Universal Package Metadata Extractor - Extract metadata from various package formats

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for alkamod from gravatar.com alkamod

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Oscar Valenzuela B.
  • Maintainer: Oscar Valenzuela B.
  • Tags package , metadata , extractor , license , detection , python , npm , maven , jar , wheel , pypi
  • Requires: Python >=3.8
  • Provides-Extra: dev , ml , all
Classifiers
Report project as malware

This project has been archived.

The maintainers of this project have marked this project as archived. No new releases are expected.

Project description

UPMEX - Universal Package Metadata Extractor

Extract metadata and license information from various package formats with a single tool.

Features

Core Capabilities

  • Universal Package Support: Extract metadata from 13 package ecosystems
  • Multi-Format Detection: Automatic package type identification
  • Standardized Output: Consistent JSON structure across all formats
  • Native Extraction: No dependency on external package managers
  • High Performance: Process packages up to 500MB in under 10 seconds

Supported Ecosystems

  • Python: wheel (.whl), sdist (.tar.gz, .zip)
  • NPM/Node.js: .tgz, .tar.gz packages
  • Java/Maven: .jar, .war, .ear with POM support
  • Gradle: build.gradle, build.gradle.kts files
  • CocoaPods: .podspec, .podspec.json files
  • Conda: .conda (zip), .tar.bz2 packages
  • Perl/CPAN: .tar.gz, .zip with META.json/yml
  • Conan C/C++: conanfile.py, conanfile.txt, .tgz packages
  • Ruby Gems: .gem packages
  • Rust Crates: .crate packages
  • Go Modules: .zip archives, go.mod files
  • NuGet/.NET: .nupkg packages
  • Linux: (Planned) Debian .deb, RPM .rpm

Enhanced License Detection Engine

  • Comprehensive SPDX Support: 400+ official SPDX license texts with fuzzy matching
  • Multi-Layer Detection:
    • SPDX-License-Identifier exact matching
    • Fuzzy hash (LSH) matching against normalized license texts
    • Dice-Sørensen coefficient for similarity matching
    • Regex-based pattern matching with alias support (GPL-3.0, GPLv3, etc.)
    • Full text similarity comparison using SequenceMatcher
    • Confidence scoring (0.0-1.0) with detection method tracking
  • Smart File Discovery: Automatic LICENSE/COPYING/COPYRIGHT/NOTICE file extraction
  • Text Normalization: Removes variables, dates, and copyright notices for better matching
  • Multi-license Support: Detects dual/multiple licensing with individual confidence scores
  • Provenance Tracking: Records detection method and source for attestation

API Integrations

  • ClearlyDefined: License and compliance data enrichment
  • Ecosyste.ms: Package registry metadata and dependencies
  • Maven Central: Parent POM resolution and inheritance
  • Offline-First: All features work without internet connectivity

Advanced Features

  • NO-ASSERTION Handling: Clear indication for unavailable data
  • Parent POM Resolution: Automatic Maven inheritance processing
  • Dependency Mapping: Full dependency tree with version constraints
  • Author Parsing: Intelligent name/email extraction and normalization
  • Repository Detection: Automatic VCS URL extraction
  • Platform Support: Architecture and OS requirement detection
  • Package URL (PURL): Generate standard Package URLs for all packages
  • File Hashing: SHA-1, MD5, and fuzzy hash (TLSH/LSH) for package files
  • JSON Organization: Structured output with package, metadata, people, licensing sections
  • Data Provenance: Track source of each data field for attestation

Installation

# Install from source
git clone https://github.com/oscarvalenzuelab/semantic-copycat-upmex.git
cd semantic-copycat-upmex
pip install -e .

# Install with all features
pip install -e ".[all]"

# Install for development
pip install -e ".[dev]"

Quick Start

from upmex import PackageExtractor

# Create extractor
extractor = PackageExtractor()

# Extract metadata from a package
metadata = extractor.extract("path/to/package.whl")

# Access metadata
print(f"Package: {metadata.name} v{metadata.version}")
print(f"Type: {metadata.package_type.value}")
print(f"License: {metadata.licenses[0].spdx_id if metadata.licenses else 'Unknown'}")

# Convert to JSON
import json
print(json.dumps(metadata.to_dict(), indent=2))

CLI Usage

# Basic extraction (offline mode - default)
upmex extract package.whl

# Online mode - fetches parent POMs and queries APIs
upmex extract --online package.jar

# With pretty JSON output
upmex extract --pretty package.whl

# Output to file
upmex extract package.whl -o metadata.json

# Text format output
upmex extract --format text package.tar.gz

# Detect package type
upmex detect package.jar

# Extract license information with confidence scores
upmex license package.tgz --confidence

Configuration

Configuration can be done via JSON files or environment variables:

Environment Variables

# API Keys
export PME_CLEARLYDEFINED_API_KEY=your-api-key
export PME_ECOSYSTEMS_API_KEY=your-api-key

# Settings
export PME_LOG_LEVEL=DEBUG
export PME_CACHE_DIR=/path/to/cache
export PME_LICENSE_METHODS=regex,dice_sorensen
export PME_OUTPUT_FORMAT=json

Configuration File

Create a config.json:

{
  "api": {
    "clearlydefined": {
      "enabled": true,
      "api_key": null
    }
  },
  "license_detection": {
    "methods": ["regex", "dice_sorensen"],
    "confidence_threshold": 0.85
  },
  "output": {
    "format": "json",
    "pretty_print": true
  }
}

Supported Package Types

Ecosystem Formats Detection Metadata Online Mode Tested
Python .whl, .tar.gz, .zip API enrichment
NPM .tgz, .tar.gz API enrichment
Java .jar, .war, .ear Parent POM fetch
Maven .jar with POM Parent POM fetch
Gradle build.gradle(.kts) API enrichment
CocoaPods .podspec(.json) API enrichment
Conda .conda, .tar.bz2 API enrichment
Perl/CPAN .tar.gz, .zip API enrichment
Conan conanfile.py/.txt -
Ruby .gem API enrichment
Rust .crate API enrichment
Go .zip, .mod, go.mod API enrichment
NuGet .nupkg API enrichment

Changelog

See CHANGELOG.md for a detailed history of changes.

License

MIT License - see LICENSE file for details.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for alkamod from gravatar.com alkamod

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Oscar Valenzuela B.
  • Maintainer: Oscar Valenzuela B.
  • Tags package , metadata , extractor , license , detection , python , npm , maven , jar , wheel , pypi
  • Requires: Python >=3.8
  • Provides-Extra: dev , ml , all
Classifiers

Release history Release notifications | RSS feed

1.6.5

1.6.2

1.6.1

1.6.0

1.5.9

1.5.8

1.5.7

This version

1.5.6

1.5.5

1.5.1

1.5.0

1.1.2

0.2.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

semantic_copycat_upmex-1.5.6.tar.gz (751.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

semantic_copycat_upmex-1.5.6-py3-none-any.whl (1.3 MB view details)

Uploaded Python 3

File details

Details for the file semantic_copycat_upmex-1.5.6.tar.gz.

File metadata

  • Download URL: semantic_copycat_upmex-1.5.6.tar.gz
  • Upload date:
  • Size: 751.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for semantic_copycat_upmex-1.5.6.tar.gz
Algorithm Hash digest
SHA256 90112895fae30e2b7fc09665903b212b3512926263f00001a4204f424d406836
MD5 c0d78decede4168ef26c5bca03d30440
BLAKE2b-256 09c96f719cfbd6df4f8f2bc20727b992a555ae4d1a718d42e6c3b5c0e03474e3

See more details on using hashes here.

Provenance

The following attestation bundles were made for semantic_copycat_upmex-1.5.6.tar.gz:

Publisher: python-publish.yml on oscarvalenzuelab/semantic-copycat-upmex

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file semantic_copycat_upmex-1.5.6-py3-none-any.whl.

File metadata

File hashes

Hashes for semantic_copycat_upmex-1.5.6-py3-none-any.whl
Algorithm Hash digest
SHA256 5be902be5fd4f270efe49d9618aadb5e5c2037b250119ec85ec7318e261364eb
MD5 d4fc5be7c314dfd7bbcee70f9b56e733
BLAKE2b-256 0d9e8cd3dc6a8edd0f2b80eed5cce1c1c1a7daf5c59978b3dae938e4388eef37

See more details on using hashes here.

Provenance

The following attestation bundles were made for semantic_copycat_upmex-1.5.6-py3-none-any.whl:

Publisher: python-publish.yml on oscarvalenzuelab/semantic-copycat-upmex

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page