
fix: exclude deprecations from Yarn Berry audit results #8380

Draft
chadlwilson wants to merge 6 commits into dependency-check:main from chadlwilson:exclude-deprecations-from-yarn-audit

Conversation

@chadlwilson (Collaborator) commented Mar 20, 2026

Description of Change

Currently deprecations are included within the Yarn Berry results. They do not format properly, and there seems to be some API inconsistency as to when they are included/excluded, leading to some inconsistency in ODC results from one run to another.

They do not format properly as they are missing normal metadata/descriptions and have null vulnerabilityNames, no identifiers etc., so you can't suppress them properly either. (Suppressing vulnerabilityName = null is very dodgy.)

One or more dependencies were identified with known vulnerabilities in project:

yarn.lock?debuglog (pkg:npm/debuglog@1.0.1) : null
yarn.lock?glob (pkg:npm/glob@7.2.3) : null
yarn.lock?inflight (pkg:npm/inflight@1.0.6) : null
yarn.lock?osenv (pkg:npm/osenv@0.1.5) : null
yarn.lock?read-installed (pkg:npm/read-installed@4.0.3) : null
yarn.lock?read-package-json (pkg:npm/read-package-json@2.1.2) : null
yarn.lock?readdir-scoped-modules (pkg:npm/readdir-scoped-modules@1.1.0) : null
yarn.lock?rimraf (pkg:npm/rimraf@3.0.2) : null
yarn.lock?tslint (pkg:npm/tslint@6.1.3) : null

Deprecated doesn't mean vulnerable, and I think ODC should focus on vulnerabilities (outside dedicated analyzers such as retirejs), although my main concern is that the scanning seems unstable and sometimes deprecations will be included, and sometimes excluded, from the API.

Also improves the error reporting when the correct yarn version cannot be determined, e.g. due to misconfiguration.

Related issues

N/A

Have test cases been added to cover the new functionality?

yes

The --no-deprecations flag was introduced in Yarn 2.0 which means all Berry (2.0+) versions support it.
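As an added, stand-alone illustration of the two changes described above (example code, not ODC's own YarnAuditAnalyzer): a Python sketch that picks `yarn npm audit --no-deprecations` for Yarn 2.0+ and plain `yarn audit` for Yarn Classic, reports a failed `yarn --version` probe with its exit code and captured output rather than an opaque exception, and partitions audit findings that carry no identifier so they are never treated as suppressible vulnerabilities. The `VersionProbe` dataclass, the `--all --recursive` flags and the finding dict shape are assumptions of this example; the sample probes and findings are constructed.

```python
# Added illustration for this PR (not OWASP dependency-check's own code):
# choose the yarn audit invocation from a `yarn --version` probe, fail loudly
# with exit code and captured output when the version cannot be determined,
# and separate audit entries that carry no advisory identifier.
import re
import subprocess
from dataclasses import dataclass


@dataclass
class VersionProbe:
    """Result of running `yarn --version` (exit code plus captured streams).
    This shape is an assumption of the example."""
    exit_code: int
    stdout: str
    stderr: str


def parse_major(version_text: str):
    """Return the major version from output like '4.9.1' or 'v1.22.22', else None."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version_text)
    return int(m.group(1)) if m else None


def describe_probe_failure(probe: VersionProbe) -> str:
    """Error text that carries the exit code and whatever yarn printed,
    so a bad packageManager / yarnPath / corepack setup is diagnosable."""
    return (
        f"Could not determine yarn version (exit code {probe.exit_code}); "
        f"stdout={probe.stdout.strip()!r} stderr={probe.stderr.strip()!r}. "
        "Check packageManager in package.json, yarnPath in .yarnrc.yml "
        "and that corepack is enabled and on PATH."
    )


def audit_command(probe: VersionProbe) -> list:
    """Build the audit command for the detected yarn major version.

    Yarn Berry (2.0+) supports `yarn npm audit --no-deprecations`, so deprecation
    notices never reach the report. Yarn Classic (1.x) uses `yarn audit` and has
    no such flag. `--all --recursive` are this example's choices, not the PR's.
    """
    major = parse_major(probe.stdout) if probe.exit_code == 0 else None
    if major is None:
        raise RuntimeError(describe_probe_failure(probe))
    if major >= 2:
        return ["yarn", "npm", "audit", "--all", "--recursive", "--json",
                "--no-deprecations"]
    return ["yarn", "audit", "--json"]


def split_findings(findings: list):
    """Separate findings that carry an advisory identifier from ones that do not.

    Finding dicts use a constructed shape {purl, vulnerabilityName, identifiers}.
    An entry with a null name and no identifiers (the deprecation case from the
    PR description) cannot be suppressed by name and is not a vulnerability.
    """
    reportable, unidentified = [], []
    for f in findings:
        if f.get("vulnerabilityName") and f.get("identifiers"):
            reportable.append(f)
        else:
            unidentified.append(f)
    return reportable, unidentified


def probe_yarn(project_dir: str) -> VersionProbe:
    """Run the real probe in a project directory (not used by the inline demo)."""
    p = subprocess.run(["yarn", "--version"], cwd=project_dir,
                       capture_output=True, text=True)
    return VersionProbe(p.returncode, p.stdout, p.stderr)


# Constructed sample data: a Berry probe, a Classic probe, a broken corepack
# probe, two findings shaped like the PR's deprecation entries and one
# placeholder advisory (the identifier is made up for the example).
BERRY = VersionProbe(0, "4.9.1\n", "")
CLASSIC = VersionProbe(0, "1.22.22\n", "")
BROKEN = VersionProbe(1, "", "Usage Error: corepack is not enabled\n")
SAMPLE_FINDINGS = [
    {"purl": "pkg:npm/glob@7.2.3", "vulnerabilityName": None, "identifiers": []},
    {"purl": "pkg:npm/rimraf@3.0.2", "vulnerabilityName": None, "identifiers": []},
    {"purl": "pkg:npm/example@1.0.0", "vulnerabilityName": "EXAMPLE-ADVISORY-1",
     "identifiers": ["EXAMPLE-ADVISORY-1"]},
]

if __name__ == "__main__":
    print(audit_command(BERRY))
    print(audit_command(CLASSIC))
    try:
        audit_command(BROKEN)
    except RuntimeError as e:
        print(e)
    print(split_findings(SAMPLE_FINDINGS))
```

The version gate matters because `--no-deprecations` is a Berry-only flag: passing it to Yarn Classic would fail the whole audit, so the command must be chosen only after the probe has succeeded and been parsed.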

boring-cyborg bot added labels core (changes to core) and tests (test cases), Mar 20, 2026
@chadlwilson chadlwilson requested a review from Copilot March 20, 2026 06:36

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the Yarn Berry audit integration to exclude deprecation findings from audit output (since they are not vulnerabilities and can produce malformed entries), and improves diagnostics when Yarn version detection fails.

Changes:

  • Add --no-deprecations to the Yarn Berry (yarn npm audit) invocation to prevent deprecation items from appearing in results.
  • Improve Yarn version detection failure reporting by including process exit code and captured output.
  • Update/add Yarn Berry test fixtures and integration tests to cover “no vulnerabilities”, “exclude deprecations”, and “bad yarnPath/packageManager” scenarios.

Reviewed changes

Copilot reviewed 11 out of 16 changed files in this pull request and generated 3 comments.

Summary per file:

  • core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java: Adds --no-deprecations and improves yarn version failure diagnostics.
  • core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java: Refactors Yarn audit ITs, adds new Berry test cases for deprecations and bad configuration.
  • core/src/test/resources/yarn/yarn-berry-audit/package.json: Bumps test fixture packageManager Yarn version.
  • core/src/test/resources/yarn/yarn-berry-audit/.yarnrc.yml: Updates Yarn Berry config used by the fixture.
  • core/src/test/resources/yarn/yarn-berry-audit-no-vulnerability/package.json: Bumps test fixture packageManager Yarn version.
  • core/src/test/resources/yarn/yarn-berry-audit-no-vulnerability/.yarnrc.yml: Updates Yarn Berry config used by the fixture.
  • core/src/test/resources/yarn/yarn-berry-audit-no-vulnerability/.yarn/install-state.gz: Adds/updates Yarn state for fixture execution.
  • core/src/test/resources/yarn/yarn-berry-audit-no-deprecations/*: Adds a minimal fixture used to verify deprecations are excluded.
  • core/src/test/resources/yarn/yarn-berry-audit-bad-package-manager/*: Adds a fixture used to validate improved error reporting for misconfigured Yarn.
  • core/src/test/resources/yarn/.gitignore: Ignores .yarn/ and node_modules/ under yarn test resources.


@chadlwilson chadlwilson force-pushed the exclude-deprecations-from-yarn-audit branch 4 times, most recently from 7596b82 to 3a03063 Compare March 20, 2026 08:15
…ntrolling yarn

The required version can be dynamically downloaded. Source controlling it is not necessary.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
If your yarn config/.yarnrc.yml, package.json or corepack setup is incorrect, the `yarn` stub can fail for a number of reasons, and some are specific to ODC.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
…r pnpm/yarn/npm testing

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@chadlwilson chadlwilson force-pushed the exclude-deprecations-from-yarn-audit branch from b01d0b6 to d6104d3 Compare March 20, 2026 08:44
@chadlwilson chadlwilson self-assigned this Mar 20, 2026
@chadlwilson (Collaborator, Author) commented

This is OK now, but I am still working on the error handling for fallback to Yarn Classic to see if it can be improved.

…c on Yarn Berry project

This can happen currently when users are relying on corepack to switch from Yarn 1 to Yarn 2+, but corepack is not enabled or on the path correctly. A better approach would be more reliable Yarn version detection (from intent), but this improves the situation by improving the feedback to users to more than an opaque `IllegalArgumentException`.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
No need to use a separate `--help`, and we can reduce synchronization by doing so during analyzer preparation phase.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@chadlwilson chadlwilson force-pushed the exclude-deprecations-from-yarn-audit branch from cb6615e to 620e9d5 Compare March 21, 2026 09:41