[BUG] Vulnerability, License and ScoreCard Info missing for API Dependency Submission

**Describe the bug**

When submitting dependencies via the Dependency Submission API, License and ScoreCard Info is empty.

**To Reproduce**
Steps to reproduce the behavior:

1. Report Dependencies via API. Example Snapshot: https://api.github.com/repos/erlef/mix-dependency-submission/dependency-graph/snapshots/25157313

```json
// ...
          "nimble_parsec": {
            "package_url": "pkg:hex/nimble_parsec@1.4.2?checksum=sha256:4b21398942dda052b403bbe1da991ccd03a053668d147d53fb8c4e0efe09c973&download_url=https:%2F%2Frepo.hex.pm%2Ftarballs%2Fnimble_parsec-1.4.2.tar.gz&vcs_url=https:%2F%2Fgithub.com%2Fdashbitco%2Fnimble_parsec",
            "metadata": {
              "license": "Apache-2.0"
            },
            "relationship": "indirect",
            "scope": "runtime"
          },
// ...
```

As you can see, we provided a `vcs_url` qualifier with the Package URL as well as an SPDX License Expression in `metadata.license`.

2. Run this action

When calling the the dependency graph compare API by hand, we can see:

https://api.github.com/repos/erlef/mix-dependency-submission/dependency-graph/compare/a534dacf276a29a6cf9cb4e989496b0c3c380c1f...81ba5ac7847ad5cd8df6f8d40709b9be4de70f94

```json
// ...
  {
    "change_type": "added",
    "manifest": "mix.exs",
    "ecosystem": "unknown",
    "name": "nimble_parsec",
    "version": "1.4.2",
    "package_url": "pkg:hex/nimble_parsec@1.4.2?checksum=sha256:4b21398942dda052b403bbe1da991ccd03a053668d147d53fb8c4e0efe09c973&download_url=https:%2F%2Frepo.hex.pm%2Ftarballs%2Fnimble_parsec-1.4.2.tar.gz&vcs_url=https:%2F%2Fgithub.com%2Fdashbitco%2Fnimble_parsec",
    "license": null,
    "source_repository_url": null,
    "scope": "runtime",
    "vulnerabilities": [

    ]
  },
// ...
```

**Expected behavior**

GitHub should be able to detect the source repository backing the purl based on the `vcs_url`. Based on that it should be able to defer both the license and also the ScoreCard Score.

It works for neither `hex` and `github` purl types.

**Screenshots**

https://github.com/erlef/mix-dependency-submission/actions/runs/14682945374?pr=118

![Image](https://github.com/user-attachments/assets/c1389620-d94f-4404-971b-478a5d7e7701)

![Image](https://github.com/user-attachments/assets/18c04beb-fbb6-451c-b871-53fda00f166f)

**Action version**

`4.6.0`

**Examples**

* Dependency Submission: https://github.com/erlef/mix-dependency-submission/blob/81ba5ac7847ad5cd8df6f8d40709b9be4de70f94/action.yml
* Dependency Review: https://github.com/erlef/mix-dependency-submission/blob/81ba5ac7847ad5cd8df6f8d40709b9be4de70f94/.github/workflows/pr.yml#L56-L72


**Additional context**

* Snapshot: https://api.github.com/repos/erlef/mix-dependency-submission/dependency-graph/snapshots/25157313
* Compare API: https://api.github.com/repos/erlef/mix-dependency-submission/dependency-graph/compare/a534dacf276a29a6cf9cb4e989496b0c3c380c1f...81ba5ac7847ad5cd8df6f8d40709b9be4de70f94

`vcs_url` and the `license` metadat were introduced in #118. The latest release (`v1.1.0`) does not yet contain the functionality.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[BUG] Vulnerability, License and ScoreCard Info missing for API Dependency Submission #923

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[BUG] Vulnerability, License and ScoreCard Info missing for API Dependency Submission #923

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions