Canonicalize versions from PyPI API (#263)

* Canonicalize versions from PyPI API * CHANGELOG: record changes * CHANGELOG: fix Co-authored-by: William Woodruff <[email protected]>
pypa · May 2, 2022 · 0decb8d · 0decb8d
1 parent 0bb6c9a
commit 0decb8d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,11 @@ All versions prior to 0.0.9 are untracked.
   a file to write output to. The default behavior of writing to `stdout`
   is unchanged ([#262](https://github.com/trailofbits/pip-audit/pull/262))
 
+### Fixed
+
+* Vulnerability sources: A bug caused by insufficient version normalization
+  was fixed ([#263](https://github.com/trailofbits/pip-audit/pull/263))
+
 ## [2.1.1] - 2022-03-29
 
 ### Fixed

diff --git a/pip_audit/_service/pypi.py b/pip_audit/_service/pypi.py
@@ -72,8 +72,8 @@ def query(self, spec: Dependency) -> Tuple[Dependency, List[VulnerabilityResult]
 
         # If the dependency has a hash explicitly listed, check it against the PyPI data
         if spec.hashes:
-            releases = response_json["releases"]
-            release = releases.get(str(spec.version))
+            releases = {Version(k): v for k, v in response_json["releases"].items()}
+            release = releases.get(spec.version)
             if release is None:
                 raise ServiceError(
                     "Could not find release to compare hashes: "