Lockfile Poisoning Analyser Bug in Path Handling

[abhisek]

There is a case where strip-ansi-cjs resolves to https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz. This is a potential Lockfile Poisoning attempt because the package name does not match the conventional URL for the artifact. We need to do the following

1. Review npm specification on various conventions for URLs
2. Update --trusted-registries option handling to handle such conventions

Currently vet throws error

** Package `strip-ansi-cjs` resolved to an URL `https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz` that does 
not follow the package name path convention
** Package `wrap-ansi-cjs` resolved to an URL `https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz` that does not
follow the package name path convention
** Package `string-width-cjs` resolved to an URL `https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz` that
does not follow the package name path convention

[abhisek]

@insaaniManav This test case can reproduce the bug

diff --git a/pkg/analyzer/lfp_npm_test.go b/pkg/analyzer/lfp_npm_test.go
index d5cee31..1969ef9 100644
--- a/pkg/analyzer/lfp_npm_test.go
+++ b/pkg/analyzer/lfp_npm_test.go
@@ -160,6 +160,13 @@ func TestNpmIsUrlFollowsPathConvention(t *testing.T) {
                        []string{"https://registry.npmjs.org/base", "https://registry.npmjs.org/base1"},
                        true,
                },
+               {
+                       "strip_ansi_cjs package path matches trusted url path",
+                       "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+                       "strip-ansi-cjs",
+                       []string{"https://registry.npmjs.org/strip-ansi"},
+                       true,
+               },
        }
 
        for _, test := range cases {