feat: Implement Yarn Berry Analyser (#7319)

Author: segovia

core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java

@@ -26,20 +26,29 @@
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
+
 import static org.junit.Assert.assertTrue;
 
 public class YarnAuditAnalyzerIT extends BaseTest {
 
     @Test
-    public void testAnalyzePackageYarn() throws AnalysisException, InitializationException, InvalidSettingException {
+    public void testAnalyzePackageYarnClassic() throws AnalysisException, InitializationException, InvalidSettingException {
+        testAnalyzePackageYarn("yarn-classic-audit/yarn.lock");
+    }
+
+    @Test
+    public void testAnalyzePackageYarnBerry() throws AnalysisException, InitializationException, InvalidSettingException {
+        testAnalyzePackageYarn("yarn-berry-audit/yarn.lock");
+    }
 
+    private void testAnalyzePackageYarn(String yarnLockFile) throws AnalysisException {
         //Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED), is(true));
         try (Engine engine = new Engine(getSettings())) {
-            YarnAuditAnalyzer analyzer = new YarnAuditAnalyzer();
+            var analyzer = new YarnAuditAnalyzer();
             analyzer.setFilesMatched(true);
             analyzer.initialize(getSettings());
             analyzer.prepare(engine);
-            final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, "yarnaudit/yarn.lock"));
+            final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, yarnLockFile));
             analyzer.analyze(toScan, engine);
             boolean found = false;
             assertTrue("More then 1 dependency should be identified", 1 < engine.getDependencies().length);

core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java

@@ -0,0 +1,3 @@
+nodeLinker: node-modules
+
+yarnPath: .yarn/releases/yarn-4.6.0.cjs

core/src/test/resources/yarn-berry-audit/.yarn/releases/yarn-4.6.0.cjs

@@ -0,0 +1,58 @@
+{
+  "name": "owasp-nodejs-goat",
+  "private": true,
+  "version": "1.3.0",
+  "description": "A tool to learn OWASP Top 10 for node.js developers",
+  "main": "server.js",
+  "dependencies": {
+    "bcrypt-nodejs": "0.0.3",
+    "body-parser": "^1.15.1",
+    "consolidate": "^0.14.1",
+    "csurf": "^1.8.3",
+    "dont-sniff-mimetype": "^1.0.0",
+    "express": "^4.13.4",
+    "express-session": "^1.13.0",
+    "forever": "^0.15.1",
+    "helmet": "^2.0.0",
+    "marked": "0.3.5",
+    "mongodb": "^2.1.18",
+    "serve-favicon": "^2.3.0",
+    "swig": "^1.4.2",
+    "underscore": "^1.8.3"
+  },
+  "comments": {
+    "//": "a9 insecure components"
+  },
+  "engines": {
+    "node": "15.x.x",
+    "npm": "6.x.x"
+  },
+  "scripts": {
+    "start": "node server.js",
+    "test": "node node_modules/grunt-cli/bin/grunt test",
+    "db:seed": "grunt db-reset",
+    "precommit": "grunt precommit"
+  },
+  "devDependencies": {
+    "async": "^2.0.0-rc.4",
+    "grunt": "^1.0.1",
+    "grunt-cli": "^1.2.0",
+    "grunt-concurrent": "^2.3.0",
+    "grunt-contrib-jshint": "^1.0.0",
+    "grunt-contrib-watch": "^1.0.0",
+    "grunt-env": "latest",
+    "grunt-if": "https://github.com/binarymist/grunt-if/tarball/master",
+    "grunt-jsbeautifier": "^0.2.12",
+    "grunt-mocha-test": "^0.12.7",
+    "grunt-nodemon": "^0.4.2",
+    "grunt-npm-install": "^0.3.0",
+    "grunt-retire": "^0.3.12",
+    "mocha": "^2.4.5",
+    "selenium-webdriver": "^2.53.2",
+    "should": "^8.3.1",
+    "zaproxy": "^0.2.0"
+  },
+  "repository": "https://github.com/OWASP/NodejsGoat",
+  "license": "Apache 2.0",
+  "packageManager": "[email protected]"
+}