Add ability to list plugins from CLI

[dosisod]

Currently there is no CLI flag/command to view supported plugins, nor whether a plugin is enabled by default. This leads to confusion such as google/osv-scalibr#618 (comment), in which I saw .csproj file detection was supported, but only if you explicitly enable it.

Perhaps a plugin command could solve this? For example:

$ osv-scanner plugin ls
javascript/packagejson (enabled)
dotnet/csproj (disabled)

Or, if --experimental-plugins is used without a value, it could list the available plugins:

$ osv-scanner --experimental-plugins
Available plugins:
...

$ osv-scanner --experimental-no-default-plugins --experimental-plugins
No plugins available

[Ly-Joey]

I think listing available plugins in CLI is a good idea!
But I'm hesitant to do the same for experimental plugins. Technically, you can put any plugin from osv-scalibr's supported plugins page into the flag, but there is no guarantee that osv-scanner can fully support them (e.g. parsing and displaying the results properly). So listing experimental plugins from osv-scanner CLI might lead to confusion.

[dosisod]

One idea is to mimic Ruff's preview mode, which allows you to opt-in to experimental features. The agreement is that if you use preview features, you acknowledge there may be false positives, bugs, crashes, required config changes, renames or other side effects. This may be desirable if you A) don't mind tweaking your config file between OSV updates, or B) you'd rather have experimental plugins that mostly work than not having any scanning capabilities at all.

Ruff also has a pretty robust rule selection mechanism, allowing you to enable/disable classes of rules, or enable/disable subsections of them.

For example, a top-level osv-scanner.toml configuration file might look something like this:

# Allows for enabling of preview/experimental rules
preview = true

enable = [
  # enable everything
  # "*",

  # enable all JS rules
  "javascript/*",

  # enable all Python rules
  "python/*",

  # enable specific .NET rules
  "dotnet/csproj",
]

disable = [
  # disable specific Python rules
  "python/wheelegg",  
]

You would need to document which method takes priority (enable or disable), but this would provide a lot of flexibility.