NuGet "project centric detector" should not filter out dependencies
The project-centric detector filters out a large list of dependencies by name.
I think this should not be done because this filters out dependencies which have security advisories filed against them. For example, System.Text.RegularExpressions is filtered out, but has a High severity alert against it (https://github.com/advisories/GHSA-cmhx-cq75-c4mj) which is detected by dotnet list --vulnerable.
Yes, we currently do that because those dependencies are bundled by the dotnet SDK or runtime itself, instead of being directly defined by your project. For alert generation, that caused a lot of false positives where people were being asked to upgrade dependencies they didn't have in their project.
However, now that Component Detection is used for SBOM generation this filtering should likely be done at a different (later) stage.
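
The trade-off discussed in this thread, as an added example that is not part of the original issue and is not Component Detection's own code: dropping bundled packages by name at detection time loses them for every consumer, while tagging them lets the SBOM stay complete and moves the suppression decision to the alerting stage. The bundled-name list, component fields, package versions and alert policy are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical excerpt of a "bundled with the SDK/runtime" name list.
FRAMEWORK_BUNDLED = {"System.Text.RegularExpressions", "System.Runtime"}

# Constructed advisory feed: package name -> advisory ID (version ranges omitted).
ADVISORIES = {"System.Text.RegularExpressions": "GHSA-cmhx-cq75-c4mj"}

# Constructed resolved graph: (name, version, declared directly in the project).
RESOLVED = [
    ("Newtonsoft.Json", "13.0.1", True),
    ("System.Text.RegularExpressions", "4.3.0", True),
    ("System.Runtime", "4.3.0", False),
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    direct: bool
    framework_bundled: bool = False


def detect_filtering(resolved):
    """Behaviour described in the thread: drop bundled names outright."""
    return [Component(n, v, d) for n, v, d in resolved
            if n not in FRAMEWORK_BUNDLED]


def detect_tagging(resolved):
    """Alternative: keep every component and record the bundled flag."""
    return [Component(n, v, d, n in FRAMEWORK_BUNDLED) for n, v, d in resolved]


def sbom_view(components):
    """SBOM consumers get the complete inventory that detection produced."""
    return sorted(c.name for c in components)


def alert_view(components):
    """Assumed alert policy: report advisory matches, but suppress bundled
    packages that the project does not reference directly."""
    return [(c.name, ADVISORIES[c.name]) for c in components
            if c.name in ADVISORIES and (c.direct or not c.framework_bundled)]
```

With the constructed input, the filtering detector yields an SBOM of one package and no alerts, while the tagging detector yields all three packages and one alert for the directly referenced System.Text.RegularExpressions.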