bug(nuget): Trivy doesn’t detect vulns when the case of the found package differs from the package in the GitHub advisory database.

[DmitriyLewen]

Description

The GitHub advisory database contains different cases for the same packages (e.g. Microsoft.NetCore.App.Runtime.linux-musl-x64 and Microsoft.NETCore.App.Runtime.linux-musl-x64).
We talked about automation with GitHub to fix this (see github/advisory-database#4440), but it looks like similar cases still exist:

Microsoft doesn’t state this directly, but there is indirect evidence that .NET packages are case-sensitive:

• All XML element names in the .nuspec file are case-sensitive, as is the case for XML in general (see https://learn.microsoft.com/en-us/nuget/reference/nuspec).
• nuget: different package names for the same packages nuget: different package names fo same packages github/advisory-database#4440 (comment).

Solution

• We need to convert nuget advisories to lowercase in trivy-db.
• Use lowercase for nuget packages when finding advisories.

Related Discussions

• Trivy is not reporting CVE-2025-30399 in .NET container #9445
• CVE-2024-30045 detection #6712

[DmitriyLewen]

trivy-db contains the following duplicates from GHSA:

• "cefsharp.offscreen.netcore" — total: 2; variants: CefSharp.OffScreen.NETCore | CefSharp.OffScreen.NetCore
• "cefsharp.winforms.netcore" — total: 2; variants: CefSharp.WinForms.NetCore | CefSharp.WinForms.NETCore
• "cefsharp.wpf.netcore" — total: 2; variants: CefSharp.Wpf.NETCore | CefSharp.Wpf.NetCore
• "jquery" — total: 2; variants: jQuery | jquery
• "microsoft.netcore.app.runtime.linux-arm" — total: 2; variants: Microsoft.NETCore.App.Runtime.linux-arm | Microsoft.NetCore.App.Runtime.linux-arm
• "microsoft.netcore.app.runtime.linux-arm64" — total: 2; variants: Microsoft.NETCore.App.Runtime.linux-arm64 | Microsoft.NetCore.App.Runtime.linux-arm64
• "microsoft.netcore.app.runtime.linux-musl-arm" — total: 2; variants: Microsoft.NetCore.App.Runtime.linux-musl-arm | Microsoft.NETCore.App.Runtime.linux-musl-arm
• "microsoft.netcore.app.runtime.linux-musl-arm64" — total: 2; variants: Microsoft.NETCore.App.Runtime.linux-musl-arm64 | Microsoft.NetCore.App.Runtime.linux-musl-arm64
• "microsoft.netcore.app.runtime.linux-musl-x64" — total: 2; variants: Microsoft.NETCore.App.Runtime.linux-musl-x64 | Microsoft.NetCore.App.Runtime.linux-musl-x64
• "microsoft.netcore.app.runtime.linux-x64" — total: 2; variants: Microsoft.NETCore.App.Runtime.linux-x64 | Microsoft.NetCore.App.Runtime.linux-x64
• "microsoft.netcore.app.runtime.osx-arm64" — total: 2; variants: Microsoft.NETCore.App.Runtime.osx-arm64 | Microsoft.NetCore.App.Runtime.osx-arm64
• "microsoft.netcore.app.runtime.osx-x64" — total: 2; variants: Microsoft.NetCore.App.Runtime.osx-x64 | Microsoft.NETCore.App.Runtime.osx-x64
• "microsoft.netcore.app.runtime.win-arm" — total: 2; variants: Microsoft.NetCore.App.Runtime.win-arm | Microsoft.NETCore.App.Runtime.win-arm
• "microsoft.netcore.app.runtime.win-arm64" — total: 2; variants: Microsoft.NETCore.App.Runtime.win-arm64 | Microsoft.NetCore.App.Runtime.win-arm64
• "microsoft.netcore.app.runtime.win-x64" — total: 2; variants: Microsoft.NETCore.App.Runtime.win-x64 | Microsoft.NetCore.App.Runtime.win-x64
• "microsoft.netcore.app.runtime.win-x86" — total: 2; variants: Microsoft.NETCore.App.Runtime.win-x86 | Microsoft.NetCore.App.Runtime.win-x86
• "mongodb.driver" — total: 2; variants: MongoDB.Driver | mongodb.driver
• "sscms" — total: 2; variants: SSCMS | sscms
• "umbraco.cms" — total: 2; variants: Umbraco.CMS | Umbraco.Cms
• "umbraco.cms.web.backoffice" — total: 2; variants: Umbraco.Cms.Web.BackOffice | Umbraco.Cms.Web.Backoffice
• "umbracocms" — total: 2; variants: UmbracoCMS | UmbracoCms
• "umbracocms.core" — total: 2; variants: UmbracoCMS.Core | UmbracoCms.Core
• "umbracocms.web" — total: 2; variants: UmbracoCMS.Web | UmbracoCms.Web