From 2f52756868b15cd5e76b550e6fc4b874537791a2 Mon Sep 17 00:00:00 2001
From: Gary O'Neall
Date: Mon, 18 Sep 2023 00:33:00 -0700
Subject: [PATCH] Support for cpe data and more lenient download location
Implements code changes in issue #32
Signed-off-by: Gary O'Neall
---
 .../spdx/cdx2spdx/CycloneSpdxConverter.java | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/spdx/cdx2spdx/CycloneSpdxConverter.java b/src/main/java/org/spdx/cdx2spdx/CycloneSpdxConverter.java
index d538d2c..284a500 100644
--- a/src/main/java/org/spdx/cdx2spdx/CycloneSpdxConverter.java
+++ b/src/main/java/org/spdx/cdx2spdx/CycloneSpdxConverter.java
@@ -680,6 +680,13 @@ private void addPackageProperties(SpdxPackage spdxPackage,
 purl, null);
 spdxPackage.addExternalRef(purlRef);
 }
+ String cpe = component.getCpe();
+ if (Objects.nonNull(cpe) && !cpe.isBlank()) {
+ ExternalRef cpeRef = spdxPackage.createExternalRef(ReferenceCategory.SECURITY,
+ ListedReferenceTypes.getListedReferenceTypes().getListedReferenceTypeByName("cpe23Type"),
+ cpe, null);
+ spdxPackage.addExternalRef(cpeRef);
+ }
 Evidence evidence = component.getEvidence();
 if (Objects.nonNull(evidence)) {
 List copyrights = evidence.getCopyright();
@@ -948,7 +955,7 @@ private static void copyExternalReferences(List externalRefer
 for (ExternalReference externalRef:externalReferences) {
 ExternalReference.Type type = externalRef.getType();
 String url = externalRef.getUrl();
- if (Objects.isNull(url) || Objects.isNull(type)) {
+ if (Objects.isNull(url) || url.isBlank() || Objects.isNull(type)) {
 warnings.add("Skipping empty externalReference");
 continue;
 }
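Review bot: The added CPE block attaches whatever string `component.getCpe()` returns under the `cpe23Type` reference type without checking that it is in CPE 2.3 formatted-string form; the CycloneDX `cpe` field is specified as accepting either the 2.2 URI form (`cpe:/a:...`) or the 2.3 form, so a 2.2 value coming from an untrusted BOM would be emitted with the wrong type and can mislead downstream vulnerability matching that keys on it. Consider narrowing the guard on the `if` line to `if (Objects.nonNull(cpe) && cpe.startsWith("cpe:2.3:")) {` and adding `else if (Objects.nonNull(cpe) && !cpe.isBlank()) { warnings.add("Skipping CPE that is not in 2.3 format: " + cpe); }`, matching the warn-and-continue approach this commit takes for download locations, assuming addPackageProperties has access to the same warnings list that copyExternalReferences uses. Whether `createExternalRef` already validates the locator against the cpe23Type pattern is not visible here, so the check may be partly redundant with the library. The enclosing addPackageProperties method begins and ends outside the hunk.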
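Review bot: The widened guard on the changed line now also skips whitespace-only URLs, but the warning on the following line still reads only "Skipping empty externalReference", so a BOM containing several such references yields indistinguishable messages and nothing identifies which reference was dropped. Including the type when it is available, e.g. `warnings.add("Skipping externalReference with empty URL" + (Objects.nonNull(type) ? " of type " + type : ""));`, makes the warning actionable. The enclosing copyExternalReferences method starts and ends outside the hunk.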
@@ -1018,8 +1025,13 @@ private static void copyExternalReferences(List externalRefer
 new ReferenceType("http://cyclonedx.org/referenctype/support"), url, comment));
 break;
 case DISTRIBUTION:
- spdxPackage.setDownloadLocation(url);
- break;
+ try {
+ spdxPackage.setDownloadLocation(url);
+ }
+ catch (InvalidSPDXAnalysisException e) {
+ warnings.add("downloadLocation cannot be set a non-url value found in 'externalReference' of type 'distribution': " + url);
+ }
+ break;
 case LICENSE:
 spdxPackage.addExternalRef(spdxPackage.createExternalRef(ReferenceCategory.OTHER,
 new ReferenceType("http://cyclonedx.org/referenctype/license"), url, comment));
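Review bot: When `setDownloadLocation` rejects the value, the new catch only records a warning and leaves the package's downloadLocation untouched; unless it is defaulted to NOASSERTION somewhere not visible in this hunk, the resulting SPDX package will fail validation on a mandatory field, which is no better for the consumer than the exception it replaces. Consider setting the NOASSERTION value in the catch (or documenting in a comment that the caller defaults it) and preserving the rejected string elsewhere, for example as an OTHER-category external reference like the neighbouring cases, so the distribution information from the BOM is not silently lost. The warning text is also hard to parse as written; `warnings.add("downloadLocation cannot be set: non-URL value found in 'externalReference' of type 'distribution': " + url);` reads cleanly. The enclosing copyExternalReferences method starts and ends outside the hunk.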