When writing package references in varying case they get listed twice by analyzer #9741

Open
cz-dev-ge opened this issue Jan 14, 2025 · 2 comments
Labels
analyzer About the analyzer tool bug Issues that are considered to be bugs

Comments

@cz-dev-ge
Contributor

cz-dev-ge commented Jan 14, 2025

Describe the bug

When using central package management in .NET/C# and using different casing when writing package names, they get listed twice - once with and once without version number:

<!-- Directory.Packages.props -->
<Project>
    <PropertyGroup>
        <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    </PropertyGroup>
    <ItemGroup Label="Dependencies">
        <PackageVersion Include="ncrontab.signed" Version="3.3.3" />
    </ItemGroup>
</Project>

<!-- ORT1.csproj -->
<Project Sdk="Microsoft.NET.Sdk">

    <PropertyGroup>
        <OutputType>Exe</OutputType>
        <TargetFramework>net9.0</TargetFramework>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
    </PropertyGroup>

    <ItemGroup>
      <PackageReference Include="NCrontab.Signed" />
    </ItemGroup>

</Project>

To Reproduce

Steps to reproduce the behavior:

  1. unpack the attached minimal example
  2. run dotnet restore in the directory with the .sln
  3. scan project with ort analyze -i ~/dev/ORT1 -f JSON -o ~/results
  4. see error

Expected behavior

Package is listed only once.

Console / log output

Add console and / or log output that shows the error and additional context.
No screenshots of plain text please, to keep text searchable.

Running scan of: /home/user/dev/ORT1/ORT1.csproj with fallback: False
  Using project.assets.json lockfile at: /home/user/dev/ORT1/obj/project.assets.json
LockFile: NuGet.ProjectModel.LockFile
LockFile.Path: /home/user/dev/ORT1/obj/project.assets.json
[...skipping 15 lines...]
ProjectScanner > FetchDependenciesMetadata |nuget NCrontab.Signed
ProjectScanner > FetchDependenciesMetadata |nuget NCrontab.Signed
      Fetching package metadata for: NCrontab.Signed.3.3.3
      Fetching package metadata for: NCrontab.Signed.3.3.3

< ... truncated ... >

Scan completed with Errors or Warnings: JSON file created at: /tmp/ort-NuGetInspector2946731004305336106/nuget-inspector13806836367627266407.json

ERRORS at the dependencies level:
    ERRORS for dependency: NCrontab.Signed@ with purl:
    ERROR: ERROR: Cannot fetch remote metadata: Name or version cannot be empty

Environment

Or manually specify:

  • ORT version: 44.0.0
  • Java version: OpenJdk-21
  • OS: GNU/Linux (Ubuntu 24.04)

ORT1.zip

@cz-dev-ge cz-dev-ge added bug Issues that are considered to be bugs to triage Issues that need triaging labels Jan 14, 2025
@sschuberth sschuberth added analyzer About the analyzer tool bug Issues that are considered to be bugs and removed bug Issues that are considered to be bugs to triage Issues that need triaging labels Jan 14, 2025
@sschuberth
Member

  1. unpack the appended minimal example

Is this yet missing?

JSON file created at: /tmp/ort-NuGetInspector2946731004305336106/nuget-inspector13806836367627266407.json

Would you also be able to attach that file?

@cz-dev-ge
Contributor Author

cz-dev-ge commented Jan 14, 2025

  1. unpack the appended minimal example

Is this yet missing?

JSON file created at: /tmp/ort-NuGetInspector2946731004305336106/nuget-inspector13806836367627266407.json

Would you also be able to attach that file?

Unfortunately not. It gets deleted. I'll try to stop there.

PS: It might be that the cause is slightly different than I thought. It might happen instead if the reference is different in case from the actual package's name as seen on nuget.org.

PS: Potentially related to #9417?
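
A pre-scan check for the situation reported in this issue, as an added example that is not part of the thread and is not ORT or nuget-inspector code. It assumes SDK-style project files without an XML namespace, central package management, and NuGet's case-insensitive matching of package IDs; the function names and the embedded sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input mirroring the two files in the report.
PROPS = """<Project>
  <ItemGroup>
    <PackageVersion Include="ncrontab.signed" Version="3.3.3" />
  </ItemGroup>
</Project>"""
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="NCrontab.Signed" />
  </ItemGroup>
</Project>"""


def central_versions(props_xml):
    """Map lower-cased package ID -> (ID as written, version)."""
    root = ET.fromstring(props_xml)
    return {e.get("Include").lower(): (e.get("Include"), e.get("Version"))
            for e in root.iter("PackageVersion") if e.get("Include")}


def resolve_references(csproj_xml, props_xml):
    """Resolve every PackageReference against the central versions, ignoring case.

    Returns (resolved, findings). resolved maps the lower-cased ID to its
    version (None if no central entry exists), so each package appears once.
    findings lists IDs whose spelling differs between the two files and
    references that would end up without a version.
    """
    central = central_versions(props_xml)
    resolved, findings = {}, []
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        name = ref.get("Include")
        if not name:
            continue
        key = name.lower()  # assumption: IDs are compared case-insensitively
        written, version = central.get(key, (None, None))
        if written is not None and written != name:
            findings.append(f"case mismatch: {name!r} vs {written!r}")
        if version is None:
            findings.append(f"no version for {name!r}")
        resolved[key] = version
    return resolved, findings


if __name__ == "__main__":
    print(resolve_references(CSPROJ, PROPS))
```

Running such a check before the analyzer makes a differently cased reference visible up front, instead of surfacing later as a second, versionless entry in the dependency list.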
