is installed. Currently, I have to go back to the SBOMs to manually find the purls, and then the location field from the original SBOM provides the location.
Additional context:
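The manual step described in the request (look up each affected package's purl in the SBOM to find its file locations) can be scripted as a join between the two documents. The following is an added example, not grype's or syft's own code. It assumes the field names of grype's JSON report (`matches[].vulnerability.id`, `matches[].artifact.purl`) and of syft's JSON SBOM (`artifacts[].purl`, `artifacts[].locations[].path`); both inputs are constructed inline, and the CVE identifiers are placeholders. A match whose purl does not appear in the SBOM is kept with an empty path list rather than dropped, so the unresolved cases stay visible.

```python
import json
from collections import defaultdict

# Constructed sample grype report (assumed field layout). The third match uses a purl
# that is deliberately absent from the SBOM below. CVE ids are placeholders.
GRYPE_JSON = """
{
  "matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
     "artifact": {"name": "libexample", "version": "1.2.3",
                  "purl": "pkg:deb/debian/libexample@1.2.3?arch=amd64"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
     "artifact": {"name": "leftpad", "version": "0.1.0",
                  "purl": "pkg:npm/leftpad@0.1.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"},
     "artifact": {"name": "ghost", "version": "9.9.9",
                  "purl": "pkg:pypi/ghost@9.9.9"}}
  ]
}
"""

# Constructed sample syft SBOM (assumed field layout): each artifact carries its purl
# and the file paths it was discovered at.
SBOM_JSON = """
{
  "artifacts": [
    {"name": "libexample", "version": "1.2.3",
     "purl": "pkg:deb/debian/libexample@1.2.3?arch=amd64",
     "locations": [{"path": "/var/lib/dpkg/status"}]},
    {"name": "leftpad", "version": "0.1.0",
     "purl": "pkg:npm/leftpad@0.1.0",
     "locations": [{"path": "/srv/app/node_modules/leftpad/package.json"},
                   {"path": "/srv/app/package-lock.json"}]}
  ]
}
"""


def index_sbom_locations(sbom):
    """Map each purl in the SBOM to the sorted list of paths it was found at."""
    index = defaultdict(set)
    for artifact in sbom.get("artifacts", []):
        purl = artifact.get("purl")
        if not purl:
            continue  # nothing to join on
        for loc in artifact.get("locations", []):
            path = loc.get("path")
            if path:
                index[purl].add(path)
    return {purl: sorted(paths) for purl, paths in index.items()}


def annotate_matches(grype_report, sbom):
    """Return one record per grype match, with file locations looked up from the SBOM by purl.

    Matches whose purl is not in the SBOM get an empty path list instead of being dropped."""
    locations = index_sbom_locations(sbom)
    rows = []
    for match in grype_report.get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        purl = art.get("purl", "")
        rows.append({
            "vulnerability": vuln.get("id"),
            "severity": vuln.get("severity"),
            "package": f"{art.get('name')}@{art.get('version')}",
            "purl": purl,
            "paths": locations.get(purl, []),
        })
    return rows


def unresolved(rows):
    """Matches that could not be tied to any file in the SBOM (need manual follow-up)."""
    return [r for r in rows if not r["paths"]]


def annotate_sample():
    """Run the join over the constructed inputs above."""
    return annotate_matches(json.loads(GRYPE_JSON), json.loads(SBOM_JSON))


if __name__ == "__main__":
    for r in annotate_sample():
        print(r["vulnerability"], r["package"], "->",
              ", ".join(r["paths"]) or "(purl not found in SBOM)")
```

In practice the two documents would be loaded from the files written by grype's and syft's JSON output modes instead of the inline strings; the join itself does not change.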