Add download location when cataloging directory npm package lock (#2238)

* added download locatoin (resolved) when cataloging a directory - javascript ecosystem- npm - packag-lock Signed-off by Auston(Aoxiang) Zhang <[email protected]> Signed-off-by: Christopher Phillips <[email protected]> * chore: get DCO to fire Signed-off-by: Christopher Phillips <[email protected]> --------- Signed-off-by: Christopher Phillips <[email protected]> Co-authored-by: Auston-Zhang <[email protected]>
anchore · Oct 20, 2023 · ef43294 · ef43294
1 parent e1ad340
commit ef43294
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/syft/formats/common/spdxhelpers/download_location.go b/syft/formats/common/spdxhelpers/download_location.go
@@ -20,6 +20,8 @@ func DownloadLocation(p pkg.Package) string {
 			return NoneIfEmpty(metadata.URL)
 		case pkg.NpmPackageJSONMetadata:
 			return NoneIfEmpty(metadata.URL)
+		case pkg.NpmPackageLockJSONMetadata:
+			return NoneIfEmpty(metadata.Resolved)
 		}
 	}
 	return NOASSERTION

diff --git a/syft/formats/common/spdxhelpers/download_location_test.go b/syft/formats/common/spdxhelpers/download_location_test.go
@@ -46,6 +46,24 @@ func Test_DownloadLocation(t *testing.T) {
 			},
 			expected: NONE,
 		},
+		{
+			name: "from npm package-lock should include resolved",
+			input: pkg.Package{
+				Metadata: pkg.NpmPackageLockJSONMetadata{
+					Resolved: "http://package-lock.test",
+				},
+			},
+			expected: "http://package-lock.test",
+		},
+		{
+			name: "from npm package-lock empty should be NONE",
+			input: pkg.Package{
+				Metadata: pkg.NpmPackageLockJSONMetadata{
+					Resolved: "",
+				},
+			},
+			expected: NONE,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {