When using this action (or more specifically, microsoft/component-detection), the generated manifests have a location that mismatches the GitHub auto-detection. This causes duplicate entries in the GitHub dependency graph. For example, please see this screenshot:

Note how this screenshot shows a discrepancy between the two paths for the same artifact - the one found by this action has a leading `/` character while the one auto-detected by GitHub does not, and therefore GitHub continues to think I have 2 different manifests. I used microsoft/component-detection to confirm the JSON details:

I believe that these lines of code in this repository could be touched to remove the leading `/` from every `locationsFoundAt` value: https://github.com/advanced-security/component-detection-dependency-submission-action/blob/7303e5e5224cd9ba2531856cb340a27e94c34a9a/componentDetection.ts#L80-L81

While microsoft/component-detection is the software that's producing the initial manifest, I believe this repository is bridging the gap between general dependency manifest generation and specific uploading to GitHub. I believe either this repository should handle this discrepancy, or GitHub's dependency submission API should (but I wouldn't know where to submit such a request).
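One way to normalize the reported locations before they are submitted, as an added example that is not the action's own code: the input shape and the sample component values are constructed to mirror the `locationsFoundAt` field described above, and the `./` handling is an assumption beyond what the issue reports.

```typescript
// Added example (not the action's code): normalize component-detection
// manifest locations to the repo-relative form GitHub auto-detection uses,
// so "/package.json" and "package.json" no longer count as two manifests.

// Constructed approximation of one component-detection result entry.
interface DetectedComponent {
  id: string;                 // constructed sample id, e.g. "lodash 4.17.21 - npm"
  locationsFoundAt: string[]; // manifest paths as reported by the scanner
}

/** Strip a leading "/" (and, as an assumption, a leading "./") so that the
 *  scanner's path and GitHub's auto-detected path compare equal. */
function normalizeLocation(location: string): string {
  let p = location;
  while (p.startsWith("./")) p = p.slice(2);
  while (p.startsWith("/")) p = p.slice(1);
  return p;
}

/** Group component ids by normalized manifest path. Entries that differ only
 *  by the leading "/" collapse into a single manifest, which is the
 *  deduplication the issue asks for. Returns path -> sorted unique ids. */
function groupByManifest(components: DetectedComponent[]): Map<string, string[]> {
  const byPath = new Map<string, Set<string>>();
  for (const c of components) {
    for (const loc of c.locationsFoundAt) {
      const key = normalizeLocation(loc);
      if (!byPath.has(key)) byPath.set(key, new Set<string>());
      byPath.get(key)!.add(c.id);
    }
  }
  const out = new Map<string, string[]>();
  const sortedPaths = [...byPath.keys()].sort((a, b) => a.localeCompare(b));
  for (const path of sortedPaths) {
    out.set(path, [...byPath.get(path)!].sort());
  }
  return out;
}

// Constructed sample: the same manifest reported with and without a leading "/".
const sampleComponents: DetectedComponent[] = [
  { id: "lodash 4.17.21 - npm", locationsFoundAt: ["/package.json"] },
  { id: "express 4.18.2 - npm", locationsFoundAt: ["package.json", "/src/package.json"] },
  { id: "requests 2.31.0 - pip", locationsFoundAt: ["./requirements.txt"] },
];

const grouped = groupByManifest(sampleComponents); // 3 manifests, not 4
```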