Add support for CEL policy conditions

[nscuro]

Description

This PR adds support for policy conditions using the Common Expression Language (CEL), as originally brought up in DependencyTrack/dependency-track#2673.

Corresponding frontend changes are here: https://github.com/nscuro/dependency-track-frontend/tree/cel-policies-hyades

TODOs

• Implement remaining CelPolicyScriptSourceBuilders for compatibility with legacy conditions:
  • @VithikaS Coordinates
    • Bare-bones implementation already exists, but is missing proper version handling
  • ComponentAge
    • Can be implemented once the published date logic for a component has been updated via the issue: Support component integrity verification hyades#699
  • @VithikaS Version
• Implement tests for all CelPolicyScriptSourceBuilders
  • Won't be done; We have tests for the actual conditions now
• @nscuro Reduce code duplication in CelPolicyEngine that was introduced during initial implementation
• @nscuro Implement thorough test suite for CelPolicyEngine, that exercises:
  • All legacy policy conditions (new implementations should behave exactly like legacy ones)
  • All custom functions defined in CelPolicyLibrary
  • Loading of all fields defined in policy.proto
• @nscuro Write documentation, including:
  • Overview of CEL
  • What variables, fields, functions, etc. are available
  • Example policies
  • Will be done in a separate PR in the hyades repository

Addressed Issue

N/A

Additional Details

CEL Language Definition: https://github.com/google/cel-spec/blob/master/doc/langdef.md
CEL-Java implementation by Project Nessie: https://github.com/projectnessie/cel-java

Example expressions

// Spring Framework components affected by CVE-2022-22965,
// where the project is packaged as WAR, and embedded Tomcat
// is present in the project.
vulns.exists(vuln, vuln.id == "CVE-2022-22965") 
  && component.name.matches("^spring-.*")
  && project.purl.contains("type=war")
  && project.depends_on(org.dependencytrack.policy.v1.Component{
       group: "org.apache.tomcat.embed",
       name: "tomcat-embed-core"
     })

// Components in public-facing projects, with at least one HIGH or CRITICAL 
// vulnerability, where the CVSSv3 attack vector is "Network".
"public-facing" in project.tags
  && vulns.exists(vuln, 
       vuln.severity in ["HIGH", "CRITICAL"] 
       && vuln.cvssv3_vector.matches(".*/AV:N/.*")
     )

// "Blacklist" of specific, high-profile vulnerabilities in projects acquired from a third party.
"3rd-party" in project.tags
  && vulns.exists(vuln, vuln.id in [
       "CVE-2017-5638",  // struts RCE
       "CVE-2021-44228", // log4shell
       "CVE-2022-22965", // spring4shell
     ])

// Components where the PURL matches a certain pattern,
// and the version matches a given range.
// 
// Supports PURL version range notation with 1-N (potentially ecosystem-specific) constraints:
//   https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst
component.purl.matches("^pkg:maven/com.acme/acme-lib\\b.*") 
   && component.matches_range("vers:maven/>0|<1|!=0.2.4")

// Components with non-permissive licenses.
component.resolved_license.groups.exists(licenseGroup, licenseGroup.name == "Permissive")

Behavior changes over legacy policy engine

• Each policy condition can now only yield one violation per component. Previously, evaluators like SeverityPolicyEvaluator and VulnerabilityIdPolicyEvaluator could yield multiple violations; One for each matched vulnerability. Because violations are attached to components, not individual vulnerabilities, this behavior did not make sense. It is thus not carried over to the CEL policy engine.

Checklist

• I have read and understand the contributing guidelines
• This PR fixes a defect, and I have provided tests to verify that the fix is effective
• This PR implements an enhancement, and I have provided tests to verify that it works as intended
• This PR introduces changes to the database model, and I have added corresponding update logic
• This PR introduces new or alters existing behavior, and I have updated the documentation accordingly