chore: use correct path to sha256 hash for versioned pypi asset

benmss · benmss · commit 4be1f9dfa441 · 2025-05-19T15:30:22.000+10:00
Signed-off-by: Ben Selwyn-Smith &lt;benselwynsmith@googlemail.com&gt;
diff --git a/src/macaron/slsa_analyzer/package_registry/pypi_registry.py b/src/macaron/slsa_analyzer/package_registry/pypi_registry.py
@@ -592,7 +592,7 @@ def get_sha256(self) -> str | None:
             artifact_hash = json_extract(self.package_json, ["urls", 0, "digests", "sha256"], str)
         else:
             artifact_hash = json_extract(
-                self.package_json, ["releases", self.component_version, "digests", "sha256"], str
+                self.package_json, ["releases", self.component_version, 0, "digests", "sha256"], str
             )
         logger.debug("Found sha256 hash: %s", artifact_hash)
         return artifact_hash

Original file line number	Diff line number	Diff line change
`@@ -592,7 +592,7 @@ def get_sha256(self) -> str \| None:`
`592`	`592`	`artifact_hash = json_extract(self.package_json, ["urls", 0, "digests", "sha256"], str)`
`593`	`593`	`else:`
`594`	`594`	`artifact_hash = json_extract(`
`595`		`- self.package_json, ["releases", self.component_version, "digests", "sha256"], str`
	`595`	`+ self.package_json, ["releases", self.component_version, 0, "digests", "sha256"], str`
`596`	`596`	`)`
`597`	`597`	`logger.debug("Found sha256 hash: %s", artifact_hash)`
`598`	`598`	`return artifact_hash`