npm group and name should have / and not : when stitching the spdx name together

[flemminglau]

We are seeing that an NPM package like
"@angular/router" in the cyclonedx file is represented as

"group": "@angular"
"name": "router"

When the converter constructs the SPDX "name" value it does

                if (Objects.nonNull(group) && !group.isBlank()) {
                        name = group + ":" + name;

yielding an SPDX name of "name": "@angular:router"

For java this works fine as the delimiter between group and name in java is ":"
But for NPM it is a "/" which is implicit in the cyclonedx.

Would it make sense to check the purl to find the package manager or what would be a good strategy?

[goneall]

Would it make sense to check the purl to find the package manager or what would be a good strategy?

Makes sense. We should follow the conventions of the package manager.

@flemminglau - would you like to create a PR?

[flemminglau]

I have the code needed but I cannot figure out how to get the test working.
So I guess my change would be unwelcome.
Line 487 of CycloneSpdxConverter.java:

		String group = component.getGroup();
		if (Objects.nonNull(group) && !group.isBlank()) {
			String purl = component.getPurl();
			if (Objects.nonNull(purl) && purl.startsWith("pkg:npm")) {
				name = group + "/" + name;
			} else {
			    name = group + ":" + name;
			}
		}

My point is that the test validates that the ":" is always a ":".
But actually for npm it must be a "/" so the test fails.

So the test must be taught to distinguish between java and npm.