Duplicate package names

[AndriiY-SK]

What happened:

1. How to prevent duplicate package names: jinja2 and Jinja2 ?
   

2. Maybe we can build a more human path instead of full with .venv/........ ?
   

Because when we opened a vulnerability by specific dependency.
GitHub UI is building a path to a dependency that doesn't exist:
https://github.com/<ORG_NAME>/<REPO_NAME>/blob/-/.venv/lib/python3.9/site-packages/protobuf-3.19.4.dist-info/METADATA Maybe we can refer to package / repo that contains jinja ? package_name@jinja

3. Do we have a plan to add indirect dependencies for Github format ?

What you expected to happen:

1. No duplicates
2. More readable path like it Github does
   

Steps to reproduce the issue: Github workflow

name: 'Push SPDX dependency graph'
on:
  push:
    branches:
      - master
  workflow_dispatch:

jobs:
  submit:
    permissions:
        actions: read
        contents: write

    runs-on: <RUNNER>
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python 3.9
        uses: actions/setup-python@v3
        with:
          python-version: "3.9"

      - name: Install pip and pip-tools
        run: |
          pip install --upgrade pip
          python3 -m venv .venv

      - name: Install deps
        run: |
          source .venv/bin/activate
          pip install \
            -r pulumi_resources/environments/staging/requirements.txt \
            --extra-index-url="https://${user}:${pass}@<DOMAIN>/artifactory/api/pypi/PyPI-releaes/simple/" \
            --trusted-host artifactory.kenshoo-lab.com \
            --trusted-host pypi.org \
            --exists-action i

      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin

      - name: Run Syft
        uses: anchore/sbom-action@v0
        with:
            syft-version: v1.14.0
            path: ./
            dependency-snapshot: true

Anything else we need to know?:

Environment:

• Output of syft version:

  Application: syft
  Version:    1.14.0
  BuildDate:  2024-10-07T20:40:39Z
  GitCommit:  ccbee94b876240284c25c8931c6233fc71a5b7fb
  GitDescription: v1.14.0
  Platform:   linux/amd64
  GoVersion:  go1.22.7
  Compiler:   gc

[kzantow]

A few observations:

• Syft should not be creating duplicate packages with different cased names (I thought this was corrected for Python; investigation needed)
• Syft could potentially have a way to surface relationships to files to edit in order to upgrade dependencies, this would be useful but difficult