
locationsFoundAt specifies URL-encoded paths

Open lxop opened this issue 3 months ago • 0 comments

As per the title, e.g.:

{
  "dependencyGraphs": {
    "C:\\src\\my project\\my project.csproj": {
      ...
    }
  },
  "componentsFound": [
    {
      "locationsFoundAt": [
        "/my%20project/my%20project.csproj"
      ],
      ...
    }
  ]
}

This behaviour means that paths including spaces are mangled. This affects downstream uses like https://github.com/advanced-security/component-detection-dependency-submission-action - because the paths are different between "dependencyGraphs" and "componentsFound", it fails to link them, and I get a bunch of warnings like

 Warning: No dependency graph entry found for manifest location: my%20project/my%20project.csproj

I have identified where this URL-encoding is being applied, and have a fix that I will push soon.

lxop, Oct 23 '25 22:10
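The mismatch reported above, as an added example that is not part of the original post or of either project's code: a consumer-side check that percent-decodes each `locationsFoundAt` entry once and links it to a `dependencyGraphs` key. The manifest is constructed from the shape quoted in the issue; the function names, the suffix-matching rule and the case-insensitive comparison are assumptions.

```javascript
// Constructed sample, shaped like the output quoted in the issue.
const manifest = {
  dependencyGraphs: {
    "C:\\src\\my project\\my project.csproj": {},
    "C:\\src\\tools\\tools.csproj": {},
  },
  componentsFound: [
    { locationsFoundAt: ["/my%20project/my%20project.csproj"] },
    { locationsFoundAt: ["/tools/tools.csproj", "/gone/gone.csproj"] },
  ],
};

// Decode percent-encoding exactly once. A value that is not valid encoding
// (for example a literal '%' in a file name) is kept as-is instead of throwing.
function decodeLocation(location) {
  try {
    return decodeURIComponent(location);
  } catch {
    return location;
  }
}

// Compare on forward slashes, case-insensitively (assumption: Windows-style paths).
function normalize(p) {
  return p.replace(/\\/g, "/").toLowerCase();
}

// Assumption: a location is the graph key with the source root stripped,
// so a location links to the single key that ends with it.
function linkLocations(m) {
  const keys = Object.keys(m.dependencyGraphs);
  const linked = {};
  const unmatched = [];
  for (const component of m.componentsFound) {
    for (const loc of component.locationsFoundAt) {
      // Force one leading slash so a suffix cannot match part of a directory name.
      const wanted = "/" + normalize(decodeLocation(loc)).replace(/^\/+/, "");
      const hits = keys.filter((k) => normalize(k).endsWith(wanted));
      if (hits.length === 1) linked[loc] = hits[0];
      else unmatched.push(loc); // none or ambiguous: report rather than guess
    }
  }
  return { linked, unmatched };
}

const result = linkLocations(manifest);
console.log(result);
```

Any entry left in `unmatched` is a component whose manifest would be missing from a submitted dependency graph, so it is worth failing the job on rather than only logging.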