Validating download_url for github repositories, and updating if necessary (#4390)

* Adding a second function to validate/correct urls that are just github repositories

Signed-off-by: Kendrick <kmartinix@gmail.com>

* Adding test case to capture github repositories

Signed-off-by: Kendrick <kmartinix@gmail.com>

---------

Signed-off-by: Kendrick <kmartinix@gmail.com>

syft/format/internal/spdxutil/helpers/download_location.go

@@ -1,6 +1,7 @@
 package helpers
 
 import (
+	"net/url"
 	"strings"
 
 	urilib "github.com/spdx/gordf/uri"
@@ -49,9 +50,21 @@ func isURIValid(uri string) bool {
 func URIValue(uri string) string {
 	if strings.ToLower(uri) != "none" {
 		if isURIValid(uri) {
-			return uri
+			return updateForGithub(url.Parse(uri))
 		}
 		return NOASSERTION
 	}
 	return NONE
 }
+
+// Github repository is a valid NPM location but not a valid SPDX DownloadURL
+func updateForGithub(uri *url.URL, err error) string {
+	if err != nil {
+		return NOASSERTION
+	}
+	updatedLocation := uri.String()
+	if uri.Scheme == "github" {
+		updatedLocation = "https://github.com/" + uri.Opaque
+	}
+	return updatedLocation
+}

syft/format/internal/spdxutil/helpers/download_location_test.go

@@ -640,6 +640,16 @@ func Test_DownloadLocation(t *testing.T) {
 			},
 			expected: "bzr+https://bzr.myproject.org/MyProject/trunk@2019#src/somefile.c",
 		},
+
+		{
+			name: "Github Repository",
+			input: pkg.Package{
+				Metadata: pkg.NpmPackage{
+					URL: "github:anchore/syft",
+				},
+			},
+			expected: "https://github.com/anchore/syft",
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {