
Add weighed vulnerability score #223

Open
stevespringett opened this issue Apr 29, 2015 · 1 comment

Comments

@stevespringett
Collaborator

A weighted vulnerability score should be added to the core. It will be used in the Sonar plugin and potentially the Jenkins plugin.

Ideally, the risk of the vulnerabilities discovered would take into consideration the reliance (based on imports or usage) of the vulnerable dependency and the size of the codebase. However, since Dependency-Check cannot guarantee any visibility into this information, we need to use the information currently available in the XML report.

Potential datapoints include:

  • HIGH (total high severity vulns)
  • MEDIUM (total medium severity vulns)
  • LOW (total low severity vulns)
  • TOTAL_VULNS (total number of all vulnerabilities)
  • TOTAL_DEPS (total number of dependencies scanned)
  • VULN_DEPS (number of vulnerable dependencies)
@stevespringett
Collaborator Author

For the Sonar plugin, I'm currently using the following metrics:

Inherited Risk Score (IRS): `(high * 5) + (medium * 3) + (low * 1)`

The IRS is simply a weighted measurement of the vulnerabilities inherited by the application through the use of vulnerable components. It does not measure the application's actual risk due to those components. The higher the score, the more risk the application inherits.

Vulnerable Component Ratio: `(vulnerabilities / vulnerableComponents)`

This is simply a measurement of the number of vulnerabilities to the vulnerable components (as a percentage). A higher percentage indicates that a large number of components contain vulnerabilities. Lower percentages are better.
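The following is an added worked example, not code from Dependency-Check or from this issue's author. It derives the datapoints listed in the first comment (HIGH, MEDIUM, LOW, TOTAL_VULNS, TOTAL_DEPS, VULN_DEPS) from an XML report and then computes the two metrics from the second comment. The element layout of the sample report (`analysis/dependencies/dependency/vulnerabilities/vulnerability/severity`) is an assumption that approximates the report format, and the vulnerability names and file names are constructed placeholders; tag names may need adjusting for a real report.

```python
"""Compute the datapoints and scores discussed in this issue from a
Dependency-Check style XML report.

Added example, not project code. The report layout below is an assumption
that approximates the real report; the names in it are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report (assumed layout, placeholder identifiers).
# The default namespace on <analysis> mirrors how real reports are namespaced;
# the parser below strips namespaces so either form is accepted.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<analysis xmlns="urn:example:dependency-check-report">
  <dependencies>
    <dependency>
      <fileName>lib-a.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>EXAMPLE-0001</name><severity>High</severity></vulnerability>
        <vulnerability><name>EXAMPLE-0002</name><severity>High</severity></vulnerability>
        <vulnerability><name>EXAMPLE-0003</name><severity>Medium</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>lib-b.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>EXAMPLE-0004</name><severity>Low</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>lib-c.jar</fileName>
    </dependency>
    <dependency>
      <fileName>lib-d.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>EXAMPLE-0005</name><severity>medium</severity></vulnerability>
        <vulnerability><name>EXAMPLE-0006</name><severity>LOW</severity></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>
"""


@dataclass
class ReportStats:
    """The datapoints proposed in the issue, plus a counter for severities
    the weighting does not know about, so they are surfaced rather than
    silently dropped from the score."""
    high: int = 0
    medium: int = 0
    low: int = 0
    unknown: int = 0
    total_deps: int = 0
    vuln_deps: int = 0

    @property
    def total_vulns(self) -> int:
        return self.high + self.medium + self.low + self.unknown


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{urn:...}dependency'."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem: ET.Element, name: str) -> list:
    """All descendants (excluding elem itself) whose local tag name matches."""
    return [child for child in elem.iter() if child is not elem and _local(child.tag) == name]


def parse_report(xml_text: str) -> ReportStats:
    """Walk every <dependency>, count its <vulnerability> elements by severity."""
    root = ET.fromstring(xml_text)
    stats = ReportStats()
    for dep in _descendants(root, "dependency"):
        stats.total_deps += 1
        vulns = _descendants(dep, "vulnerability")
        if vulns:
            stats.vuln_deps += 1
        for vuln in vulns:
            sev_elems = _descendants(vuln, "severity")
            severity = (sev_elems[0].text or "").strip().lower() if sev_elems else ""
            if severity == "high":
                stats.high += 1
            elif severity == "medium":
                stats.medium += 1
            elif severity == "low":
                stats.low += 1
            else:
                stats.unknown += 1  # e.g. a missing or unexpected severity label
    return stats


def inherited_risk_score(stats: ReportStats) -> int:
    """IRS as defined in the issue: (high * 5) + (medium * 3) + (low * 1)."""
    return stats.high * 5 + stats.medium * 3 + stats.low * 1


def vulnerable_component_ratio(stats: ReportStats) -> float:
    """vulnerabilities / vulnerableComponents, guarding the no-findings case."""
    if stats.vuln_deps == 0:
        return 0.0
    return stats.total_vulns / stats.vuln_deps


if __name__ == "__main__":
    s = parse_report(SAMPLE_REPORT)
    print(f"HIGH={s.high} MEDIUM={s.medium} LOW={s.low} UNKNOWN={s.unknown}")
    print(f"TOTAL_VULNS={s.total_vulns} TOTAL_DEPS={s.total_deps} VULN_DEPS={s.vuln_deps}")
    print(f"IRS={inherited_risk_score(s)} ratio={vulnerable_component_ratio(s):.2f}")
```

Severity labels are compared case-insensitively because the sample mixes `High`, `medium` and `LOW`; anything outside the three weighted levels lands in `unknown`, which keeps TOTAL_VULNS honest even though the IRS formula, as specified in the comment above, only weights high, medium and low. The ratio is returned as a plain quotient (6 vulnerabilities across 3 vulnerable components gives 2.0), matching the formula as written rather than a percentage.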
