Open Bluubb opened 1 week ago
Thank you for the issue and the repro project. My initial guess is there is an issue with how we report the dependencies as the job starts, specifically from file_parser.rb, but more investigation will need to be done.
Is there an existing issue for this?
Package ecosystem
Nuget
Package manager version
No response
Language version
latest C#
Manifest location and content before the Dependabot update
No response
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
When using Central Package Management as mentioned in this link: https://devblogs.microsoft.com/nuget/introducing-central-package-management/
The versions in the Dependency Graph SBOM are set to >=0 instead of the defined version. Because of this, the security alerts are not triggered, since the version information is missing.
Steps to reproduce:
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Smallest manifest that reproduces the issue
DependencyGraph_NoVersion_When_Central_Package_Management.zip
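The resolution gap this report describes can be illustrated with a small script. This is an added example, not Dependabot's code and not the reporter's repro project: with Central Package Management the `.csproj` carries bare `PackageReference` items and the versions live in `Directory.Packages.props` as `PackageVersion` items (or as a `VersionOverride` on the reference). A parser that only reads the `.csproj` therefore sees no version at all, which is the kind of gap that surfaces as an unbounded `>=0` in a dependency graph; a CPM-aware parser resolves the pinned version. Both manifests below are constructed samples, and `unversioned()` is a hypothetical helper for checking your own SBOM input before trusting its alerts.

```python
import xml.etree.ElementTree as ET

# Constructed sample .csproj using Central Package Management: no Version
# attribute on the references, one of them using a VersionOverride.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
    <PackageReference Include="Serilog" />
    <PackageReference Include="Polly" VersionOverride="7.2.3" />
  </ItemGroup>
</Project>"""

# Constructed sample Directory.Packages.props holding the central versions.
PACKAGES_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.1" />
    <PackageVersion Include="Serilog" Version="2.10.0" />
  </ItemGroup>
</Project>"""


def parse_csproj_only(csproj_xml):
    """Naive parser: reads only the .csproj Version attribute.

    Under CPM the references carry no Version, so every entry resolves to
    None. Downstream, a missing version is what an unbounded '>=0' range
    represents, and a vulnerability range can never match it.
    """
    root = ET.fromstring(csproj_xml)
    return {ref.get("Include"): ref.get("Version")
            for ref in root.iter("PackageReference")}


def parse_with_cpm(csproj_xml, props_xml):
    """CPM-aware parser.

    Precedence per reference: an explicit Version (non-CPM projects), then
    VersionOverride, then the PackageVersion entry in Directory.Packages.props.
    Anything still unresolved stays None so the caller can flag it.
    """
    central = {pv.get("Include"): pv.get("Version")
               for pv in ET.fromstring(props_xml).iter("PackageVersion")}
    resolved = {}
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        name = ref.get("Include")
        version = ref.get("Version") or ref.get("VersionOverride") or central.get(name)
        resolved[name] = version
    return resolved


def unversioned(deps):
    """Hypothetical SBOM hygiene check: names that still have no version.

    An empty list means every dependency carries a concrete version that
    security advisories can actually be matched against.
    """
    return sorted(name for name, version in deps.items() if version is None)


if __name__ == "__main__":
    naive = parse_csproj_only(CSPROJ)
    aware = parse_with_cpm(CSPROJ, PACKAGES_PROPS)
    print("csproj only :", naive, "-> unversioned:", unversioned(naive))
    print("CPM-aware   :", aware, "-> unversioned:", unversioned(aware))
```

Running it shows all three packages unversioned for the naive parse and fully pinned (13.0.1, 2.10.0, 7.2.3) for the CPM-aware one; the `unversioned()` check is the cheap guard to run over any generated SBOM before relying on it for alerts.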