Support custom Artifactory repositories for package metadata

voidpetal · voidpetal · commit c5e2dc580ee5 · 2026-03-11T15:13:46.000+01:00
When using --index-url with a custom Artifactory repository, dependency resolution works but the packages array comes back empty. This happens because get_pypi_data_from_purl() hardcodes https://pypi.org/pypi for the JSON API endpoint. Internal packages that don't exist on PyPI.org return 404 and are silently skipped. The fix includes deriving the JSON API base URL from the provided repository instead of hardcoding PyPI.org. It is also necessary to match distribution files by filename (standardized per PEP 427/491) instead of full URL, since URL paths can differ between Simple API and JSON API endpoints. Signed-off-by: Kai Hodžić <hodzic.e.k@outlook.com>
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -7,6 +7,8 @@ v0.15.0
 - Drop support for python3.9 and add support for python3.14
 - Ensure that cached file is not empty before use https://github.com/aboutcode-org/python-inspector/pull/251
 - Filter out empty values from install_requires https://github.com/aboutcode-org/python-inspector/pull/250
+- Support custom Artifactory repositories for package metadata by trying each
+  repo's JSON API endpoint before falling back to PyPI.org
 
 v0.14.4
 -----------
diff --git a/src/python_inspector/package_data.py b/src/python_inspector/package_data.py
@@ -9,9 +9,11 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
+import posixpath
 from typing import Dict
 from typing import List
 from typing import Optional
+from urllib.parse import urlparse
 
 from packageurl import PackageURL
 
@@ -43,12 +45,26 @@ async def get_pypi_data_from_purl(
     version = parsed_purl.version
     if not version:
         raise Exception("Version is not specified in the purl")
-    base_path = "https://pypi.org/pypi"
-    api_url = f"{base_path}/{name}/{version}/json"
+
+    # Build list of JSON API URLs to try: each repo's /pypi endpoint, then PyPI.org as fallback.
+    # For Artifactory, the /simple endpoint has a corresponding /pypi JSON API endpoint.
+    api_urls = []
+    for repo in repos:
+        base_path = repo.index_url.replace("/simple", "/pypi")
+        api_urls.append(f"{base_path}/{name}/{version}/json")
+    api_urls.append(f"https://pypi.org/pypi/{name}/{version}/json")
 
     from python_inspector.utils import get_response_async
 
-    response = await get_response_async(api_url)
+    # Try each API URL until one succeeds
+    response = None
+    api_url = None
+    for url in api_urls:
+        response = await get_response_async(url)
+        if response:
+            api_url = url
+            break
+
     if not response:
         return None
 
@@ -83,14 +99,22 @@ async def get_pypi_data_from_purl(
         if wheel_url:
             valid_distribution_urls.insert(0, wheel_url)
 
-    urls = {url.get("url"): url for url in response.get("urls") or []}
+    # Index by filename for matching since distribution URLs from /simple may have
+    # different paths than URLs from /pypi JSON API (especially with Artifactory)
+    urls_by_filename = {}
+    for url_entry in response.get("urls") or []:
+        entry_url = url_entry.get("url")
+        if entry_url:
+            filename = posixpath.basename(urlparse(entry_url).path)
+            urls_by_filename[filename] = url_entry
+
     # iterate over the valid distribution urls and return the first
     # one that is matching.
     for dist_url in valid_distribution_urls:
-        if dist_url not in urls:
+        filename = posixpath.basename(urlparse(dist_url).path)
+        url_data = urls_by_filename.get(filename)
+        if not url_data:
             continue
-
-        url_data = urls.get(dist_url)
         digests = url_data.get("digests") or {}
 
         return PackageData(
diff --git a/tests/data/test_get_pypi_data_from_purl_matches_by_filename-expected.json b/tests/data/test_get_pypi_data_from_purl_matches_by_filename-expected.json
@@ -0,0 +1,36 @@
+{
+  "type": "pypi",
+  "namespace": null,
+  "name": "requests",
+  "version": "2.28.0",
+  "qualifiers": {},
+  "subpath": null,
+  "primary_language": "Python",
+  "description": "",
+  "release_date": "2022-06-29T15:30:00",
+  "parties": [],
+  "keywords": [],
+  "homepage_url": "https://requests.readthedocs.io",
+  "download_url": "https://repo.example.com/simple/../packages/ab/cd/requests-2.28.0-py3-none-any.whl",
+  "size": 62500,
+  "sha1": null,
+  "md5": "789xyz",
+  "sha256": "abc123def456",
+  "sha512": null,
+  "bug_tracking_url": null,
+  "code_view_url": null,
+  "vcs_url": null,
+  "copyright": null,
+  "license_expression": "Apache-2.0",
+  "declared_license": {},
+  "notice_text": null,
+  "source_packages": [],
+  "file_references": [],
+  "extra_data": {},
+  "dependencies": [],
+  "repository_homepage_url": null,
+  "repository_download_url": null,
+  "api_data_url": "https://repo.example.com/pypi/requests/2.28.0/json",
+  "datasource_id": null,
+  "purl": "pkg:pypi/requests@2.28.0"
+}
diff --git a/tests/test_package_data.py b/tests/test_package_data.py
@@ -0,0 +1,178 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# ScanCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/python-inspector for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import os
+from unittest import mock
+
+import pytest
+from commoncode.testcase import FileDrivenTesting
+from test_cli import check_data_results
+
+from python_inspector.package_data import get_pypi_data_from_purl
+from python_inspector.utils_pypi import Environment
+from python_inspector.utils_pypi import PypiSimpleRepository
+
+test_env = FileDrivenTesting()
+test_env.test_data_dir = os.path.join(os.path.dirname(__file__), "data")
+
+
+@pytest.mark.asyncio
+@mock.patch("python_inspector.package_data.get_sdist_download_url")
+@mock.patch("python_inspector.package_data.get_wheel_download_urls")
+@mock.patch("python_inspector.utils.get_response_async")
+async def test_get_pypi_data_from_purl_tries_repos_in_order(
+    mock_get_response, mock_get_wheels, mock_get_sdist
+):
+    mock_get_sdist.return_value = None
+    mock_get_wheels.return_value = []
+
+    call_urls = []
+
+    async def track_calls(url):
+        call_urls.append(url)
+        return None
+
+    mock_get_response.side_effect = track_calls
+
+    repo1 = PypiSimpleRepository(index_url="https://repo1.example.com/simple")
+    repo2 = PypiSimpleRepository(index_url="https://repo2.example.com/simple")
+    env = Environment(python_version="310", operating_system="linux")
+
+    await get_pypi_data_from_purl(
+        purl="pkg:pypi/requests@2.28.0",
+        environment=env,
+        repos=[repo1, repo2],
+        prefer_source=False,
+    )
+
+    assert call_urls == [
+        "https://repo1.example.com/pypi/requests/2.28.0/json",
+        "https://repo2.example.com/pypi/requests/2.28.0/json",
+        "https://pypi.org/pypi/requests/2.28.0/json",
+    ]
+
+
+@pytest.mark.asyncio
+@mock.patch("python_inspector.package_data.get_sdist_download_url")
+@mock.patch("python_inspector.package_data.get_wheel_download_urls")
+@mock.patch("python_inspector.utils.get_response_async")
+async def test_get_pypi_data_from_purl_stops_on_first_success(
+    mock_get_response, mock_get_wheels, mock_get_sdist
+):
+    mock_get_sdist.return_value = None
+    mock_get_wheels.return_value = []
+
+    call_urls = []
+
+    async def return_success_on_second(url):
+        call_urls.append(url)
+        if "repo2" in url:
+            return {"info": {}, "urls": []}
+        return None
+
+    mock_get_response.side_effect = return_success_on_second
+
+    repo1 = PypiSimpleRepository(index_url="https://repo1.example.com/simple")
+    repo2 = PypiSimpleRepository(index_url="https://repo2.example.com/simple")
+    env = Environment(python_version="310", operating_system="linux")
+
+    await get_pypi_data_from_purl(
+        purl="pkg:pypi/requests@2.28.0",
+        environment=env,
+        repos=[repo1, repo2],
+        prefer_source=False,
+    )
+
+    assert call_urls == [
+        "https://repo1.example.com/pypi/requests/2.28.0/json",
+        "https://repo2.example.com/pypi/requests/2.28.0/json",
+    ]
+
+
+@pytest.mark.asyncio
+@mock.patch("python_inspector.package_data.get_sdist_download_url")
+@mock.patch("python_inspector.package_data.get_wheel_download_urls")
+@mock.patch("python_inspector.utils.get_response_async")
+async def test_get_pypi_data_from_purl_falls_back_to_pypi_org(
+    mock_get_response, mock_get_wheels, mock_get_sdist
+):
+    mock_get_sdist.return_value = None
+    mock_get_wheels.return_value = []
+
+    call_urls = []
+
+    async def track_calls(url):
+        call_urls.append(url)
+        return None
+
+    mock_get_response.side_effect = track_calls
+
+    env = Environment(python_version="310", operating_system="linux")
+
+    await get_pypi_data_from_purl(
+        purl="pkg:pypi/requests@2.28.0",
+        environment=env,
+        repos=[],
+        prefer_source=False,
+    )
+
+    assert call_urls == ["https://pypi.org/pypi/requests/2.28.0/json"]
+
+
+@pytest.mark.asyncio
+@mock.patch("python_inspector.package_data.get_sdist_download_url")
+@mock.patch("python_inspector.package_data.get_wheel_download_urls")
+@mock.patch("python_inspector.utils.get_response_async")
+async def test_get_pypi_data_from_purl_matches_by_filename(
+    mock_get_response, mock_get_wheels, mock_get_sdist
+):
+    mock_get_sdist.return_value = None
+    mock_get_wheels.return_value = [
+        "https://repo.example.com/simple/../packages/ab/cd/requests-2.28.0-py3-none-any.whl"
+    ]
+
+    async def return_json_response(url):
+        if "pypi" in url:
+            return {
+                "info": {
+                    "name": "requests",
+                    "version": "2.28.0",
+                    "home_page": "https://requests.readthedocs.io",
+                    "license_expression": "Apache-2.0",
+                },
+                "urls": [
+                    {
+                        "url": "../../packages/xy/zz/requests-2.28.0-py3-none-any.whl",
+                        "digests": {"sha256": "abc123def456", "md5": "789xyz"},
+                        "size": 62500,
+                        "upload_time": "2022-06-29T15:30:00",
+                    }
+                ],
+            }
+        return None
+
+    mock_get_response.side_effect = return_json_response
+
+    repo = PypiSimpleRepository(index_url="https://repo.example.com/simple")
+    env = Environment(python_version="310", operating_system="linux")
+
+    result = await get_pypi_data_from_purl(
+        purl="pkg:pypi/requests@2.28.0",
+        environment=env,
+        repos=[repo],
+        prefer_source=False,
+    )
+
+    expected_file = test_env.get_test_loc(
+        "test_get_pypi_data_from_purl_matches_by_filename-expected.json",
+        must_exist=False,
+    )
+    check_data_results(results=result.to_dict(), expected_file=expected_file)
