feat(cli): Add a command to list installed plugins #9140

Open
wants to merge 1 commit into
base: main

mnonnenmacher
Member

Add a command to list all installed plugins and their configuration options.

The command is limited to plugins using the new plugin API, missing plugins will be added once they are migrated.

@mnonnenmacher mnonnenmacher requested a review from a team as a code owner September 15, 2024 13:40
@mnonnenmacher mnonnenmacher force-pushed the plugins-command branch 3 times, most recently from 0919aa9 to e6d3d75 Compare September 15, 2024 13:55
Add a command to list all installed plugins and their configuration
options.

The command is limited to plugins using the new plugin API, missing
plugins will be added once they are migrated.

Signed-off-by: Martin Nonnenmacher <[email protected]>

codecov bot commented Sep 15, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.16%. Comparing base (0b24c91) to head (2c21ea4).

Additional details and impacted files
@@            Coverage Diff            @@
##               main    #9140   +/-   ##
=========================================
  Coverage     67.16%   67.16%           
  Complexity     1187     1187           
=========================================
  Files           239      239           
  Lines          7899     7899           
  Branches        915      915           
=========================================
  Hits           5305     5305           
  Misses         2225     2225           
  Partials        369      369           
Flag Coverage Δ
funTest-docker 59.63% <ø> (ø)
funTest-non-docker 34.59% <ø> (ø)
test 36.61% <ø> (ø)


@sschuberth
Member

For reference, output looks like this:

============================ Installed ORT Plugins ============================

------------------------------ Advice Providers -------------------------------

Nexus IQ (id: NexusIQ)
An advisor that uses Sonatype's Nexus IQ Server to determine vulnerabilities in dependencies.

Configuration options:
 * serverUrl: STRING (Required)
   The URL to use for REST API requests against the server.
 * browseUrl: STRING
   A URL to use as a base for browsing vulnerability details. If not set, the [serverUrl] is used.
 * username: SECRET
   The username to use for authentication. If not both [username] and [password] are provided, authentication is
    disabled.
 * password: SECRET
   The password to use for authentication. If not both [username] and [password] are provided, authentication is
    disabled.

OSS Index (id: OSSIndex)
An advisor that uses Sonatype's OSS Index to determine vulnerabilities in dependencies.

Configuration options:
 * serverUrl: STRING (Default: https://ossindex.sonatype.org/)
   The base URL of the OSS Index REST API.
 * username: SECRET
   The username to use for authentication. If not both [username] and [password] are provided, authentication is
    disabled.
 * password: SECRET
   The password to use for authentication. If not both [username] and [password] are provided, authentication is
    disabled.

OSV
An advisor that retrieves vulnerability information from the Open Source Vulnerabilities database.

Configuration options:
 * serverUrl: STRING (Default: https://api.osv.dev)
   The base URL of the OSV REST API. If undefined, default is the production endpoint of the official OSV.dev API.

VulnerableCode
An advisor that uses a VulnerableCode instance to determine vulnerabilities in dependencies.

Configuration options:
 * serverUrl: STRING (Default: https://public.vulnerablecode.io)
   The base URL of the VulnerableCode REST API. By default, the public VulnerableCode instance is used.
 * apiKey: SECRET
   The optional API key to use.
 * readTimeout: LONG
   The read timeout for the server connection in seconds. Defaults to whatever is the HTTP client's default value.

----------------------- Package Configuration Providers -----------------------

Default Dir Package Configuration Provider (id: DefaultDir)
A package configuration provider that loads package curations from the default directory.

Dir Package Configuration Provider (id: Dir)
Provides package configurations from a directory.

Configuration options:
 * path: STRING (Required)
   The path of the package configuration directory.
 * mustExist: BOOLEAN (Default: false)
   A flag to denote whether the path is required to exist.

Double Open Server Package Configuration Provider (id: DOS)
A package configuration provider that loads package configurations from a Double Open Server instance.

Configuration options:
 * url: STRING (Required)
   The URL where the DOS backend is running.
 * token: SECRET (Required)
   The secret token to use with the DOS backend.
 * timeout: LONG
   The timeout for communicating with the DOS backend, in seconds.

ort-config (id: ORTConfig)
A package configuration provider that loads package configurations from the ort-config repository.

------------------------- Package Curation Providers --------------------------

ClearlyDefined
Provides package curation data from the ClearlyDefined service.

Configuration options:
 * serverUrl: STRING (Default: https://api.clearlydefined.io)
   The URL of the ClearlyDefined server to use.
 * minTotalLicenseScore: INTEGER (Default: 0)
   The minimum total score for a curation to be accepted. Must lie within 0 to 100.

Default Dir Package Curation Provider (id: DefaultDir)
A package curation provider that loads package curations from the default directory.

Default File Package Curation Provider (id: DefaultFile)
A package curation provider that loads package curations from the default file.

File Package Curation Provider (id: File)
A package curation provider that loads package curations from files.

Configuration options:
 * path: STRING (Required)
   The path of the package curation file or directory.
 * mustExist: BOOLEAN (Default: false)
   A flag to denote whether the path is required to exist.

ort-config (id: ORTConfig)
A package curation provider that loads package curations from the ort-config repository.

SW360 Package Curation Provider (id: SW360)
Provides package metadata from the configured SW360 instance using the REST API.

Configuration options:
 * restUrl: STRING (Required)
   The REST API URL of SW360.
 * authUrl: STRING (Required)
   The authentication URL of your SW360 instance.
 * username: SECRET (Required)
   The username for the requests to SW360.
 * password: SECRET (Default: )
   The password of the SW360 user.
 * clientId: SECRET (Required)
   The client ID of the SW360 instance for the two-step authentication.
 * clientPassword: SECRET (Default: )
   The password of the client ID.
 * token: SECRET (Default: )
   Optional access token that can be used instead of the [authUrl], [username], [password], [clientId] and
    [clientPassword] if the token is already known.

Member

@sschuberth sschuberth left a comment


We already have ort requirements --list=plugins. Could you please detail in the commit message what's your plan regarding the relation of these commands? I guess once all plugins are migrated, ort requirements should stop listing plugins at all, and the whole --list option to that command could be removed?

@@ -0,0 +1,35 @@
/*
* Copyright (C) 2023 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
Member


Should be 2024.

).split(",").default(PluginType.entries.map { it.optionName })

override fun run() {
echo(HorizontalRule("Installed ORT Plugins", "="))
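
Review bot: In `).split(",").default(PluginType.entries.map { it.optionName })` the selected plugin types stay plain strings, since the default is a list of option names, so a misspelled type is only caught if `run()` checks for it. Consider converting each value to a `PluginType` at parse time, so that an unknown name fails with a usage error rather than being passed on to the listing code.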
Member


Personally, I'd omit this rule as it's clear from the command that ORT plugins are listed, and instead "promote" plugin type rules from "-" to "=", and introduce "-" rules for the individual plugins to better separate their options from the next plugin.

@mnonnenmacher
Member Author

> We already have ort requirements --list=plugins. Could you please detail in the commit message what's your plan regarding the relation of these commands? I guess once all plugins are migrated, ort requirements should stop listing plugins at all, and the whole --list option to that command could be removed?

I wasn't even aware of the --list=plugins option. So would you prefer to extend the output of that option or to have the separate plugins command?

@sschuberth
Member

> I wasn't even aware of the --list=plugins option.

It's even documented 😉

> Afterward, you can run `ort requirements --list plugins` to verify that they have been properly loaded by ORT.

> So would you prefer to extend the output of that option or to have the separate plugins command?

I'm fine with having a separate command, as plugins are not really "requirements" after all (though you might expect a specific plugin to be present), and a dedicated sub-command could have more options to e.g. print out the plugin descriptor in JSON format. I probably just was too lazy to introduce a separate sub-command back then 😉

echo("Configuration options:")

echo(
UnorderedList(
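
Review bot: The option list rendered under `echo("Configuration options:")` prints a default for `SECRET` options as well, as the sample output in this thread shows with `password: SECRET (Default: )` for SW360. Consider never printing the default of a `SECRET` option, so that a plugin declaring a non-empty default secret does not have it echoed to terminals or CI logs, and leaving out the `Default:` label when the default is empty.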
Member


What do you think about using a table instead, with columns for the option name, type, and description?
