The download location can be parsed and matched with known package registries.
This is only done when package locators or a PURL are present, but can also be used if we have enough information from the package fields.
How To Reproduce
Steps to reproduce this behavior:
Attempt to parse an SPDX sbom missing an external ref
See error for missing external ref or package location
Expected Behavior
Should be able to handle sbom packages with just name, version and download location.
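One way the fallback described above could work, as an added example that is not the project's own code: take the PURL external ref when it exists, otherwise infer the ecosystem from the SPDX `downloadLocation` host. The function name `purl_for_package` and the registry host list are assumptions made for this sketch.

```python
from urllib.parse import quote, urlparse

# Exact registry hostname -> PURL type (assumed list for this example).
REGISTRY_HOSTS = {
    "registry.npmjs.org": "npm",
    "files.pythonhosted.org": "pypi",
    "pypi.org": "pypi",
    "crates.io": "cargo",
    "rubygems.org": "gem",
}


def purl_for_package(pkg):
    """Return a PURL for one SPDX 2.x JSON package dict, or None."""
    # An explicit purl external ref always wins over inference.
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl" and ref.get("referenceLocator"):
            return ref["referenceLocator"]

    name, version = pkg.get("name"), pkg.get("versionInfo")
    location = pkg.get("downloadLocation") or "NOASSERTION"
    if not name or not version or location in ("NOASSERTION", "NONE"):
        return None

    # SPDX allows a VCS prefix such as "git+https://..."; drop it before parsing.
    prefix, plus, rest = location.partition("+")
    url = urlparse(rest if plus and "://" not in prefix else location)
    if url.scheme not in ("http", "https"):
        return None
    # Match the full hostname, never a substring, so that
    # "registry.npmjs.org.example.test" is not treated as npm.
    ptype = REGISTRY_HOSTS.get((url.hostname or "").lower())
    if ptype is None:
        return None

    if ptype == "npm":
        name = name.lower()
        if name.startswith("@") and "/" in name:
            scope, _, bare = name.partition("/")
            name = quote(scope, safe="") + "/" + quote(bare, safe="")
        else:
            name = quote(name, safe="")
    elif ptype == "pypi":
        name = quote(name.lower().replace("_", "-"), safe="")
    else:
        name = quote(name, safe="")
    return f"pkg:{ptype}/{name}@{quote(version, safe='')}"
```

Packages for which this returns `None` still have no identifiable ecosystem and need to be skipped or reported rather than guessed.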