Support custom Artifactory repositories for package metadata

voidpetal · voidpetal · commit e5ddeeb7dbe6 · 2026-03-11T14:35:03.000+01:00
When using --index-url with a custom Artifactory repository, dependency resolution works but the packages array comes back empty. This happens because get_pypi_data_from_purl() hardcodes https://pypi.org/pypi for the JSON API endpoint. Internal packages that don't exist on PyPI.org return 404 and are silently skipped. Changes: - Try each repo's JSON API endpoint (converting /simple to /pypi) before falling back to PyPI.org - Match distribution files by filename instead of full URL, since paths can differ between Simple API and JSON API endpoints Signed-off-by: Kai Hodžić <hodzic.e.k@outlook.com>
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -7,6 +7,8 @@ v0.15.0
 - Drop support for python3.9 and add support for python3.14
 - Ensure that cached file is not empty before use https://github.com/aboutcode-org/python-inspector/pull/251
 - Filter out empty values from install_requires https://github.com/aboutcode-org/python-inspector/pull/250
+- Support custom Artifactory repositories for package metadata by trying each
+  repo's JSON API endpoint before falling back to PyPI.org
 
 v0.14.4
 -----------
diff --git a/src/python_inspector/package_data.py b/src/python_inspector/package_data.py
@@ -9,9 +9,11 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
+import posixpath
 from typing import Dict
 from typing import List
 from typing import Optional
+from urllib.parse import urlparse
 
 from packageurl import PackageURL
 
@@ -43,12 +45,26 @@ async def get_pypi_data_from_purl(
     version = parsed_purl.version
     if not version:
         raise Exception("Version is not specified in the purl")
-    base_path = "https://pypi.org/pypi"
-    api_url = f"{base_path}/{name}/{version}/json"
+
+    # Build list of JSON API URLs to try: each repo's /pypi endpoint, then PyPI.org as fallback.
+    # For Artifactory, the /simple endpoint has a corresponding /pypi JSON API endpoint.
+    api_urls = []
+    for repo in repos:
+        base_path = repo.index_url.replace("/simple", "/pypi")
+        api_urls.append(f"{base_path}/{name}/{version}/json")
+    api_urls.append(f"https://pypi.org/pypi/{name}/{version}/json")
 
     from python_inspector.utils import get_response_async
 
-    response = await get_response_async(api_url)
+    # Try each API URL until one succeeds
+    response = None
+    api_url = None
+    for url in api_urls:
+        response = await get_response_async(url)
+        if response:
+            api_url = url
+            break
+
     if not response:
         return None
 
@@ -83,14 +99,22 @@ async def get_pypi_data_from_purl(
         if wheel_url:
             valid_distribution_urls.insert(0, wheel_url)
 
-    urls = {url.get("url"): url for url in response.get("urls") or []}
+    # Index by filename for matching since distribution URLs from /simple may have
+    # different paths than URLs from /pypi JSON API (especially with Artifactory)
+    urls_by_filename = {}
+    for url_entry in response.get("urls") or []:
+        entry_url = url_entry.get("url")
+        if entry_url:
+            filename = posixpath.basename(urlparse(entry_url).path)
+            urls_by_filename[filename] = url_entry
+
     # iterate over the valid distribution urls and return the first
     # one that is matching.
     for dist_url in valid_distribution_urls:
-        if dist_url not in urls:
+        filename = posixpath.basename(urlparse(dist_url).path)
+        url_data = urls_by_filename.get(filename)
+        if not url_data:
             continue
-
-        url_data = urls.get(dist_url)
         digests = url_data.get("digests") or {}
 
         return PackageData(
diff --git a/tests/data/test_get_pypi_data_from_purl_matches_by_filename-expected.json b/tests/data/test_get_pypi_data_from_purl_matches_by_filename-expected.json
@@ -0,0 +1,36 @@
+{
+  "type": "pypi",
+  "namespace": null,
+  "name": "requests",
+  "version": "2.28.0",
+  "qualifiers": {},
+  "subpath": null,
+  "primary_language": "Python",
+  "description": "",
+  "release_date": "2022-06-29T15:30:00",
+  "parties": [],
+  "keywords": [],
+  "homepage_url": "https://requests.readthedocs.io",
+  "download_url": "https://repo.example.com/simple/../packages/ab/cd/requests-2.28.0-py3-none-any.whl",
+  "size": 62500,
+  "sha1": null,
+  "md5": "789xyz",
+  "sha256": "abc123def456",
+  "sha512": null,
+  "bug_tracking_url": null,
+  "code_view_url": null,
+  "vcs_url": null,
+  "copyright": null,
+  "license_expression": "Apache-2.0",
+  "declared_license": {},
+  "notice_text": null,
+  "source_packages": [],
+  "file_references": [],
+  "extra_data": {},
+  "dependencies": [],
+  "repository_homepage_url": null,
+  "repository_download_url": null,
+  "api_data_url": "https://repo.example.com/pypi/requests/2.28.0/json",
+  "datasource_id": null,
+  "purl": "pkg:pypi/requests@2.28.0"
+}
diff --git a/tests/test_package_data.py b/tests/test_package_data.py
@@ -0,0 +1,178 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# ScanCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/python-inspector for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import os
+from unittest import mock
+
+import pytest
+from commoncode.testcase import FileDrivenTesting
+from test_cli import check_data_results
+
+from python_inspector.package_data import get_pypi_data_from_purl
+from python_inspector.utils_pypi import Environment
+from python_inspector.utils_pypi import PypiSimpleRepository
+
+test_env = FileDrivenTesting()
+test_env.test_data_dir = os.path.join(os.path.dirname(__file__), "data")
+
+
+@pytest.mark.asyncio
+@mock.patch("python_inspector.package_data.get_sdist_download_url")
+@mock.patch("python_inspector.package_data.get_wheel_download_urls")
+@mock.patch("python_inspector.utils.get_response_async")
+async def test_get_pypi_data_from_purl_tries_repos_in_order(
+    mock_get_response, mock_get_wheels, mock_get_sdist
+):
+    mock_get_sdist.return_value = None
+    mock_get_wheels.return_value = []
+
+    call_urls = []
+
+    async def track_calls(url):
+        call_urls.append(url)
+        return None
+
+    mock_get_response.side_effect = track_calls
+
+    repo1 = PypiSimpleRepository(index_url="https://repo1.example.com/simple")
+    repo2 = PypiSimpleRepository(index_url="https://repo2.example.com/simple")
+    env = Environment(python_version="310", operating_system="linux")
+
+    await get_pypi_data_from_purl(
+        purl="pkg:pypi/requests@2.28.0",
+        environment=env,
+        repos=[repo1, repo2],
+        prefer_source=False,
+    )
+
+    assert call_urls == [
+        "https://repo1.example.com/pypi/requests/2.28.0/json",
+        "https://repo2.example.com/pypi/requests/2.28.0/json",
+        "https://pypi.org/pypi/requests/2.28.0/json",
+    ]
+
+
+@pytest.mark.asyncio
+@mock.patch("python_inspector.package_data.get_sdist_download_url")
+@mock.patch("python_inspector.package_data.get_wheel_download_urls")
+@mock.patch("python_inspector.utils.get_response_async")
+async def test_get_pypi_data_from_purl_stops_on_first_success(
+    mock_get_response, mock_get_wheels, mock_get_sdist
+):
+    mock_get_sdist.return_value = None
+    mock_get_wheels.return_value = []
+
+    call_urls = []
+
+    async def return_success_on_second(url):
+        call_urls.append(url)
+        if "repo2" in url:
+            return {"info": {}, "urls": []}
+        return None
+
+    mock_get_response.side_effect = return_success_on_second
+
+    repo1 = PypiSimpleRepository(index_url="https://repo1.example.com/simple")
+    repo2 = PypiSimpleRepository(index_url="https://repo2.example.com/simple")
+    env = Environment(python_version="310", operating_system="linux")
+
+    await get_pypi_data_from_purl(
+        purl="pkg:pypi/requests@2.28.0",
+        environment=env,
+        repos=[repo1, repo2],
+        prefer_source=False,
+    )
+
+    assert call_urls == [
+        "https://repo1.example.com/pypi/requests/2.28.0/json",
+        "https://repo2.example.com/pypi/requests/2.28.0/json",
+    ]
+
+
+@pytest.mark.asyncio
+@mock.patch("python_inspector.package_data.get_sdist_download_url")
+@mock.patch("python_inspector.package_data.get_wheel_download_urls")
+@mock.patch("python_inspector.utils.get_response_async")
+async def test_get_pypi_data_from_purl_falls_back_to_pypi_org(
+    mock_get_response, mock_get_wheels, mock_get_sdist
+):
+    mock_get_sdist.return_value = None
+    mock_get_wheels.return_value = []
+
+    call_urls = []
+
+    async def track_calls(url):
+        call_urls.append(url)
+        return None
+
+    mock_get_response.side_effect = track_calls
+
+    env = Environment(python_version="310", operating_system="linux")
+
+    await get_pypi_data_from_purl(
+        purl="pkg:pypi/requests@2.28.0",
+        environment=env,
+        repos=[],
+        prefer_source=False,
+    )
+
+    assert call_urls == ["https://pypi.org/pypi/requests/2.28.0/json"]
+
+
+@pytest.mark.asyncio
+@mock.patch("python_inspector.package_data.get_sdist_download_url")
+@mock.patch("python_inspector.package_data.get_wheel_download_urls")
+@mock.patch("python_inspector.utils.get_response_async")
+async def test_get_pypi_data_from_purl_matches_by_filename(
+    mock_get_response, mock_get_wheels, mock_get_sdist
+):
+    mock_get_sdist.return_value = None
+    mock_get_wheels.return_value = [
+        "https://repo.example.com/simple/../packages/ab/cd/requests-2.28.0-py3-none-any.whl"
+    ]
+
+    async def return_json_response(url):
+        if "pypi" in url:
+            return {
+                "info": {
+                    "name": "requests",
+                    "version": "2.28.0",
+                    "home_page": "https://requests.readthedocs.io",
+                    "license_expression": "Apache-2.0",
+                },
+                "urls": [
+                    {
+                        "url": "../../packages/xy/zz/requests-2.28.0-py3-none-any.whl",
+                        "digests": {"sha256": "abc123def456", "md5": "789xyz"},
+                        "size": 62500,
+                        "upload_time": "2022-06-29T15:30:00",
+                    }
+                ],
+            }
+        return None
+
+    mock_get_response.side_effect = return_json_response
+
+    repo = PypiSimpleRepository(index_url="https://repo.example.com/simple")
+    env = Environment(python_version="310", operating_system="linux")
+
+    result = await get_pypi_data_from_purl(
+        purl="pkg:pypi/requests@2.28.0",
+        environment=env,
+        repos=[repo],
+        prefer_source=False,
+    )
+
+    expected_file = test_env.get_test_loc(
+        "test_get_pypi_data_from_purl_matches_by_filename-expected.json",
+        must_exist=False,
+    )
+    check_data_results(results=result.to_dict(), expected_file=expected_file)
