
Improve handling of reports with 0 CVES

terriko opened this issue 3 years ago

From an email:

We generate CVE reports based on previously prepared .json file and there are two corner cases that make tracking CVEs difficult.

  • When the .json file contains 3rd party components that do not have any CVEs
  • When the .json file contains a 3rd party component that does not exist in the NVD database.

According to above, we propose to (in all 3 types of reports: .json, .html, .pdf):

  1. If the report has 0 CVEs
    • do not generate an empty report
    • do generate a report with appropriate info that there are 0 CVEs (I suggest listing all 3rd party components that were scanned by CVE BIN Tool; maybe in an additional section?)
  2. If a 3rd party component has 0 CVEs
    • do generate a report with appropriate info that the 3rd party component has 0 CVEs (I suggest listing all 3rd party components that were scanned by CVE BIN Tool; maybe in an additional section?)
  3. If a 3rd party component does not exist in the database, I propose including appropriate info to inform the user that the component was not found

We've had similar discussions about how to handle empty reports, but I think this nicely puts it all in one place.

The issue here is that for teams that maintain some sort of auditable data (e.g. to prove that their code was ready to release), they often want a way to show that

  1. They scanned their code for known vulnerabilities,
  2. Ideally, none were found,
  3. What components were checked. (This can be used to help validate that the scan was done correctly: if you found 0 components, a CVE-free scan doesn't mean much. It can also be validated against other component lists if needed.)

Many of the teams I work with need some sort of file as output that can then be automatically uploaded to a location for future audit, so "get a screenshot of the console" is more of a pain to do programmatically than having a pre-prepared report with the correct info.

terriko avatar Aug 04 '22 20:08 terriko
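As an added illustration of the report shape proposed in this issue (not cve-bin-tool's own reporting code), the following example builds a JSON report that always lists the scanned components, distinguishes "known product, 0 CVEs" from "product not found in the database", and emits a summary message rather than an empty document when nothing was found. The `ScannedComponent` record, the `in_database` flag and the sample scan data are constructed assumptions; the CVE identifier in the sample is a placeholder.

```python
"""Build a CVE report that stays auditable when 0 CVEs are found.

Hypothetical example, not cve-bin-tool's reporting code. It assumes the
scanner yields one record per detected component and marks a component as
not in the database when the vendor/product lookup returned no entry at
all (which is different from a known product with zero CVEs).
"""
import json
from dataclasses import dataclass, field


@dataclass
class ScannedComponent:
    vendor: str
    product: str
    version: str
    in_database: bool                           # False: vendor/product unknown to the NVD mirror
    cves: list = field(default_factory=list)    # CVE id strings, empty when none are known


def component_status(component):
    """Human-readable status used in the per-component section of the report."""
    if not component.in_database:
        return "not found in database"
    if not component.cves:
        return "no known CVEs"
    return f"{len(component.cves)} CVE(s)"


def build_report(components):
    """Return a report dict that lists every scanned component, even with 0 CVEs."""
    checked = [c for c in components if c.in_database]
    not_found = [c for c in components if not c.in_database]
    findings = [
        {"vendor": c.vendor, "product": c.product, "version": c.version, "cve": cve}
        for c in checked
        for cve in c.cves
    ]
    report = {
        "summary": {
            "components_scanned": len(components),
            "components_in_database": len(checked),
            "components_not_in_database": len(not_found),
            "total_cves": len(findings),
        },
        # Always present: this is what an auditor checks against a component list.
        "components": [
            {"vendor": c.vendor, "product": c.product, "version": c.version,
             "status": component_status(c)}
            for c in components
        ],
        "cves": findings,
    }
    if not findings:
        # Distinguish a genuinely clean scan from a scan that matched nothing.
        if checked:
            report["summary"]["message"] = "0 CVEs found in the components listed above"
        else:
            report["summary"]["message"] = (
                "0 CVEs found, but no component was matched against the database; "
                "the scan may not have identified any components"
            )
    return report


def report_to_json(components):
    """Serialise the report for upload to an audit location."""
    return json.dumps(build_report(components), indent=2)


# Constructed sample scan: one clean component, one with a placeholder CVE,
# one that the database does not know about.
SAMPLE_SCAN = [
    ScannedComponent("example_vendor", "libalpha", "1.2.3", True, []),
    ScannedComponent("example_vendor", "libbeta", "4.5", True, ["CVE-YYYY-NNNNN"]),
    ScannedComponent("example_vendor", "libgamma", "0.9", False),
]

if __name__ == "__main__":
    print(report_to_json(SAMPLE_SCAN))
    print(report_to_json(SAMPLE_SCAN[:1]))   # clean scan: 0 CVEs, component still listed
    print(report_to_json([]))                # nothing matched: warning in the summary
```

The key design point is that the "components" section is unconditional: a report showing 0 CVEs across 0 components reads as a failed scan, while 0 CVEs across a list of named components is evidence that the scan ran.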