microsoft / component-detection

Scans your project to determine what components you use
MIT License

Component paths being duplicated and containing "/.." in detected components #824

Open linwen-h opened 1 year ago

linwen-h commented 1 year ago

We noticed in some pipelines running CG that the Component Detection task was sending us weird paths for components that contained /../../.. either at the start of the path or in the middle, when the paths did not actually contain the "/.." in the repositories.

These paths were also duplicates of other paths detected for the component, with the only difference being the additional "/.." in the path.

For example:

--- Component: ---
github.com/ghodss/yaml v1.0.0 - Go
--- Found at: ---
/s/src/1/2/3
/../../../../someotherpath
/../../../../s/src/1/2/3
/someotherpath

AB#2109910
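
As an added illustration (not code from component-detection or from the reporter), the following Python shows how a consumer of the scan output could collapse the "Found at" list above into its unique real paths, and separately flag the "/.." entries, including the mid-path case the report mentions, so they can be reviewed rather than silently merged. The sample list is constructed from the issue's example.

```python
import posixpath

# Constructed sample modelled on the "Found at" list in the issue (not real scanner output).
FOUND_AT = [
    "/s/src/1/2/3",
    "/../../../../someotherpath",
    "/../../../../s/src/1/2/3",
    "/someotherpath",
]


def escapes_root(path):
    """True if resolving the '..' segments would climb above the root of the path.

    posixpath.normpath silently drops '..' segments above '/', so this walks the
    segments with a depth counter to catch both leading and mid-path escapes.
    """
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                return True
            depth -= 1
        else:
            depth += 1
    return False


def normalize_component_paths(paths):
    """Return (unique_paths, suspicious_paths).

    unique_paths: normalized paths with duplicates removed, first-seen order kept.
    suspicious_paths: raw inputs that tried to traverse above the root, i.e. the
    duplicated '/..' forms described in the issue.
    """
    seen = set()
    unique = []
    suspicious = []
    for raw in paths:
        if escapes_root(raw):
            suspicious.append(raw)
        norm = posixpath.normpath(raw)
        if norm not in seen:
            seen.add(norm)
            unique.append(norm)
    return unique, suspicious
```

Running `normalize_component_paths(FOUND_AT)` reduces the four reported entries to the two real paths and lists the two "/.." variants separately.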

cobya commented 11 months ago

Pending follow-up from linwen on build which repros this issue.

cobya commented 10 months ago

@linwen-h I was unable to reproduce the issue locally using the repository you mentioned - I was only seeing the non-relative paths (without ../).

I pushed a potential fix to cobya/RelativeDupe if you have a local repro.