Sync Fork with Upstream

README.md

@@ -2,7 +2,7 @@
 
 This GitHub Action runs the [microsoft/component-detection](https://github.com/microsoft/component-detection) library to automate dependency extraction at build time. It uses a combination of static and dynamic scanning to build a dependency tree and then uploads that to GitHub's dependency graph via the dependency submission API. This gives you more accurate Dependabot alerts, and support for a bunch of additional ecosystems.
 
-### Example workflow
+### Example workflows
 
 ```yaml
 
@@ -22,7 +22,34 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Component detection
-        uses: advanced-security/component-detection-dependency-submission-action@v0.0.3
+        uses: advanced-security/component-detection-dependency-submission-action@v0.1.1
+```
+
+Additional `Experimental` and `DefaultOff`  detectors:
+- For a list of experimental and default-off detectors that require explicit enablement, see the [Detectors README](https://github.com/microsoft/component-detection/blob/main/docs/detectors/README.md). See [enable-default-off.md](https://github.com/microsoft/component-detection/blob/main/docs/enable-default-off.md) for more details.
+
+```yaml
+name: Component Detection
+
+on:
+  workflow_dispatch:
+  push:
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  dependency-submission:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Component detection
+        uses: advanced-security/component-detection-dependency-submission-action@v0.1.1
+        with:
+          # Experimental detectors: Poetry, UvLock, NpmLockfile3, Ivy
+          # Default-off detectors: ConanLock, CondaLock, Dockerfile, Pip, SimplePip, Spdx22, SwiftResolved
+          detectorArgs: Poetry=EnableIfDefaultOff,UvLock=EnableIfDefaultOff,NpmLockfile3=EnableIfDefaultOff,Ivy=EnableIfDefaultOff,ConanLock=EnableIfDefaultOff,CondaLock=EnableIfDefaultOff,Dockerfile=EnableIfDefaultOff,Pip=EnableIfDefaultOff,SimplePip=EnableIfDefaultOff,Spdx22=EnableIfDefaultOff,SwiftResolved=EnableIfDefaultOff
 ```
 
 ### Configuration options
@@ -31,7 +58,7 @@ jobs:
 | --- | --- | --- |
 filePath | The path to the directory containing the environment files to upload. Defaults to Actions working directory. | `'.'`
 directoryExclusionList | Filters out specific directories following a minimatch pattern. | `test`
-detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff`
+detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is `Experimental` or `DefaultOff` to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff`
 dockerImagesToScan |Comma separated list of docker image names or hashes to execute container scanning on |  ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab |
 detectorsFilter | A comma separated list with the identifiers of the specific detectors to be used. | `Pip, RustCrateDetector`
 detectorsCategories | A comma separated list with the categories of components that are going to be scanned. The detectors that are going to run are the ones that belongs to the categories. | `NuGet,Npm`

componentDetection.test.ts

@@ -156,6 +156,44 @@ describe("ComponentDetection.processComponentsToManifests", () => {
     expect(manifests[0].indirectDependencies()).toHaveLength(1);
     expect(manifests[0].countDependencies()).toBe(1);
   });
+
+  test("un-escapes URL-encoded locationsFoundAt", () => {
+  const componentsFound = [
+      {
+        component: {
+          name: "test-package",
+          version: "1.0.0",
+          packageUrl: {
+            Scheme: "pkg",
+            Type: "nuget",
+            Name: "test-package",
+            Version: "1.0.0"
+          },
+          id: "test-package 1.0.0 - nuget"
+        },
+        isDevelopmentDependency: false,
+        topLevelReferrers: [], // Empty = direct dependency
+        locationsFoundAt: ["/my%20project/my%20project.csproj"]
+      }
+    ];
+
+    const dependencyGraphs: DependencyGraphs = {
+      "my project/my project.csproj": {
+        graph: { "test-package": null },
+        explicitlyReferencedComponentIds: ["test-package 1.0.0 - nuget"],
+        developmentDependencies: [],
+        dependencies: []
+      }
+    };
+
+    const manifests = ComponentDetection.processComponentsToManifests(componentsFound, dependencyGraphs);
+
+    expect(manifests).toHaveLength(1);
+    expect(manifests[0].name).toBe("my project/my project.csproj");
+    expect(manifests[0].directDependencies()).toHaveLength(1);
+    expect(manifests[0].indirectDependencies()).toHaveLength(0);
+    expect(manifests[0].countDependencies()).toBe(1);
+  });
 });
 
 describe('normalizeDependencyGraphPaths', () => {

componentDetection.ts

@@ -14,7 +14,6 @@ import tar from 'tar'
 import fs from 'fs'
 import * as exec from '@actions/exec';
 import dotenv from 'dotenv'
-import { Context } from '@actions/github/lib/context'
 import { unmockedModulePathPatterns } from './jest.config'
 import path from 'path';
 dotenv.config();
@@ -154,7 +153,9 @@ export default class ComponentDetection {
     packages.forEach((pkg: ComponentDetectionPackage) => {
       pkg.locationsFoundAt.forEach((location: any) => {
         // Use the normalized path (remove leading slash if present)
-        const normalizedLocation = location.startsWith('/') ? location.substring(1) : location;
+        let normalizedLocation = location.startsWith('/') ? location.substring(1) : location;
+        // Unescape the path, as upstream ComponentDetection emits locationsFoundAt in URL-encoded form
+        normalizedLocation = decodeURIComponent(normalizedLocation);
 
         if (!manifests.find((manifest: Manifest) => manifest.name == normalizedLocation)) {
           const manifest = new Manifest(normalizedLocation, normalizedLocation);