From aaf767f8d3e42941746e91b3d87162665cda713b Mon Sep 17 00:00:00 2001
From: Keith Zantow
Date: Fri, 4 Aug 2023 11:43:21 -0400
Subject: [PATCH] chore: improve spdx purl decoding (#1996)
Signed-off-by: Keith Zantow
---
 .../common/spdxhelpers/to_syft_model.go | 6 +-
 .../common/spdxhelpers/to_syft_model_test.go | 56 +++++++++++++++++++
 2 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/syft/formats/common/spdxhelpers/to_syft_model.go b/syft/formats/common/spdxhelpers/to_syft_model.go
index 4792b1f87..5ef331b22 100644
--- a/syft/formats/common/spdxhelpers/to_syft_model.go
+++ b/syft/formats/common/spdxhelpers/to_syft_model.go
@@ -467,11 +467,11 @@ func toSyftPackage(p *spdx.Package) pkg.Package {
 }
 func purlValue(purl packageurl.PackageURL) string {
- p := purl.String()
- if p == "pkg:/" {
+ val := purl.String()
+ if _, err := packageurl.FromString(val); err != nil {
 return ""
 }
- return p
+ return val
 }
 func parseSPDXLicenses(p *spdx.Package) []pkg.License {
diff --git a/syft/formats/common/spdxhelpers/to_syft_model_test.go b/syft/formats/common/spdxhelpers/to_syft_model_test.go
index 63e6b207f..f6023f662 100644
--- a/syft/formats/common/spdxhelpers/to_syft_model_test.go
+++ b/syft/formats/common/spdxhelpers/to_syft_model_test.go
@@ -11,6 +11,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
+ "github.com/anchore/packageurl-go"
 "github.com/anchore/syft/syft/artifact"
 "github.com/anchore/syft/syft/file"
 "github.com/anchore/syft/syft/pkg"
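Review bot: The new failure branch in `purlValue` discards `err` and returns `""`, so a package whose SPDX purl does not parse is converted with an empty PURL and nothing records that the identifier was dropped. Consumers that key on the purl (vulnerability matching, for instance) would presumably then pass over that package without any signal, so the drop is worth reporting at debug level, assuming a logger is already in scope in this file. At minimum the function should carry a doc comment stating the contract, e.g. `// purlValue returns the purl's string form, or "" when that string does not parse back via packageurl.FromString (for example when type or name is missing).`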
@@ -552,3 +553,58 @@ func Test_convertToAndFromFormat(t *testing.T) {
 })
 }
 }
+
+func Test_purlValue(t *testing.T) {
+ tests := []struct {
+ purl packageurl.PackageURL
+ expected string
+ }{
+ {
+ purl: packageurl.PackageURL{},
+ expected: "",
+ },
+ {
+ purl: packageurl.PackageURL{
+ Name: "name",
+ Version: "version",
+ },
+ expected: "",
+ },
+ {
+ purl: packageurl.PackageURL{
+ Type: "typ",
+ Version: "version",
+ },
+ expected: "",
+ },
+ {
+ purl: packageurl.PackageURL{
+ Type: "typ",
+ Name: "name",
+ Version: "version",
+ },
+ expected: "pkg:typ/name@version",
+ },
+ {
+ purl: packageurl.PackageURL{
+ Type: "typ",
+ Name: "name",
+ Version: "version",
+ Qualifiers: packageurl.Qualifiers{
+ {
+ Key: "q",
+ Value: "v",
+ },
+ },
+ },
+ expected: "pkg:typ/name@version?q=v",
+ },
+ }
+
+ for _, test := range tests {
+ t.Run(test.purl.String(), func(t *testing.T) {
+ got := purlValue(test.purl)
+ require.Equal(t, test.expected, got)
+ })
+ }
+}
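Review bot: Every row in the `Test_purlValue` table uses plain alphanumeric fields, so nothing pins what `purlValue` returns when a name, version or qualifier value needs percent-encoding, which is where `String()` and `FromString` are most likely to disagree. A row with such a value, and one with a namespace or subpath, would show whether a well-formed purl can be rejected by the round trip. Separately, the subtest names come from `test.purl.String()` and therefore contain `/`, which `go test -run` treats as a subtest-level separator; adding a `name string` field to the table and calling `t.Run(test.name, ...)` makes individual cases selectable.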