fix: update mixed case dependencies in python to be normalized

[spiffcs]

Description

When generating a CycloneDX SBOM from a Python project that uses poetry.lock, Syft was failing to resolve dependency edges when the dependency name used different casing than the package name.

For example, in a poetry.lock file, dj-rest-auth declares a dependency on Django (capitalized), but the actual package is listed as django (lowercase).

Per the https://packaging.python.org/en/latest/specifications/name-normalization/, package names should be treated as case-insensitive.

Root Cause

The packageRef function in the poetry dependency resolver was not normalizing package names before using them for dependency matching.

Fix

Fix: Apply the existing normalize() function to package names and extras in packageRef(), ensuring case-insensitive matching that complies with Python packaging standards.

Before: The dependency edge dj-rest-auth@7.0.1 → django@5.2.6 was missing from the SBOM dependency graph.
After: Dependency edges are correctly resolved regardless of package name casing in poetry.lock.

Some other tests have been updated that were missing this relationship previously

Type of Change

• Bug fix (non-breaking change which fixes an issue)

Issue references
Fixes #4562

[willmurphyscode]

How do the extras interact with the resolution in requires/provides?

[spiffcs]

So here is the current behavior:

When a package requires another with extras:

1. provides is always the base package no extras in the name
2. then we always have the base package requirements without any extras so those resolutions can always happen
3. If there are extras, the extra variants also get added (now run through the normalize logic)

1

syft/syft/pkg/cataloger/python/dependency.go

Lines 24 to 27 in e8b4527

	// this package reference always includes the package name and no extras
	provides := []string{packageRef(p.Name, "")}

2

syft/syft/pkg/cataloger/python/dependency.go

Lines 34 to 37 in e8b4527

	// we always have the base package requirement without any extras to get base dependencies
	requires = append(requires, packageRef(dep.Name, ""))

3

syft/syft/pkg/cataloger/python/dependency.go

Lines 38 to 47 in e8b4527

	// if there are extras, we need to add a requirement for each extra individually
	// for example:
	// uvicorn = {version = ">=0.12.0", extras = ["standard", "else"]}
	// then we must install uvicorn with the extras "standard" and "else" to satisfy the requirement
	for _, extra := range dep.Extras {
	// always refer to extras with the package name (e.g. name[extra])
	// note: this must always be done independent of other extras (e.g. name[extra1] and name[extra2] separately
	// is correct and name[extra1,extra2] will result in dependency resolution failure)
	requires = append(requires, packageRef(dep.Name, extra))
	}

This change does not update any of the above flow. It just makes sure that we are respecting the casing correctly in both instances of creating the provides:requires and the extras variant.

[willmurphyscode]

We reviewed this offline, and I think the behavior currently in main is correct. Provides and requires are include both a plain and a with extras variant as appropriate, like mashumaro and mashumaro[orjson], and this is unit tested.

[spiffcs]

No more changes needed for this PR then and we are 🟢 ❤️