Introducing perl cpanfile dependency analyzer #2724

Closed
harj-the-dev wants to merge 4 commits

Conversation

harj-the-dev (Contributor)

Fixes Issue

No. This is for a new feature I required and wanted to share.

Description of Change

Added perl scanner using dependencies listed in the cpanfile. Feature is hidden behind the --enableExperimental flag.
Example usage:

java -classpath "/path/*" -Dapp.name="dependency-check" -Dapp.repo="/hob" -Dapp.home="/path/" -Dbasedir="/path/" org.owasp.dependencycheck.App -s . --enableExperimental

Have test cases been added to cover the new functionality?

yes

boring-cyborg bot added the labels core (changes to core) and tests (test cases) on Jul 16, 2020
harj-the-dev changed the title from "Main" to "Introducing perl cpanfile dependency analyzer" on Jul 17, 2020
harj-the-dev (Contributor, Author)

Hiya, is there anything I can do to help get this feature included?

jeremylong (Owner)

The design of this analyzer does not follow how dependency-check is intended to work. A FileTypeAnalyzer's job is to create the dependency objects - in this case based off of the cpanfile. The original cpanfile dependency should likely be removed (see how the PIP analyzer works); you then create virtual dependencies from the 'required', 'recommended', etc. entries in the cpanfile. Each dependency that gets created would have as much evidence as can be extracted (at least one entry in each of the 'vendor', 'product', and 'version' buckets); in addition one would want to add a PURL identifier (again, see how the PIP analyzer works).

Once this is done the other analyzers in the pipeline (CPE Analyzer, NVD CVE Analyzer, OSS Index Analyzer, etc.) will populate the vulnerability information.

The only analyzers that actually add vulnerabilities directly to the dependency object are those that are actually running some form of SCA vulnerability analysis such as Ruby Bundle Audit or npm audit.
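
Added worked example (not code from this PR and not dependency-check's own Java API): a Python model of the design the comment above describes. It drops the cpanfile itself from the engine's dependency list, emits one virtual dependency per requires/recommends/suggests entry (including entries inside an on 'test' => sub { ... } block), attaches vendor, product and version evidence, and adds a PURL, leaving vulnerability lookup to whatever runs later in the pipeline. The class and function names (VirtualDependency, analyze_cpanfile, run_analyzer), the pkg:cpan/<Module::Name>@<version> PURL form, and the vendor heuristic (top-level namespace, low confidence) are assumptions made for this example; the sample cpanfile is constructed.

```python
"""Model of the FileTypeAnalyzer design described in the review comment.
Added example: names such as VirtualDependency and analyze_cpanfile are
assumptions for this illustration, not dependency-check's Java API."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample cpanfile (not taken from the PR). It covers bare and
# range versions, ',' vs '=>' separators, an entry without a version,
# and a phase block.
SAMPLE_CPANFILE = """\
requires 'perl', '5.010';
requires 'Mojolicious', '>= 8.0, < 9.0';
requires 'DBI' => '1.643';
requires 'JSON::XS';
recommends 'Cpanel::JSON::XS', '4.0';
on 'test' => sub {
    requires 'Test::More', '0.98';
    suggests 'Test::Pod';
};
"""

RELATION_RE = re.compile(r"""
    ^\s*(?:(?P<pre>configure|build|test|develop)_)?
    (?P<rel>requires|recommends|suggests|conflicts)\s+
    ['"](?P<name>[^'"]+)['"]
    (?:\s*(?:,|=>)\s*['"](?P<spec>[^'"]*)['"])?
    \s*;""", re.X)
PHASE_RE = re.compile(r"""^\s*on\s+['"](?P<phase>\w+)['"]\s*=>\s*sub\s*\{""")
PHASE_END_RE = re.compile(r"^\s*\}\s*;")
VERSION_RE = re.compile(r"^(==|>=|>)?\s*(v?[0-9][0-9._]*)$")


@dataclass
class Evidence:
    bucket: str       # 'vendor', 'product' or 'version'
    value: str
    confidence: str   # 'HIGHEST', 'HIGH', 'MEDIUM' or 'LOW'


@dataclass
class VirtualDependency:
    name: str                 # Perl module name, e.g. JSON::XS
    relation: str             # requires / recommends / suggests / conflicts
    phase: str                # runtime / configure / build / test / develop
    version: Optional[str]    # '==' pin or '>=' lower bound, else None
    evidence: List[Evidence] = field(default_factory=list)
    purl: Optional[str] = None


def minimum_version(spec: Optional[str]) -> Optional[str]:
    """Reduce a cpanfile version spec to one version worth matching on.
    A bare version means '>= version'; in a range keep the '==' pin or the
    '>=' lower bound. Strict '>' and upper bounds give no single version."""
    if not spec or not spec.strip():
        return None
    for clause in spec.split(","):
        m = VERSION_RE.match(clause.strip())
        if m and m.group(1) in (None, "==", ">="):
            return m.group(2)
    return None


def parse_cpanfile(text: str):
    """Yield (relation, phase, module, version_spec) per entry, tracking
    on '<phase>' => sub { ... }; blocks and the test_requires shorthand."""
    phase = "runtime"
    for line in text.splitlines():
        start = PHASE_RE.match(line)
        if start:
            phase = start.group("phase")
            continue
        if PHASE_END_RE.match(line):
            phase = "runtime"
            continue
        m = RELATION_RE.match(line)
        if m:
            yield (m.group("rel"), m.group("pre") or phase,
                   m.group("name"), m.group("spec"))


def to_dependency(relation, phase, name, spec) -> VirtualDependency:
    """One virtual dependency with evidence in each bucket plus a PURL.
    The PURL form and the vendor heuristic are assumptions of this example."""
    version = minimum_version(spec)
    dep = VirtualDependency(name, relation, phase, version)
    # vendor: a cpanfile names no author, so fall back to the top-level namespace
    dep.evidence.append(Evidence("vendor", name.split("::")[0], "LOW"))
    # product: the module name, plus the distribution-style spelling (:: -> -)
    dep.evidence.append(Evidence("product", name, "HIGHEST"))
    if "::" in name:
        dep.evidence.append(Evidence("product", name.replace("::", "-"), "HIGH"))
    if version:
        # an '==' pin is the real version; a lower bound is not what is installed
        exact = spec.strip().startswith("==")
        dep.evidence.append(Evidence("version", version, "HIGH" if exact else "MEDIUM"))
    dep.purl = f"pkg:cpan/{name}" + (f"@{version}" if version else "")
    return dep


def analyze_cpanfile(text: str) -> List[VirtualDependency]:
    """'perl' names the interpreter, not a CPAN package, so it is skipped."""
    return [to_dependency(*e) for e in parse_cpanfile(text) if e[2] != "perl"]


def run_analyzer(engine_deps: dict, cpanfile_path: str) -> List[VirtualDependency]:
    """engine_deps maps scanned path -> contents, standing in for the engine's
    file dependencies. The cpanfile entry is removed and replaced by the
    virtual dependencies; CPE/NVD/OSS Index analyzers would run on those."""
    return analyze_cpanfile(engine_deps.pop(cpanfile_path))


if __name__ == "__main__":
    for dep in analyze_cpanfile(SAMPLE_CPANFILE):
        print(f"{dep.phase:8} {dep.relation:10} {dep.purl}")
```

Version evidence is deliberately kept at MEDIUM for lower bounds: a cpanfile pins a minimum, not what is actually installed, so matching CVE ranges against it can only approximate; an exact '==' pin is the one case where the version is trustworthy.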

jeremylong (Owner)

Thanks for the base code. I have updated the code and created a new PR based on your original PR (see #3378).

@jeremylong jeremylong closed this May 14, 2021