From 7fdb08c0b61134ab7d85337de69a96dc3e72cd6f Mon Sep 17 00:00:00 2001 From: Kendrick Date: Wed, 10 Dec 2025 10:41:00 -0800 Subject: [PATCH] Validating download_url for github repositories, and updating if necessary (#4390) * Adding a second function to validate/correct urls that are just github repositories Signed-off-by: Kendrick * Adding test case to capture github repositories Signed-off-by: Kendrick --------- Signed-off-by: Kendrick --- .../spdxutil/helpers/download_location.go | 15 ++++++++++++++- .../spdxutil/helpers/download_location_test.go | 10 ++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/syft/format/internal/spdxutil/helpers/download_location.go b/syft/format/internal/spdxutil/helpers/download_location.go
index 93fd6d69d..e65a6e0b9 100644
--- a/syft/format/internal/spdxutil/helpers/download_location.go
+++ b/syft/format/internal/spdxutil/helpers/download_location.go
@@ -1,6 +1,7 @@
 package helpers
 
 import (
+	"net/url"
 	"strings"
 
 	urilib "github.com/spdx/gordf/uri"
@@ -49,9 +50,21 @@ func isURIValid(uri string) bool {
 func URIValue(uri string) string {
 	if strings.ToLower(uri) != "none" {
 		if isURIValid(uri) {
-			return uri
+			return updateForGithub(url.Parse(uri))
 		}
 		return NOASSERTION
 	}
 	return NONE
 }
+
+// Github repository is a valid NPM location but not a valid SPDX DownloadURL
+func updateForGithub(uri *url.URL, err error) string {
+	if err != nil {
+		return NOASSERTION
+	}
+	updatedLocation := uri.String()
+	if uri.Scheme == "github" {
+		updatedLocation = "https://github.com/" + uri.Opaque
+	}
+	return updatedLocation
+}
diff --git a/syft/format/internal/spdxutil/helpers/download_location_test.go b/syft/format/internal/spdxutil/helpers/download_location_test.go
index cd69a63ec..9a2b9cd91 100644
--- a/syft/format/internal/spdxutil/helpers/download_location_test.go
+++ b/syft/format/internal/spdxutil/helpers/download_location_test.go
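Review bot: For every location that is not a `github:` URI, `updateForGithub` now returns `uri.String()` instead of the string `isURIValid` accepted, and `url.URL.String()` re-serializes its input (percent-escapes and path characters can come back in a different form), so download locations that previously passed through unchanged may now be altered; `url.Parse` may also reject some input that `isURIValid` accepted, which would turn a previously valid location into NOASSERTION. Returning the original string on the non-github path avoids both, and handling the parse inside the helper is clearer than feeding `url.Parse(uri)`'s two results straight into its parameter list, where the error handling is hidden from the call site. The doc comment should name the function, e.g. `// updateForGithub rewrites an npm-style "github:owner/repo" location into the https form SPDX accepts; any other location is returned unchanged.` Note also that a `#ref` fragment on `github:owner/repo#ref` is dropped by the rewrite, since only `Opaque` is used — I can't tell from here whether that is intended.
```go
		if isURIValid(uri) {
			return updateForGithub(uri)
		}
// … unchanged: NOASSERTION / NONE returns …

// updateForGithub rewrites an npm-style "github:owner/repo" location into the
// https form SPDX accepts; any other location is returned exactly as given.
func updateForGithub(location string) string {
	parsed, err := url.Parse(location)
	if err != nil || parsed.Scheme != "github" {
		return location
	}
	return "https://github.com/" + parsed.Opaque
}
```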
@@ -640,6 +640,16 @@ func Test_DownloadLocation(t *testing.T) {
 			},
 			expected: "bzr+https://bzr.myproject.org/MyProject/trunk@2019#src/somefile.c",
 		},
+
+		{
+			name: "Github Repository",
+			input: pkg.Package{
+				Metadata: pkg.NpmPackage{
+					URL: "github:anchore/syft",
+				},
+			},
+			expected: "https://github.com/anchore/syft",
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
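Review bot: The new table entry pins only the bare `github:owner/repo` shape; the npm form with a commit-ish, `github:anchore/syft#<ref>` (constructed example), makes `url.Parse` populate `Fragment`, which the rewrite ignores, so it currently yields `https://github.com/anchore/syft` with the ref dropped — a second case would document whether that output is intended. A non-github NPM URL containing percent-escapes or unusual path characters would likewise pin that the new `uri.String()` round-trip leaves existing locations byte-identical. Test_DownloadLocation starts and ends outside the hunk.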