actions · github-actions · Aug 15, 2025 · Aug 25, 2025 · Oct 23, 2025 · Oct 24, 2025
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Component detection
-        uses: advanced-security/component-detection-dependency-submission-action@v0.0.3
+        uses: advanced-security/component-detection-dependency-submission-action@v0.1.1
 ```
 
 ### Configuration options

diff --git a/componentDetection.test.ts b/componentDetection.test.ts
@@ -156,6 +156,44 @@ describe("ComponentDetection.processComponentsToManifests", () => {
     expect(manifests[0].indirectDependencies()).toHaveLength(1);
     expect(manifests[0].countDependencies()).toBe(1);
   });
+
+  test("un-escapes URL-encoded locationsFoundAt", () => {
+  const componentsFound = [
+      {
+        component: {
+          name: "test-package",
+          version: "1.0.0",
+          packageUrl: {
+            Scheme: "pkg",
+            Type: "nuget",
+            Name: "test-package",
+            Version: "1.0.0"
+          },
+          id: "test-package 1.0.0 - nuget"
+        },
+        isDevelopmentDependency: false,
+        topLevelReferrers: [], // Empty = direct dependency
+        locationsFoundAt: ["/my%20project/my%20project.csproj"]
+      }
+    ];
+
+    const dependencyGraphs: DependencyGraphs = {
+      "my project/my project.csproj": {
+        graph: { "test-package": null },
+        explicitlyReferencedComponentIds: ["test-package 1.0.0 - nuget"],
+        developmentDependencies: [],
+        dependencies: []
+      }
+    };
+
+    const manifests = ComponentDetection.processComponentsToManifests(componentsFound, dependencyGraphs);
+
+    expect(manifests).toHaveLength(1);
+    expect(manifests[0].name).toBe("my project/my project.csproj");
+    expect(manifests[0].directDependencies()).toHaveLength(1);
+    expect(manifests[0].indirectDependencies()).toHaveLength(0);
+    expect(manifests[0].countDependencies()).toBe(1);
+  });
 });
 
 describe('normalizeDependencyGraphPaths', () => {

diff --git a/componentDetection.ts b/componentDetection.ts
@@ -154,7 +154,9 @@ export default class ComponentDetection {
     packages.forEach((pkg: ComponentDetectionPackage) => {
       pkg.locationsFoundAt.forEach((location: any) => {
         // Use the normalized path (remove leading slash if present)
-        const normalizedLocation = location.startsWith('/') ? location.substring(1) : location;
+        let normalizedLocation = location.startsWith('/') ? location.substring(1) : location;
+        // Unescape the path, as upstream ComponentDetection emits locationsFoundAt in URL-encoded form
+        normalizedLocation = decodeURIComponent(normalizedLocation);
 
         if (!manifests.find((manifest: Manifest) => manifest.name == normalizedLocation)) {
           const manifest = new Manifest(normalizedLocation, normalizedLocation);