codeaudit 1.4.0__tar.gz → 1.4.1__tar.gz

{codeaudit-1.4.0 → codeaudit-1.4.1}/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Change Log
 
+## Version 1.4.1: Bug fixes
+
+🚀 New Features & Enhancements
+* Remote PyPI Auditing: The codeaudit overview command now supports packages hosted directly on PyPI.org.
+
+
+🛠 Bug Fixes
+* Improved sdist Resilience: Enhanced error handling for scenarios where a package exists on PyPI but a source distribution (sdist) is unavailable. 
+
+
+📝 Documentation & UI Updates
+* CLI Improvements: Refined terminal text and messaging for better clarity during operation.
+* Manual Update: The user manual has been updated to reflect new command capabilities and workflows.
+
+
 ## Version 1.4: Changes and Updates
 
 

{codeaudit-1.4.0 → codeaudit-1.4.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.4.0
+Version: 1.4.1
 Summary: Simplified static security checks for Python 
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues
@@ -74,17 +74,12 @@ Python Code Audit has the following features:
 
 ## Installation
 
-```console
-pip install codeaudit
-```
-
-or use:
-
 ```console
 pip install -U codeaudit
 ```
 
-If you have installed Python `codeaudit` in the past and want to make sure you use the latest new validations and features.
+If you have installed **Python Code Audit** previously and want to ensure you are using the latest validations and features, simply run this command again. Python Code Audit is frequently updated with new checks.
+
 
 ## Usage
 
@@ -106,34 +101,33 @@ This will show all commands:
 Python Code Audit - A modern Python security source code analyzer based on distrust.
 
 Commands to evaluate Python source code:
-Usage: codeaudit COMMAND [PATH or FILE]  [OUTPUTFILE] 
+Usage: codeaudit COMMAND <directory|package>  [report.html] 
 
-Depending on the command, a directory or file name must be specified. The output is a static HTML file to be examined in a browser. Specifying a name for the output file is optional.
+Depending on the command, you must specify a local directory, a Python file, or a package name hosted on PyPI.org.Reporting: The results are generated as a static HTML report for viewing in a web browser.
 
 Commands:
-  overview             Reports Complexity and statistics per Python file from a directory.
-  filescan             Scans Python files or directories(packages) for vulnerabilities and reports potential issues.
+  overview             Reports complexity and security statistics of a Python project or package on PyPI.org.
+  filescan             Scans Python code or packages on PyPI.org for security weaknesses.
   modulescan           Reports module vulnerability information.
   checks               Creates an HTML report of all implemented security checks.
   version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
 
 Use the Codeaudit documentation to check the security of Python programs and make your Python programs more secure!
 Check https://simplifysecurity.nocomplexity.com/ 
-
 ```
 
 ## Example
 
-By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **70 validations** implemented. 
+By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **80 validations** implemented. 
 
 The `codeaudit filescan` command shows all **potential** security issues that are detected in the source file in a HTML-report.
 
 Per line a the in construct that can cause a security risks is shown, along with the relevant code lines where the issue is detected.
 
-To scan a Python file on possible security issues, do:
+To scan a Python package on PyPI.org on possible security issues, do:
 
 ```bash
-codeaudit filescan ../codeaudit/tests/validationfiles/allshit.py 
+codeaudit filescan <package-name> [reportname.html]
 
 =====================================================================
 Codeaudit report file created!

{codeaudit-1.4.0 → codeaudit-1.4.1}/README.md

@@ -46,17 +46,12 @@ Python Code Audit has the following features:
 
 ## Installation
 
-```console
-pip install codeaudit
-```
-
-or use:
-
 ```console
 pip install -U codeaudit
 ```
 
-If you have installed Python `codeaudit` in the past and want to make sure you use the latest new validations and features.
+If you have installed **Python Code Audit** previously and want to ensure you are using the latest validations and features, simply run this command again. Python Code Audit is frequently updated with new checks.
+
 
 ## Usage
 
@@ -78,34 +73,33 @@ This will show all commands:
 Python Code Audit - A modern Python security source code analyzer based on distrust.
 
 Commands to evaluate Python source code:
-Usage: codeaudit COMMAND [PATH or FILE]  [OUTPUTFILE] 
+Usage: codeaudit COMMAND <directory|package>  [report.html] 
 
-Depending on the command, a directory or file name must be specified. The output is a static HTML file to be examined in a browser. Specifying a name for the output file is optional.
+Depending on the command, you must specify a local directory, a Python file, or a package name hosted on PyPI.org.Reporting: The results are generated as a static HTML report for viewing in a web browser.
 
 Commands:
-  overview             Reports Complexity and statistics per Python file from a directory.
-  filescan             Scans Python files or directories(packages) for vulnerabilities and reports potential issues.
+  overview             Reports complexity and security statistics of a Python project or package on PyPI.org.
+  filescan             Scans Python code or packages on PyPI.org for security weaknesses.
   modulescan           Reports module vulnerability information.
   checks               Creates an HTML report of all implemented security checks.
   version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
 
 Use the Codeaudit documentation to check the security of Python programs and make your Python programs more secure!
 Check https://simplifysecurity.nocomplexity.com/ 
-
 ```
 
 ## Example
 
-By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **70 validations** implemented. 
+By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **80 validations** implemented. 
 
 The `codeaudit filescan` command shows all **potential** security issues that are detected in the source file in a HTML-report.
 
 Per line a the in construct that can cause a security risks is shown, along with the relevant code lines where the issue is detected.
 
-To scan a Python file on possible security issues, do:
+To scan a Python package on PyPI.org on possible security issues, do:
 
 ```bash
-codeaudit filescan ../codeaudit/tests/validationfiles/allshit.py 
+codeaudit filescan <package-name> [reportname.html]
 
 =====================================================================
 Codeaudit report file created!

{codeaudit-1.4.0 → codeaudit-1.4.1}/docs/CLIcommands.ipynb

@@ -90,7 +90,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 16,
+   "execution_count": null,
    "id": "bf6afe56-e0f7-4fa2-a3a5-968bad11bf9c",
    "metadata": {},
    "outputs": [],
@@ -101,7 +101,7 @@
     "                \"checks\" : 'report_implemented_tests',\n",
     "               \"version\" : 'display_version'} \n",
     "for key, value in commands.items():    \n",
-    "    output += f'## Code Audit {key}\\n' # newlines matter when creating markdown\n",
+    "    output += f'## codeaudit {key}\\n' # newlines matter when creating markdown\n",
     "    output += '```text\\n' # raw display    \n",
     "    func_name = value\n",
     "    output += getattr(codeaudit, func_name).__doc__\n",

{codeaudit-1.4.0 → codeaudit-1.4.1}/docs/codeauditcommands.md

@@ -1,6 +1,6 @@
 % THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!
 # Commands Overview
-Python Code Audit commands for: version: 1.3.0
+Python Code Audit commands for: version: 1.4.0
 ```
 ----------------------------------------------------
  _                    __             _             
@@ -11,13 +11,13 @@ Python Code Audit commands for: version: 1.3.0
 Python Code Audit - A modern Python security source code analyzer based on distrust.
 
 Commands to evaluate Python source code:
-Usage: codeaudit COMMAND [PATH or FILE]  [OUTPUTFILE] 
+Usage: codeaudit COMMAND <directory|package>  [report.html] 
 
-Depending on the command, a directory or file name must be specified. The output is a static HTML file to be examined in a browser. Specifying a name for the output file is optional.
+Depending on the command, you must specify a local directory, a Python file, or a package name hosted on PyPI.org.Reporting: The results are generated as a static HTML report for viewing in a web browser.
 
 Commands:
-  overview             Reports complexity and statistics for Python files in a project directory.
-  filescan             Scans Python code or packages on PyPI.org on security weaknesses.
+  overview             Reports complexity and security statistics of a Python project or package on PyPI.org.
+  filescan             Scans Python code or packages on PyPI.org for security weaknesses.
   modulescan           Reports module vulnerability information.
   checks               Creates an HTML report of all implemented security checks.
   version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
@@ -26,9 +26,9 @@ Use the Codeaudit documentation to check the security of Python programs and mak
 Check https://simplifysecurity.nocomplexity.com/ 
 
 ```
-## Code Audit overview
+## codeaudit overview
 ```text
-Reports complexity and statistics for Python files in a project directory.
+Reports complexity and security statistics of a Python project or package on PyPI.org.
 
 Parameters:
     directory (str): Path to the directory to scan.
@@ -44,7 +44,7 @@ or repr(object).
 encoding defaults to 'utf-8'.
 errors defaults to 'strict'.
 ```
-## Code Audit modulescan
+## codeaudit modulescan
 ```text
 Reports module vulnerability information.str(object='') -> str
 str(bytes_or_buffer[, encoding[, errors]]) -> str
@@ -57,9 +57,9 @@ or repr(object).
 encoding defaults to 'utf-8'.
 errors defaults to 'strict'.
 ```
-## Code Audit filescan
+## codeaudit filescan
 ```text
-Scans Python code or packages on PyPI.org on security weaknesses.
+Scans Python code or packages on PyPI.org for security weaknesses.
     
 This function performs security validations on the specified file or directory, 
 formats the results into an HTML report, and writes the output to an HTML file. 
@@ -84,7 +84,7 @@ or repr(object).
 encoding defaults to 'utf-8'.
 errors defaults to 'strict'.
 ```
-## Code Audit checks
+## codeaudit checks
 ```text
 
 Creates an HTML report of all implemented security checks.
@@ -115,7 +115,7 @@ or repr(object).
 encoding defaults to 'utf-8'.
 errors defaults to 'strict'.
 ```
-## Code Audit version
+## codeaudit version
 ```text
 Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].str(object='') -> str
 str(bytes_or_buffer[, encoding[, errors]]) -> str

{codeaudit-1.4.0 → codeaudit-1.4.1}/docs/codeauditoverview.md

@@ -1,12 +1,23 @@
 
 # Command `codeaudit overview`
 
-The command:
 
+
+Use this command to generate a quick security relevant assessment of a Python project or package. It provides an overview of important security metrics for the project.
+
+Usage
+```Bash
+codeaudit overview <package-path|package-name> [report-name.html]
 ```
-codeaudit overview
-```
-is created to give a quick insights in possible security concerns.
+
+Arguments:
+* `<package-path|package-name>` (Required)
+Specify either a local directory containing Python files or the name of a Python package hosted on PyPI.org.
+
+* `[report-name.html]` (Optional)
+The filename for the generated security report. If omitted, the tool will use a default filename. If you provide a custom name, ensure it ends with the `.html` extension.
+
+
 
 For every Python file the following **security** relevant statistics are determined:
 

{codeaudit-1.4.0 → codeaudit-1.4.1}/docs/examples/demoscan.json

@@ -1,7 +1,7 @@
 {
   "name": "Python_Code_Audit",
-  "version": "1.3.0",
-  "generated_on": "2025-12-13 15:38",
+  "version": "1.4.0",
+  "generated_on": "2025-12-23 16:15",
   "file_security_info": {
     "0": {
       "FileName": "demofile.py",

{codeaudit-1.4.0 → codeaudit-1.4.1}/docs/intro.md

@@ -73,7 +73,7 @@ The availability of good, maintained FOSS SAST tools for Python is limited. Whil
 :::{note}
 This `Python Code Audit` tool is built to be fast, lightweight, and easy to use.
 
-By default, the tool scans Python code against more than **70 rules** to detect potential security vulnerabilities. These rules target unsafe constructs of the standard Python libraries that could pose a security risk. 
+By default, the tool scans Python code against more than **80 rules** to detect potential security vulnerabilities. These rules target unsafe constructs of the standard Python libraries that could pose a security risk. 
 
 :::
 

{codeaudit-1.4.0 → codeaudit-1.4.1}/docs/whysast.md

@@ -79,9 +79,9 @@ Static application security testing (SAST) tools , like this [**Python Code Audi
 :::
 
  
-[**Python Code Audit**](https://nocomplexity.com/codeaudit/)  is specifically designed for Python codebases. It is tailored to Python’s syntax and unique constructs, enabling it to identify potential security issues effectively.
+[**Python Code Audit**](https://nocomplexity.com/codeaudit/) is designed for Python codebases. It is tailored to Python’s syntax and unique constructs, enabling it to identify potential security issues effectively.
 
-The **Python Code Audit** SAST tool is an advanced security solution that automates the review of Python source code to identify potential security vulnerabilities."
+**Python Code Audit** SAST tool is an advanced security solution that automates the review of Python source code to identify potential security vulnerabilities.
 
 At a function level, Python Code Audit makes use of a common technique to scan the Python source files by making use of **'Abstract Syntax Tree(AST)'** to do in-depth checks on possible vulnerable constructs. 
 

{codeaudit-1.4.0 → codeaudit-1.4.1}/src/codeaudit/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Maikel Mardjan <mike@bm-support.org>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-__version__ = "1.4.0"
+__version__ = "1.4.1"

{codeaudit-1.4.0 → codeaudit-1.4.1}/src/codeaudit/codeaudit.py

@@ -36,8 +36,8 @@ def display_help():
     print(codeaudit_ascii_art)
     print("Python Code Audit - A modern Python security source code analyzer based on distrust.\n")
     print("Commands to evaluate Python source code:")
-    print('Usage: codeaudit COMMAND [PATH or FILE]  [OUTPUTFILE] \n')
-    print('Depending on the command, a directory or file name must be specified. The output is a static HTML file to be examined in a browser. Specifying a name for the output file is optional.\n')
+    print('Usage: codeaudit COMMAND <directory|package>  [report.html] \n')
+    print('Depending on the command, you must specify a local directory, a Python file, or a package name hosted on PyPI.org.Reporting: The results are generated as a static HTML report for viewing in a web browser.\n')
     print('Commands:')
     commands = ["overview", "filescan", "modulescan",  "checks","version"]  # commands on CLI
     functions = [overview_report, scan_report, report_module_information, report_implemented_tests,display_version]  # Related functions relevant for help

{codeaudit-1.4.0 → codeaudit-1.4.1}/src/codeaudit/pypi_package_scan.py

@@ -51,39 +51,38 @@ def get_pypi_download_info(package_name):
     """Retrieves the sdist download URL
     Using the PyPI JSON API to get the sdist download URL (https://docs.pypi.org/api/json/)
     Note JSON API result is a nested dict with all release info published, so finding the correct sdist download URL needs logic.
-    """
-    if get_pypi_package_info(package_name) :
-        data = get_pypi_package_info(package_name)   
-        releases_dict = data['releases']
-        # Convert the key-value pairs (items) into a list and get the last one
-        last_item = list(releases_dict.items())[-1] #last_item is a Python tuple
-        sdist_download_url = find_download_url(last_item,'source') # We want the download URL of the source, so *.tar.gz file
-        release_info = last_item[0] 
-        pypi_package_info= { "download_url" : sdist_download_url ,
-                            "release" : release_info}
-        return pypi_package_info
-    else:
-        #package does not exist
-        return False
-
-def find_download_url(data, source):
-    """
-    Given the PyPI release tuple and a python_version string,
-    return the URL of the first matching item.
     """    
-    items = data[1] # Access the list of items directly via index 1 , data is a tuple    
-
-    for item in items:
-        if item.get("python_version") == source:
-            return item.get("url")
+    data = get_pypi_package_info(package_name)    
+    if not data:
+        return False
+    # Get the official "latest" version string from the API metadata
+    latest_version = data.get('info', {}).get('version')
+    if not latest_version:
+        return False
 
-    return None  # if no match found`
+    # Access the files associated with that specific version
+    releases_list = data.get('releases', {}).get(latest_version, [])
+    
+    sdist_download_url = None
+    
+    # Explicitly look for the source distribution (sdist)
+    for file_info in releases_list:
+        if file_info.get('packagetype') == 'sdist':
+            url = file_info.get('url')
+            if url and url.endswith(".tar.gz"): #PEP527 I only extract .tar.gz files, older source formats not supported.
+                sdist_download_url = url
+                break # Found it, stop looking
+
+    return {
+        "download_url": sdist_download_url,
+        "release": latest_version
+    }
 
 
 def get_package_source(url, nocxheaders=NOCX_HEADERS, nocxtimeout=10):
     """Retrieves a package source and extract so SAST scanning can be applied
     Make sure to cleanup the temporary dir!! Using e.g. `tmp_handle.cleanup()`  # deletes everything
-    """
+    """    
     try:
         request = Request(url, headers=nocxheaders or {})
         with urlopen(request, timeout=nocxtimeout) as response:

{codeaudit-1.4.0 → codeaudit-1.4.1}/src/codeaudit/reporting.py

@@ -41,24 +41,40 @@ SIMPLE_CSS_FILE = files('codeaudit') / 'simple.css'
 DEFAULT_OUTPUT_FILE = 'codeaudit-report.html'
 
 def overview_report(directory, filename=DEFAULT_OUTPUT_FILE):
-    """Reports complexity and statistics for Python files in a project directory.
+    """Reports complexity and security statistics of a Python project or package on PyPI.org.
     
     Parameters:
         directory (str): Path to the directory to scan.
         filename (str): Output filename for the HTML report.
-    """
-    if not os.path.exists(directory):
-        print(f"ERROR: Directory '{directory}' does not exist.")
-        print(f"This function only works for directories which contains one or more Python source code files (*.py). ")
-        exit(1)
-    if not os.path.isdir(directory):
-        print(f"ERROR: '{directory}' is not a directory (maybe you try to run it for a single file)")
-        print(f"This function only works for directories which contains one or more Python source code files (*.py). ")
-        exit(1)
-    #Check if the directory has Python files
-    if not has_python_files(directory):
-        print(f'Error: Directory path {directory} contains no Python files.')
-        exit(1)
+    """    
+    clean_up = False
+    if os.path.exists(directory):
+        # Check if the path is actually a directory
+        if not os.path.isdir(directory):
+            print(f"ERROR: '{directory}' is not a directory.")
+            print("This function only works for directories containing Python files (*.py).")
+            exit(1)      
+        # Check if the directory contains any .py files
+        if not has_python_files(directory):
+            print(f"ERROR: Directory '{directory}' contains no Python files.")
+            exit(1)
+    elif get_pypi_download_info(directory):
+        # If local path doesn't exist, try to treat it as a PyPI package
+        print(f"No local directory with name:{directory} found locally. Checking if package exist on PyPI...")  
+        package_name = directory #The variable input_path is now equal to the package name
+        print(f"Package: {package_name} exist on PyPI.org!")        
+        pypi_data = get_pypi_download_info(package_name)
+        url = pypi_data['download_url']
+        release = pypi_data['release']
+        if url is not None:
+            print(f'Creating Python Code Audit overview for package:\n{url}')            
+            src_dir, tmp_handle = get_package_source(url)                    
+            directory = src_dir
+            clean_up = True            
+    else:
+        # Neither a local directory nor a valid PyPI package
+        print(f"ERROR: '{directory}' is not a local directory or a valid PyPI package.")
+        exit(1)    
     result = get_statistics(directory)
     modules = total_modules(directory)    
     df = pd.DataFrame(result)
@@ -66,7 +82,11 @@ def overview_report(directory, filename=DEFAULT_OUTPUT_FILE):
     df['External-Modules'] = modules['External-Modules']
     overview_df = overview_count(df)
     html = '<h1>' + f'Python Code Audit overview report' + '</h1><br>'
-    html += f'<p>Codeaudit overview scan of the directory:<b> {directory}</b></p>' 
+    if clean_up:
+        html += f'<p>Codeaudit overview scan of package:<b> {package_name}</b></p>' 
+        html += f'<p>Version:<b>{release}</b></p>'
+    else:
+        html += f'<p>Codeaudit overview scan of the directory:<b> {directory}</b></p>' 
     html += f'<h2>Summary</h2>'
     html += overview_df.to_html(escape=True,index=False)
     html += '<br><br>'
@@ -83,6 +103,8 @@ def overview_report(directory, filename=DEFAULT_OUTPUT_FILE):
     html += '<br>'
     ## Module overview    
     modules_discovered = get_all_modules(directory)
+    if clean_up:
+        tmp_handle.cleanup() #Clean up tmp directory if overview is created directly from PyPI package
     html += '<details>' 
     html += '<summary>Click to see all discovered modules.</summary>'         
     html+=dict_to_html(modules_discovered)
@@ -107,7 +129,7 @@ def overview_report(directory, filename=DEFAULT_OUTPUT_FILE):
         
 
 def scan_report(input_path , filename=DEFAULT_OUTPUT_FILE):
-    """Scans Python code or packages on PyPI.org on security weaknesses.
+    """Scans Python code or packages on PyPI.org for security weaknesses.
         
     This function performs security validations on the specified file or directory, 
     formats the results into an HTML report, and writes the output to an HTML file. 
@@ -146,12 +168,16 @@ def scan_report(input_path , filename=DEFAULT_OUTPUT_FILE):
         pypi_data = get_pypi_download_info(package_name)
         url = pypi_data['download_url']
         release = pypi_data['release']
-        print(url)
-        print(release)
-        src_dir, tmp_handle = get_package_source(url)
-        directory_scan_report(src_dir , filename , package_name, release ) #create scan report for a package or directory
-        # Cleaning up temp directory 
-        tmp_handle.cleanup()  # deletes everything from temp directory                
+        if url is not None:
+            print(url)
+            print(release)
+            src_dir, tmp_handle = get_package_source(url)
+            directory_scan_report(src_dir , filename , package_name, release ) #create scan report for a package or directory
+            # Cleaning up temp directory 
+            tmp_handle.cleanup()  # deletes everything from temp directory
+        else:
+            print(f'Error:A source distribution (sdist in .tar.gz format) for package: {package_name} can not be found or does not exist on PyPi.org.\n')
+            print(f"Make a local git clone of the {package_name} using `git clone` and run `codeaudit filescan <directory-with-src-cloned-of-{package_name}>` to check for weaknesses.")
     else:
         #File is NOT a valid Python file, can not be parsed or directory is invalid.
         print(f"Error: '{input_path}' isn't a valid Python file, directory path to a package or a package on PyPI.org.")
@@ -235,7 +261,8 @@ def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE , pac
     name_of_package = get_filename_from_path(directory_to_scan)
     if package_name is not None:
         #Use real package name and retrieved release info
-        html += f'<p>Below the result of the Codeaudit scan of the package - Release :<b> {package_name} - {release} </b></p>'
+        html += f'<p>Below the result of the Codeaudit scan of (Package name - Release):</p>'
+        html += f'<p><b> {package_name} - {release} </b></p>'
     else:
         html += f'<p>Below the result of the Codeaudit scan of the directory:<b> {name_of_package}</b></p>' 
     html += f'<p>Total Python files found: <b>{len(files_to_check)}</b></p>'
@@ -262,6 +289,8 @@ def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE , pac
     html += '<p>The Python files with no security issues <b>detected</b> by codeaudit are:<p>'        
     html += dict_list_to_html_table(collection_ok_files)     
     html += '<br>'
+    if package_name is not None:
+        html += f'<p><b>Note:</b><i>Since this check is done on a package on PyPI.org, the temporary local directories are deleted. To examine the package in detail, you should download the sources locally and run the command:<code>codeaudit filescan</code> again.</i></p>'
     html += '<p><b>Disclaimer:</b><i>Only Python source files are taken into account for this scan. Sometimes security issues are present in configuration files, like ini,yaml or json files!</i></p>'
     html += DISCLAIMER_TEXT
     create_htmlfile(html,filename)  

codeaudit-1.4.1/tests/test_pypiscan.py

@@ -0,0 +1,69 @@
+import pytest
+
+from codeaudit.pypi_package_scan import get_pypi_download_info
+
+#Note This testfunction does NOT make real API calls to PyPI! So check if testdata is still correct in cause of errors.
+
+from unittest.mock import patch
+
+@pytest.fixture
+def mock_pypi_response():
+    """Provides a template for a successful PyPI API response."""
+    return {
+        "info": {"version": "1.2.3"},
+        "releases": {
+            "1.2.3": [
+                {
+                    "packagetype": "bdist_wheel",
+                    "url": "https://files.pythonhosted.org/package-1.2.3-py3-none-any.whl"
+                },
+                {
+                    "packagetype": "sdist",
+                    "url": "https://files.pythonhosted.org/package-1.2.3.tar.gz"
+                }
+            ]
+        }
+    }
+
+@patch('codeaudit.pypi_package_scan.get_pypi_package_info')
+def test_get_pypi_download_info_success(mock_get, mock_pypi_response):
+    """Test successful retrieval of sdist URL."""
+    mock_get.return_value = mock_pypi_response
+    
+    result = get_pypi_download_info("some-package")
+    
+    assert result["release"] == "1.2.3"
+    assert result["download_url"] == "https://files.pythonhosted.org/package-1.2.3.tar.gz"
+
+@patch('codeaudit.pypi_package_scan.get_pypi_package_info')
+def test_get_pypi_download_info_no_package(mock_get):
+    """Test behavior when the package does not exist (returns False)."""
+    mock_get.return_value = False
+    
+    result = get_pypi_download_info("non-existent-package")
+    
+    assert result is False
+
+@patch('codeaudit.pypi_package_scan.get_pypi_package_info')
+def test_get_pypi_download_info_no_sdist(mock_get, mock_pypi_response):
+    """Test when the version exists but no sdist (.tar.gz) is available."""
+    # Remove the sdist entry from the mock data
+    mock_pypi_response["releases"]["1.2.3"] = [
+        {"packagetype": "bdist_wheel", "url": "https://files...whl"}
+    ]
+    mock_get.return_value = mock_pypi_response
+    
+    result = get_pypi_download_info("some-package")
+    
+    assert result["release"] == "1.2.3"
+    assert result["download_url"] is None
+
+@patch('codeaudit.pypi_package_scan.get_pypi_package_info')
+def test_get_pypi_download_info_wrong_extension(mock_get, mock_pypi_response):
+    """Test when an sdist exists but is not a .tar.gz file."""
+    mock_pypi_response["releases"]["1.2.3"][1]["url"] = "https://files...source.zip"
+    mock_get.return_value = mock_pypi_response
+    
+    result = get_pypi_download_info("some-package")
+    
+    assert result["download_url"] is None