Add download location when cataloging directory npm package lock (#2238)

* added download locatoin (resolved) when cataloging a directory - javascript ecosystem- npm - packag-lock Signed-off by Auston(Aoxiang) Zhang <auston.zhang@dal.ca> Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * chore: get DCO to fire Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> --------- Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: Auston-Zhang <ax706429@dal.ca>
2025-11-17 16:33:21 +01:00 · 2023-10-20 11:40:38 -04:00 · 2023-10-20 11:40:38 -04:00 · ef43294d0e
commit ef43294d0e
parent e1ad340c2d
2 changed files with 20 additions and 0 deletions
--- a/syft/formats/common/spdxhelpers/download_location.go
+++ b/syft/formats/common/spdxhelpers/download_location.go
@ -20,6 +20,8 @@ func DownloadLocation(p pkg.Package) string {
 			return NoneIfEmpty(metadata.URL)
 		case pkg.NpmPackageJSONMetadata:
 			return NoneIfEmpty(metadata.URL)
+		case pkg.NpmPackageLockJSONMetadata:
+			return NoneIfEmpty(metadata.Resolved)
 		}
 	}
 	return NOASSERTION
--- a/syft/formats/common/spdxhelpers/download_location_test.go
+++ b/syft/formats/common/spdxhelpers/download_location_test.go
@ -46,6 +46,24 @@ func Test_DownloadLocation(t *testing.T) {
 			},
 			expected: NONE,
 		},
+		{
+			name: "from npm package-lock should include resolved",
+			input: pkg.Package{
+				Metadata: pkg.NpmPackageLockJSONMetadata{
+					Resolved: "http://package-lock.test",
+				},
+			},
+			expected: "http://package-lock.test",
+		},
+		{
+			name: "from npm package-lock empty should be NONE",
+			input: pkg.Package{
+				Metadata: pkg.NpmPackageLockJSONMetadata{
+					Resolved: "",
+				},
+			},
+			expected: NONE,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {