chore(deps): upgrade ossf/si-tooling/v2 to v2.2.0 (#237)

Author: jmeridth

data/rest-data.go

@@ -239,7 +239,28 @@ func (r *RestData) loadSecurityInsights() {
 			r.Config.Logger.Error(fmt.Sprintf("failed to read security insights file: %s", err.Error()))
 			r.InsightsError = true
 		}
-		return
+	}
+	r.ensureInsightsInitialized()
+}
+
+func (r *RestData) ensureInsightsInitialized() {
+	if r.Insights.Repository == nil {
+		r.Insights.Repository = &si.Repository{}
+	}
+	if r.Insights.Project == nil {
+		r.Insights.Project = &si.Project{}
+	}
+	if r.Insights.Repository.Documentation == nil {
+		r.Insights.Repository.Documentation = &si.RepositoryDocumentation{}
+	}
+	if r.Insights.Repository.ReleaseDetails == nil {
+		r.Insights.Repository.ReleaseDetails = &si.ReleaseDetails{}
+	}
+	if r.Insights.Project.Documentation == nil {
+		r.Insights.Project.Documentation = &si.ProjectDocumentation{}
+	}
+	if r.Insights.Project.VulnerabilityReporting.Contact == nil {
+		r.Insights.Project.VulnerabilityReporting.Contact = &si.Contact{}
 	}
 }
 

data/rest_data_mock.go

@@ -29,6 +29,7 @@ func NewPayloadWithHTTPMock(base Payload, body []byte, statusCode int, httpErr e
 	if base.RestData == nil {
 		base.RestData = &RestData{}
 	}
+	base.ensureInsightsInitialized()
 	base.HttpClient = mock
 	return base
 }

data/security-posture.go

@@ -38,10 +38,10 @@ func buildSecurityPosture(repository *github.Repository, rd RestData) (SecurityP
 }
 
 func insightsClaimsSecretsTooling(insights si.SecurityInsights) bool {
-	if insights.Repository.Security.Tools == nil {
+	if insights.Repository.SecurityPosture.Tools == nil {
 		return false
 	}
-	for _, tool := range insights.Repository.Security.Tools {
+	for _, tool := range insights.Repository.SecurityPosture.Tools {
 		if tool.Type == "secret-scanning" {
 			return true
 		}

data/security-posture_test.go

@@ -39,7 +39,11 @@ func TestBuildSecurityPosture_SecretScanningEnabled(t *testing.T) {
 			},
 		},
 	}
-	rd := RestData{}
+	rd := RestData{
+		Insights: si.SecurityInsights{
+			Repository: &si.Repository{},
+		},
+	}
 	sp, err := buildSecurityPosture(repo, rd)
 	assert.NoError(t, err)
 	assert.True(t, sp.PreventsPushingSecrets())
@@ -56,9 +60,9 @@ func TestBuildSecurityPosture_SecretScanningDisabledButInsightsTooling(t *testin
 	}
 	rd := RestData{
 		Insights: si.SecurityInsights{
-			Repository: si.Repository{
-				Security: si.SecurityInfo{
-					Tools: []si.Tool{
+			Repository: &si.Repository{
+				SecurityPosture: si.SecurityPosture{
+					Tools: []si.SecurityTool{
 						{Type: "secret-scanning"},
 					},
 				},
@@ -73,9 +77,9 @@ func TestBuildSecurityPosture_SecretScanningDisabledButInsightsTooling(t *testin
 
 func TestInsightsClaimsSecretsTooling(t *testing.T) {
 	insights := si.SecurityInsights{
-		Repository: si.Repository{
-			Security: si.SecurityInfo{
-				Tools: []si.Tool{
+		Repository: &si.Repository{
+			SecurityPosture: si.SecurityPosture{
+				Tools: []si.SecurityTool{
 					{Type: "secret-scanning"},
 					{Type: "other-tool"},
 				},
@@ -84,11 +88,11 @@ func TestInsightsClaimsSecretsTooling(t *testing.T) {
 	}
 	assert.True(t, insightsClaimsSecretsTooling(insights))
 
-	insights.Repository.Security.Tools = []si.Tool{
+	insights.Repository.SecurityPosture.Tools = []si.SecurityTool{
 		{Type: "other-tool"},
 	}
 	assert.False(t, insightsClaimsSecretsTooling(insights))
 
-	insights.Repository.Security.Tools = nil
+	insights.Repository.SecurityPosture.Tools = nil
 	assert.False(t, insightsClaimsSecretsTooling(insights))
 }

evaluation_plans/osps/build_release/steps.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/gemaraproj/go-gemara"
+	"github.com/ossf/si-tooling/v2/si"
 	"github.com/rhysd/actionlint"
 
 	"github.com/revanite-io/pvtr-github-repo/data"
@@ -185,48 +186,60 @@ func ReleaseHasUniqueIdentifier(payloadData any) (result gemara.Result, message
 }
 
 func getLinks(data data.Payload) []string {
-	si := data.Insights
-	links := []string{
-		si.Header.URL,
-		si.Header.ProjectSISource,
-		si.Project.Homepage,
-		si.Project.Roadmap,
-		si.Project.Funding,
-		si.Project.Documentation.DetailedGuide,
-		si.Project.Documentation.CodeOfConduct,
-		si.Project.Documentation.QuickstartGuide,
-		si.Project.Documentation.ReleaseProcess,
-		si.Project.Documentation.SignatureVerification,
-		si.Project.Vulnerability.BugBountyProgram,
-		si.Project.Vulnerability.SecurityPolicy,
-		si.Repository.URL,
-		si.Repository.License.URL,
-		si.Repository.Security.Assessments.Self.Evidence,
+	ins := data.Insights
+	var links []string
+
+	addURL := func(u si.URL) { links = append(links, string(u)) }
+	addURLPtr := func(u *si.URL) {
+		if u != nil {
+			links = append(links, string(*u))
+		}
 	}
+
+	addURL(ins.Header.URL)
+	addURLPtr(ins.Header.ProjectSISource)
+	addURLPtr(ins.Project.HomePage)
+	addURLPtr(ins.Project.Roadmap)
+	addURLPtr(ins.Project.Funding)
+	addURLPtr(ins.Project.Documentation.DetailedGuide)
+	addURLPtr(ins.Project.Documentation.CodeOfConduct)
+	addURLPtr(ins.Project.Documentation.QuickstartGuide)
+	addURLPtr(ins.Project.Documentation.ReleaseProcess)
+	addURLPtr(ins.Project.Documentation.SignatureVerification)
+	addURLPtr(ins.Project.VulnerabilityReporting.BugBountyProgram)
+	addURLPtr(ins.Project.VulnerabilityReporting.Policy)
+	addURL(ins.Repository.Url)
+	addURL(ins.Repository.License.Url)
+	addURLPtr(ins.Repository.SecurityPosture.Assessments.Self.Evidence)
+
 	if data.RepositoryMetadata.OrganizationBlogURL() != nil {
 		links = append(links, *data.RepositoryMetadata.OrganizationBlogURL())
 	}
-	for _, repo := range si.Project.Repositories {
-		links = append(links, repo.URL)
+	for _, repo := range ins.Project.Repositories {
+		addURL(repo.Url)
 	}
-
-	for _, repo := range si.Repository.Security.Assessments.ThirdParty {
-		links = append(links, repo.Evidence)
+	for _, assessment := range ins.Repository.SecurityPosture.Assessments.ThirdPartyAssessment {
+		addURLPtr(assessment.Evidence)
 	}
-
-	for _, tool := range si.Repository.Security.Tools {
-		links = append(links, tool.Results.Adhoc.Location)
-		links = append(links, tool.Results.CI.Location)
-		links = append(links, tool.Results.Release.Location)
+	for _, tool := range ins.Repository.SecurityPosture.Tools {
+		if tool.Results.Adhoc != nil {
+			addURL(tool.Results.Adhoc.Location)
+		}
+		if tool.Results.CI != nil {
+			addURL(tool.Results.CI.Location)
+		}
+		if tool.Results.Release != nil {
+			addURL(tool.Results.Release.Location)
+		}
 	}
 	return links
 }
 
 func insecureURI(uri string) bool {
-	if !strings.HasPrefix(uri, "https://") ||
-		!strings.HasPrefix(uri, "ssh:") ||
-		!strings.HasPrefix(uri, "git:") ||
-		!strings.HasPrefix(uri, "git@") {
+	if strings.HasPrefix(uri, "https://") ||
+		strings.HasPrefix(uri, "ssh:") ||
+		strings.HasPrefix(uri, "git:") ||
+		strings.HasPrefix(uri, "git@") {
 		return false
 	}
 	return true
@@ -270,7 +283,7 @@ func InsightsHasSlsaAttestation(payloadData any) (result gemara.Result, message
 		return gemara.Unknown, message, confidence
 	}
 
-	attestations := data.Insights.Repository.Release.Attestations
+	attestations := data.Insights.Repository.ReleaseDetails.Attestations
 
 	for _, attestation := range attestations {
 		if attestation.PredicateURI == "https://slsa.dev/provenance/v1" {
@@ -286,16 +299,16 @@ func DistributionPointsUseHTTPS(payloadData any) (result gemara.Result, message
 		return gemara.Unknown, message, confidence
 	}
 
-	distributionPoints := data.Insights.Repository.Release.DistributionPoints
+	distributionPoints := data.Insights.Repository.ReleaseDetails.DistributionPoints
 
 	if len(distributionPoints) == 0 {
 		return gemara.NotApplicable, "No official distribution points found in Security Insights data", confidence
 	}
 
 	var badURIs []string
 	for _, point := range distributionPoints {
-		if insecureURI(point.URI) {
-			badURIs = append(badURIs, point.URI)
+		if insecureURI(point.Uri) {
+			badURIs = append(badURIs, point.Uri)
 		}
 	}
 	if len(badURIs) > 0 {

evaluation_plans/osps/docs/steps.go

@@ -26,7 +26,7 @@ func HasUserGuides(payloadData any) (result gemara.Result, message string, confi
 		return gemara.Unknown, message, confidence
 	}
 
-	if data.Insights.Project.Documentation.DetailedGuide == "" {
+	if data.Insights.Project.Documentation.DetailedGuide == nil {
 		return gemara.Failed, "User guide was NOT specified in Security Insights data", confidence
 	}
 
@@ -39,7 +39,7 @@ func AcceptsVulnReports(payloadData any) (result gemara.Result, message string,
 		return gemara.Unknown, message, confidence
 	}
 
-	if data.Insights.Project.Vulnerability.ReportsAccepted {
+	if data.Insights.Project.VulnerabilityReporting.ReportsAccepted {
 		return gemara.Passed, "Repository accepts vulnerability reports", confidence
 	}
 
@@ -52,7 +52,7 @@ func HasSignatureVerificationGuide(payloadData any) (result gemara.Result, messa
 		return gemara.Unknown, message, confidence
 	}
 
-	if data.Insights.Project.Documentation.SignatureVerification == "" {
+	if data.Insights.Project.Documentation.SignatureVerification == nil {
 		return gemara.Failed, "Signature verification guide was NOT specified in Security Insights data", confidence
 	}
 
@@ -65,7 +65,7 @@ func HasDependencyManagementPolicy(payloadData any) (result gemara.Result, messa
 		return gemara.Unknown, message, confidence
 	}
 
-	if data.Insights.Repository.Documentation.DependencyManagement == "" {
+	if data.Insights.Repository.Documentation.DependencyManagementPolicy == nil {
 		return gemara.Failed, "Dependency management policy was NOT specified in Security Insights data", confidence
 	}
 
@@ -78,7 +78,7 @@ func HasIdentityVerificationGuide(payloadData any) (result gemara.Result, messag
 		return gemara.Unknown, message, confidence
 	}
 
-	if data.Insights.Project.Documentation.SignatureVerification == "" {
+	if data.Insights.Project.Documentation.SignatureVerification == nil {
 		return gemara.Failed, "Identity verification guide was NOT specified in Security Insights data (checked signature-verification field)", confidence
 	}
 

evaluation_plans/osps/governance/steps.go

@@ -37,7 +37,7 @@ func HasRolesAndResponsibilities(payloadData any) (result gemara.Result, message
 		return gemara.Unknown, message, confidence
 	}
 
-	if data.Insights.Repository.Documentation.Governance == "" {
+	if data.Insights.Repository.Documentation.Governance == nil {
 		return gemara.Failed, "Roles and responsibilities were NOT specified in Security Insights data", confidence
 	}
 
@@ -50,11 +50,11 @@ func HasContributionGuide(payloadData any) (result gemara.Result, message string
 		return gemara.Unknown, message, confidence
 	}
 
-	if data.Insights.Project.Documentation.CodeOfConduct != "" && data.Insights.Repository.Documentation.Contributing != "" {
+	if data.Insights.Project.Documentation.CodeOfConduct != nil && data.Insights.Repository.Documentation.ContributingGuide != nil {
 		return gemara.Passed, "Contributing guide specified in Security Insights data (Bonus: code of conduct location also specified)", confidence
 	}
 
-	if data.Repository.ContributingGuidelines.Body != "" && data.Insights.Project.Documentation.CodeOfConduct != "" {
+	if data.Repository.ContributingGuidelines.Body != "" && data.Insights.Project.Documentation.CodeOfConduct != nil {
 		return gemara.Passed, "Contributing guide was found via GitHub API (Bonus: code of conduct was specified in Security Insights data)", confidence
 	}
 
@@ -73,7 +73,7 @@ func HasContributionReviewPolicy(payloadData any) (result gemara.Result, message
 	if !data.IsCodeRepo {
 		return gemara.NotApplicable, "Repository contains no code - skipping code contribution policy check", confidence
 	}
-	if data.Insights.Repository.Documentation.ReviewPolicy != "" {
+	if data.Insights.Repository.Documentation.ReviewPolicy != nil {
 		return gemara.Passed, "Code review guide was specified in Security Insights data", confidence
 	}
 

evaluation_plans/osps/quality/steps_test.go

@@ -20,10 +20,10 @@ func Test_InsightsListsRepositories(t *testing.T) {
 			payload: data.Payload{
 				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
-						Project: si.Project{
-							Repositories: []si.Repo{
-								si.Repo{
-									URL: "https://github.com/org/repo",
+						Project: &si.Project{
+							Repositories: []si.ProjectRepository{
+								{
+									Url: "https://github.com/org/repo",
 								},
 							},
 						},
@@ -38,8 +38,8 @@ func Test_InsightsListsRepositories(t *testing.T) {
 			payload: data.Payload{
 				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
-						Project: si.Project{
-							Repositories: []si.Repo{},
+						Project: &si.Project{
+							Repositories: []si.ProjectRepository{},
 						},
 					},
 				},
@@ -51,7 +51,9 @@ func Test_InsightsListsRepositories(t *testing.T) {
 			name: "insights is nil",
 			payload: data.Payload{
 				RestData: &data.RestData{
-					Insights: si.SecurityInsights{},
+					Insights: si.SecurityInsights{
+						Project: &si.Project{},
+					},
 				},
 			},
 			wantResult: gemara.Failed,

evaluation_plans/osps/sec_assessment/steps.go

@@ -65,7 +65,7 @@ func HasDesignDocumentation(payloadData any) (result gemara.Result, message stri
 	}
 
 	// Fallback: check if DetailedGuide is specified in Security Insights
-	if data.RestData != nil && data.Insights.Project.Documentation.DetailedGuide != "" {
+	if data.RestData != nil && data.Insights.Project.Documentation.DetailedGuide != nil {
 		return gemara.NeedsReview, "No design documentation file found, but detailed guide specified in Security Insights - manual review needed to confirm design documentation with actions and actors", confidence
 	}