From b101f44aba03b1fa301f0d58056d854f26b86d97 Mon Sep 17 00:00:00 2001
From: Laurent Goderre
Date: Tue, 9 Jul 2024 12:01:58 -0400
Subject: [PATCH] Map the downloadLocation field for PHP Composer packages (#3011)
Signed-off-by: Laurent Goderre
---
 .../spdxutil/helpers/download_location.go | 4 ++
 .../helpers/download_location_test.go | 44 +++++++++++++++++++
 2 files changed, 48 insertions(+)
diff --git a/syft/format/internal/spdxutil/helpers/download_location.go b/syft/format/internal/spdxutil/helpers/download_location.go
index 894306dea..3ed1c9ed6 100644
--- a/syft/format/internal/spdxutil/helpers/download_location.go
+++ b/syft/format/internal/spdxutil/helpers/download_location.go
@@ -22,6 +22,10 @@ func DownloadLocation(p pkg.Package) string {
 return NoneIfEmpty(metadata.URL)
 case pkg.NpmPackageLockEntry:
 return NoneIfEmpty(metadata.Resolved)
+ case pkg.PhpComposerLockEntry:
+ return NoneIfEmpty(metadata.Dist.URL)
+ case pkg.PhpComposerInstalledEntry:
+ return NoneIfEmpty(metadata.Dist.URL)
 }
 }
 return NOASSERTION
diff --git a/syft/format/internal/spdxutil/helpers/download_location_test.go b/syft/format/internal/spdxutil/helpers/download_location_test.go
index 7ccbed44c..2cbbaa30e 100644
--- a/syft/format/internal/spdxutil/helpers/download_location_test.go
+++ b/syft/format/internal/spdxutil/helpers/download_location_test.go
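Review bot: The two new cases copy `metadata.Dist.URL` into the SPDX downloadLocation with no check on its form, and that string comes from the scanned project's own composer.lock / installed.json rather than from a trusted registry. Depending on the dist type it may be a local filesystem path or a non-http(s) value (Composer path repositories are one likely source), while SBOM consumers commonly treat downloadLocation as the package's real origin. At minimum add a comment on the cases such as `// Dist.URL is copied verbatim from the lock file and is not validated as a URL`; if only fetchable locations should be emitted, return NOASSERTION when the value does not parse as an absolute URL. An empty dist URL also becomes NONE here, which asserts that no download location exists even for a package that may have been installed from source; this matches the neighbouring cases but is worth confirming. DownloadLocation starts and ends outside the hunk.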
@@ -64,6 +64,50 @@ func Test_DownloadLocation(t *testing.T) {
 },
 expected: NONE,
 },
+ {
+ name: "from php installed.json",
+ input: pkg.Package{
+ Metadata: pkg.PhpComposerInstalledEntry{
+ Dist: pkg.PhpComposerExternalReference{
+ URL: "http://package-lock.test",
+ },
+ },
+ },
+ expected: "http://package-lock.test",
+ },
+ {
+ name: "empty",
+ input: pkg.Package{
+ Metadata: pkg.PhpComposerInstalledEntry{
+ Dist: pkg.PhpComposerExternalReference{
+ URL: "",
+ },
+ },
+ },
+ expected: "NONE",
+ },
+ {
+ name: "from php composer.lock",
+ input: pkg.Package{
+ Metadata: pkg.PhpComposerLockEntry{
+ Dist: pkg.PhpComposerExternalReference{
+ URL: "http://package-lock.test",
+ },
+ },
+ },
+ expected: "http://package-lock.test",
+ },
+ {
+ name: "empty",
+ input: pkg.Package{
+ Metadata: pkg.PhpComposerLockEntry{
+ Dist: pkg.PhpComposerExternalReference{
+ URL: "",
+ },
+ },
+ },
+ expected: "NONE",
+ },
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
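Review bot: Both new negative cases are named `"empty"`, so `t.Run` will report them under de-duplicated subtest names and a failure will not show which Composer metadata type broke. Names such as `name: "php installed.json with empty dist URL",` and `name: "php composer.lock with empty dist URL",` would fix that. The same two cases write `expected: "NONE",` as a string literal, while the context line directly above the additions uses the constant (`expected: NONE,`); using the constant keeps the test tied to the helper's definition. The table only covers a plain http URL and the empty string, so a case with a non-URL dist value (for example a local path) would pin down what DownloadLocation is meant to emit for it. Test_DownloadLocation starts and ends outside the hunk.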