
Microsoft.Sbom.Targets lists generated package twice in SBOM #1425

@Malcolmnixon

Description


When using Microsoft.Sbom.Targets 4.1.5 to generate an SBOM for even a simple csproj file, the package is listed as both the "RootPackage" and a second time under a different package SPDXID as its own dependency. Additionally the "RootPackage" version has a whacky PURL package reference locator - presumably due to the artificial package-collision.

Expected Behavior

The SBOM for a single package should contain that package only once as the RootPackage.

Steps to Reproduce

  1. Place the following files (Test.cs and TestProject.csproj) in a folder
  2. Run dotnet pack in that folder
  3. Unzip the corresponding nuget package and view the manifest.spdx.json
  4. Observe two packages named "TestProject" with different SPDXIDs and a DEPENDS_ON relationship between them

Test.cs:

namespace TestProject;

static class Test
{
    public static int Add(int a, int b) => a + b;
}

TestProject.csproj:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>

    <!-- NuGet Package Configuration -->
    <PackageId>TestProject</PackageId>
    <Version>0.0.0</Version>
    <Authors>Test Author</Authors>
    <Company>Test Company</Company>
    <Description>Test Project</Description>

    <!-- Symbol Package Configuration -->
    <IncludeSymbols>true</IncludeSymbols>
    <SymbolPackageFormat>snupkg</SymbolPackageFormat>

    <!-- SBOM Configuration -->
    <GenerateSBOM>true</GenerateSBOM>
    <SBOMPackageName>$(PackageId)</SBOMPackageName>
    <SBOMPackageVersion>$(Version)</SBOMPackageVersion>
    <SBOMPackageSupplier>Organization: $(Company)</SBOMPackageSupplier>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.Sbom.Targets" Version="4.1.5" PrivateAssets="All" />
  </ItemGroup>

</Project>
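A check for the symptom this report describes, written here as an added example; it is not part of the issue, of Microsoft.Sbom.Targets, or of the sbom-tool project. It parses an SPDX 2.2 JSON manifest (such as the manifest.spdx.json unzipped from the package in step 3), groups packages by name and version, and reports any name/version that appears under more than one SPDXID as well as any DEPENDS_ON edge whose two ends are the same name/version. The embedded manifest is constructed to mimic the described duplication (two "TestProject" 0.0.0 entries and a DEPENDS_ON between them); the SPDXIDs ending in PLACEHOLDER are invented and do not reproduce the real tool's identifiers or the PURL the report mentions.

```python
import json
from collections import defaultdict

# Constructed sample manifest (NOT real Microsoft.Sbom.Targets output). It mimics
# the reported symptom: the same package under two SPDXIDs, linked by DEPENDS_ON.
# The SPDXIDs marked PLACEHOLDER are invented for this example.
SAMPLE_MANIFEST = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "TestProject 0.0.0",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"name": "TestProject", "SPDXID": "SPDXRef-RootPackage",
         "versionInfo": "0.0.0", "supplier": "Organization: Test Company"},
        {"name": "TestProject", "SPDXID": "SPDXRef-Package-DUPLICATE-PLACEHOLDER",
         "versionInfo": "0.0.0", "supplier": "Organization: Test Company"},
        {"name": "Microsoft.Sbom.Targets", "SPDXID": "SPDXRef-Package-TARGETS-PLACEHOLDER",
         "versionInfo": "4.1.5"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-RootPackage",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-RootPackage",
         "relatedSpdxElement": "SPDXRef-Package-DUPLICATE-PLACEHOLDER",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-RootPackage",
         "relatedSpdxElement": "SPDXRef-Package-TARGETS-PLACEHOLDER",
         "relationshipType": "DEPENDS_ON"},
    ],
})


def find_duplicate_packages(doc):
    """Map (name, version) -> list of SPDXIDs for every name/version listed more than once."""
    groups = defaultdict(list)
    for pkg in doc.get("packages", []):
        groups[(pkg.get("name"), pkg.get("versionInfo"))].append(pkg["SPDXID"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def find_self_dependencies(doc):
    """List DEPENDS_ON edges whose source and target are the same name/version."""
    by_id = {p["SPDXID"]: (p.get("name"), p.get("versionInfo")) for p in doc.get("packages", [])}
    hits = []
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") != "DEPENDS_ON":
            continue
        src, dst = rel.get("spdxElementId"), rel.get("relatedSpdxElement")
        if src in by_id and dst in by_id and by_id[src] == by_id[dst]:
            hits.append((src, dst))
    return hits


def check_manifest(text):
    """Parse an SPDX JSON document and return both findings; empty values mean the manifest is clean."""
    doc = json.loads(text)
    return {
        "duplicates": find_duplicate_packages(doc),
        "self_dependencies": find_self_dependencies(doc),
    }


def without_package(text, spdx_id):
    """Return the manifest with one package and every relationship touching it removed.

    Used here only to show what a clean manifest looks like to the checks above."""
    doc = json.loads(text)
    doc["packages"] = [p for p in doc["packages"] if p["SPDXID"] != spdx_id]
    doc["relationships"] = [
        r for r in doc["relationships"]
        if spdx_id not in (r.get("spdxElementId"), r.get("relatedSpdxElement"))
    ]
    return json.dumps(doc)


if __name__ == "__main__":
    import sys
    # Pass a path to a real manifest.spdx.json, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    result = check_manifest(text)
    for (name, version), ids in result["duplicates"].items():
        print(f"duplicate package {name} {version}: {', '.join(ids)}")
    for src, dst in result["self_dependencies"]:
        print(f"self-dependency: {src} DEPENDS_ON {dst}")
    if not result["duplicates"] and not result["self_dependencies"]:
        print("no duplicate packages or self-dependencies found")
```

Run it against the extracted manifest to confirm the duplicate before and after a fix; it reports nothing on a manifest where the root package appears exactly once. The self-dependency check is deliberately keyed on name and version rather than on SPDXID, because the report's point is that the two entries carry different SPDXIDs while describing the same package.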
