From 4ea5fa2d6de2511ee8f9c6e29f71a9e3d3697a61 Mon Sep 17 00:00:00 2001
From: Chuang Wang
Date: Wed, 23 Aug 2023 08:54:00 -0400
Subject: [PATCH] Fix SPDX format function (#904)
Prior, the function prepends `git+` and appends `.git` regardless of whether the original url has the prefix or suffix already. Now, it only prepends & appends if they don't exist.
Signed-off-by: Chuang Wang
---
 pkg/chains/formats/slsa/attest/attest.go | 12 +++++++++---
 .../formats/slsa/internal/material/material_test.go | 2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/pkg/chains/formats/slsa/attest/attest.go b/pkg/chains/formats/slsa/attest/attest.go
index c16a8eee84..c1e1dca9d2 100644
--- a/pkg/chains/formats/slsa/attest/attest.go
+++ b/pkg/chains/formats/slsa/attest/attest.go
@@ -116,11 +116,17 @@ func convertConfigSource(source *v1beta1.RefSource) slsa.ConfigSource {
 }
 
 // supports the SPDX format which is recommended by in-toto
-// ref: https://spdx.dev/spdx-specification-21-web-version/#h.49x2ik5
+// ref: https://spdx.github.io/spdx-spec/v2-draft/package-information/#773-examples
 // ref: https://github.com/in-toto/attestation/blob/849867bee97e33678f61cc6bd5da293097f84c25/spec/field_types.md
 func SPDXGit(url, revision string) string {
+ if !strings.HasPrefix(url, artifacts.GitSchemePrefix) {
+ url = artifacts.GitSchemePrefix + url
+ }
+ if !strings.HasSuffix(url, ".git") {
+ url = url + ".git"
+ }
 if revision == "" {
- return artifacts.GitSchemePrefix + url + ".git"
+ return url
 }
- return artifacts.GitSchemePrefix + url + fmt.Sprintf("@%s", revision)
+ return url + fmt.Sprintf("@%s", revision)
 }
diff --git a/pkg/chains/formats/slsa/internal/material/material_test.go b/pkg/chains/formats/slsa/internal/material/material_test.go
index 409c27248a..cdd2073011 100644
--- a/pkg/chains/formats/slsa/internal/material/material_test.go
+++ b/pkg/chains/formats/slsa/internal/material/material_test.go
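Review bot: The `.git` check in `SPDXGit` (attest.go) is a plain suffix test on the unnormalised string, so a URL with a trailing slash (constructed example: `https://example.com/org/repo/`) becomes `git+https://example.com/org/repo/.git`, and one carrying a query or fragment gets `.git` appended after it. This value appears to be recorded as a source URI in SLSA provenance, where verifiers typically compare it literally, so two spellings of one repository yield two different attested URIs. Consider adding `url = strings.TrimSuffix(url, "/")` before the suffix check. The doc comment should also say that `.git` is now appended in the revision case too (`repo.git@rev` rather than `repo@rev`), since policies pinned to the old form would presumably stop matching.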
@@ -161,7 +161,7 @@ func TestTaskMaterials(t *testing.T) {
 },
 },
 {
- URI: artifacts.GitSchemePrefix + "https://github.com/GoogleContainerTools/distroless@my-revision",
+ URI: artifacts.GitSchemePrefix + "https://github.com/GoogleContainerTools/distroless.git@my-revision",
 Digest: common.DigestSet{
 "sha1": "50c56a48cfb3a5a80fa36ed91c739bdac8381cbe",
 },
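Review bot: The inputs this fix targets, a URL that already starts with `git+` or already ends in `.git`, are not exercised by any test in the patch; the only test change is this updated expectation for a bare URL with a revision. The diffstat lists no other test file, so the no-double-prefix and no-double-suffix paths appear to be unpinned. A small table-driven test of `SPDXGit` covering a prefixed input, a suffixed input, both together and the empty-revision case would keep the attested URI format from regressing silently. TestTaskMaterials starts and ends outside this hunk.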