pip_audit/dependency_source: match candidate names against project

pip_audit/_dependency_source/resolvelib/pypi_provider.py

@@ -310,6 +310,13 @@ def find_matches(self, identifier, requirements, incompatibilities):
                 )
                 if candidate.version not in bad_versions
                 and all(candidate.version in r.specifier for r in requirements)
+                # HACK(ww): Additionally check that each candidate's name matches the
+                # expected project name (identifier).
+                # This technically shouldn't be required, but parsing distribution names
+                # from package indices is imprecise/unreliable when distribution filenames
+                # are PEP 440 compliant but not normalized.
+                # See: https://github.com/pypa/packaging/issues/527
+                and candidate.name == identifier
             ],
             key=attrgetter("version", "is_wheel"),
             reverse=True,