Only gemnasium DS generates dependency_list field in report
Old parser finds dependency names from dependency_list field
and adds vulnerability data based on that. However, not all analyzers
produce that field.
For example, Retire.js only reports vulnerabilities.
This change modifies parser so that it will check vulnerabilities field
in generated report to create dependency list
and populate dependencies with vulnerabilities.