Description
Describe the bug
This component does not understand NuGet centralised package management.
To Reproduce
Steps to reproduce the behavior:
Create a dot net solution, let's say a command line tool.
In the solution folder, add a file called Directory.Packages.props, containing this
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="coverlet.collector" Version="6.0.4" />
  </ItemGroup>
  <ItemGroup>
    <GlobalPackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.556">
      <PrivateAssets>all</PrivateAssets>
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
    </GlobalPackageReference>
  </ItemGroup>
</Project>
The coverlet.collector line is an example where it is declaring the version to be used for that package (you would do this for all the packages being referenced). The actual PackageReference tag in the project file would no longer contain the Version part.
When dependency-review-action reports on the addition of a PackageReference to coverlet.collector to one of the projects, it says Version >=0 (which is incorrect)
Also note the GlobalPackageReference entry in this example, which is a slightly different thing: it effectively adds that package reference to every project in the solution (without needing any change to the project files). This is actually being missed by this tool: even though it is adding a package reference, it is not being reported.
Expected behavior
Changes to the version numbers within this file are relevant to this tool, and should be considered/reported.
Adding a GlobalPackageReference is relevant to this tool, and should be considered/reported.
Action version
v4
Examples
Sorry, not public.
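To make the expected behaviour concrete, here is an added example (not code from dependency-review-action or from the issue author) of how a scanner would resolve NuGet references under central package management. It reads a Directory.Packages.props, fills in the missing Version of each PackageReference from the PackageVersion entries, treats every GlobalPackageReference as a dependency of every project, and diffs the central versions between two revisions of the props file. The sample props and csproj are constructed; the handling of VersionOverride (CPM's per-project override attribute), the lower-casing of package IDs and the ">=0"-style "unresolved" marker are this example's own choices.

```python
"""Resolve NuGet package versions under central package management (CPM).

Added example, not dependency-review-action's code. It models the behaviour
the issue asks for: a PackageReference without a Version is looked up in
Directory.Packages.props, and every GlobalPackageReference counts as a
dependency of every project. All sample inputs below are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed Directory.Packages.props, modelled on the one in the issue.
DIRECTORY_PACKAGES_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="coverlet.collector" Version="6.0.4" />
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
  <ItemGroup>
    <GlobalPackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.556" />
  </ItemGroup>
</Project>"""

# Constructed project file: under CPM the PackageReference carries no Version.
# VersionOverride is CPM's per-project escape hatch and wins over the central pin.
TOOL_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="coverlet.collector" />
    <PackageReference Include="Newtonsoft.Json" VersionOverride="12.0.1" />
  </ItemGroup>
</Project>"""


@dataclass(frozen=True)
class Dependency:
    project: str
    package: str               # NuGet IDs are case-insensitive; stored lower-cased
    version: Optional[str]     # None: the scanner could not determine a version
    source: str                # where the version came from, for the report


def parse_central_props(xml_text: str):
    """Return (cpm_enabled, {package: version}, {global package: version})."""
    root = ET.fromstring(xml_text)
    flag = (root.findtext(".//ManagePackageVersionsCentrally") or "").strip().lower()
    central = {e.get("Include").lower(): e.get("Version") for e in root.iter("PackageVersion")}
    globals_ = {e.get("Include").lower(): e.get("Version") for e in root.iter("GlobalPackageReference")}
    return flag == "true", central, globals_


def resolve_project(project: str, csproj_xml: str, props_xml: str) -> list:
    """Resolve every package the project ends up referencing, with its version."""
    cpm, central, globals_ = parse_central_props(props_xml)
    deps = []
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        pkg = ref.get("Include").lower()
        # Classic (non-CPM) reference: Version attribute or <Version> child element.
        version = ref.get("Version") or ref.findtext("Version")
        source = "project"
        if version is None and cpm:
            if ref.get("VersionOverride") is not None:
                version, source = ref.get("VersionOverride"), "VersionOverride"
            elif pkg in central:
                version, source = central[pkg], "Directory.Packages.props"
        deps.append(Dependency(project, pkg, version, source if version else "unresolved"))
    # A GlobalPackageReference applies to every project without touching its csproj,
    # so it must be reported as a dependency even though no project file changed.
    for pkg, version in globals_.items():
        deps.append(Dependency(project, pkg, version, "GlobalPackageReference"))
    return deps


def diff_versions(base_props: str, head_props: str) -> dict:
    """Central version changes between two revisions of Directory.Packages.props.

    Maps package -> (old_version, new_version); None marks an added or removed pin.
    """
    _, base_c, base_g = parse_central_props(base_props)
    _, head_c, head_g = parse_central_props(head_props)
    base = {**base_c, **base_g}
    head = {**head_c, **head_g}
    return {p: (base.get(p), head.get(p))
            for p in base.keys() | head.keys() if base.get(p) != head.get(p)}


if __name__ == "__main__":
    for dep in resolve_project("tool", TOOL_CSPROJ, DIRECTORY_PACKAGES_PROPS):
        print(f"{dep.project}: {dep.package} {dep.version} ({dep.source})")
    bumped = DIRECTORY_PACKAGES_PROPS.replace("6.0.4", "6.0.5")
    print(diff_versions(DIRECTORY_PACKAGES_PROPS, bumped))
```

Run against the constructed inputs, coverlet.collector resolves to 6.0.4 from the props file rather than an unbounded ">=0", Newtonsoft.Json takes its VersionOverride, and StyleCop.Analyzers appears as a dependency although the csproj never names it. A scanner that only diffs project files would miss both the version bump reported by diff_versions and the global reference.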