diff --git a/syft/formats/common/spdxhelpers/download_location.go b/syft/formats/common/spdxhelpers/download_location.go index 060f78359f3e..3ce24475ce75 100644 --- a/syft/formats/common/spdxhelpers/download_location.go +++ b/syft/formats/common/spdxhelpers/download_location.go @@ -20,6 +20,8 @@ func DownloadLocation(p pkg.Package) string { return NoneIfEmpty(metadata.URL) case pkg.NpmPackageJSONMetadata: return NoneIfEmpty(metadata.URL) + case pkg.NpmPackageLockJSONMetadata: + return NoneIfEmpty(metadata.Resolved) } } return NOASSERTION diff --git a/syft/formats/common/spdxhelpers/download_location_test.go b/syft/formats/common/spdxhelpers/download_location_test.go index 5ae1d714adf7..40b8dc54436e 100644 --- a/syft/formats/common/spdxhelpers/download_location_test.go +++ b/syft/formats/common/spdxhelpers/download_location_test.go @@ -46,6 +46,24 @@ func Test_DownloadLocation(t *testing.T) { }, expected: NONE, }, + { + name: "from npm package-lock should include resolved", + input: pkg.Package{ + Metadata: pkg.NpmPackageLockJSONMetadata{ + Resolved: "http://package-lock.test", + }, + }, + expected: "http://package-lock.test", + }, + { + name: "from npm package-lock empty should be NONE", + input: pkg.Package{ + Metadata: pkg.NpmPackageLockJSONMetadata{ + Resolved: "", + }, + }, + expected: NONE, + }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) {