
Add downloadLocation URI validation #3697

Open
wants to merge 2 commits into
base: main

Conversation

stgrace

@stgrace stgrace commented Feb 28, 2025

Description

Please include a summary of the changes along with any relevant motivation and context,
or link to an issue where this is explained.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@stgrace
Author

stgrace commented Feb 28, 2025

Attempted same command with changes from issue #3696, which sets it to NOASSERTION because of the validation issue

{
    "name": "@isaacs/cliui",
    "SPDXID": "SPDXRef-Package-npm--isaacs-cliui-7026ea92955de2ad",
    "versionInfo": "8.0.2",
    "supplier": "Person: Ben Coe ([email protected])",
    "originator": "Person: Ben Coe ([email protected])",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
    "sourceInfo": "acquired package info from installed node module manifest file: /usr/local/lib/node_modules/npm/node_modules/@isaacs/cliui/package.json",
    "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "ISC",
    "copyrightText": "NOASSERTION",
    "description": "easily create complex multi-column command-line-interfaces",
    "externalRefs": [
        {
            "referenceCategory": "SECURITY",
            "referenceType": "cpe23Type",
            "referenceLocator": "cpe:2.3:a:\\@isaacs\\/cliui:\\@isaacs\\/cliui:8.0.2:*:*:*:*:*:*:*"
        },
        {
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": "pkg:npm/%40isaacs/[email protected]"
        }
    ]
}

Signed-off-by: Stef Graces <[email protected]>
@stgrace stgrace force-pushed the validate-download-location-uri branch from 546541f to d411a32 Compare February 28, 2025 13:51
kzantow
kzantow previously approved these changes Feb 28, 2025
Contributor

@kzantow kzantow left a comment


Looks great, thanks very much @stgrace !

@kzantow
Contributor

kzantow commented Feb 28, 2025

Argh, I spoke too soon; it looks like we need some snapshots and other tests updated, but I think the core change here is the right thing. I can help with this, also fine if you'd like to do it.

make lint-fix should help the static analysis issue(s), but the naming it probably won't help with.

@kzantow kzantow dismissed their stale review February 28, 2025 15:50

I may have been hasty to think about the nuance between NONE and NOASSERTION

}

func UriValue(uri string) string {
if NoneIfEmpty(uri) != NONE {
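Review bot: `func UriValue(uri string) string` violates Go's initialism convention (the identifier should be `URIValue`, in line with the `isURIValid` helper discussed in this thread), which is the naming problem `make lint-fix` will not auto-correct; if the function survives the NONE/NOASSERTION rework, rename it and pin the fallback with a unit test that feeds an empty string, a malformed string and a valid URI, since the `NoneIfEmpty(uri) != NONE` guard is the only place the empty case is decided.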
Contributor

@kzantow kzantow Feb 28, 2025


I think using NOASSERTION here actually ends up being the right thing to do. The reason is, we're not claiming that there is no download location, we're only claiming that we cannot provide one. As such, I think we should update this to: if isURIValid(uri) { return uri } return NOASSERTION, or instead get rid of this function altogether and just update the last bit of DownloadLocation to have this, and ensure isURIValid returns false for empty string. I'm happy to make these updates.

Very sorry for not giving this sufficient thought originally
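The rule kzantow describes, written out as an added Go example (not code from this PR or from the project): a syntactically valid URI is kept, while an empty or malformed downloadLocation becomes NOASSERTION rather than NONE. The scheme-plus-authority check and the passthrough of the two SPDX sentinels are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SPDX 2.x sentinel values for PackageDownloadLocation, the two the thread contrasts.
const (
	NONE        = "NONE"        // asserts that no download location exists
	NOASSERTION = "NOASSERTION" // asserts only that the producer cannot provide one
)

// isURIValid reports whether raw parses as a URI with a scheme and at least a
// host, opaque part or path. An empty or whitespace-only value is invalid, so a
// missing manifest field can never be mistaken for a location.
func isURIValid(raw string) bool {
	if strings.TrimSpace(raw) == "" {
		return false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" {
		return false // free text such as "Ben Coe" or "not a uri" lands here
	}
	return u.Host != "" || u.Opaque != "" || u.Path != ""
}

// DownloadLocation keeps a valid URI and maps everything else to NOASSERTION,
// never NONE: an unparseable value means "unknown", not "asserted absent".
// Passing the SPDX sentinels through unchanged is an assumption of this example.
func DownloadLocation(raw string) string {
	if raw == NONE || raw == NOASSERTION || isURIValid(raw) {
		return raw
	}
	return NOASSERTION
}

func main() {
	// Constructed sample values, not taken from a real SBOM.
	for _, raw := range []string{
		"https://github.com/yargs/cliui",
		"git+https://github.com/yargs/cliui.git",
		"Ben Coe",
		"",
		NONE,
	} {
		fmt.Printf("%-42q -> %s\n", raw, DownloadLocation(raw))
	}
}
```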

Successfully merging this pull request may close these issues.

Download location is not a valid URI