Gemnasium not PEP 426 compliant when searching for affected Python packages
Summary
When listing the security advisories of a Python package, the name of the package is treated as case sensitive, but it should be case insensitive. This is a serious issue because it may result in vulnerabilities not being reported. This may happen with both setuptools' setup.py and pip's requirements.txt.
More generally speaking, Gemnasium does NOT comply with PEP 426 when searching for Python packages:
All comparisons of distribution names MUST be case insensitive, and MUST consider hyphens and underscores to be equivalent.
This blocks the implementation of Pipfile.lock support and poetry.lock support because all names are lowercase in these lock files.
Steps to reproduce
Create a Python project that depends on an affected version of Django, and where the dependency is named django. For instance, create a requirements.txt file containing django==1.11. In its current version Gemnasium will find no advisories.
It shouldn't make any difference because ultimately pip handles both the same:
$ pip download django==2.2.6
Collecting django==2.2.6
Downloading https://files.pythonhosted.org/packages/b2/79/df0ffea7bf1e02c073c2633702c90f4384645c40a1dd09a308e02ef0c817/Django-2.2.6-py3-none-any.whl (7.5MB)
What is the current bug behavior?
Finds no vulnerability for django.
What is the expected correct behavior?
Finds the same vulnerabilities for both Django and django.
Possible fixes
The fix is to be implemented in gemnasium: it should comply with PEP 426 when looking for the advisories (YAML files) associated with a given Python package.
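To illustrate the difference between the current and the expected lookup, here is an added example (not Gemnasium's own code) that parses pinned requirements.txt lines and matches them against a constructed advisory index, first with the case-sensitive comparison described above and then with names normalized as PEP 426 requires. The advisory index, identifiers and versions are constructed sample data; the normalization also treats periods as equivalent, as PEP 503 later specified.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample advisory index, keyed by the package name as the advisory
# author wrote it (mixed case, underscores). Values map affected version -> id.
ADVISORIES: Dict[str, Dict[str, str]] = {
    "Django": {"1.11": "constructed-advisory-1"},
    "Flask_SQLAlchemy": {"2.0": "constructed-advisory-2"},
}

# Constructed requirements.txt content, using the lowercase / hyphenated
# spellings that pip accepts but a case-sensitive lookup misses.
REQUIREMENTS = "django==1.11\nflask-sqlalchemy==2.0  # pinned\nrequests==2.22.0\n"


def normalize(name: str) -> str:
    """Canonical distribution name: case-insensitive, with runs of '-', '_'
    (and '.', per PEP 503) collapsed to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs for '==' pinned lines; ignore comments and blanks."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if match:
            pins.append((match.group(1), match.group(2)))
    return pins


def find_advisories_naive(requirements: str) -> List[str]:
    """Case-sensitive lookup: the behaviour this report describes."""
    hits = []
    for name, version in parse_requirements(requirements):
        advisory = ADVISORIES.get(name, {}).get(version)
        if advisory:
            hits.append(advisory)
    return hits


def find_advisories(requirements: str) -> List[str]:
    """PEP 426 compliant lookup: both the index keys and the queried name are normalized."""
    index = {normalize(pkg): versions for pkg, versions in ADVISORIES.items()}
    hits = []
    for name, version in parse_requirements(requirements):
        advisory = index.get(normalize(name), {}).get(version)
        if advisory:
            hits.append(advisory)
    return hits
```

Running both lookups over REQUIREMENTS shows the naive version reporting nothing while the normalized version reports both constructed advisories.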