feat: Add enterprise-grade suppression system and OSV provider v0.8.0

## New Features

### Suppression Engine
- Add SuppressionEngine for comprehensive finding suppression
- Support global path ignores via rules.ignore_paths config
- Support per-rule path ignores via rules.ignore_paths_by_rule
- Built-in default presets for test/example directories
- Security rules (command-injection, hardcoded-secret, etc.) can only
  be suppressed via inline comments with reason
- Default presets automatically enabled in --mode pr and --mode ci
- Suppression metadata added to Finding.properties for traceability
- SARIF output includes suppression information

### OSV Provider (Stage 2 lite)
- Add reachability confidence layer based on import detection
- Detect imports for npm (JS/TS), Go, and Rust ecosystems
- Normalize imports to package names
- Set finding.properties.reachability = "imported" or "present"
- Add import_hits count and import_files_sample (up to 3)
- Add caching with configurable TTL and offline mode
- Add cache management command: rma cache

### Other Changes
- Bump version to 0.8.0
- Update doctor command to show all providers
- Add 16+ new tests for suppression engine
- Add 5 new tests for import detection

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: bumahkib7

Cargo.lock

@@ -13,7 +13,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.7.0"
+version = "0.8.0"
 edition = "2024"
 authors = ["Rust Monorepo Analyzer Team"]
 license = "MIT OR Apache-2.0"

Cargo.toml

@@ -6,8 +6,8 @@ edition.workspace = true
 license.workspace = true
 
 [dependencies]
-rma-common = { version = "0.7.0", path = "../common" }
-rma-parser = { version = "0.7.0", path = "../parser" }
+rma-common = { version = "0.8.0", path = "../common" }
+rma-parser = { version = "0.8.0", path = "../parser" }
 anyhow.workspace = true
 thiserror.workspace = true
 tracing.workspace = true

crates/ai/Cargo.toml

@@ -149,6 +149,7 @@ impl AiFinding {
             confidence,
             category,
             fingerprint: None,
+            properties: None,
         };
         finding.compute_fingerprint();
         finding

crates/ai/src/lib.rs

@@ -6,8 +6,8 @@ edition.workspace = true
 license.workspace = true
 
 [dependencies]
-rma-common = { version = "0.7.0", path = "../common" }
-rma-parser = { version = "0.7.0", path = "../parser" }
+rma-common = { version = "0.8.0", path = "../common" }
+rma-parser = { version = "0.8.0", path = "../parser" }
 anyhow.workspace = true
 thiserror.workspace = true
 tracing.workspace = true
@@ -21,6 +21,8 @@ quick-xml = { version = "0.31", features = ["serialize"] }
 shellexpand = "3"
 rustsec.workspace = true
 walkdir.workspace = true
+reqwest = { version = "0.12", features = ["blocking", "json"] }
+toml = "0.8"
 
 # Native JS/TS linting via oxc
 oxc_linter.workspace = true

crates/analyzer/Cargo.toml

@@ -162,6 +162,26 @@ impl AnalyzerEngine {
                         );
                     }
                 }
+                ProviderType::Oxc => {
+                    let oxc = providers::OxcNativeProvider::new();
+                    if oxc.is_available() {
+                        info!(
+                            "Oxc native provider registered (version: {:?})",
+                            oxc.version()
+                        );
+                        self.provider_registry.register(Box::new(oxc));
+                    }
+                }
+                ProviderType::Osv => {
+                    let osv = providers::OsvProvider::new(config.osv.clone());
+                    if osv.is_available() {
+                        info!("OSV provider registered (version: {:?})", osv.version());
+                        self.provider_registry.register(Box::new(osv));
+                    } else {
+                        // This should never happen since OsvProvider is always available
+                        warn!("OSV provider unexpectedly unavailable");
+                    }
+                }
             }
         }
     }

crates/analyzer/src/lib.rs

@@ -208,6 +208,7 @@ impl GosecProvider {
             confidence,
             category,
             fingerprint: None,
+            properties: None,
         };
 
         finding.compute_fingerprint();