As I erroneously assumed that would always be the target we're interested in traversing. That was wrong. Since we're always publishing to a specific runtime we can assume that a runtime identifier is also present, since:
There will always at least one target in the [appname].deps.json file: the platform neutral list of runtime and compilation dependencies. In cases of a platform specific application there would be two targets: a compilation target, and a runtime target.
Our logic had a bug that it would take the first target in
project.deps.json
that had adependencies
group:https://github.com/snyk/snyk-nuget-plugin/blob/675b208d373d7c7dce2f214929043e641c93b52d/lib/nuget-parser/runtime-assembly.ts#L46-L50
As I erroneously assumed that would always be the target we're interested in traversing. That was wrong. Since we're always publishing to a specific runtime we can assume that a runtime identifier is also present, since:
So we've updated the logic to look for this instead. New test added, all existing tests passing.