Merge pull request #33 from spdx/downloadwarning

Support for cpe data and more lenient download location
spdx · Sep 18, 2023 · eef430c · eef430c
2 parents 08ec34f + 2f52756
commit eef430c
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/src/main/java/org/spdx/cdx2spdx/CycloneSpdxConverter.java b/src/main/java/org/spdx/cdx2spdx/CycloneSpdxConverter.java
@@ -680,6 +680,13 @@ private void addPackageProperties(SpdxPackage spdxPackage,
 					purl, null);
 			spdxPackage.addExternalRef(purlRef);
 		}
+		String cpe = component.getCpe();
+		if (Objects.nonNull(cpe) && !cpe.isBlank()) {
+			ExternalRef cpeRef = spdxPackage.createExternalRef(ReferenceCategory.SECURITY, 
+					ListedReferenceTypes.getListedReferenceTypes().getListedReferenceTypeByName("cpe23Type"), 
+					cpe, null);
+			spdxPackage.addExternalRef(cpeRef);
+		}
 		Evidence evidence = component.getEvidence();
 		if (Objects.nonNull(evidence)) {
 			List<Copyright> copyrights = evidence.getCopyright();
@@ -948,7 +955,7 @@ private static void copyExternalReferences(List<ExternalReference> externalRefer
         for (ExternalReference externalRef:externalReferences) {
             ExternalReference.Type type = externalRef.getType();
             String url = externalRef.getUrl();
-            if (Objects.isNull(url) || Objects.isNull(type)) {
+            if (Objects.isNull(url) || url.isBlank() || Objects.isNull(type)) {
                 warnings.add("Skipping empty externalReference");
                 continue;
             }
@@ -1018,8 +1025,13 @@ private static void copyExternalReferences(List<ExternalReference> externalRefer
                 		new ReferenceType("http://cyclonedx.org/referenctype/support"), url, comment));
                 break;
             case DISTRIBUTION:
-                spdxPackage.setDownloadLocation(url);
-                break;
+				try {
+                  spdxPackage.setDownloadLocation(url);
+				}
+				catch (InvalidSPDXAnalysisException e) {
+					warnings.add("downloadLocation cannot be set a non-url value found in 'externalReference' of type 'distribution': " + url);
+				}  
+				break;
             case LICENSE:
             	spdxPackage.addExternalRef(spdxPackage.createExternalRef(ReferenceCategory.OTHER, 
                 		new ReferenceType("http://cyclonedx.org/referenctype/license"), url, comment));