Add malicious-package-report MISP object template for OSV (OpenSSF malicious-packages)#518

Merged
adulau merged 1 commit into main from codex/propose-misp-module-updates-for-malicious-packages on May 7, 2026
Conversation

@adulau

@adulau adulau commented May 7, 2026

Motivation

  • Provide a structured MISP object to represent malicious open-source package reports published in OSV format (e.g., OpenSSF malicious-packages) that the generic software-package object does not fully model.
  • Preserve feed-specific metadata and IoCs by mapping database_specific.iocs and database_specific.malicious-packages-origins into first-class MISP attributes for ingestion and correlation.
  • Enable analysts to capture report lifecycle and provenance (report identifiers, modified timestamps, origin source and sha256) alongside behavioral analysis details.

Description

  • Added objects/malicious-package-report/definition.json containing attributes ecosystem, package-name, affected-version, affected-range, analysis, ioc-domain, ioc-ip, ioc-url, reference, report-id, report-modified, origin-source, origin-sha256, and state.
  • Attributes are mapped to MISP types (e.g., domain, ip-dst, url, sha256, link, datetime) and the object sets requiredOneOf to package-name or report-id with meta-category: misc and version: 1.
  • Design is additive and non-breaking so existing templates such as software-package can still be used in parallel and relationship links can be created when both generic package context and malicious-report context are desired.

Testing

  • Ran ./validate_all.sh, which failed in this environment due to a missing uuidparse dependency required by the repository validation scripts.
  • The ./jq_all_the_things.sh step invoked during validation aborted for the same missing tooling, not due to JSON schema syntax.
  • No automated test output indicated a syntax error in the new objects/malicious-package-report/definition.json file.

Codex Task
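An added example, not code from the PR or the misp-objects project: it flattens a constructed OSV-format record into attributes of the malicious-package-report object described above and enforces its requiredOneOf rule. The layout of database_specific.iocs, the text type for the non-IoC relations, and the withdrawn-to-state mapping are assumptions.

```python
import json
# Constructed OSV-style record. The layout under database_specific.iocs is an
# assumption, and the id, hash and hosts are placeholders, not a real report.
SAMPLE_OSV = {
    "id": "MAL-0000-0001", "modified": "2026-05-01T10:00:00Z",
    "details": "Install script beacons to a remote host and reads env vars.",
    "affected": [{"package": {"ecosystem": "npm", "name": "example-pkg"},
                  "versions": ["1.0.1"],
                  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}],
    "references": [{"type": "WEB", "url": "https://example.invalid/report"}],
    "database_specific": {
        "iocs": {"domains": ["c2.example.invalid"], "ips": ["192.0.2.10"], "urls": ["https://c2.example.invalid/collect"]},
        "malicious-packages-origins": [{"source": "example-scanner", "sha256": "ab" * 32}]}}

# object_relation -> MISP type; domain/ip-dst/url/sha256/link/datetime follow the
# PR text, the remaining relations are assumed to be plain text attributes.
TYPES = {"ecosystem": "text", "package-name": "text", "affected-version": "text",
         "affected-range": "text", "analysis": "text", "ioc-domain": "domain",
         "ioc-ip": "ip-dst", "ioc-url": "url", "reference": "link", "report-id": "text",
         "report-modified": "datetime", "origin-source": "text", "origin-sha256": "sha256", "state": "text"}

def osv_to_misp_attributes(rec):
    # Flatten one OSV record into MISP attributes (object_relation/type/value).
    attrs = []
    def add(rel, val):  # empty values are skipped so the requiredOneOf check is meaningful
        if val:
            attrs.append({"object_relation": rel, "type": TYPES[rel], "value": val})
    add("report-id", rec.get("id"))
    add("report-modified", rec.get("modified"))
    add("analysis", rec.get("details"))
    add("state", "withdrawn" if rec.get("withdrawn") else "active")  # assumed mapping
    for a in rec.get("affected", []):
        add("ecosystem", a.get("package", {}).get("ecosystem"))
        add("package-name", a.get("package", {}).get("name"))
        for v in a.get("versions", []):
            add("affected-version", v)
        for r in a.get("ranges", []):  # ranges are kept as canonical JSON text
            add("affected-range", json.dumps(r, sort_keys=True))
    for ref in rec.get("references", []):
        add("reference", ref.get("url"))
    ds = rec.get("database_specific", {})
    for rel, key in (("ioc-domain", "domains"), ("ioc-ip", "ips"), ("ioc-url", "urls")):
        for v in ds.get("iocs", {}).get(key, []):
            add(rel, v)
    for origin in ds.get("malicious-packages-origins", []):
        add("origin-source", origin.get("source"))
        add("origin-sha256", origin.get("sha256"))
    # enforce the template's requiredOneOf: package-name or report-id must be present
    if not {a["object_relation"] for a in attrs} & {"package-name", "report-id"}:
        raise ValueError("malicious-package-report needs package-name or report-id")
    return attrs
```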

@adulau adulau merged commit 0ba47db into main May 7, 2026
7 checks passed