Use normalized package_name during

pm_affected_package ingestion and on CVS. EE: true Changelog: fixed

Use normalized package_name during
47a734bb · Zamir Martins · GitLab · 0eddea5b · 47a734bb · 47a734bb
--- a/ee/app/finders/sbom/possibly_affected_occurrences_finder.rb
+++ b/ee/app/finders/sbom/possibly_affected_occurrences_finder.rb
@@ -43,7 +43,7 @@ def package_identity
              end

      scope
-        .by_purl_type_and_name(purl_type, package_name)
+        .by_purl_type_and_name(purl_type, normalized_name(purl_type, package_name))
        .select(:id)
        .first
    end
@@ -60,5 +60,11 @@ def search_scope
      end
    end
    strong_memoize_attr :search_scope
+
+    # This can be removed after `UpdatePackageNameInPmAffectedPackages` has been completed.
+    # See: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183732
+    def normalized_name(purl_type, package_name)
+      ::Sbom::PackageUrl::Normalizer.new(type: purl_type, text: package_name).normalize_name
+    end
  end
 end
--- a/ee/app/services/package_metadata/ingestion/advisory/affected_package_ingestion_task.rb
+++ b/ee/app/services/package_metadata/ingestion/advisory/affected_package_ingestion_task.rb
@@ -50,7 +50,7 @@ def affected_packages
            data_object.affected_packages.map do |affected_package|
              PackageMetadata::AffectedPackage.new(
                purl_type: affected_package.purl_type,
-                package_name: affected_package.package_name,
+                package_name: normalized_name(affected_package.purl_type, affected_package.package_name),
                solution: affected_package.solution,
                affected_range: affected_package.affected_range,
                fixed_versions: affected_package.fixed_versions,
@@ -68,6 +68,10 @@ def affected_packages
        def now
          @now ||= Time.zone.now
        end
+
+        def normalized_name(purl_type, package_name)
+          ::Sbom::PackageUrl::Normalizer.new(type: purl_type, text: package_name).normalize_name
+        end
      end
    end
  end

--- a/ee/spec/finders/sbom/possibly_affected_occurrences_finder_spec.rb
+++ b/ee/spec/finders/sbom/possibly_affected_occurrences_finder_spec.rb
@@ -106,6 +106,24 @@ def possibly_affected_occurrences

    it_behaves_like 'non-matching component'
    it_behaves_like 'matching component'
+
+    context 'with pypi-related package names' do
+      let_it_be(:purl_type) { 'pypi' }
+      let_it_be(:package_name) { 'Matching_package' }
+      let_it_be(:normalized_name) do
+        ::Sbom::PackageUrl::Normalizer.new(type: purl_type, text: package_name).normalize_name
+      end
+
+      let_it_be(:matching_component) { create(:sbom_component, name: normalized_name, purl_type: purl_type) }
+
+      let_it_be(:matching_occurrences) do
+        create_list(:sbom_occurrence, 3, component: matching_component, project: project)
+      end
+
+      it 'returns the possibly affected occurrences' do
+        expect(possibly_affected_occurrences).to match_array(matching_occurrences)
+      end
+    end
  end

  context 'when the component purl_type is for container scanning' do

--- a/ee/spec/services/package_metadata/ingestion/advisory/affected_package_ingestion_task_spec.rb
+++ b/ee/spec/services/package_metadata/ingestion/advisory/affected_package_ingestion_task_spec.rb
@@ -5,13 +5,18 @@
 RSpec.describe PackageMetadata::Ingestion::Advisory::AffectedPackageIngestionTask, feature_category: :software_composition_analysis do
  describe '.execute' do
    let_it_be(:advisory_xid) { 'some-uuid-value' }
+    let_it_be(:purl_type) { 'pypi' }
+    let_it_be(:package_name) { 'Matching_name' }
+    let_it_be(:normalized_name) do
+      ::Sbom::PackageUrl::Normalizer.new(type: purl_type, text: package_name).normalize_name
+    end

    let!(:existing_advisory) do
      create(:pm_advisory, advisory_xid: advisory_xid)
    end

    let!(:existing_affected_package) do
-      create(:pm_affected_package, advisory: existing_advisory)
+      create(:pm_affected_package, advisory: existing_advisory, purl_type: purl_type, package_name: normalized_name)
    end

    let(:import_data) do
@@ -19,7 +24,8 @@
        build(:pm_advisory_data_object, advisory_xid: advisory_xid,
          affected_packages: [
            build(:pm_affected_package_data_object,
-              package_name: existing_affected_package.package_name,
+              purl_type: purl_type,
+              package_name: package_name,
              fixed_versions: %w[9.9.9],
              versions: [{ 'number' => '1.2.4',
                           'commit' => { 'tags' => ['v1.2.4-tag'], 'sha' => '295cf0778821bf08681e2bd0ef0e6cad04fc3001',