feat: implement OSPS-VM-01.01 vulnerability disclosure policy assessment (#153)

- Add hasVulnerabilityDisclosurePolicy function to check SecurityPolicy field
- Update OSPS-VM-01.01 assessment steps: IsActive -> HasSecurityInsightsFile -> hasVulnerabilityDisclosurePolicy
- Add comprehensive tests for policy present/missing/invalid payload scenarios
- Validates project documentation includes vulnerability reporting policy

Closes #32

Author: zohayb23

evaluation_plans/osps/vuln_management/evaluations.go

@@ -21,7 +21,9 @@ func OSPS_VM_01() (evaluation *layer4.ControlEvaluation) {
 			"Maturity Level 3",
 		},
 		[]layer4.AssessmentStep{
-			reusable_steps.NotImplemented,
+			reusable_steps.IsActive,
+			reusable_steps.HasSecurityInsightsFile,
+			hasVulnerabilityDisclosurePolicy,
 		},
 	)
 

evaluation_plans/osps/vuln_management/steps.go

@@ -47,3 +47,16 @@ func sastToolDefined(payloadData interface{}, _ map[string]*layer4.Change) (resu
 
 	return layer4.Failed, "No Static Application Security Testing documented in Security Insights"
 }
+
+func hasVulnerabilityDisclosurePolicy(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {
+	data, message := reusable_steps.VerifyPayload(payloadData)
+	if message != "" {
+		return layer4.Unknown, message
+	}
+
+	if data.Insights.Project.Vulnerability.SecurityPolicy == "" {
+		return layer4.Failed, "Vulnerability disclosure policy was NOT specified in Security Insights data"
+	}
+
+	return layer4.Passed, "Vulnerability disclosure policy was specified in Security Insights data"
+}

evaluation_plans/osps/vuln_management/steps_test.go

@@ -106,3 +106,61 @@ func TestSastToolDefined(t *testing.T) {
 	}
 
 }
+
+func TestHasVulnerabilityDisclosurePolicy(t *testing.T) {
+	tests := []struct {
+		name            string
+		payloadData     any
+		expectedResult  layer4.Result
+		expectedMessage string
+	}{
+		{
+			name:            "Vulnerability disclosure policy present",
+			expectedResult:  layer4.Passed,
+			expectedMessage: "Vulnerability disclosure policy was specified in Security Insights data",
+			payloadData: data.Payload{
+				RestData: &data.RestData{
+					Insights: si.SecurityInsights{
+						Project: si.Project{
+							Vulnerability: si.VulnReport{
+								SecurityPolicy: "https://example.com/SECURITY.md",
+							},
+						},
+					},
+				},
+				GraphqlRepoData: &data.GraphqlRepoData{},
+			},
+		},
+		{
+			name:            "Vulnerability disclosure policy missing",
+			expectedResult:  layer4.Failed,
+			expectedMessage: "Vulnerability disclosure policy was NOT specified in Security Insights data",
+			payloadData: data.Payload{
+				RestData: &data.RestData{
+					Insights: si.SecurityInsights{
+						Project: si.Project{
+							Vulnerability: si.VulnReport{
+								SecurityPolicy: "",
+							},
+						},
+					},
+				},
+				GraphqlRepoData: &data.GraphqlRepoData{},
+			},
+		},
+		{
+			name:            "Invalid payload",
+			expectedResult:  layer4.Unknown,
+			expectedMessage: "Malformed assessment: expected payload type data.Payload, got string (invalid_payload)",
+			payloadData:     "invalid_payload",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			result, message := hasVulnerabilityDisclosurePolicy(test.payloadData, nil)
+			assert.Equal(t, test.expectedResult, result)
+			assert.Equal(t, test.expectedMessage, message)
+		})
+	}
+}