RubyGems package names are case sensitive. #52
E.g. https://github.com/github/advisory-database/blob/d6004eb8de91ad341605da869ab1b9f1e4abe433/advisories/github-reviewed/2017/10/GHSA-hgmw-x865-hf9x/GHSA-hgmw-x865-hf9x.json refers to "arabic-prawn", which is not a valid gem name according to RubyGems:

But using the correct case works:

Another instance of this is e.g. redcloth.

Comments

In addition to these, I found a bunch of other invalid RubyGems names (see my PRs to fix them here: https://github.com/github/advisory-database/pulls?q=author%3Aoliverchang+is%3Apr). It may be worth considering some package name validation as part of the triage/curation process.

@oliverchang thanks for surfacing this! We've got a backlogged issue to work on specific-to-ecosystem package name validation. Your PRs are a great additional data point to weigh in prioritizing shipping that. I'll circle back and close this issue when we have it shipped, at least for RubyGems!

This looks like it's also sort of the case for Python/PIP - while it does allow uppercase letters, the packages are ultimately expected to end up normalized, which has them lowercased (the OSV spec defines packages for the e.g. right now Pillow vulnerabilities are using

Out of all the Python/PyPI advisories in this database, here are all the ones that don't follow the OSV spec by having non-normalized names (along with their normalized name):

(Of course after posting this, I looked through what

@G-Rath, normalized names in Python are for the namespace in the Python runtime. We focus on package names as they appear in PyPI.

@darakian that seems counter to the OSV spec, which says: (I can't link directly to it as it's in a table 😅)

To offer some rationale for this in the spec: this is to make these package names more consistent and easier to consume and index on. The same package in Python can be specified in an infinite number of ways. e.g.

👋 Hey there @oliverchang, we made the corrections in RubyGems advisories that you suggested but want to let you know that they might not appear with the correct capitalization on the advisory pages. The package names appear with correct capitalization in the .json files, but a bug prevents RubyGems package names from appearing as anything other than all lowercase on the

Example with GHSA-hgmw-x865-hf9x: advisory-database/advisories/github-reviewed/2017/10/GHSA-hgmw-x865-hf9x/GHSA-hgmw-x865-hf9x.json, line 18 at commit 5936969

Example with GHSA-r23g-3qw4-gfh2: advisory-database/advisories/github-reviewed/2017/10/GHSA-r23g-3qw4-gfh2/GHSA-r23g-3qw4-gfh2.json, line 18 at commit 5936969

@darakian @KateCatlin @shelbyc since ossf/osv-schema#42 has been rejected, are there plans to update the Python advisories to use normalized names per the spec?
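The validation pass the thread asks for, written here as an added example rather than code from github/advisory-database or the OSV project: it walks OSV-shaped advisory records and flags PyPI names that are not in normalized form and RubyGems names that do not match a published gem exactly (a case-insensitive hit is reported as the suggested fix, mirroring the arabic-prawn and redcloth cases above). "Normalized" is taken to mean PEP 503's rule (lowercase, with runs of `-`, `_` and `.` collapsed to a single `-`). The `KNOWN_GEMS` set is a constructed stand-in for a lookup against the RubyGems index, and the `EXAMPLE-*` records are constructed sample data, not real advisories.

```python
"""Lint OSV-style advisory records for ecosystem-specific package-name problems.

Added example; not code from github/advisory-database or from the OSV project.
  * PyPI: the name must be PEP 503 normalized (lowercase, runs of '-', '_' and
    '.' collapsed to one '-'), which is the normalized form the thread refers to.
  * RubyGems: names are case sensitive, so a record is only accepted when it
    matches a published gem exactly; a case-insensitive match is a suggestion.
KNOWN_GEMS below is an assumed stand-in for a query against rubygems.org.
"""
import json
import re

PYPI_NORMALIZE_RE = re.compile(r"[-_.]+")


def normalize_pypi(name: str) -> str:
    """PEP 503 normalization: collapse runs of -, _ and . to '-' and lowercase."""
    return PYPI_NORMALIZE_RE.sub("-", name).lower()


# Constructed stand-in for the RubyGems index (exact-case gem names).
KNOWN_GEMS = {"Arabic-Prawn", "RedCloth", "rails", "nokogiri"}


def check_package(ecosystem: str, name: str, known_gems=KNOWN_GEMS):
    """Return (ok, suggestion); suggestion is a corrected name or None."""
    if ecosystem == "PyPI":
        normalized = normalize_pypi(name)
        return (True, None) if normalized == name else (False, normalized)
    if ecosystem == "RubyGems":
        if name in known_gems:           # exact, case-sensitive match only
            return (True, None)
        by_fold = {g.lower(): g for g in known_gems}
        return (False, by_fold.get(name.lower()))  # None when no gem matches at all
    return (True, None)  # no rule for other ecosystems in this example


def lint_advisory(advisory: dict, known_gems=KNOWN_GEMS) -> list:
    """Walk advisory['affected'][*]['package'] and collect name findings."""
    findings = []
    for affected in advisory.get("affected", []):
        pkg = affected.get("package", {})
        eco, name = pkg.get("ecosystem"), pkg.get("name")
        if not eco or not name:
            continue
        ok, suggestion = check_package(eco, name, known_gems)
        if not ok:
            findings.append({"id": advisory.get("id"), "ecosystem": eco,
                             "name": name, "suggestion": suggestion})
    return findings


# Constructed sample records in OSV shape (placeholder ids, not real advisories).
SAMPLE_ADVISORIES = json.loads("""[
 {"id": "EXAMPLE-1", "affected": [{"package": {"ecosystem": "PyPI", "name": "Pillow"}}]},
 {"id": "EXAMPLE-2", "affected": [{"package": {"ecosystem": "PyPI", "name": "zope.interface"}}]},
 {"id": "EXAMPLE-3", "affected": [{"package": {"ecosystem": "RubyGems", "name": "arabic-prawn"}}]},
 {"id": "EXAMPLE-4", "affected": [{"package": {"ecosystem": "RubyGems", "name": "RedCloth"}}]},
 {"id": "EXAMPLE-5", "affected": [{"package": {"ecosystem": "RubyGems", "name": "no-such-gem"}}]}
]""")


def lint_all(advisories=SAMPLE_ADVISORIES, known_gems=KNOWN_GEMS) -> list:
    """Lint every record; returns the flat list of findings."""
    return [f for adv in advisories for f in lint_advisory(adv, known_gems)]


if __name__ == "__main__":
    for f in lint_all():
        print(f"{f['id']}: {f['ecosystem']} name {f['name']!r} "
              f"-> suggest {f['suggestion']!r}")
```

On the constructed input the pass flags EXAMPLE-1, EXAMPLE-2, EXAMPLE-3 and EXAMPLE-5 and accepts EXAMPLE-4; the RubyGems branch deliberately never lowercases the stored name, since the whole point of the issue is that the lowercase form is not a valid gem.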