snyk / snyk-nuget-plugin

Basic Snyk CLI plugin for .NET support.

fix: [OSM-887] Fix runtime assembly collection bug #199

Closed dotkas closed 9 months ago

dotkas commented 9 months ago

Our logic had a bug where it would take the first target in project.deps.json that had a dependencies group:

https://github.com/snyk/snyk-nuget-plugin/blob/675b208d373d7c7dce2f214929043e641c93b52d/lib/nuget-parser/runtime-assembly.ts#L46-L50

As I erroneously assumed that would always be the target we're interested in traversing. That was wrong. Since we're always publishing to a specific runtime we can assume that a runtime identifier is also present, since:

There will always be at least one target in the [appname].deps.json file: the platform neutral list of runtime and compilation dependencies. In cases of a platform specific application there would be two targets: a compilation target, and a runtime target.

So we've updated the logic to look for this instead. New test added, all existing tests passing.
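The two target-selection rules discussed above, side by side on a constructed deps.json. This is an added illustration, not the plugin's code or part of the PR; the function names, the sample package names and the "exactly one runtime-specific target" check are assumptions.

```typescript
// Only the parts of [appname].deps.json that matter for target selection.
interface TargetLibrary { dependencies?: Record<string, string>; }
type Target = Record<string, TargetLibrary>;
interface DepsJson { targets: Record<string, Target>; }

// Constructed sample: a platform-neutral target first, then a runtime-specific
// one whose key carries a runtime identifier ("<framework>/<rid>").
const sampleDeps: DepsJson = {
  targets: {
    '.NETCoreApp,Version=v6.0': {
      'app/1.0.0': { dependencies: { 'Example.Lib': '1.0.0' } },
      'Example.Lib/1.0.0': {},
    },
    '.NETCoreApp,Version=v6.0/osx-arm64': {
      'app/1.0.0': { dependencies: { 'Example.Lib': '1.0.0', 'Example.Runtime.osx-arm64': '6.0.0' } },
      'Example.Lib/1.0.0': {},
      'Example.Runtime.osx-arm64/6.0.0': {},
    },
  },
};

// Old rule: the first target that contains any library with a dependencies group.
function firstTargetWithDependencies(deps: DepsJson): string | undefined {
  return Object.keys(deps.targets).filter((name) => {
    const libs = deps.targets[name];
    return Object.keys(libs).some((lib) => libs[lib].dependencies !== undefined);
  })[0];
}

// New rule: the target whose key ends in "/<rid>". Anything other than exactly
// one match is reported instead of silently traversing the wrong graph.
function runtimeSpecificTarget(deps: DepsJson): string {
  const candidates = Object.keys(deps.targets).filter((name) => {
    const slash = name.lastIndexOf('/');
    return slash > 0 && slash < name.length - 1;
  });
  if (candidates.length !== 1) {
    throw new Error(`expected one runtime-specific target, found ${candidates.length}`);
  }
  return candidates[0];
}
```

On the sample, the first rule lands on the platform-neutral target and never sees the runtime-only package, while the second selects the `osx-arm64` target.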

snyksec commented 9 months ago

:tada: This PR is included in version 2.3.3 :tada:

The release is available on:

Your semantic-release bot :package::rocket: