Add source artifact metadata to extra_data

voidpetal · voidpetal · commit 6df7fab34ec7 · 2026-05-28T16:16:33.000+02:00
Extract sdist URL, hash, and filename from PyPI response and include
in extra_data.source_artifact for downstream consumers that need
source distribution information.

Signed-off-by: Kai Hodžić &lt;hodzic.e.k@outlook.com&gt;
diff --git a/src/python_inspector/package_data.py b/src/python_inspector/package_data.py
@@ -30,6 +30,20 @@
 from python_inspector.utils_pypi import PypiSimpleRepository
 
 
+def get_sdist_from_urls(urls: list) -> Optional[dict]:
+    """Extract source distribution info from PyPI urls array."""
+    for entry in urls or []:
+        if entry.get("packagetype") == "sdist":
+            return {
+                "url": entry.get("url", ""),
+                "sha256": entry.get("digests", {}).get("sha256", ""),
+                "md5": entry.get("digests", {}).get("md5") or entry.get("md5_digest", ""),
+                "size": entry.get("size"),
+                "filename": entry.get("filename", ""),
+            }
+    return None
+
+
 async def get_pypi_data_from_purl(
     purl: str,
     environment: Environment,
@@ -88,6 +102,7 @@ async def get_pypi_data_from_purl(
     if not response:
         return None
 
+    sdist_info = get_sdist_from_urls(response.get("urls", []))
     homepage_url = info.get("home_page")
     project_urls = info.get("project_urls") or {}
     code_view_url = get_pypi_codeview_url(project_urls)
@@ -202,6 +217,7 @@ def remove_credentials_from_url(url: str):
             api_data_url=remove_credentials_from_url(api_url),
             bug_tracking_url=bug_tracking_url,
             code_view_url=code_view_url,
+            extra_data={"source_artifact": sdist_info} if sdist_info else {},
             vcs_url=vcs_url,
             license_expression=info.get("license_expression"),
             declared_license=get_declared_license(info),
