From 48725d9a1fc4a9b6af82ddfe2e0cd30d67609f5e Mon Sep 17 00:00:00 2001 From: Carl Flottmann Date: Fri, 6 Dec 2024 09:35:47 +1000 Subject: [PATCH] refactor: inspector link now generated using standard in pypi inspector source code --- .../pypi_heuristics/metadata/wheel_absence.py | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/src/macaron/malware_analyzer/pypi_heuristics/metadata/wheel_absence.py b/src/macaron/malware_analyzer/pypi_heuristics/metadata/wheel_absence.py index 450093465..6108ae50f 100644 --- a/src/macaron/malware_analyzer/pypi_heuristics/metadata/wheel_absence.py +++ b/src/macaron/malware_analyzer/pypi_heuristics/metadata/wheel_absence.py @@ -24,8 +24,10 @@ class WheelAbsenceAnalyzer(BaseHeuristicAnalyzer): """ WHEEL: str = "bdist_wheel" - INSPECTOR_PREFIX = "https://inspector.pypi.io/project/" - PYPI_PREFIX = "https://files.pythonhosted.org/" + # as per https://github.com/pypi/inspector/blob/main/inspector/main.py line 125 + INSPECTOR_TEMPLATE = ( + "https://inspector.pypi.io/project/{name}/{version}/packages/{first}/{second}/{rest}/(unknown)" + ) def __init__(self) -> None: super().__init__( 
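Review bot: The new `INSPECTOR_TEMPLATE` as rendered here ends in a literal `/(unknown)` and contains no `{filename}` placeholder, yet the call site in the second hunk formats it with a `filename=` keyword; `str.format` silently ignores unused keyword arguments, so if this is what the source really contains (rather than an extraction artifact) every generated link ends in `/(unknown)` and the HEAD check will report a missing wheel for every release. If so, the final path segment should read `{filename}` so the template matches the six named arguments passed to `format`. Separately, the comment cites `main.py line 125` on the `main` branch, a reference that will drift as upstream changes; a permalink pinned to a commit (`https://github.com/pypi/inspector/blob/<sha>/inspector/main.py#L125`) keeps the claimed URL layout verifiable. The `WheelAbsenceAnalyzer` class body continues outside this hunk.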
@@ -81,16 +83,21 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes logger.debug(error_msg) raise HeuristicAnalyzerValueError(error_msg) - # include the pypi inspector link, which uses the same suffix of - # packages/{blake2b_256}/file_name - inspector_prefix = f"{self.INSPECTOR_PREFIX}{name.lower()}/{version}/" - inspector_link = release_metadata["url"].replace(self.PYPI_PREFIX, inspector_prefix) + blake2b_256 = release_metadata["digests"]["blake2b_256"] + inspector_link = self.INSPECTOR_TEMPLATE.format( + name=name, + version=version, + first=blake2b_256[0:2], + second=blake2b_256[2:4], + rest=blake2b_256[4:], + filename=release_metadata["filename"], + ) # use a head request because we don't care about the response contents if send_head_http_raw(inspector_link) is None: - inspector_link = None - - inspector_links.append(inspector_link) + inspector_links.append(None) + else: + inspector_links.append(inspector_link) except KeyError as error: error_msg = f"The version {version} is not available as a release."
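Review bot: A `KeyError` raised by the new `release_metadata["digests"]["blake2b_256"]` or `release_metadata["filename"]` lookups is caught by the `except KeyError` handler at the end of the hunk, whose message claims the version is not available as a release, so a release that merely lacks a digest would be misreported; at minimum include the failing key, e.g. `error_msg = f"The version {version} is not available as a release or lacks required metadata ({error})."`. The digest is sliced into `{first}/{second}/{rest}` without checking it is the 64-character hex string that layout assumes, and `filename` (chosen by the uploader) is inserted unencoded where the removed code reused PyPI's already-encoded `url`; a guard such as `if len(blake2b_256) != 64 or not all(c in "0123456789abcdef" for c in blake2b_256): raise HeuristicAnalyzerValueError(...)` plus `urllib.parse.quote(release_metadata["filename"], safe="")` (import it if not already in scope) keeps the HEAD request on the intended inspector path. The removed code lower-cased `name` for the inspector path while the new code passes it as-is; whether inspector normalizes project names is not visible here, so confirm against the referenced inspector source or keep `name.lower()`. `analyze` begins before this hunk, so the loop and `try` structure around these lines is only partly visible.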