feat: better display of NPM audit references

fixes issue #5547

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java

@@ -40,6 +40,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
@@ -454,11 +455,21 @@ protected void processResults(final List<Advisory> advisories, Engine engine,
             vuln.setName(String.valueOf(advisory.getGhsaId()));
             vuln.setUnscoredSeverity(advisory.getSeverity());
             vuln.setSource(Vulnerability.Source.NPM);
-            vuln.addReference(
-                    "NPM Advisory " + advisory.getGhsaId() + ": " + advisory.getTitle(),
-                    advisory.getReferences(),
-                    null
-            );
+            if (advisory.getReferences() != null) {
+                final String[] references = advisory.getReferences().split("\\n");
+                for (String reference : references) {
+                    if (reference.length() > 3) {
+                        String url = reference.substring(2);
+                        try {
+                            new URL(url);
+                        } catch (MalformedURLException ignored) {
+                            // reference is not a format-valid URL, so null it to make the reference be used as plaintext
+                            url = null;
+                        }
+                        vuln.addReference("NPM Advisory reference: ", url == null ? reference : url, url);
+                    }
+                }
+            }
 
             //Create a single vulnerable software object - these do not use CPEs unlike the NVD.
             final VulnerableSoftwareBuilder builder = new VulnerableSoftwareBuilder();