Description
When using this action (or more specifically, `microsoft/component-detection`), the generated manifests have a location that mismatches the GitHub auto-detection. This causes duplicate entries in the GitHub dependency graph. For example, please see this screenshot:
Note how this screenshot shows a discrepancy between the two paths for the same artifact: the one found by this action has a leading `/` character while the one auto-detected by GitHub does not, and therefore GitHub continues to think I have 2 different manifests. I used `microsoft/component-detection` to confirm the JSON details:
I believe that these lines of code in this repository could be touched to remove the leading `/` from every `locationsFoundAt` value:
While `microsoft/component-detection` is the software that's producing the initial manifest, I believe this repository is bridging the gap between general dependency manifest generation and specific uploading to GitHub. I believe either this repository should handle this discrepancy, or GitHub's dependency submission API should (but I wouldn't know where to submit such a request).