
Conversation


@Demolus13 Demolus13 commented Sep 28, 2025

Summary

This Pull Request introduces a new --policy flag to the verify-policy command, allowing users to run example policies by name without specifying a file path. It also adds support for policy templates.

The new --policy (-p) flag executes a predefined policy template by name. If the template exists, it populates the <PACKAGE_PURL> placeholder with the value from the --package-url (-purl) argument and runs the policy. If the template name is not found, it lists all available templates.

Example policies

  1. A malware detection policy for the package (based on the malware detection tutorial)
     macaron analyze -purl pkg:pypi/[email protected]
     macaron verify-policy --database output/macaron.db --policy malware-detection -purl pkg:pypi/django
  2. A malware detection policy for the package and all its dependencies (based on the malware detection tutorial)
     python3.11 -m venv /tmp/.django_venv
     /tmp/.django_venv/bin/pip install django==5.0.6
     macaron analyze -purl pkg:pypi/[email protected] --python-venv "/tmp/.django_venv" --deps-depth=1
     macaron verify-policy --database output/macaron.db --policy malware-detection-dependencies -purl pkg:pypi/django
  3. Analyzing GitHub Actions (tutorial)
     macaron analyze -purl pkg:maven/org.apache.logging.log4j/[email protected]
     macaron verify-policy --database output/macaron.db --policy check-github-actions -purl pkg:maven/org.apache.logging.log4j/log4j-core

Description of changes

  • Added a --policy (-p) argument to the verify-policy CLI command, enabling users to select and run example policies from the built-in resources.
  • Updated the policy loading logic to support both file-based and named example policies. If a policy name is provided, the command loads the corresponding template from the resources/policies/datalog directory.
  • Added support for the --package-url (-purl) argument to substitute the <PACKAGE_PURL> placeholder in policy templates.
  • Added new example policy templates for common use cases.

Related issues

N/A

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.
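The lookup-by-name, placeholder substitution and fallback listing described in the PR, as an added example that is not Macaron's own code and not part of the PR description. It adds the two input checks a reviewer would want on this feature: the policy name is refused if it could escape the templates directory (no "../", no path separators), and the purl is refused if it contains characters that would terminate the quoted Datalog string the `<PACKAGE_PURL>` placeholder sits in. The directory layout, the `.dl` suffix, the sample template text and the check names in it are assumptions.

```python
"""Named policy template resolver (added example, not Macaron's code)."""
import re
import tempfile
from pathlib import Path

PLACEHOLDER = "<PACKAGE_PURL>"
TEMPLATE_SUFFIX = ".dl"  # assumed file suffix for templates

# Policy names are plain identifiers; anything containing "/", "\\" or ".."
# fails this regex and is refused before any filesystem access happens.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_\-]*$")

# Conservative purl alphabet. A value matching this cannot contain a double
# quote, backslash or newline, so it cannot break out of the "..." literal
# the template places it in (assumption: templates quote the purl as a string).
_PURL_RE = re.compile(r"^pkg:[A-Za-z0-9][A-Za-z0-9._+\-/@%:~=?#&]*$")

# Constructed sample templates in Macaron-style Datalog; the check names and
# rule shapes are assumptions made for this example.
SAMPLE_TEMPLATES = {
    "malware-detection": (
        '#include "prelude.dl"\n'
        'Policy("malware-detection", component_id, "") :-\n'
        '    check_passed(component_id, "mcn_detect_malicious_metadata_1").\n'
        'apply_policy_to("malware-detection", component_id) :-\n'
        '    is_component(component_id, "' + PLACEHOLDER + '").\n'
    ),
    "check-github-actions": (
        '#include "prelude.dl"\n'
        'Policy("check-github-actions", component_id, "") :-\n'
        '    check_passed(component_id, "mcn_github_actions_vulnerabilities_1").\n'
        'apply_policy_to("check-github-actions", component_id) :-\n'
        '    is_component(component_id, "' + PLACEHOLDER + '").\n'
    ),
}


def is_valid_policy_name(name):
    """True only for bare identifiers that cannot name a path outside the dir."""
    return bool(_NAME_RE.match(name))


def is_safe_purl(purl):
    """True only for purls that cannot escape a quoted Datalog string."""
    return bool(_PURL_RE.match(purl))


def list_templates(template_dir):
    """Names of all templates (file stems) in the directory, sorted."""
    return sorted(p.stem for p in Path(template_dir).glob("*" + TEMPLATE_SUFFIX))


def resolve_template(template_dir, name):
    """Path of the named template, or None when no such template exists."""
    if not is_valid_policy_name(name):
        raise ValueError("invalid policy name: %r" % name)
    base = Path(template_dir).resolve()
    path = (base / (name + TEMPLATE_SUFFIX)).resolve()
    # Second line of defence: the resolved file must sit directly inside base,
    # which also catches a symlinked template pointing elsewhere.
    if path.parent != base or not path.is_file():
        return None
    return path


def render_policy(template_text, purl):
    """Substitute the placeholder, refusing purls that could alter the policy."""
    if not is_safe_purl(purl):
        raise ValueError("refusing to substitute unsafe purl: %r" % purl)
    if PLACEHOLDER not in template_text:
        raise ValueError("template has no %s placeholder" % PLACEHOLDER)
    return template_text.replace(PLACEHOLDER, purl)


def load_policy(template_dir, name, purl):
    """Return (policy_text, None), or (None, available_names) when unknown."""
    path = resolve_template(template_dir, name)
    if path is None:
        return None, list_templates(template_dir)
    return render_policy(path.read_text(encoding="utf-8"), purl), None


def make_sample_templates():
    """Write the constructed templates to a temp directory and return it."""
    d = Path(tempfile.mkdtemp(prefix="policies-"))
    for name, text in SAMPLE_TEMPLATES.items():
        (d / (name + TEMPLATE_SUFFIX)).write_text(text, encoding="utf-8")
    return d


if __name__ == "__main__":
    d = make_sample_templates()
    text, available = load_policy(d, "malware-detection", "pkg:pypi/django")
    print(text if text else "unknown policy; available: " + ", ".join(available))
```

The name check runs before any filesystem access and the parent-directory comparison runs after `resolve()`, so both a literal `../` in the name and a symlink inside the templates directory are refused; the purl check is deliberately stricter than the purl spec so that a value like `pkg:pypi/django")` can never close the string literal and append its own rule to the policy.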

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 28, 2025
@Demolus13 Demolus13 self-assigned this Sep 28, 2025
@Demolus13 Demolus13 force-pushed the pgovale/example-policies branch from 30b51e3 to ce3dfd5 Compare October 7, 2025 06:22