Merge pull request #1057 from actions/juxtin/case-sensitivity

Make purl comparisons case insensitive

Author: juxtin

__tests__/purl.test.ts

@@ -225,3 +225,25 @@ test('purlsMatch matches packages without namespaces', () => {
   const b = parsePURL('pkg:npm/lodash@5.0.0')
   expect(purlsMatch(a, b)).toBe(true)
 })
+
+test('purlsMatch is case-insensitive for GitHub Actions', () => {
+  const a = parsePURL('pkg:githubactions/MyOrg/MyAction@1.0.0')
+  const b = parsePURL('pkg:githubactions/myorg/myaction@1.0.0')
+  expect(purlsMatch(a, b)).toBe(true)
+})
+
+test('purlsMatch is case-insensitive for scoped npm packages', () => {
+  const a = parsePURL('pkg:npm/@MyScope/MyPackage')
+  const b = parsePURL('pkg:npm/@myscope/mypackage')
+  expect(purlsMatch(a, b)).toBe(true)
+})
+
+test('purlsMatch is case-insensitive for GitHub Actions with file paths', () => {
+  const a = parsePURL(
+    'pkg:githubactions/MyOrg/MyWorkflows/.github/workflows/general.yml'
+  )
+  const b = parsePURL(
+    'pkg:githubactions/myorg/myworkflows/.github/workflows/general.yml'
+  )
+  expect(purlsMatch(a, b)).toBe(true)
+})

dist/index.js

@@ -86,9 +86,12 @@ function fullName(purl: PackageURL): string | null {
 // namespace/name splits. This handles the case where a PURL like
 // 'pkg:npm/%40scope%2Fname' is parsed as {namespace: null, name: '@scope/name'}
 // while 'pkg:npm/%40scope/name' is parsed as {namespace: '@scope', name: 'name'}.
+//
+// The comparison is case-insensitive because most ecosystems and registries
+// treat names that way (npm, PyPI, GitHub org/repo names, etc.).
 export function purlsMatch(a: PackageURL, b: PackageURL): boolean {
-  if (a.type !== b.type) {
+  if (a.type.toLowerCase() !== b.type.toLowerCase()) {
     return false
   }
-  return fullName(a) === fullName(b)
+  return fullName(a)?.toLowerCase() === fullName(b)?.toLowerCase()
 }