Add download location when cataloging directory npm package lock (#2238)

* added download locatoin (resolved) when cataloging a directory - javascript ecosystem- npm - packag-lock
	Signed-off by Auston(Aoxiang) Zhang <auston.zhang@dal.ca>

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* chore: get DCO to fire

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Auston-Zhang <ax706429@dal.ca>

syft/formats/common/spdxhelpers/download_location.go

@@ -20,6 +20,8 @@ func DownloadLocation(p pkg.Package) string {
 			return NoneIfEmpty(metadata.URL)
 		case pkg.NpmPackageJSONMetadata:
 			return NoneIfEmpty(metadata.URL)
+		case pkg.NpmPackageLockJSONMetadata:
+			return NoneIfEmpty(metadata.Resolved)
 		}
 	}
 	return NOASSERTION

syft/formats/common/spdxhelpers/download_location_test.go

@@ -46,6 +46,24 @@ func Test_DownloadLocation(t *testing.T) {
 			},
 			expected: NONE,
 		},
+		{
+			name: "from npm package-lock should include resolved",
+			input: pkg.Package{
+				Metadata: pkg.NpmPackageLockJSONMetadata{
+					Resolved: "http://package-lock.test",
+				},
+			},
+			expected: "http://package-lock.test",
+		},
+		{
+			name: "from npm package-lock empty should be NONE",
+			input: pkg.Package{
+				Metadata: pkg.NpmPackageLockJSONMetadata{
+					Resolved: "",
+				},
+			},
+			expected: NONE,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {