New DotNet detector breaking the snapshot submission

[amilochau]

Starting this morning, the advanced-security/component-detection-dependency-submission-action/v0.0.5 action does not work anymore with .NET projects.

In our GitHub Actions workflows, we now have this error:

[08:22:37 INF] Scan Manifest file: /home/runner/work/xxx/xxx/output.json
Getting manifests from results
Notice: Submitting snapshot...

/home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.5/componentDetection.ts:124
    var packageUrl = `${packageUrlJson.Scheme}:${packageUrlJson.Type}/`;
^
TypeError: Cannot read properties of null (reading 'Scheme')
    at Function.makePackageUrl (/home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.5/componentDetection.ts:124:1)
    at Function.<anonymous> (/home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.5/componentDetection.ts:78:1)
    at Generator.next (<anonymous>)
    at /home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.5/dist/index.js:36101:71
    at new Promise (<anonymous>)
    at __webpack_modules__.3202.__awaiter (/home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.5/dist/index.js:360[97](https://github.com/shift-technology/github-management/actions/runs/14750037463/job/41405149194#step:8:98):12)
    at /home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.5/componentDetection.ts:77:1
    at Array.forEach (<anonymous>)
    at Function.<anonymous> (/home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.5/componentDetection.ts:77:1)
    at Generator.next (<anonymous>)

When we look at the output.json file used by the Action, the components detected with the new DotNet detector ("type": "DotNet") have "packageUrl": null - which causes the exception:

{
  "dependencyGraphs": { /// },
  "componentsFound": [
    {
      "locationsFoundAt": [
        "/src/xxx/xxx/obj/Release/net9.0/WorkerExtensions/WorkerExtensions.csproj"
      ],
      "component": {
        "sdkVersion": "9.0.203",
        "targetFramework": "net8.0",
        "projectType": "library",
        "type": "DotNet",
        "id": "9.0.203 net8.0 library - DotNet",
        "packageUrl": null
      },
      "detectorId": "DotNet",
      "isDevelopmentDependency": null,
      "dependencyScope": null,
      "topLevelReferrers": [],
      "ancestralReferrers": [],
      "containerDetailIds": [],
      "containerLayerIds": {},
      "targetFrameworks": []
    },
    ///
  },
  ///

This error may be caused by the latest releases of microsoft/component-detection.

[baltie]

We experience the same. We worked around it by setting the detectorsFilter parameter to NuGetProjectCentric. Not something we actually want to do, but it will carry us over until this has been fixed.

      - name: Submit dependencies
        uses: advanced-security/component-detection-dependency-submission-action@v0.0.5
        with:
          detectorsFilter: NuGetProjectCentric

[felickz]

Hey there! please test out the latest pre-release of this action v0.0.6

• merges in this fix: Improve missing package URL handling #109

uses: advanced-security/component-detection-dependency-submission-action@v0.0.6

[amilochau]

That works well: I don't have the issue anymore.
Thanks for the fix!