Normalize GitHub repos to lowercase (#2199)

Problem: #2182 made checks for existing commits case-insensitive by repo, but left the underlying repo string alone. There are a lot of mixed-case GitHub repos in existence, because `cves.extractGitCommit()` takes the repo verbatim. `vulns.AddPkgInfo()` aggregates events by repo, case insensitively, so was producing incorrect GIT events. GitHub repo names are known to be case insensitive, so this is safe for them. It's definitively less safe for other URLs, so limit to just them for now.
google · May 10, 2024 · f67f746 · f67f746
1 parent 0dad37e
commit f67f746
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/vulnfeeds/cves/versions.go b/vulnfeeds/cves/versions.go
@@ -41,6 +41,13 @@ type AffectedCommit struct {
 }
 
 func (ac *AffectedCommit) SetRepo(repo string) {
+	// GitHub.com repos are demonstrably case-insensitive, and frequently
+	// expressed in URLs with varying cases, so normalize them to lowercase.
+	// vulns.AddPkgInfo() treats repos case sensitively, and this can result in
+	// incorrect behaviour.
+	if strings.Contains(strings.ToLower(repo), "github.com") {
+		repo = strings.ToLower(repo)
+	}
 	ac.Repo = repo
 }
 

diff --git a/vulnfeeds/cves/versions_test.go b/vulnfeeds/cves/versions_test.go
@@ -593,7 +593,7 @@ func TestExtractGitCommit(t *testing.T) {
 			inputLink:       "https://github.com/uWebSockets/uWebSockets/commit/37deefd01f0875e133ea967122e3a5e421b8fcd9",
 			inputCommitType: Fixed,
 			expectedAffectedCommit: AffectedCommit{
-				Repo:  "https://github.com/uNetworking/uWebSockets",
+				Repo:  "https://github.com/unetworking/uwebsockets",
 				Fixed: "37deefd01f0875e133ea967122e3a5e421b8fcd9",
 			},
 		},