
PyPI packages are not reported as vulnerable if name is not normalized #1633

Closed
eleftherias opened this issue Nov 13, 2023 · 0 comments · Fixed by #1634
Labels: bug (Something isn't working), dependencies (Pull requests that update a dependency file), priority: high (High priority)

Comments

@eleftherias (Contributor)

Describe the issue

The OSV API expects Python package names to be normalized.

From the OSV schema:

the name field is a normalized PyPI package name.

Their definition of normalization is:

The name should be lowercased with all runs of the characters ., -, or _ replaced with a single - character.

An example of this is the Django package.
When installing Django, the name in requirements.txt is Django with an uppercase D.

However, sending that package name to the OSV API returns empty, even when there is a vulnerability in the given version.

Example:

curl -d '{"package": {"ecosystem": "PyPI", "name": "Django"}, "version": "3.2.21"}' "https://api.osv.dev/v1/query"

returns empty.

While:

curl -d '{"package": {"ecosystem": "PyPI", "name": "django"}, "version": "3.2.21"}' "https://api.osv.dev/v1/query"

returns several vulnerabilities.

To Reproduce

No response

What version are you using?

No response
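The normalization rule quoted above, applied before building the OSV query body, as an added example (not minder's own code; the type and function names are assumptions for illustration):

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// pypiSeparatorRun matches one or more of '.', '-' or '_', the characters
// the OSV schema says must collapse to a single '-'.
var pypiSeparatorRun = regexp.MustCompile(`[-_.]+`)

// NormalizePyPIName applies the rule quoted in the issue: lowercase the
// name and replace every run of '.', '-' or '_' with a single '-'.
func NormalizePyPIName(name string) string {
	return pypiSeparatorRun.ReplaceAllString(strings.ToLower(name), "-")
}

// OSVQuery mirrors the request body accepted by https://api.osv.dev/v1/query.
type OSVQuery struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Version string `json:"version"`
}

// BuildOSVQuery returns the JSON body for a PyPI package, normalizing the
// name so that "Django" and "django" produce the same query.
func BuildOSVQuery(name, version string) (string, error) {
	var q OSVQuery
	q.Package.Ecosystem = "PyPI"
	q.Package.Name = NormalizePyPIName(name)
	q.Version = version
	b, err := json.Marshal(q)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample names, including the Django case from the issue.
	for _, n := range []string{"Django", "Flask_SQLAlchemy", "zope.interface", "Foo__Bar..baz"} {
		body, _ := BuildOSVQuery(n, "3.2.21")
		fmt.Println(body)
	}
}
```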

@eleftherias eleftherias added bug Something isn't working dependencies Pull requests that update a dependency file priority: high High priority labels Nov 13, 2023
@eleftherias eleftherias self-assigned this Nov 13, 2023
eleftherias added a commit to eleftherias/minder that referenced this issue Nov 13, 2023