From ef43294d0e257f785533214da83f2c24619ea128 Mon Sep 17 00:00:00 2001
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Date: Fri, 20 Oct 2023 11:40:38 -0400
Subject: [PATCH] Add download location when cataloging directory npm package lock (#2238) * added download locatoin (resolved) when cataloging a directory - javascript ecosystem- npm - packag-lock Signed-off by Auston(Aoxiang) Zhang Signed-off-by: Christopher Phillips * chore: get DCO to fire Signed-off-by: Christopher Phillips --------- Signed-off-by: Christopher Phillips Co-authored-by: Auston-Zhang
---
 .../common/spdxhelpers/download_location.go | 2 ++
 .../spdxhelpers/download_location_test.go | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/syft/formats/common/spdxhelpers/download_location.go b/syft/formats/common/spdxhelpers/download_location.go
index 060f78359f3e..3ce24475ce75 100644
--- a/syft/formats/common/spdxhelpers/download_location.go
+++ b/syft/formats/common/spdxhelpers/download_location.go
@@ -20,6 +20,8 @@ func DownloadLocation(p pkg.Package) string {
 return NoneIfEmpty(metadata.URL)
 case pkg.NpmPackageJSONMetadata:
 return NoneIfEmpty(metadata.URL)
+ case pkg.NpmPackageLockJSONMetadata:
+ return NoneIfEmpty(metadata.Resolved)
 }
 }
 return NOASSERTION
diff --git a/syft/formats/common/spdxhelpers/download_location_test.go b/syft/formats/common/spdxhelpers/download_location_test.go
index 5ae1d714adf7..40b8dc54436e 100644
--- a/syft/formats/common/spdxhelpers/download_location_test.go
+++ b/syft/formats/common/spdxhelpers/download_location_test.go
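Review bot: The new `pkg.NpmPackageLockJSONMetadata` case returns `metadata.Resolved` verbatim as the SPDX download location, and that string is read from a package-lock.json controlled by the scanned project rather than by syft. A lockfile `resolved` value is not always a plain public registry URL; it can carry userinfo for a private registry or an internal hostname, and either would then be published in the generated SBOM. Consider stripping userinfo before returning, for example `if u, err := url.Parse(metadata.Resolved); err == nil && u.User != nil { u.User = nil; return u.String() }` (this needs `net/url`). The two table cases added in download_location_test.go cover only a plain http URL and the empty string, so a case with a credential-bearing value would pin that behaviour. DownloadLocation starts and ends outside this hunk.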
@@ -46,6 +46,24 @@ func Test_DownloadLocation(t *testing.T) {
 },
 expected: NONE,
 },
+ {
+ name: "from npm package-lock should include resolved",
+ input: pkg.Package{
+ Metadata: pkg.NpmPackageLockJSONMetadata{
+ Resolved: "http://package-lock.test",
+ },
+ },
+ expected: "http://package-lock.test",
+ },
+ {
+ name: "from npm package-lock empty should be NONE",
+ input: pkg.Package{
+ Metadata: pkg.NpmPackageLockJSONMetadata{
+ Resolved: "",
+ },
+ },
+ expected: NONE,
+ },
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {