
Inconsistent package identifier format for vulnerabilities in the Swift ecosystem #3333

Closed
@fviernau

Description


The vulnerability data has been imported to osv.dev, where I observed the issue which I filed
here: google/osv.dev#1923. Here's the copied description:


Looking at the vulnerabilities linked to SwiftURL packages [1], it seems that there
are multiple variants of how the canonical package name is constructed:

  1. SwiftURL/https://github.com/grpc/grpc-swift.git
  2. SwiftURL/https://github.com/apple/swift-nio-http2.git
  3. SwiftURL/github.com/vapor/leaf-kit

In SwiftPM a canonical name is derived using some normalization which
includes amongst others:

  1. Dropping .git suffix
  2. Dropping the protocol
  3. Lowercasing
  4. Dropping port, and user info

...see also [2]. Should osv.dev normalize the IDs of the packages and specify the normalization, so that
it is straightforward to craft a query to obtain vulnerabilities for a specific Swift package?

[1] https://osv.dev/list?ecosystem=SwiftURL&q=
[2] https://github.com/apple/swift-package-manager/blob/24bfdd180afdf78160e7a2f6f6deb2c8249d40d3/Sources/PackageModel/PackageIdentity.swift#L345
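As an added illustration (not code from osv.dev, SwiftPM or the issue author), the snippet below applies the four normalization steps listed above to the three `SwiftURL/` identifier variants quoted in the issue, so a consumer can see that all spellings collapse to one lookup key. The `SwiftURL/` ecosystem prefix is taken from the OSV listing; the three sample identifiers are copied from the issue; the extra handling of a trailing slash and the IPv6-less authority parsing are assumptions of this example, not rules stated by the issue, and scp-style `git@host:org/repo` locations are deliberately not handled.

```python
ECOSYSTEM_PREFIX = "SwiftURL/"

# Constructed sample input: the three identifier variants quoted in the issue.
SAMPLE_IDS = [
    "SwiftURL/https://github.com/grpc/grpc-swift.git",
    "SwiftURL/https://github.com/apple/swift-nio-http2.git",
    "SwiftURL/github.com/vapor/leaf-kit",
]


def canonical_location(location: str) -> str:
    """Normalize a package location the way the issue describes SwiftPM doing it:
    drop the protocol, drop user info and port, lowercase, drop the .git suffix.
    Trailing-slash removal is an addition of this example (assumption)."""
    loc = location.strip()
    # Step 2: drop the protocol / scheme ("https://", "ssh://", "git://", ...).
    if "://" in loc:
        loc = loc.split("://", 1)[1]
    # Separate the authority (user@host:port) from the repository path.
    authority, sep, path = loc.partition("/")
    # Step 4: drop user info ("user:password@") and the port (":443").
    # Assumes a plain host name; bracketed IPv6 literals are not handled here.
    authority = authority.rsplit("@", 1)[-1]
    authority = authority.split(":", 1)[0]
    loc = authority + sep + path
    # Step 3: lowercase the whole identifier.
    loc = loc.lower()
    # Drop trailing slashes before inspecting the suffix (assumption, see above).
    loc = loc.rstrip("/")
    # Step 1: drop the ".git" suffix.
    if loc.endswith(".git"):
        loc = loc[: -len(".git")]
    return loc


def normalize_osv_id(package_id: str) -> str:
    """Normalize an OSV package name of the form 'SwiftURL/<location>'.
    The ecosystem prefix is kept verbatim; only the location is canonicalized."""
    if not package_id.startswith(ECOSYSTEM_PREFIX):
        raise ValueError(f"not a SwiftURL package id: {package_id!r}")
    return ECOSYSTEM_PREFIX + canonical_location(package_id[len(ECOSYSTEM_PREFIX):])


def same_package(a: str, b: str) -> bool:
    """True when two differently spelled identifiers denote the same package."""
    return normalize_osv_id(a) == normalize_osv_id(b)


def group_by_canonical(ids):
    """Group raw identifiers by their canonical form; one key per real package."""
    groups = {}
    for pid in ids:
        groups.setdefault(normalize_osv_id(pid), []).append(pid)
    return groups


if __name__ == "__main__":
    for key, members in group_by_canonical(SAMPLE_IDS).items():
        print(key, "<-", members)
```

A vulnerability consumer would run its own manifest URL through `normalize_osv_id` before querying, and a data importer would do the same on every record it ingests; that way a dependency declared as `https://github.com/grpc/grpc-swift.git` still matches an advisory stored under `github.com/grpc/grpc-swift`, instead of being silently missed because the spellings differ.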
