chore: improve spdx purl decoding (#1996)

Signed-off-by: Keith Zantow <kzantow@gmail.com>

syft/formats/common/spdxhelpers/to_syft_model.go

@@ -467,11 +467,11 @@ func toSyftPackage(p *spdx.Package) pkg.Package {
 }
 
 func purlValue(purl packageurl.PackageURL) string {
-	p := purl.String()
-	if p == "pkg:/" {
+	val := purl.String()
+	if _, err := packageurl.FromString(val); err != nil {
 		return ""
 	}
-	return p
+	return val
 }
 
 func parseSPDXLicenses(p *spdx.Package) []pkg.License {

syft/formats/common/spdxhelpers/to_syft_model_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/anchore/packageurl-go"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
@@ -552,3 +553,58 @@ func Test_convertToAndFromFormat(t *testing.T) {
 		})
 	}
 }
+
+func Test_purlValue(t *testing.T) {
+	tests := []struct {
+		purl     packageurl.PackageURL
+		expected string
+	}{
+		{
+			purl:     packageurl.PackageURL{},
+			expected: "",
+		},
+		{
+			purl: packageurl.PackageURL{
+				Name:    "name",
+				Version: "version",
+			},
+			expected: "",
+		},
+		{
+			purl: packageurl.PackageURL{
+				Type:    "typ",
+				Version: "version",
+			},
+			expected: "",
+		},
+		{
+			purl: packageurl.PackageURL{
+				Type:    "typ",
+				Name:    "name",
+				Version: "version",
+			},
+			expected: "pkg:typ/name@version",
+		},
+		{
+			purl: packageurl.PackageURL{
+				Type:    "typ",
+				Name:    "name",
+				Version: "version",
+				Qualifiers: packageurl.Qualifiers{
+					{
+						Key:   "q",
+						Value: "v",
+					},
+				},
+			},
+			expected: "pkg:typ/name@version?q=v",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.purl.String(), func(t *testing.T) {
+			got := purlValue(test.purl)
+			require.Equal(t, test.expected, got)
+		})
+	}
+}