Validating download_url for github repositories, and updating if necessary (#4390)

* Adding a second function to validate/correct urls that are just github repositories Signed-off-by: Kendrick <kmartinix@gmail.com> * Adding test case to capture github repositories Signed-off-by: Kendrick <kmartinix@gmail.com> --------- Signed-off-by: Kendrick <kmartinix@gmail.com>
2026-02-12 02:26:42 +01:00 · 2025-12-10 10:41:00 -08:00 · 2025-12-10 10:41:00 -08:00 · 7fdb08c0b6
commit 7fdb08c0b6
parent 47e1cee5a5
2 changed files with 24 additions and 1 deletions
--- a/syft/format/internal/spdxutil/helpers/download_location.go
+++ b/syft/format/internal/spdxutil/helpers/download_location.go
@ -1,6 +1,7 @@
 package helpers

 import (
+	"net/url"
 	"strings"

 	urilib "github.com/spdx/gordf/uri"
@ -49,9 +50,21 @@ func isURIValid(uri string) bool {
 func URIValue(uri string) string {
 	if strings.ToLower(uri) != "none" {
 		if isURIValid(uri) {
-			return uri
+			return updateForGithub(url.Parse(uri))
 		}
 		return NOASSERTION
 	}
 	return NONE
 }
+
+// Github repository is a valid NPM location but not a valid SPDX DownloadURL
+func updateForGithub(uri *url.URL, err error) string {
+	if err != nil {
+		return NOASSERTION
+	}
+	updatedLocation := uri.String()
+	if uri.Scheme == "github" {
+		updatedLocation = "https://github.com/" + uri.Opaque
+	}
+	return updatedLocation
+}
--- a/syft/format/internal/spdxutil/helpers/download_location_test.go
+++ b/syft/format/internal/spdxutil/helpers/download_location_test.go
@ -640,6 +640,16 @@ func Test_DownloadLocation(t *testing.T) {
 			},
 			expected: "bzr+https://bzr.myproject.org/MyProject/trunk@2019#src/somefile.c",
 		},
+
+		{
+			name: "Github Repository",
+			input: pkg.Package{
+				Metadata: pkg.NpmPackage{
+					URL: "github:anchore/syft",
+				},
+			},
+			expected: "https://github.com/anchore/syft",
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {