Download location is not a valid URI #3696

Closed
@stgrace

Description

What happened:

Syft created an SBOM with packages containing an invalid URI for downloadLocation. This happens with npm packages when using the spdx-json output format.

Example non-compliant package:

```json
{
  "name": "@isaacs/cliui",
  "SPDXID": "SPDXRef-Package-npm--isaacs-cliui-7026ea92955de2ad",
  "versionInfo": "8.0.2",
  "supplier": "Person: Ben Coe (ben@npmjs.com)",
  "originator": "Person: Ben Coe (ben@npmjs.com)",
  "downloadLocation": "yargs/cliui",
  "filesAnalyzed": false,
  "sourceInfo": "acquired package info from installed node module manifest file: /usr/local/lib/node_modules/npm/node_modules/@isaacs/cliui/package.json",
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "ISC",
  "copyrightText": "NOASSERTION",
  "description": "easily create complex multi-column command-line-interfaces",
  "externalRefs": [
    {
      "referenceCategory": "SECURITY",
      "referenceType": "cpe23Type",
      "referenceLocator": "cpe:2.3:a:\\@isaacs\\/cliui:\\@isaacs\\/cliui:8.0.2:*:*:*:*:*:*:*"
    },
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:npm/%40isaacs/cliui@8.0.2"
    }
  ]
}
```

What you expected to happen:

A package with a downloadLocation compliant with the SPDX spec.

Steps to reproduce the issue:

```shell
syft scan redis/redisinsight:2.60.0 -o spdx-json=scan.json
```

Environment:

  • Output of syft version: v1.20.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.5 LTS
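A practitioner consuming an SBOM like the one above usually wants two things: a check that flags every package whose downloadLocation is neither an absolute URI nor one of the SPDX literals NONE / NOASSERTION, and a way to suggest a compliant value. The following script is an added example written for this page; it is not Syft's code and does not reflect how Syft builds the field. It assumes that a bare `owner/repo` value such as `yargs/cliui` is the GitHub shorthand that npm accepts in package.json's `repository` field (an inference from the value, not something the report states), and it treats a URI as valid only when it has both a scheme and a host, which covers the URL and VCS-locator forms SPDX 2.3 lists. The embedded SBOM fragment is constructed from the reported package plus one compliant entry.

```python
"""Check SPDX 2.x JSON package downloadLocation values and, for npm packages,
normalize the repository shorthands that commonly leak into that field.

Added example for this issue, not Syft's code. SAMPLE_SBOM is constructed
from the package in the report plus one compliant package.
"""
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# SPDX 2.3 allows the literals NONE and NOASSERTION in downloadLocation;
# any other value must be a URL or VCS locator.
SPDX_LITERALS = {"NONE", "NOASSERTION"}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")

# npm `repository` shorthands documented for package.json. Assumption made
# here: an unprefixed "owner/repo" is the GitHub shorthand.
_SHORTHAND_HOSTS = {
    "github": "https://github.com/{}",
    "gitlab": "https://gitlab.com/{}",
    "bitbucket": "https://bitbucket.org/{}",
    "gist": "https://gist.github.com/{}",
}
_PREFIXED_RE = re.compile(r"^(github|gitlab|bitbucket|gist):(.+)$")
_BARE_RE = re.compile(r"^[\w.-]+/[\w.-]+$")


def is_valid_download_location(value: str) -> bool:
    """True if value is an SPDX literal or an absolute URI with scheme and host.

    Requiring a host is stricter than RFC 3986 but matches the forms SPDX
    lists for downloadLocation (http(s), git+https, git+ssh, svn+https, ...).
    """
    if value in SPDX_LITERALS:
        return True
    parts = urlsplit(value)
    return bool(_SCHEME_RE.match(parts.scheme)) and bool(parts.netloc)


def normalize_npm_repository(value: str) -> Optional[str]:
    """Expand an npm repository shorthand into a URL; None if unrecognized."""
    if is_valid_download_location(value):
        return value
    m = _PREFIXED_RE.match(value)
    if m:
        return _SHORTHAND_HOSTS[m.group(1)].format(m.group(2))
    if _BARE_RE.match(value):
        return _SHORTHAND_HOSTS["github"].format(value)
    return None


def find_invalid_download_locations(doc: dict) -> list:
    """Return (SPDXID, downloadLocation) for every non-compliant package."""
    bad = []
    for pkg in doc.get("packages", []):
        loc = pkg.get("downloadLocation", "")
        if not is_valid_download_location(loc):
            bad.append((pkg.get("SPDXID", "?"), loc))
    return bad


def report(doc: dict) -> list:
    """One line per offender, with a suggested rewrite where one is safe."""
    lines = []
    for spdx_id, loc in find_invalid_download_locations(doc):
        fixed = normalize_npm_repository(loc)
        hint = f" -> suggest {fixed}" if fixed else " -> no safe rewrite; use NOASSERTION"
        lines.append(f"{spdx_id}: downloadLocation {loc!r} is not a URI{hint}")
    return lines


# Constructed sample: the reported package (trimmed) plus a compliant one.
SAMPLE_SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [
    {
      "name": "@isaacs/cliui",
      "SPDXID": "SPDXRef-Package-npm--isaacs-cliui-7026ea92955de2ad",
      "versionInfo": "8.0.2",
      "downloadLocation": "yargs/cliui",
      "filesAnalyzed": false
    },
    {
      "name": "example-ok",
      "SPDXID": "SPDXRef-Package-npm-example-ok",
      "versionInfo": "1.0.0",
      "downloadLocation": "git+https://github.com/example/example-ok.git",
      "filesAnalyzed": false
    }
  ]
}
""")

if __name__ == "__main__":
    import sys
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for line in report(doc):
        print(line)
```

Run it with no arguments to check the embedded sample, or pass the `scan.json` produced by the reproduction command to list every package Syft emitted with a non-URI downloadLocation. The suggested rewrite is only a hint for triage: when the shorthand is ambiguous the safe SPDX value is NOASSERTION, not a guessed URL.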

Metadata

Labels

bug (Something isn't working)

Status

Done
