advisory-database
RubyGems package names are case sensitive.
E.g. https://github.com/github/advisory-database/blob/d6004eb8de91ad341605da869ab1b9f1e4abe433/advisories/github-reviewed/2017/10/GHSA-hgmw-x865-hf9x/GHSA-hgmw-x865-hf9x.json refers to "arabic-prawn", which is not a valid gem name according to RubyGems:
> curl https://rubygems.org/api/v1/gems/arabic-prawn.json
This rubygem could not be found.%
# Gem install will similarly fail
But using the correct case works:
> curl https://rubygems.org/api/v1/gems/Arabic-Prawn.json
{"name":"Arabic-Prawn","downloads":5615,"version":"0.0.1","version_created_at":"2010-02-27T22:12:06.572Z","version_downloads":5615,"platform":"ruby","authors":"Dynamix Solutions","info":"Allows printing arabic to PDFs generated by prawn","licenses":null,"metadata":{},"yanked":false,"sha":"cc7d1d8259146a465c379b0aca3db2b331e992bb19694722f48159ebe294cf6b","project_uri":"https://rubygems.org/gems/Arabic-Prawn","gem_uri":"https://rubygems.org/gems/Arabic-Prawn-0.0.1.gem","homepage_uri":null,"wiki_uri":null,"documentation_uri":"https://www.rubydoc.info/gems/Arabic-Prawn/0.0.1","mailing_list_uri":null,"source_code_uri":null,"bug_tracker_uri":null,"changelog_uri":null,"funding_uri":null,"dependencies":{"development":[],"runtime":[]}}
Another instance of this is e.g. redcloth.
In addition to these, I found a bunch of other invalid RubyGems names (see my PRs to fix them here: https://github.com/github/advisory-database/pulls?q=author%3Aoliverchang+is%3Apr).
It may be worth considering some package name validation as part of the triage/curation process.
@oliverchang thanks for surfacing this!
We've got a backlogged issue to work on ecosystem-specific package name validation. Your PRs are a great additional data point to weigh in prioritizing shipping that.
I'll circle back and close this issue when we have it shipped, at least for RubyGems!
This looks like it's also sort of the case for Python/PIP - while it does allow uppercase letters, the packages are ultimately expected to end up normalized which has them lowercased (the OSV spec defines packages for the PyPI ecosystem be the normalized name).
e.g. right now Pillow vulnerabilities are using Pillow which means they're not matching what's in requirements.txt (which is pillow).
Out of all the Python/PyPI advisories in this database, here are all the ones that don't follow the OSV spec by having non-normalized names (along with their normalized name):
APKLeaks => apkleaks
AccessControl => accesscontrol
CairoSVG => cairosvg
CoAPthon => coapthon
CoAPthon3 => coapthon3
Django => django
FedMsg => fedmsg
Flask-AppBuilder => flask-appbuilder
Flask-Caching => flask-caching
Flask-Cors => flask-cors
Flask-Security-Too => flask-security-too
Flask-Unchained => flask-unchained
Flask-User => flask-user
Glances => glances
HyperKitty => hyperkitty
Jinja2 => jinja2
Kotti => kotti
MLAlchemy => mlalchemy
Pillow => pillow
Plone => plone
Products.ATContentTypes => products-atcontenttypes
Products.CMFCore => products-cmfcore
Products.CMFPlone => products-cmfplone
Products.GenericSetup => products-genericsetup
Products.PasswordResetTool => products-passwordresettool
Products.PlonePAS => products-plonepas
Products.PluggableAuthService => products-pluggableauthservice
Products.isurlinportal => products-isurlinportal
PyInstaller => pyinstaller
PyYAML => pyyaml
Pygments => pygments
Red-DiscordBot => red-discordbot
SQLAlchemy => sqlalchemy
Scrapy => scrapy
Twisted => twisted
Weblate => weblate
XML2Dict => xml2dict
Zope => zope
Zope2 => zope2
django_make_app => django-make-app
jw.util => jw-util
oslo.middleware => oslo-middleware
plone.app.contenttypes => plone-app-contenttypes
plone.app.dexterity => plone-app-dexterity
plone.app.event => plone-app-event
plone.app.theming => plone-app-theming
plone.app.users => plone-app-users
plone.supermodel => plone-supermodel
privacyIDEA => privacyidea
proxy.py => proxy-py
sopel-modules.weather => sopel-modules-weather
sopel-plugins.channelmgnt => sopel-plugins-channelmgnt
sopel_plugins.channelmgnt => sopel-plugins-channelmgnt
(Of course after posting this, I looked through what requirements.txt files I have locally, and found zope.interface==5.4.0 so umm I guess they at least need to be lowercased....)
@G-Rath, normalized names in python are for the namespace in the python runtime. We focus on package names as they appear in pypi.
@darakian that seems counter to the OSV spec, which says:

(I can't link directly to it as it's in a table 😅)
To offer some rationale for this in the spec: this is to make these package names more consistent and easier to consume and index on.
The same package in Python can be specified in an infinite number of ways.
e.g. pip install Flask-Caching, pip install flask.caching, pip install flask......caching and pip install flask----caching all have the same effect and refer to the same package. Having a normalized name makes it easier to have more consistency.
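An added example, not code from this issue or from the advisory-database project, showing the PEP 503 normalization rule described above (runs of "-", "_" and "." collapse to one "-", then lowercase) and a checker that flags non-normalized PyPI names in a constructed OSV-style advisory record; the advisory id and package entries are made up for the demonstration.

```python
import json
import re

# PEP 503 normalization: any run of '-', '_' or '.' becomes a single '-',
# and the result is lowercased. This is the form the OSV spec expects for
# package names in the PyPI ecosystem, and what pip matches against.
_SEP_RUN = re.compile(r"[-_.]+")


def normalize_pypi_name(name: str) -> str:
    return _SEP_RUN.sub("-", name).lower()


def is_normalized(name: str) -> bool:
    return name == normalize_pypi_name(name)


def non_normalized_pypi_names(advisory_json: str) -> list[tuple[str, str]]:
    """Return (name_as_written, normalized_name) for every PyPI package in an
    OSV advisory whose name is not already in normalized form."""
    advisory = json.loads(advisory_json)
    findings = []
    for affected in advisory.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != "PyPI":
            continue  # other ecosystems (e.g. RubyGems) have their own rules
        name = pkg.get("name", "")
        if not is_normalized(name):
            findings.append((name, normalize_pypi_name(name)))
    return findings


# Constructed sample advisory (placeholder id, not a real GHSA record):
# two non-normalized PyPI names, one normalized name, one RubyGems package.
SAMPLE_ADVISORY = json.dumps({
    "id": "GHSA-xxxx-xxxx-xxxx",
    "affected": [
        {"package": {"ecosystem": "PyPI", "name": "Flask-Caching"}},
        {"package": {"ecosystem": "PyPI", "name": "Products.ATContentTypes"}},
        {"package": {"ecosystem": "PyPI", "name": "requests"}},
        {"package": {"ecosystem": "RubyGems", "name": "Arabic-Prawn"}},
    ],
})

if __name__ == "__main__":
    for written, normalized in non_normalized_pypi_names(SAMPLE_ADVISORY):
        print(f"{written} => {normalized}")
```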
@oliverchang
https://github.com/ossf/osv-schema/pull/42
👋 Hey there @oliverchang, we made the corrections in RubyGems advisories that you suggested but want to let you know that they might not appear with the correct capitalization on the advisory pages. The package names appear with correct capitalization in the .json files, but a bug prevents RubyGems package names from appearing as anything other than all lowercase on the github.com/advisories pages.
Example with https://github.com/advisories/GHSA-hgmw-x865-hf9x: https://github.com/github/advisory-database/blob/5936969dbe1c46cf397bcfff9b75a412a01ee483/advisories/github-reviewed/2017/10/GHSA-hgmw-x865-hf9x/GHSA-hgmw-x865-hf9x.json#L18
Example with https://github.com/advisories/GHSA-r23g-3qw4-gfh2: https://github.com/github/advisory-database/blob/5936969dbe1c46cf397bcfff9b75a412a01ee483/advisories/github-reviewed/2017/10/GHSA-r23g-3qw4-gfh2/GHSA-r23g-3qw4-gfh2.json#L18
@darakian @KateCatlin @shelbyc since https://github.com/ossf/osv-schema/pull/42 has been rejected, are there plans to update the Python advisories to use normalized names per the spec?