github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

RubyGems package names are case sensitive. #52

Open oliverchang opened 2 years ago

oliverchang commented 2 years ago

E.g. https://github.com/github/advisory-database/blob/d6004eb8de91ad341605da869ab1b9f1e4abe433/advisories/github-reviewed/2017/10/GHSA-hgmw-x865-hf9x/GHSA-hgmw-x865-hf9x.json refers to "arabic-prawn", which is not a valid gem name according to RubyGems:

```
> curl https://rubygems.org/api/v1/gems/arabic-prawn.json
This rubygem could not be found.%
# Gem install will similarly fail
```

But using the correct case works:

```
> curl https://rubygems.org/api/v1/gems/Arabic-Prawn.json
{"name":"Arabic-Prawn","downloads":5615,"version":"0.0.1","version_created_at":"2010-02-27T22:12:06.572Z","version_downloads":5615,"platform":"ruby","authors":"Dynamix Solutions","info":"Allows printing arabic to PDFs generated by prawn","licenses":null,"metadata":{},"yanked":false,"sha":"cc7d1d8259146a465c379b0aca3db2b331e992bb19694722f48159ebe294cf6b","project_uri":"https://rubygems.org/gems/Arabic-Prawn","gem_uri":"https://rubygems.org/gems/Arabic-Prawn-0.0.1.gem","homepage_uri":null,"wiki_uri":null,"documentation_uri":"https://www.rubydoc.info/gems/Arabic-Prawn/0.0.1","mailing_list_uri":null,"source_code_uri":null,"bug_tracker_uri":null,"changelog_uri":null,"funding_uri":null,"dependencies":{"development":[],"runtime":[]}}
```

Another instance of this is e.g. redcloth.

oliverchang commented 2 years ago

In addition to these, I found a bunch of other invalid RubyGems names (see my PRs to fix them here: https://github.com/github/advisory-database/pulls?q=author%3Aoliverchang+is%3Apr)

It may be worth considering some package name validation as part of the triage/curation process.

KateCatlin commented 2 years ago

@oliverchang thanks for surfacing this!

We've got a backlogged issue to work on specific-to-ecosystem package name validation. Your PRs are a great additional data point to weigh in prioritizing shipping that.

I'll circle back and close this issue when we have it shipped, at least for RubyGems!

G-Rath commented 2 years ago

This looks like it's also sort of the case for Python/PIP - while it does allow uppercase letters, the packages are ultimately expected to end up normalized which has them lowercased (the OSV spec defines packages for the PyPI ecosystem be the normalized name).

e.g. right now Pillow vulnerabilities are using Pillow which means they're not matching what's in requirements.txt (which is pillow).

G-Rath commented 2 years ago

Out of all the Python/PyPI advisories in this database, here are all the ones that don't follow the OSV spec by having non-normalized names (along with their normalized name):

```
APKLeaks => apkleaks
AccessControl => accesscontrol
CairoSVG => cairosvg
CoAPthon => coapthon
CoAPthon3 => coapthon3
Django => django
FedMsg => fedmsg
Flask-AppBuilder => flask-appbuilder
Flask-Caching => flask-caching
Flask-Cors => flask-cors
Flask-Security-Too => flask-security-too
Flask-Unchained => flask-unchained
Flask-User => flask-user
Glances => glances
HyperKitty => hyperkitty
Jinja2 => jinja2
Kotti => kotti
MLAlchemy => mlalchemy
Pillow => pillow
Plone => plone
Products.ATContentTypes => products-atcontenttypes
Products.CMFCore => products-cmfcore
Products.CMFPlone => products-cmfplone
Products.GenericSetup => products-genericsetup
Products.PasswordResetTool => products-passwordresettool
Products.PlonePAS => products-plonepas
Products.PluggableAuthService => products-pluggableauthservice
Products.isurlinportal => products-isurlinportal
PyInstaller => pyinstaller
PyYAML => pyyaml
Pygments => pygments
Red-DiscordBot => red-discordbot
SQLAlchemy => sqlalchemy
Scrapy => scrapy
Twisted => twisted
Weblate => weblate
XML2Dict => xml2dict
Zope => zope
Zope2 => zope2
django_make_app => django-make-app
jw.util => jw-util
oslo.middleware => oslo-middleware
plone.app.contenttypes => plone-app-contenttypes
plone.app.dexterity => plone-app-dexterity
plone.app.event => plone-app-event
plone.app.theming => plone-app-theming
plone.app.users => plone-app-users
plone.supermodel => plone-supermodel
privacyIDEA => privacyidea
proxy.py => proxy-py
sopel-modules.weather => sopel-modules-weather
sopel-plugins.channelmgnt => sopel-plugins-channelmgnt
sopel_plugins.channelmgnt => sopel-plugins-channelmgnt
```

(Of course after posting this, I looked through what requirements.txt files I have locally, and found zope.interface==5.4.0 so umm I guess they at least need to be lowercased....)

darakian commented 2 years ago

@G-Rath, normalized names in python are for the namespace in the python runtime. We focus on package names as they appear in pypi.

G-Rath commented 2 years ago

@darakian that seems counter to the OSV spec, which says:

[image: screenshot of the relevant row of the OSV spec table]

(I can't link directly to it as it's in a table 😅)

oliverchang commented 2 years ago

To offer some rationale for this in the spec: this is to make these package names more consistent and easier to consume and index on.

The same package in Python can be specified in an infinite number of ways.

e.g. `pip install Flask-Caching`, `pip install flask.caching`, `pip install flask......caching` and `pip install flask----caching` all have the same effect and refer to the same package. Having a normalized name makes it easier to have more consistency.
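The normalization rule behind the `Name => normalized-name` list above and the `Flask-Caching` / `flask......caching` equivalence is PEP 503's: lowercase the name and collapse every run of `-`, `_` or `.` into a single `-`. The following is an added example (not tooling from this repository) that applies that rule as a triage-time check over an OSV advisory record; the advisory below is a constructed sample with a placeholder id, not a real GHSA entry.

```python
import re

# PEP 503 normalization: lowercase, and collapse any run of '-', '_' or '.'
# into a single '-'. This is the form the OSV spec expects for PyPI names.
def normalize_pypi_name(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

def is_normalized(name: str) -> bool:
    return name == normalize_pypi_name(name)

# Walk the OSV "affected" entries and report PyPI packages whose recorded
# name is not the normalized form, paired with what it should be.
# Entries for other ecosystems (e.g. RubyGems, where case matters) are
# deliberately left alone: PEP 503 does not apply to them.
def find_unnormalized_pypi_packages(advisory: dict) -> list[tuple[str, str]]:
    findings = []
    for affected in advisory.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != "PyPI":
            continue
        name = pkg.get("name", "")
        if not is_normalized(name):
            findings.append((name, normalize_pypi_name(name)))
    return findings

# Constructed sample advisory (placeholder id, not a real GHSA record):
# one PyPI entry that needs normalizing, one that is already normalized,
# and a RubyGems entry the PyPI check must not touch.
SAMPLE_ADVISORY = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "affected": [
        {"package": {"ecosystem": "PyPI", "name": "Products.CMFPlone"}},
        {"package": {"ecosystem": "PyPI", "name": "flask-caching"}},
        {"package": {"ecosystem": "RubyGems", "name": "Arabic-Prawn"}},
    ],
}

if __name__ == "__main__":
    for recorded, expected in find_unnormalized_pypi_packages(SAMPLE_ADVISORY):
        print(f"{recorded} => {expected}")
```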

darakian commented 2 years ago

@oliverchang

https://github.com/ossf/osv-schema/pull/42

shelbyc commented 1 year ago

👋 Hey there @oliverchang, we made the corrections in RubyGems advisories that you suggested but want to let you know that they might not appear with the correct capitalization on the advisory pages. The package names appear with correct capitalization in the .json files, but a bug prevents RubyGems package names from appearing as anything other than all lowercase on the github.com/advisories pages.

Example with https://github.com/advisories/GHSA-hgmw-x865-hf9x: https://github.com/github/advisory-database/blob/5936969dbe1c46cf397bcfff9b75a412a01ee483/advisories/github-reviewed/2017/10/GHSA-hgmw-x865-hf9x/GHSA-hgmw-x865-hf9x.json#L18

Example with https://github.com/advisories/GHSA-r23g-3qw4-gfh2: https://github.com/github/advisory-database/blob/5936969dbe1c46cf397bcfff9b75a412a01ee483/advisories/github-reviewed/2017/10/GHSA-r23g-3qw4-gfh2/GHSA-r23g-3qw4-gfh2.json#L18

G-Rath commented 1 year ago

@darakian @KateCatlin @shelbyc since https://github.com/ossf/osv-schema/pull/42 has been rejected, are there plans to update the Python advisories to use normalized names per the spec?