fix: use classpath constant for commercial average template resource lookup (#268)

BenchmarkScore.java:965 passed scoreCardDir (a java.io.File representing
the filesystem output directory) to getResourceAsStream(), which expects a
classpath resource path. With the default config (resultsfileordir: "results"),
File.toString() accidentally produces "scorecard" — matching the classpath
prefix. But any nested resultsfileordir path (e.g. "some/dir/results") causes
getParent() to return a non-null prefix, producing an invalid classpath like
"some/dir/scorecard/commercialAveTemplate.html", which resolves to null and
throws NullPointerException.

Fix: use the SCORECARDDIRNAME constant ("scorecard"), consistent with
ToolReport.java:64 and the vulntemplate loading at line 910.

Author: TheAuditorTool

plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java

@@ -962,7 +962,7 @@ private static void generateVulnerabilityScorecards(
                                         + commercialAveragesTable.filename());
                 // Resources in a jar file have to be loaded as streams. Not directly as Files.
                 InputStream vulnTemplateStream =
-                        CL.getResourceAsStream(scoreCardDir + "/commercialAveTemplate.html");
+                        CL.getResourceAsStream(SCORECARDDIRNAME + "/commercialAveTemplate.html");
                 String html = IOUtils.toString(vulnTemplateStream, StandardCharsets.UTF_8);
                 html = html.replace("${testsuite}", BenchmarkScore.TESTSUITENAME.fullName());
                 html = html.replace("${version}", TESTSUITEVERSION);

plugin/src/test/java/org/owasp/benchmarkutils/score/BenchmarkScoreTest.java

@@ -18,9 +18,11 @@
 package org.owasp.benchmarkutils.score;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
 import java.io.PrintStream;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -109,4 +111,16 @@ void throwsExceptionAndInformsAboutUsageOnTwoElementsArraySecondNull() {
 
         expectUsageMessage();
     }
+
+    @Test
+    void commercialAveTemplateResolvesViaClasspathConstant() {
+        String resourcePath =
+                BenchmarkScore.SCORECARDDIRNAME + "/commercialAveTemplate.html";
+        InputStream stream =
+                BenchmarkScore.class.getClassLoader().getResourceAsStream(resourcePath);
+
+        assertNotNull(
+                stream,
+                "commercialAveTemplate.html must be loadable via SCORECARDDIRNAME classpath lookup");
+    }
 }