@@ -43,16 +43,18 @@ function getManifestFromSpdxFile(document, fileName) {
4343 document . packages ?. forEach ( pkg => {
4444 let packageName = pkg . name ;
4545 let packageVersion = pkg . packageVersion ;
46- let purl = pkg . externalRefs ?. find ( ref => ref . referenceCategory === "PACKAGE-MANAGER" && ref . referenceType === "purl" ) ?. referenceLocator ;
46+ // SPDX 2.3 defines a purl field
47+ let purl = pkg . purl ;
48+
4749 if ( purl == null || purl == undefined ) {
50+ purl = pkg . externalRefs ?. find ( ref => ref . referenceCategory === "PACKAGE-MANAGER" && ref . referenceType === "purl" ) ?. referenceLocator ;
51+ } else if ( purl == null || purl == undefined ) {
4852 purl = `pkg:generic/${ packageName } @${ packageVersion } ` ;
49- } else {
50- // Working around weird encoding issues from an SBOM generator
51- // Find the last instance of %40 and replace it with @
52- purl = replaceVersionEscape ( purl ) ;
53- }
54-
55-
53+ }
54+
55+ // Working around weird encoding issues from an SBOM generator
56+ // Find the last instance of %40 and replace it with @
57+ purl = replaceVersionEscape ( purl ) ;
5658
5759 let relationships = document . relationships ?. find ( rel => rel . relatedSpdxElement == pkg . SPDXID && rel . relationshipType == "DEPENDS_ON" && rel . spdxElementId != "SPDXRef-RootPackage" ) ;
5860 if ( relationships != null && relationships . length > 0 ) {
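Review bot: The `else if` on new line 51 is chained to the `if` on line 49, so it runs only when `pkg.purl` was already set and its own null test can never be true; the `pkg:generic/...` fallback is now unreachable. A package with neither a `purl` field nor a purl entry in `externalRefs` leaves `purl` undefined, and the now-unconditional `replaceVersionEscape(purl)` on line 57 calls `purl.includes("@")`, which would throw a TypeError. That presumably aborts manifest generation for the document or drops the package, leaving the dependency data incomplete for vulnerability matching. Close the first branch and test again instead of chaining: `}` followed by `if (purl == null) {` (loose `== null` already covers `undefined`). The `forEach` callback continues past the end of the hunk.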
@@ -83,6 +85,7 @@ function searchFiles() {
8385
8486// Fixes issues with an escaped version string
8587function replaceVersionEscape ( purl ) {
88+ //If there's an "@" in the purl, then we don't need to do anything.
8689 if ( ! purl . includes ( "@" ) ) {
8790 let index = purl . lastIndexOf ( "%40" ) ;
8891 if ( index > 0 ) {