Add WPScan or Wordfence as analyzer or mirror

[valentijnscholten]

Current Behavior

Currently Wordpress vulnerabilities are not covered completely by Dependency Tracks sources. If they have a CVE, the probably are detected.
But many plugins have vulnerabilities without a CVE (or GHSA, OSV, SNYK, .... ID).

Proposed Behavior

Popular sources for Wordpress vullnerabilities are

• WPScan
• Wordfence

The problem with WPScan is that they do not allow any mirroring and do not allow even storing vulnerabilities. Unless you have a commercial enterprise license.

Wordfence seems to have almost the same (20k) vulnerabilities, but is completely free to use including mirroring.

There are some questions to be answered:

• Vulnerabilities (WPScan + Wordfence) have a uuid as ID. This doesn't really look/fit very well in the DT UI;
• Similar to my question in Composer Repository Vulnerability Mirroring #4515 (comment) is whether we should replicate all vulnerabilities as those which have a CVE are just copies of the vulnerability from NVD.

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this enhancement was already requested

[nscuro]

[...] whether we should replicate all vulnerabilities as those which have a CVE are just copies of the vulnerability from NVD.

I'd say same as #4515 (comment) for now.

Vulnerabilities (WPScan + Wordfence) have a uuid as ID. This doesn't really look/fit very well in the DT UI;

Honestly I wouldn't be too concerned about that. If a source picks UUIDs as IDs, then that's the reality we have to deal with.