Implement OSPS-VM-04.01: Public vulnerability disclosure assessment

- Add hasPublicVulnerabilityDisclosure function to check for public disclosure mechanisms
- Update OSPS-VM-04.01 assessment steps (IsActive + hasPublicVulnerabilityDisclosure)
- Add comprehensive test coverage with 5 test cases:
  * GitHub security policy enabled
  * Security Insights policy URL present
  * No disclosure mechanisms available
  * Both mechanisms present (GitHub takes priority)
  * Invalid payload handling
- Add stubGraphqlRepoWithSecurityPolicy helper function following existing patterns

Closes #34

Author: zohayb23

evaluation_plans/osps/vuln_management/evaluations.go

@@ -83,7 +83,8 @@ func OSPS_VM_04() (evaluation *layer4.ControlEvaluation) {
 			"Maturity Level 3",
 		},
 		[]layer4.AssessmentStep{
-			reusable_steps.NotImplemented,
+			reusable_steps.IsActive,
+			hasPublicVulnerabilityDisclosure,
 		},
 	)
 

evaluation_plans/osps/vuln_management/steps.go

@@ -60,3 +60,20 @@ func hasVulnerabilityDisclosurePolicy(payloadData any, _ map[string]*layer4.Chan
 
 	return layer4.Passed, "Vulnerability disclosure policy was specified in Security Insights data"
 }
+
+func hasPublicVulnerabilityDisclosure(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {
+	data, message := reusable_steps.VerifyPayload(payloadData)
+	if message != "" {
+		return layer4.Unknown, message
+	}
+
+	if data.GraphqlRepoData.Repository.IsSecurityPolicyEnabled {
+		return layer4.Passed, "Public vulnerability disclosure available via GitHub security policy"
+	}
+
+	if data.Insights.Project.Vulnerability.SecurityPolicy != "" {
+		return layer4.Passed, "Public vulnerability disclosure available via security policy in Security Insights data"
+	}
+
+	return layer4.Failed, "No public vulnerability disclosure mechanism found"
+}

evaluation_plans/osps/vuln_management/steps_test.go

@@ -164,3 +164,101 @@ func TestHasVulnerabilityDisclosurePolicy(t *testing.T) {
 		})
 	}
 }
+
+func stubGraphqlRepoWithSecurityPolicy(isSecurityPolicyEnabled bool) *data.GraphqlRepoData {
+	repo := &data.GraphqlRepoData{}
+	repo.Repository.IsSecurityPolicyEnabled = isSecurityPolicyEnabled
+	return repo
+}
+
+func TestHasPublicVulnerabilityDisclosure(t *testing.T) {
+	tests := []struct {
+		name            string
+		payloadData     any
+		expectedResult  layer4.Result
+		expectedMessage string
+	}{
+		{
+			name:            "Public disclosure via GitHub security policy",
+			expectedResult:  layer4.Passed,
+			expectedMessage: "Public vulnerability disclosure available via GitHub security policy",
+			payloadData: data.Payload{
+				RestData: &data.RestData{
+					Insights: si.SecurityInsights{
+						Project: si.Project{
+							Vulnerability: si.VulnReport{
+								SecurityPolicy: "",
+							},
+						},
+					},
+				},
+				GraphqlRepoData: stubGraphqlRepoWithSecurityPolicy(true),
+			},
+		},
+		{
+			name:            "Public disclosure via Security Insights policy",
+			expectedResult:  layer4.Passed,
+			expectedMessage: "Public vulnerability disclosure available via security policy in Security Insights data",
+			payloadData: data.Payload{
+				RestData: &data.RestData{
+					Insights: si.SecurityInsights{
+						Project: si.Project{
+							Vulnerability: si.VulnReport{
+								SecurityPolicy: "https://github.com/example/repo/blob/main/SECURITY.md",
+							},
+						},
+					},
+				},
+				GraphqlRepoData: stubGraphqlRepoWithSecurityPolicy(false),
+			},
+		},
+		{
+			name:            "No public disclosure mechanism",
+			expectedResult:  layer4.Failed,
+			expectedMessage: "No public vulnerability disclosure mechanism found",
+			payloadData: data.Payload{
+				RestData: &data.RestData{
+					Insights: si.SecurityInsights{
+						Project: si.Project{
+							Vulnerability: si.VulnReport{
+								SecurityPolicy: "",
+							},
+						},
+					},
+				},
+				GraphqlRepoData: stubGraphqlRepoWithSecurityPolicy(false),
+			},
+		},
+		{
+			name:            "Both mechanisms available - GitHub policy takes priority",
+			expectedResult:  layer4.Passed,
+			expectedMessage: "Public vulnerability disclosure available via GitHub security policy",
+			payloadData: data.Payload{
+				RestData: &data.RestData{
+					Insights: si.SecurityInsights{
+						Project: si.Project{
+							Vulnerability: si.VulnReport{
+								SecurityPolicy: "https://github.com/example/repo/blob/main/SECURITY.md",
+							},
+						},
+					},
+				},
+				GraphqlRepoData: stubGraphqlRepoWithSecurityPolicy(true),
+			},
+		},
+		{
+			name:            "Invalid payload",
+			expectedResult:  layer4.Unknown,
+			expectedMessage: "Malformed assessment: expected payload type data.Payload, got string (invalid_payload)",
+			payloadData:     "invalid_payload",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			result, message := hasPublicVulnerabilityDisclosure(test.payloadData, nil)
+			assert.Equal(t, test.expectedResult, result)
+			assert.Equal(t, test.expectedMessage, message)
+		})
+	}
+}