add pypi packages support

[jossef]

Similar to current coverage for npm packages, add support for PyPI packages:

• [ ] Links- (I found in SO links in this format: pypi.python.org/pypi, but it redirects to pypi.org/project)
• [ ] pip install commands
• [ ] Package name with _ will be replaced to -, for example: pip install MySQL_python will install MySQL-python.
• [ ] Python package name is case-insensitive.
• [ ] Example of a package name with a dot: kreagroup.jsi18n
• [ ] Package with version will be pip install package=version
• [ ] package can be wrapped with quotes: pip install "package=version"

This page in StackOverflow seems to contain various cases for pip install.

TODO:

• [ ] Test all the cases above on finder.
• [ ] Test the variants of the package names against each advisory.

[baruchiro]

Checking for pip. For the old easy_install, I don't think we should support it right now or ever. I also can't find heavy usage of conda install in StackOverflow.

[jossef]

yes, pip install or links to pypi.org

[baruchiro]

@GuyNachshon @jossef see this case: On this answer, the package name is in quotes pip install 'stevedore>=1.3.0,<1.4.0'.

For now, I marked the package without the quotes:

Please LTM if you think I should do it differently.

[baruchiro]

Python packages are annoying because they are case insensitive, meaning you can install pandas or PANDAS, but the package name is pandas.

Take the Pillow package as an example. You see here that all the commands are installing pillow, but in debricked and openbase you have to use the exact name. On the other hand, deps.dev will always return pillow as the name!

I'm adding a step to normalize the package name before fetching the info from the advisories.