jeemok / better-npm-audit

The goal of this project is to provide additional features on top of the existing npm audit options
https://www.npmjs.com/package/better-npm-audit
MIT License

Allow vulnerabilities to be identified by URL #74

Closed leedm777 closed 2 years ago

leedm777 commented 2 years ago

Unfortunately, for mysterious reasons, the ids returned from the NPM audit API have been changing recently, which makes identifying the vulnerabilities difficult.

Even more unfortunately, when NPM changed the output format for npm audit --json in npm v7, they removed many of the other useful identifiers (cves, cwe, github_advisory_id). The only thing left is the URL.

This patch allows vulnerabilities in the .nsprc file to be identified by the URL instead of the sadly unstable id. This doesn't seem like a really great option to me, since all the URLs changed from npmjs.com to github.com a few months ago, and surely they'll change again. But it's the closest thing we have to a stable id at the moment, so we'll go with that.

See #60

kyle-clark1824 commented 2 years ago

This looks like a good improvement. I don't love passing the whole URL as an "ID", but none of this is really ideal :)

I'm a little floored that they removed all the "useful" fields in v7+ but the good thing is both versions do seem to have the url. Again, the only thing I would change is using the whole URL, but either way I think this will only help.

Thanks again for getting a PR in!

kyle-clark1824 commented 2 years ago

May want to update the README.md file with the option to use a URL.

jeemok commented 2 years ago

Thanks for the PR @leedm777! As we now accept CVE, CWE and GHSA IDs, it would be difficult to identify whether they should be a URL. I have included the handling for checking GHSA inside the URL in the published beta version/branch, hence this PR would not need to be merged anymore. Please try out the beta version and create a new PR pointing to the beta branch if there is an issue.
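A sketch of the matching discussed in this thread (an advisory identified by its legacy numeric id, by a GHSA id given bare or embedded in the advisory URL, or by the URL itself), as an added example that is not better-npm-audit's own code. It assumes the npm 7+ `vulnerabilities.<pkg>.via[]` object shape with `source` and `url`; the exception-list shape and every sample id, URL and package name below are constructed.

```javascript
// Added example (not better-npm-audit's own code): match npm 7+ audit advisories
// against exception identifiers given as a numeric id, a GHSA id, or the advisory URL.
// Exception list shape is an assumption, not the real .nsprc format.

const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i;

// Turn one identifier (numeric id, GHSA id, or URL) into a set of comparable keys.
function identifierKeys(idOrUrl) {
  const s = String(idOrUrl).trim();
  const keys = new Set();
  if (/^\d+$/.test(s)) keys.add(s);                       // legacy numeric advisory id
  const ghsa = s.match(GHSA_RE);
  if (ghsa) keys.add(ghsa[0].toUpperCase());              // GHSA id, bare or inside a URL
  const num = s.match(/\/advisories\/(\d+)\/?$/i);         // old npmjs.com/advisories/<id> form
  if (num) keys.add(num[1]);
  if (/^https?:\/\//i.test(s)) {                          // full URL, scheme/slash/case normalised
    keys.add(s.replace(/^https?:\/\//i, '').replace(/\/+$/, '').toLowerCase());
  }
  return keys;
}

// True if any exception identifier matches this `via` advisory by id, GHSA, or URL.
function isExcepted(via, exceptionIds) {
  const adv = new Set();
  for (const v of [via.source, via.url]) {
    if (v != null) identifierKeys(v).forEach(k => adv.add(k));
  }
  return exceptionIds.some(id => [...identifierKeys(id)].some(k => adv.has(k)));
}

// Split audit findings into excepted entries and those still to be reported.
function triage(auditJson, exceptionIds) {
  const reported = [], excepted = [];
  for (const [pkg, vuln] of Object.entries(auditJson.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      if (typeof via !== 'object') continue;             // string entries are transitive refs
      (isExcepted(via, exceptionIds) ? excepted : reported).push({ pkg, url: via.url });
    }
  }
  return { reported, excepted };
}

// Constructed sample audit output (ids, URLs and package names are made up).
const SAMPLE_AUDIT = { vulnerabilities: {
  'pkg-a': { via: [{ source: 1001, name: 'pkg-a', url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc' }] },
  'pkg-b': { via: [{ source: 1002, name: 'pkg-b', url: 'https://github.com/advisories/GHSA-dddd-eeee-ffff' }, 'pkg-a'] },
} };
```

Because the URL form is normalised and the GHSA is extracted from it, an exception written against the github.com URL still matches if npm later reformats the scheme or trailing slash, but not if the host changes again as the thread anticipates.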