Open oliverchang opened 2 years ago
In addition to these, I found a bunch of other invalid RubyGems names (see my PRs to fix them here: https://github.com/github/advisory-database/pulls?q=author%3Aoliverchang+is%3Apr)
It may be worth considering some package name validation as part of the triage/curation process.
@oliverchang thanks for surfacing this!
We've got a backlogged issue to work on specific-to-ecosystem package name validation. Your PRs are a great additional data point to weigh in prioritizing shipping that.
I'll circle back and close this issue when we have it shipped, at least for RubyGems!
This looks like it's also sort of the case for Python/PIP - while it does allow uppercase letters, the packages are ultimately expected to end up normalized which has them lowercased (the OSV spec defines packages for the PyPI ecosystem to be the normalized name).
e.g. right now Pillow vulnerabilities are using "Pillow", which means they're not matching what's in requirements.txt (which is "pillow").
(Of course after posting this, I looked through what requirements.txt files I have locally, and found zope.interface==5.4.0 so umm I guess they at least need to be lowercased....)
@G-Rath, normalized names in python are for the namespace in the python runtime. We focus on package names as they appear in pypi.
@darakian that seems counter to the OSV spec, which says:
(I can't link directly to it as it's in a table 😅)
To offer some rationale for this in the spec: this is to make these package names more consistent and easier to consume and index on.
The same package in Python can be specified in an infinite number of ways.
e.g. pip install Flask-Caching, pip install flask.caching, pip install flask......caching, and pip install flask----caching all have the same effect and refer to the same package. Having a normalized name makes it easier to have more consistency.
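The normalization the comment above refers to (runs of "-", "_" and "." collapse to a single "-", then lowercase) is easy to implement; the following is an added example, not code from this issue or from the advisory-database project, showing that the pip spellings listed above all map to one name and that matching advisory names against a requirements.txt only works once both sides are normalized. The requirements text and advisory names are constructed samples.

```python
import re

# Normalization rule for PyPI project names (the form the OSV spec expects
# for the PyPI ecosystem): collapse runs of '-', '_' and '.' to '-', lowercase.
_SEPARATORS = re.compile(r"[-_.]+")


def normalize_pypi_name(name: str) -> str:
    """Return the normalized form of a PyPI project name."""
    return _SEPARATORS.sub("-", name).lower()


def parse_requirement_names(requirements_text: str) -> list:
    """Extract raw project names from requirements.txt-style lines.

    Handles 'name', 'name==x', 'name>=x', 'name[extra]' forms; comments and
    blank lines are skipped. Simplified: URLs and '-e' lines are not handled.
    """
    names = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def advisories_matching(advisory_names, requirements_text):
    """Advisory package names that match a requirement once both sides are
    normalized; a plain string compare of 'Pillow' vs 'pillow' would miss them."""
    wanted = {normalize_pypi_name(n) for n in parse_requirement_names(requirements_text)}
    return sorted(a for a in advisory_names if normalize_pypi_name(a) in wanted)


# Constructed sample requirements file echoing the names in this thread.
SAMPLE_REQUIREMENTS = """\
pillow==9.0.0
zope.interface==5.4.0
Flask-Caching>=1.10  # mixed case, as pip accepts it
"""

# Constructed advisory package names as they might appear in advisory JSON.
SAMPLE_ADVISORY_NAMES = ["Pillow", "zope-interface", "flask.caching", "Django"]

if __name__ == "__main__":
    for variant in ("Flask-Caching", "flask.caching", "flask......caching", "flask----caching"):
        print(variant, "->", normalize_pypi_name(variant))
    print(advisories_matching(SAMPLE_ADVISORY_NAMES, SAMPLE_REQUIREMENTS))
```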
@oliverchang
👋 Hey there @oliverchang, we made the corrections in RubyGems advisories that you suggested but want to let you know that they might not appear with the correct capitalization on the advisory pages. The package names appear with correct capitalization in the .json files, but a bug prevents RubyGems package names from appearing as anything other than all lowercase on the github.com/advisories pages.
Example with https://github.com/advisories/GHSA-hgmw-x865-hf9x: https://github.com/github/advisory-database/blob/5936969dbe1c46cf397bcfff9b75a412a01ee483/advisories/github-reviewed/2017/10/GHSA-hgmw-x865-hf9x/GHSA-hgmw-x865-hf9x.json#L18
Example with https://github.com/advisories/GHSA-r23g-3qw4-gfh2: https://github.com/github/advisory-database/blob/5936969dbe1c46cf397bcfff9b75a412a01ee483/advisories/github-reviewed/2017/10/GHSA-r23g-3qw4-gfh2/GHSA-r23g-3qw4-gfh2.json#L18
@darakian @KateCatlin @shelbyc since https://github.com/ossf/osv-schema/pull/42 has been rejected, are there plans to update the Python advisories to use normalized names per the spec?
E.g. https://github.com/github/advisory-database/blob/d6004eb8de91ad341605da869ab1b9f1e4abe433/advisories/github-reviewed/2017/10/GHSA-hgmw-x865-hf9x/GHSA-hgmw-x865-hf9x.json refers to "arabic-prawn", which is not a valid gem name according to RubyGems:
But using the correct case works:
Another instance of this is e.g. redcloth.