feat: Add RustFS artifact object store and migration tool

- Implemented RustFsArtifactObjectStore for managing artifacts in RustFS.
- Added unit tests for RustFsArtifactObjectStore functionality.
- Created a RustFS migrator tool to transfer objects from S3 to RustFS.
- Introduced policy preview and report models for API integration.
- Added fixtures and tests for policy preview and report functionality.
- Included necessary metadata and scripts for cache_pkg package.

samples/policy/policy-preview-unknown.json

@@ -1,98 +1,151 @@
-{
-  "previewRequest": {
-    "imageDigest": "sha256:7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234",
-    "findings": [
-      {
-        "id": "library:pkg/openssl@1.1.1w",
-        "severity": "Unknown",
-        "source": "NVD",
-        "tags": [
-          "trust:vendor",
-          "reachability:unknown",
-          "unknown-age-days:5"
-        ]
-      },
-      {
-        "id": "library:pkg/zlib@1.3.1",
-        "severity": "High",
-        "source": "NVD",
-        "tags": [
-          "state:unknown",
-          "reachability:runtime",
-          "unknown-since:2025-10-10T00:00:00Z",
-          "observed-at:2025-10-19T12:00:00Z"
-        ]
-      }
-    ]
-  },
-  "previewResponse": {
-    "success": true,
-    "policyDigest": "8a0f72f8dc5c51c46991db3bba34e9b3c0c8e944a7a6d0a9c29a9aa6b8439876",
-    "revisionId": "rev-42",
-    "changed": 2,
-    "diffs": [
-      {
-        "findingId": "library:pkg/openssl@1.1.1w",
-        "baseline": {
-          "findingId": "library:pkg/openssl@1.1.1w",
-          "status": "Pass",
-          "score": 0,
-          "configVersion": "1.0"
-        },
-        "projected": {
-          "findingId": "library:pkg/openssl@1.1.1w",
-          "status": "Blocked",
-          "ruleName": "Block vendor unknowns",
-          "ruleAction": "block",
-          "score": 19.5,
-          "configVersion": "1.0",
-          "inputs": {
-            "severityWeight": 50,
-            "trustWeight": 0.65,
-            "reachabilityWeight": 0.6,
-            "baseScore": 19.5,
-            "trustWeight.vendor": 0.65,
-            "reachability.unknown": 0.6,
-            "unknownConfidence": 0.55,
-            "unknownAgeDays": 5
-          },
-          "unknownConfidence": 0.55,
-          "confidenceBand": "medium",
-          "unknownAgeDays": 5
-        },
-        "changed": true
-      },
-      {
-        "findingId": "library:pkg/zlib@1.3.1",
-        "baseline": {
-          "findingId": "library:pkg/zlib@1.3.1",
-          "status": "Pass",
-          "score": 0,
-          "configVersion": "1.0"
-        },
-        "projected": {
-          "findingId": "library:pkg/zlib@1.3.1",
-          "status": "Warned",
-          "ruleName": "Runtime mitigation required",
-          "ruleAction": "warn",
-          "score": 33.75,
-          "configVersion": "1.0",
-          "inputs": {
-            "severityWeight": 75,
-            "trustWeight": 1,
-            "reachabilityWeight": 0.45,
-            "baseScore": 33.75,
-            "reachability.runtime": 0.45,
-            "warnPenalty": 15,
-            "unknownConfidence": 0.35,
-            "unknownAgeDays": 9
-          },
-          "unknownConfidence": 0.35,
-          "confidenceBand": "medium",
-          "unknownAgeDays": 9
-        },
-        "changed": true
-      }
-    ]
-  }
-}
+{
+  "previewRequest": {
+    "imageDigest": "sha256:7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234",
+    "findings": [
+      {
+        "id": "library:pkg/openssl@1.1.1w",
+        "severity": "Unknown",
+        "source": "NVD",
+        "tags": [
+          "trust:vendor",
+          "reachability:unknown",
+          "unknown-age-days:5"
+        ]
+      },
+      {
+        "id": "library:pkg/zlib@1.3.1",
+        "severity": "High",
+        "source": "NVD",
+        "tags": [
+          "state:unknown",
+          "reachability:runtime",
+          "unknown-since:2025-10-10T00:00:00Z",
+          "observed-at:2025-10-19T12:00:00Z"
+        ]
+      }
+    ],
+    "baseline": [
+      {
+        "findingId": "library:pkg/openssl@1.1.1w",
+        "status": "Pass",
+        "score": 0,
+        "configVersion": "1.0",
+        "inputs": {
+          "severityWeight": 25,
+          "trustWeight": 1,
+          "reachabilityWeight": 0.45,
+          "baseScore": 11.25
+        },
+        "quiet": false
+      },
+      {
+        "findingId": "library:pkg/zlib@1.3.1",
+        "status": "Pass",
+        "score": 0,
+        "configVersion": "1.0",
+        "inputs": {
+          "severityWeight": 75,
+          "trustWeight": 1,
+          "reachabilityWeight": 0.45,
+          "baseScore": 33.75
+        },
+        "quiet": false
+      }
+    ]
+  },
+  "previewResponse": {
+    "success": true,
+    "policyDigest": "8a0f72f8dc5c51c46991db3bba34e9b3c0c8e944a7a6d0a9c29a9aa6b8439876",
+    "revisionId": "rev-42",
+    "changed": 2,
+    "diffs": [
+      {
+        "findingId": "library:pkg/openssl@1.1.1w",
+        "baseline": {
+          "findingId": "library:pkg/openssl@1.1.1w",
+          "status": "Pass",
+          "score": 0,
+          "configVersion": "1.0",
+          "inputs": {
+            "severityWeight": 25,
+            "trustWeight": 1,
+            "reachabilityWeight": 0.45,
+            "baseScore": 11.25
+          },
+          "quiet": false
+        },
+        "projected": {
+          "findingId": "library:pkg/openssl@1.1.1w",
+          "status": "Blocked",
+          "ruleName": "Block vendor unknowns",
+          "ruleAction": "block",
+          "notes": "Unknown vendor telemetry — medium confidence band.",
+          "score": 19.5,
+          "configVersion": "1.0",
+          "inputs": {
+            "severityWeight": 50,
+            "trustWeight": 0.65,
+            "reachabilityWeight": 0.6,
+            "baseScore": 19.5,
+            "trustWeight.vendor": 0.65,
+            "reachability.unknown": 0.6,
+            "unknownConfidence": 0.55,
+            "unknownAgeDays": 5
+          },
+          "quietedBy": null,
+          "quiet": false,
+          "unknownConfidence": 0.55,
+          "confidenceBand": "medium",
+          "unknownAgeDays": 5,
+          "sourceTrust": "vendor",
+          "reachability": "unknown"
+        },
+        "changed": true
+      },
+      {
+        "findingId": "library:pkg/zlib@1.3.1",
+        "baseline": {
+          "findingId": "library:pkg/zlib@1.3.1",
+          "status": "Pass",
+          "score": 0,
+          "configVersion": "1.0",
+          "inputs": {
+            "severityWeight": 75,
+            "trustWeight": 1,
+            "reachabilityWeight": 0.45,
+            "baseScore": 33.75
+          },
+          "quiet": false
+        },
+        "projected": {
+          "findingId": "library:pkg/zlib@1.3.1",
+          "status": "Warned",
+          "ruleName": "Runtime mitigation required",
+          "ruleAction": "warn",
+          "notes": "Runtime reachable unknown — mitigation window required.",
+          "score": 18.75,
+          "configVersion": "1.0",
+          "inputs": {
+            "severityWeight": 75,
+            "trustWeight": 1,
+            "reachabilityWeight": 0.45,
+            "baseScore": 33.75,
+            "reachability.runtime": 0.45,
+            "warnPenalty": 15,
+            "unknownConfidence": 0.35,
+            "unknownAgeDays": 13
+          },
+          "quietedBy": null,
+          "quiet": false,
+          "unknownConfidence": 0.35,
+          "confidenceBand": "medium",
+          "unknownAgeDays": 13,
+          "sourceTrust": "NVD",
+          "reachability": "runtime"
+        },
+        "changed": true
+      }
+    ],
+    "issues": []
+  }
+}

samples/policy/policy-report-unknown.json

@@ -0,0 +1,141 @@
+{
+  "reportRequest": {
+    "imageDigest": "sha256:7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234",
+    "findings": [
+      {
+        "id": "library:pkg/openssl@1.1.1w",
+        "severity": "Unknown",
+        "source": "NVD",
+        "tags": [
+          "trust:vendor",
+          "reachability:unknown",
+          "unknown-age-days:5"
+        ]
+      },
+      {
+        "id": "library:pkg/zlib@1.3.1",
+        "severity": "High",
+        "source": "NVD",
+        "tags": [
+          "state:unknown",
+          "reachability:runtime",
+          "unknown-since:2025-10-10T00:00:00Z",
+          "observed-at:2025-10-19T12:00:00Z"
+        ]
+      }
+    ],
+    "baseline": [
+      {
+        "findingId": "library:pkg/openssl@1.1.1w",
+        "status": "Pass",
+        "score": 0,
+        "configVersion": "1.0",
+        "inputs": {
+          "severityWeight": 25,
+          "trustWeight": 1,
+          "reachabilityWeight": 0.45,
+          "baseScore": 11.25
+        },
+        "quiet": false
+      },
+      {
+        "findingId": "library:pkg/zlib@1.3.1",
+        "status": "Pass",
+        "score": 0,
+        "configVersion": "1.0",
+        "inputs": {
+          "severityWeight": 75,
+          "trustWeight": 1,
+          "reachabilityWeight": 0.45,
+          "baseScore": 33.75
+        },
+        "quiet": false
+      }
+    ]
+  },
+  "reportResponse": {
+    "report": {
+      "reportId": "report-9f8cde21aab54321",
+      "imageDigest": "sha256:7dbe0c9a5d4f1c8184007e9d94dbe55928f8a2db5ab9c1c2d4a2f7bbcdfe1234",
+      "generatedAt": "2025-10-23T15:32:22Z",
+      "verdict": "blocked",
+      "policy": {
+        "revisionId": "rev-42",
+        "digest": "8a0f72f8dc5c51c46991db3bba34e9b3c0c8e944a7a6d0a9c29a9aa6b8439876"
+      },
+      "summary": {
+        "total": 2,
+        "blocked": 1,
+        "warned": 1,
+        "ignored": 0,
+        "quieted": 0
+      },
+      "verdicts": [
+        {
+          "findingId": "library:pkg/openssl@1.1.1w",
+          "status": "Blocked",
+          "ruleName": "Block vendor unknowns",
+          "ruleAction": "block",
+          "notes": "Unknown vendor telemetry — medium confidence band.",
+          "score": 19.5,
+          "configVersion": "1.0",
+          "inputs": {
+            "severityWeight": 50,
+            "trustWeight": 0.65,
+            "reachabilityWeight": 0.6,
+            "baseScore": 19.5,
+            "trustWeight.vendor": 0.65,
+            "reachability.unknown": 0.6,
+            "unknownConfidence": 0.55,
+            "unknownAgeDays": 5
+          },
+          "quietedBy": null,
+          "quiet": false,
+          "unknownConfidence": 0.55,
+          "confidenceBand": "medium",
+          "unknownAgeDays": 5,
+          "sourceTrust": "vendor",
+          "reachability": "unknown"
+        },
+        {
+          "findingId": "library:pkg/zlib@1.3.1",
+          "status": "Warned",
+          "ruleName": "Runtime mitigation required",
+          "ruleAction": "warn",
+          "notes": "Runtime reachable unknown — mitigation window required.",
+          "score": 18.75,
+          "configVersion": "1.0",
+          "inputs": {
+            "severityWeight": 75,
+            "trustWeight": 1,
+            "reachabilityWeight": 0.45,
+            "baseScore": 33.75,
+            "reachability.runtime": 0.45,
+            "warnPenalty": 15,
+            "unknownConfidence": 0.35,
+            "unknownAgeDays": 13
+          },
+          "quietedBy": null,
+          "quiet": false,
+          "unknownConfidence": 0.35,
+          "confidenceBand": "medium",
+          "unknownAgeDays": 13,
+          "sourceTrust": "NVD",
+          "reachability": "runtime"
+        }
+      ],
+      "issues": []
+    },
+    "dsse": {
+      "payloadType": "application/vnd.stellaops.report+json",
+      "payload": "eyJyZXBvcnQiOnsicmVwb3J0SWQiOiJyZXBvcnQtOWY4Y2RlMjFhYWI1NDMyMSJ9fQ==",
+      "signatures": [
+        {
+          "keyId": "scanner-report-signing",
+          "algorithm": "hs256",
+          "signature": "MEQCIGHscnJ2bm9wYXlsb2FkZXIAIjANBgkqhkiG9w0BAQsFAAOCAQEASmFja3Nvbk1ldGE="
+        }
+      ]
+    }
+  }
+}