Gemnasium not PEP 426 compliant when searching for affected Python packages

Summary

When listing the security advisories of a Python package, the name of the package is case sensitive, but it should be case insensitive. This is a serious issue because it may result in vulnerabilities not reported. This may happen with both setuptools' setup.py and pip's requirements.txt.

More generally speaking, Gemnasium does NOT comply with PEP 426 when searching for Python packages:

All comparisons of distribution names MUST be case insensitive, and MUST consider hyphens and underscores to be equivalent.

This blocks the implementation of Pipfile.lock support and poetry.lock support because all names are lowercase in these lock files.

Steps to reproduce

Create a Python project that depends on an affected version of Django, and where the package is named django. For instance, create a requirements.txt file with django==1.11. In its current version Gemnasium will find no advisories.

It shouldn't make any difference because ultimately pip handles both the same:

$ pip download django==2.2.6
Collecting django==2.2.6
  Downloading https://files.pythonhosted.org/packages/b2/79/df0ffea7bf1e02c073c2633702c90f4384645c40a1dd09a308e02ef0c817/Django-2.2.6-py3-none-any.whl (7.5MB)

What is the current bug behavior?

Finds no vulnerability for django.

What is the expected correct behavior?

Finds the same vulnerabilities for both Django and django.

Possible fixes

The fix is to be implemented in gemnasium: it should comply with PEP 426 when looking for the advisories (YAML files) associated with a given Python package.
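As an added illustration (not Gemnasium's code), the buggy exact lookup beside a PEP 426-compliant normalized lookup over a constructed advisory index; the advisory identifiers are placeholders, and folding dots as well as hyphens and underscores follows PEP 503, which goes slightly beyond the PEP 426 sentence quoted above:

```python
import re

# Constructed advisory index (hypothetical entries, not Gemnasium's data),
# keyed by the package name exactly as the advisory file recorded it.
ADVISORIES = {
    "Django": ["ADVISORY-PLACEHOLDER-1"],
    "Pillow": ["ADVISORY-PLACEHOLDER-2"],
}

def normalize(name: str) -> str:
    """Comparison key for a distribution name.

    PEP 426 requires comparisons to be case-insensitive and to treat '-'
    and '_' as equivalent; PEP 503 makes that concrete by folding runs of
    '-', '_' and '.' into a single '-' and lowercasing the result.
    """
    return re.sub(r"[-_.]+", "-", name).lower()

# Index built once with normalized keys, so lookups ignore spelling variants.
_INDEX: dict = {}
for recorded, ids in ADVISORIES.items():
    _INDEX.setdefault(normalize(recorded), []).extend(ids)

def advisories_exact(name: str) -> list:
    """Current (buggy) behaviour: exact, case-sensitive match."""
    return list(ADVISORIES.get(name, []))

def advisories_normalized(name: str) -> list:
    """PEP 426-compliant behaviour: match on the normalized name."""
    return list(_INDEX.get(normalize(name), []))

# Matches 'name' or 'name<op>version'; extras, markers and URLs are not handled.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|<=|~=|!=|>|<)\s*(\S+))?")

def scan_requirements(text: str) -> dict:
    """Map each requirements.txt entry with advisories to its advisory ids.

    Comments, blank lines and lines the simple pattern cannot parse are skipped.
    """
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _REQ.match(line)
        if not m:
            continue
        name = m.group(1)
        hits = advisories_normalized(name)
        if hits:
            found[name] = hits
    return found
```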

Edited by Fabien Catteau