chore: integrate against new version of si-tooling

trumant · trumant · commit fbfbd093d16b · 2025-05-08T09:22:54.000-04:00
Signed-off-by: Travis Truman &lt;trumant@gmail.com&gt;
diff --git a/evaluation_plans/osps/build_release/steps.go b/evaluation_plans/osps/build_release/steps.go
@@ -177,37 +177,37 @@ func releaseHasUniqueIdentifier(payloadData interface{}, _ map[string]*layer4.Ch
 func getLinks(data data.Payload) []string {
 	si := data.Insights
 	links := []string{
-		si.Header.URL,
-		si.Header.ProjectSISource,
-		si.Project.Homepage,
-		si.Project.Roadmap,
-		si.Project.Funding,
-		si.Project.Documentation.DetailedGuide,
-		si.Project.Documentation.CodeOfConduct,
-		si.Project.Documentation.QuickstartGuide,
-		si.Project.Documentation.ReleaseProcess,
-		si.Project.Documentation.SignatureVerification,
-		si.Project.Vulnerability.BugBountyProgram,
-		si.Project.Vulnerability.SecurityPolicy,
-		si.Repository.URL,
-		si.Repository.License.URL,
-		si.Repository.Security.Assessments.Self.Evidence,
+		si.Header.URL.String(),
+		si.Header.ProjectSISource.String(),
+		si.Project.Homepage.String(),
+		si.Project.Roadmap.String(),
+		si.Project.Funding.String(),
+		si.Project.ProjectDocumentation.DetailedGuide.String(),
+		si.Project.ProjectDocumentation.CodeOfConduct.String(),
+		si.Project.ProjectDocumentation.QuickstartGuide.String(),
+		si.Project.ProjectDocumentation.ReleaseProcess.String(),
+		si.Project.ProjectDocumentation.SignatureVerification.String(),
+		si.Project.VulnerabilityReporting.BugBountyProgram.String(),
+		si.Project.VulnerabilityReporting.SecurityPolicy.String(),
+		si.Repository.Url.String(),
+		si.Repository.License.Url.String(),
+		si.Repository.SecurityPosture.Assessments.Self.Evidence.String(),
 	}
 	if data.RepositoryMetadata.OrganizationBlogURL() != nil {
 		links = append(links, *data.RepositoryMetadata.OrganizationBlogURL())
 	}
 	for _, repo := range si.Project.Repositories {
-		links = append(links, repo.URL)
+		links = append(links, repo.Url.String())
 	}
 
-	for _, repo := range si.Repository.Security.Assessments.ThirdParty {
-		links = append(links, repo.Evidence)
+	for _, repo := range si.Repository.SecurityPosture.Assessments.ThirdPartyAssessment {
+		links = append(links, repo.Evidence.String())
 	}
 
-	for _, tool := range si.Repository.Security.Tools {
-		links = append(links, tool.Results.Adhoc.Location)
-		links = append(links, tool.Results.CI.Location)
-		links = append(links, tool.Results.Release.Location)
+	for _, tool := range si.Repository.SecurityPosture.Tools {
+		links = append(links, tool.SecurityToolResults.Adhoc.Location.String())
+		links = append(links, tool.SecurityToolResults.Ci.Location.String())
+		links = append(links, tool.SecurityToolResults.Release.Location.String())
 	}
 	return links
 }
@@ -260,7 +260,7 @@ func insightsHasSlsaAttestation(payloadData interface{}, _ map[string]*layer4.Ch
 		return layer4.Unknown, message
 	}
 
-	attestations := data.Insights.Repository.Release.Attestations
+	attestations := data.Insights.Repository.ReleaseDetails.Attestations
 
 	for _, attestation := range attestations {
 		if attestation.PredicateURI == "https://slsa.dev/provenance/v1" {
@@ -275,17 +275,15 @@ func distributionPointsUseHTTPS(payloadData interface{}, _ map[string]*layer4.Ch
 	if message != "" {
 		return layer4.Unknown, message
 	}
-
-	distributionPoints := data.Insights.Repository.Release.DistributionPoints
-
-	if len(distributionPoints) == 0 {
+	if data.Insights.Repository.ReleaseDetails == nil || (data.Insights.Repository.ReleaseDetails != nil && len(data.Insights.Repository.ReleaseDetails.DistributionPoints) == 0) {
 		return layer4.NotApplicable, "No official distribution points found in Security Insights data"
 	}
+	distributionPoints := data.Insights.Repository.ReleaseDetails.DistributionPoints
 
 	var badURIs []string
 	for _, point := range distributionPoints {
-		if insecureURI(point.URI) {
-			badURIs = append(badURIs, point.URI)
+		if insecureURI(point.Uri) {
+			badURIs = append(badURIs, point.Uri)
 		}
 	}
 	if len(badURIs) > 0 {
diff --git a/evaluation_plans/osps/docs/steps.go b/evaluation_plans/osps/docs/steps.go
@@ -26,7 +26,7 @@ func hasUserGuides(payloadData interface{}, _ map[string]*layer4.Change) (result
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Project.Documentation.DetailedGuide == "" {
+	if data.Insights.Project.ProjectDocumentation.DetailedGuide == "" {
 		return layer4.Failed, "User guide was NOT specified in Security Insights data"
 	}
 
@@ -39,7 +39,7 @@ func acceptsVulnReports(payloadData interface{}, _ map[string]*layer4.Change) (r
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Project.Vulnerability.ReportsAccepted {
+	if data.Insights.Project.VulnerabilityReporting.ReportsAccepted {
 		return layer4.Passed, "Repository accepts vulnerability reports"
 	}
 
@@ -52,7 +52,7 @@ func hasSignatureVerificationGuide(payloadData interface{}, _ map[string]*layer4
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Project.Documentation.SignatureVerification == "" {
+	if data.Insights.Project.ProjectDocumentation.SignatureVerification == "" {
 		return layer4.Failed, "Signature verification guide was NOT specified in Security Insights data"
 	}
 
@@ -65,7 +65,7 @@ func hasDependencyManagementPolicy(payloadData interface{}, _ map[string]*layer4
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Repository.Documentation.DependencyManagement == "" {
+	if data.Insights.Repository.RepositoryDocumentation.DependencyManagementPolicy.String() == "" {
 		return layer4.Failed, "Dependency management policy was NOT specified in Security Insights data"
 	}
 
diff --git a/evaluation_plans/osps/governance/steps.go b/evaluation_plans/osps/governance/steps.go
@@ -37,7 +37,7 @@ func hasRolesAndResponsibilities(payloadData interface{}, _ map[string]*layer4.C
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Repository.Documentation.Governance == "" {
+	if data.Insights.Repository.RepositoryDocumentation.Governance == "" {
 		return layer4.Failed, "Roles and responsibilities were NOT specified in Security Insights data"
 	}
 
@@ -50,11 +50,11 @@ func hasContributionGuide(payloadData interface{}, _ map[string]*layer4.Change)
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Project.Documentation.CodeOfConduct != "" && data.Insights.Repository.Documentation.Contributing != "" {
+	if data.Insights.Project.ProjectDocumentation.CodeOfConduct != "" && data.Insights.Repository.RepositoryDocumentation.ContributingGuide.String() != "" {
 		return layer4.Passed, "Contributing guide specified in Security Insights data (Bonus: code of conduct location also specified)"
 	}
 
-	if data.Repository.ContributingGuidelines.Body != "" && data.Insights.Project.Documentation.CodeOfConduct != "" {
+	if data.Repository.ContributingGuidelines.Body != "" && data.Insights.Project.ProjectDocumentation.CodeOfConduct != "" {
 		return layer4.Passed, "Contributing guide was found via GitHub API (Bonus: code of conduct was specified in Security Insights data)"
 	}
 
@@ -71,7 +71,7 @@ func hasContributionReviewPolicy(payloadData interface{}, _ map[string]*layer4.C
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Repository.Documentation.ReviewPolicy != "" {
+	if data.Insights.Repository.RepositoryDocumentation.ReviewPolicy != "" {
 		return layer4.Passed, "Code review guide was specified in Security Insights data"
 	}
 
diff --git a/evaluation_plans/osps/vuln_management/steps.go b/evaluation_plans/osps/vuln_management/steps.go
@@ -16,10 +16,10 @@ func hasSecContact(payloadData interface{}, _ map[string]*layer4.Change) (result
 
 	// TODO: Check for a contact email in SECURITY.md
 
-	if data.Insights.Project.Vulnerability.Contact.Email != "" {
+	if data.Insights.Project.VulnerabilityReporting.Contact != nil && data.Insights.Project.VulnerabilityReporting.Contact.Email.String() != "" {
 		return layer4.Passed, "Security contacts were specified in Security Insights data"
 	}
-	for _, champion := range data.Insights.Repository.Security.Champions {
+	for _, champion := range data.Insights.Repository.SecurityPosture.Champions {
 		if champion.Email != "" {
 			return layer4.Passed, "Security contacts were specified in Security Insights data"
 		}
@@ -28,18 +28,17 @@ func hasSecContact(payloadData interface{}, _ map[string]*layer4.Change) (result
 	return layer4.Failed, "Security contacts were not specified in Security Insights data"
 }
 
-
 func sastToolDefined(payloadData interface{}, _ map[string]*layer4.Change) (result layer4.Result, message string) {
 	data, message := reusable_steps.VerifyPayload(payloadData)
 	if message != "" {
 		return layer4.Unknown, message
 	}
 
-	for _,tool := range data.Insights.Repository.Security.Tools {
+	for _, tool := range data.Insights.Repository.SecurityPosture.Tools {
 		if tool.Type == "SAST" {
-			
-			enabled  := []bool { tool.Integration.Adhoc, tool.Integration.CI, tool.Integration.Release }
-			
+
+			enabled := []bool{tool.SecurityToolIntegration.Adhoc, tool.SecurityToolIntegration.Ci, tool.SecurityToolIntegration.Release}
+
 			if slices.Contains(enabled, true) {
 				return layer4.Passed, "Static Application Security Testing documented in Security Insights"
 			}
diff --git a/evaluation_plans/osps/vuln_management/steps_test.go b/evaluation_plans/osps/vuln_management/steps_test.go
@@ -10,29 +10,28 @@ import (
 )
 
 type testingData struct {
-	expectedResult layer4.Result
-	expectedMessage string
-	payloadData interface{}
+	expectedResult   layer4.Result
+	expectedMessage  string
+	payloadData      interface{}
 	assertionMessage string
 }
 
-
 func TestSastToolDefined(t *testing.T) {
-	
+
 	testData := []testingData{
 		{
-			expectedResult: layer4.Passed,
-			expectedMessage: "Static Application Security Testing documented in Security Insights",
+			expectedResult:   layer4.Passed,
+			expectedMessage:  "Static Application Security Testing documented in Security Insights",
 			assertionMessage: "Test for SAST integration enabled",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
-						Repository: si.Repository{
-							Security: si.SecurityInfo{
-								Tools: []si.Tool{
+						Repository: &si.Repository{
+							SecurityPosture: si.SecurityPosture{
+								Tools: []si.SecurityTool{
 									{
 										Type: "SAST",
-										Integration: si.Integration{
+										SecurityToolIntegration: si.SecurityToolIntegration{
 											Adhoc: true,
 										},
 									},
@@ -42,18 +41,17 @@ func TestSastToolDefined(t *testing.T) {
 					},
 				},
 			},
-			
 		},
 		{
-			expectedResult: layer4.Failed,
-			expectedMessage: "No Static Application Security Testing documented in Security Insights",
+			expectedResult:   layer4.Failed,
+			expectedMessage:  "No Static Application Security Testing documented in Security Insights",
 			assertionMessage: "Test for SAST integration present but not explicitly enabled",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
-						Repository: si.Repository{
-							Security: si.SecurityInfo{
-								Tools: []si.Tool{
+						Repository: &si.Repository{
+							SecurityPosture: si.SecurityPosture{
+								Tools: []si.SecurityTool{
 									{
 										Type: "SAST",
 									},
@@ -63,18 +61,17 @@ func TestSastToolDefined(t *testing.T) {
 					},
 				},
 			},
-			
 		},
 		{
-			expectedResult: layer4.Failed,
-			expectedMessage: "No Static Application Security Testing documented in Security Insights",
+			expectedResult:   layer4.Failed,
+			expectedMessage:  "No Static Application Security Testing documented in Security Insights",
 			assertionMessage: "Test for Non SAST tool defined",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
-						Repository: si.Repository{
-							Security: si.SecurityInfo{
-								Tools: []si.Tool{
+						Repository: &si.Repository{
+							SecurityPosture: si.SecurityPosture{
+								Tools: []si.SecurityTool{
 									{
 										Type: "NotSast",
 									},
@@ -84,31 +81,28 @@ func TestSastToolDefined(t *testing.T) {
 					},
 				},
 			},
-			
 		},
 		{
-			expectedResult: layer4.Failed,
-			expectedMessage: "No Static Application Security Testing documented in Security Insights",
+			expectedResult:   layer4.Failed,
+			expectedMessage:  "No Static Application Security Testing documented in Security Insights",
 			assertionMessage: "Test for no tools defined",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
-						Repository: si.Repository{
-							Security: si.SecurityInfo{
-							},
+						Repository: &si.Repository{
+							SecurityPosture: si.SecurityPosture{},
 						},
 					},
 				},
 			},
-			
 		},
 	}
-	
+
 	for _, test := range testData {
 		result, message := sastToolDefined(test.payloadData, nil)
 
 		assert.Equal(t, test.expectedResult, result, test.assertionMessage)
 		assert.Equal(t, test.expectedMessage, message, test.assertionMessage)
 	}
-	
-}
+
+}
diff --git a/evaluation_plans/reusable_steps/evaluations.go b/evaluation_plans/reusable_steps/evaluations.go
@@ -98,7 +98,7 @@ func HasDependencyManagementPolicy(payloadData interface{}, _ map[string]*layer4
 		return layer4.Unknown, message
 	}
 
-	if len(payload.Insights.Repository.Documentation.DependencyManagement) > 0 {
+	if len(payload.Insights.Repository.RepositoryDocumentation.DependencyManagementPolicy.String()) > 0 {
 		return layer4.Passed, "Found dependency management policy in documentation"
 	}
 
diff --git a/evaluation_plans/reusable_steps/evaluations_test.go b/evaluation_plans/reusable_steps/evaluations_test.go
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ func hasUserGuides(payloadData interface{}, _ map[string]*layer4.Change) (result`
`26`	`26`	`return layer4.Unknown, message`
`27`	`27`	`}`
`28`	`28`
`29`		`- if data.Insights.Project.Documentation.DetailedGuide == "" {`
	`29`	`+ if data.Insights.Project.ProjectDocumentation.DetailedGuide == "" {`
`30`	`30`	`return layer4.Failed, "User guide was NOT specified in Security Insights data"`
`31`	`31`	`}`
`32`	`32`
`@@ -39,7 +39,7 @@ func acceptsVulnReports(payloadData interface{}, _ map[string]*layer4.Change) (r`
`39`	`39`	`return layer4.Unknown, message`
`40`	`40`	`}`
`41`	`41`
`42`		`- if data.Insights.Project.Vulnerability.ReportsAccepted {`
	`42`	`+ if data.Insights.Project.VulnerabilityReporting.ReportsAccepted {`
`43`	`43`	`return layer4.Passed, "Repository accepts vulnerability reports"`
`44`	`44`	`}`
`45`	`45`
`@@ -52,7 +52,7 @@ func hasSignatureVerificationGuide(payloadData interface{}, _ map[string]*layer4`
`52`	`52`	`return layer4.Unknown, message`
`53`	`53`	`}`
`54`	`54`
`55`		`- if data.Insights.Project.Documentation.SignatureVerification == "" {`
	`55`	`+ if data.Insights.Project.ProjectDocumentation.SignatureVerification == "" {`
`56`	`56`	`return layer4.Failed, "Signature verification guide was NOT specified in Security Insights data"`
`57`	`57`	`}`
`58`	`58`
`@@ -65,7 +65,7 @@ func hasDependencyManagementPolicy(payloadData interface{}, _ map[string]*layer4`
`65`	`65`	`return layer4.Unknown, message`
`66`	`66`	`}`
`67`	`67`
`68`		`- if data.Insights.Repository.Documentation.DependencyManagement == "" {`
	`68`	`+ if data.Insights.Repository.RepositoryDocumentation.DependencyManagementPolicy.String() == "" {`
`69`	`69`	`return layer4.Failed, "Dependency management policy was NOT specified in Security Insights data"`
`70`	`70`	`}`
`71`	`71`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ func hasRolesAndResponsibilities(payloadData interface{}, _ map[string]*layer4.C`
`37`	`37`	`return layer4.Unknown, message`
`38`	`38`	`}`
`39`	`39`
`40`		`- if data.Insights.Repository.Documentation.Governance == "" {`
	`40`	`+ if data.Insights.Repository.RepositoryDocumentation.Governance == "" {`
`41`	`41`	`return layer4.Failed, "Roles and responsibilities were NOT specified in Security Insights data"`
`42`	`42`	`}`
`43`	`43`
`@@ -50,11 +50,11 @@ func hasContributionGuide(payloadData interface{}, _ map[string]*layer4.Change)`
`50`	`50`	`return layer4.Unknown, message`
`51`	`51`	`}`
`52`	`52`
`53`		`- if data.Insights.Project.Documentation.CodeOfConduct != "" && data.Insights.Repository.Documentation.Contributing != "" {`
	`53`	`+ if data.Insights.Project.ProjectDocumentation.CodeOfConduct != "" && data.Insights.Repository.RepositoryDocumentation.ContributingGuide.String() != "" {`
`54`	`54`	`return layer4.Passed, "Contributing guide specified in Security Insights data (Bonus: code of conduct location also specified)"`
`55`	`55`	`}`
`56`	`56`
`57`		`- if data.Repository.ContributingGuidelines.Body != "" && data.Insights.Project.Documentation.CodeOfConduct != "" {`
	`57`	`+ if data.Repository.ContributingGuidelines.Body != "" && data.Insights.Project.ProjectDocumentation.CodeOfConduct != "" {`
`58`	`58`	`return layer4.Passed, "Contributing guide was found via GitHub API (Bonus: code of conduct was specified in Security Insights data)"`
`59`	`59`	`}`
`60`	`60`
`@@ -71,7 +71,7 @@ func hasContributionReviewPolicy(payloadData interface{}, _ map[string]*layer4.C`
`71`	`71`	`return layer4.Unknown, message`
`72`	`72`	`}`
`73`	`73`
`74`		`- if data.Insights.Repository.Documentation.ReviewPolicy != "" {`
	`74`	`+ if data.Insights.Repository.RepositoryDocumentation.ReviewPolicy != "" {`
`75`	`75`	`return layer4.Passed, "Code review guide was specified in Security Insights data"`
`76`	`76`	`}`
`77`	`77`
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ func HasDependencyManagementPolicy(payloadData interface{}, _ map[string]*layer4`
`98`	`98`	`return layer4.Unknown, message`
`99`	`99`	`}`
`100`	`100`
`101`		`- if len(payload.Insights.Repository.Documentation.DependencyManagement) > 0 {`
	`101`	`+ if len(payload.Insights.Repository.RepositoryDocumentation.DependencyManagementPolicy.String()) > 0 {`
`102`	`102`	`return layer4.Passed, "Found dependency management policy in documentation"`
`103`	`103`	`}`
`104`	`104`