feat: add Yarn Audit analyzer

[ssthom]

Fixes Issue

Fixes: #2842
Fixes: #2814
Fixes: #2641

Description of Change

Updated the NodeAuditAnalyzer to be able to process the yarn.lock file. It uses yarn audit --verbose to get the request it sends to the Node Audit API and process that as if it was from the NPM lock file. It also uses the yarn audit groups param to be able to handle DependencyCheck's --nodeAuditSkipDevDependencies param

Have test cases been added to cover the new functionality?

yes and also tested against my local yarn project

[ssthom]

@jeremylong First time developing in this repo. Let me know if this is the right approach for this?

[jeremylong]

Thanks for the PR - and there are things in here that will be used but I would like to see this re-structured a bit. When we add a reliance on an external tool we should put this into an entirely separate analyzer; so in this case like YarnAuditAnalyzer and possibly extracting out some of the duplicate code into a parent class for both yarn and node audit analyzers.

One of the main reasons is so we can test to see if the tool is installed and working in the prepareFileTypeAnalyzer() method and output an appropriate warning if it is not, such as with

DependencyCheck/core/src/main/java/org/owasp/dependencycheck/analyzer/GolangModAnalyzer.java

Line 270 in 48a6bda

throw new InitializationException(String.format("Go executable not found. Disabling %s: %s", ANALYZER_NAME, exitValue));

In this case, if no yarn.lock is in the scan then the prepareFileTypeAnalyzer() would not be called. If a yarn.lock existed and yarn was not installed we can throw the error during setup with sufficient instructions for an end user to know they need to install yarn to be able to complete the scan.

[ssthom]

@jeremylong How about this? I separated it into it's own Analyzer and moved some of the common code into AbstractNpmAnalyzer

It now prints the following to the user if Yarn isn't installed

[WARN] The Yarn Audit Analyzer has been disabled. Yarn executable was not found.

[jeremylong]

@ssthom initial review - this looks great. really appreciate such a complete PR. I will do some testing over the weekend, merge the PR, and then publish a release. You don't have to worry about this as I'll handle it (just writing it down so I have notes); update to include:

• Standardize process output Standardize Handling Process output #2979
• Update the README.md section on development pre-reqs to include yarn.

[josefschabasser]

Hi!
Sorry to interrupt you, but will this work with the docker image (owasp/dependency-check)?
Best regards!

[jeremylong]

Current branch can be found here: https://github.com/jeremylong/DependencyCheck/tree/ssthom-yarnAudit

It looks like we also need to add yarnPath - as such, it might take a little bit longer. Also, we likely need to install yarn in the docker image as well.

[jeremylong]

@ssthom testing is finding more issues... As I'm using a newer version of node then you were in testing I'm getting the following from yarn audit --offline:

error owasp-nodejs-goat@1.3.0: The engine "node" is incompatible with this module. Expected version "12.x.x". Got "15.6.0"
error Found incompatible module.