chore: integrate against new version of si-tooling

Signed-off-by: Travis Truman <trumant@gmail.com>

Author: trumant

evaluation_plans/osps/build_release/steps.go

@@ -177,37 +177,37 @@ func releaseHasUniqueIdentifier(payloadData interface{}, _ map[string]*layer4.Ch
 func getLinks(data data.Payload) []string {
 	si := data.Insights
 	links := []string{
-		si.Header.URL,
-		si.Header.ProjectSISource,
-		si.Project.Homepage,
-		si.Project.Roadmap,
-		si.Project.Funding,
-		si.Project.Documentation.DetailedGuide,
-		si.Project.Documentation.CodeOfConduct,
-		si.Project.Documentation.QuickstartGuide,
-		si.Project.Documentation.ReleaseProcess,
-		si.Project.Documentation.SignatureVerification,
-		si.Project.Vulnerability.BugBountyProgram,
-		si.Project.Vulnerability.SecurityPolicy,
-		si.Repository.URL,
-		si.Repository.License.URL,
-		si.Repository.Security.Assessments.Self.Evidence,
+		si.Header.URL.String(),
+		si.Header.ProjectSISource.String(),
+		si.Project.Homepage.String(),
+		si.Project.Roadmap.String(),
+		si.Project.Funding.String(),
+		si.Project.Documentation.DetailedGuide.String(),
+		si.Project.Documentation.CodeOfConduct.String(),
+		si.Project.Documentation.QuickstartGuide.String(),
+		si.Project.Documentation.ReleaseProcess.String(),
+		si.Project.Documentation.SignatureVerification.String(),
+		si.Project.VulnerabilityReporting.BugBountyProgram.String(),
+		si.Project.VulnerabilityReporting.SecurityPolicy.String(),
+		si.Repository.Url.String(),
+		si.Repository.License.Url.String(),
+		si.Repository.Security.Assessments.Self.Evidence.String(),
 	}
 	if data.RepositoryMetadata.OrganizationBlogURL() != nil {
 		links = append(links, *data.RepositoryMetadata.OrganizationBlogURL())
 	}
 	for _, repo := range si.Project.Repositories {
-		links = append(links, repo.URL)
+		links = append(links, repo.Url.String())
 	}
 
-	for _, repo := range si.Repository.Security.Assessments.ThirdParty {
-		links = append(links, repo.Evidence)
+	for _, repo := range si.Repository.Security.Assessments.ThirdPartyAssessment {
+		links = append(links, repo.Evidence.String())
 	}
 
 	for _, tool := range si.Repository.Security.Tools {
-		links = append(links, tool.Results.Adhoc.Location)
-		links = append(links, tool.Results.CI.Location)
-		links = append(links, tool.Results.Release.Location)
+		links = append(links, tool.Results.Adhoc.Location.String())
+		links = append(links, tool.Results.Ci.Location.String())
+		links = append(links, tool.Results.Release.Location.String())
 	}
 	return links
 }
@@ -284,8 +284,8 @@ func distributionPointsUseHTTPS(payloadData interface{}, _ map[string]*layer4.Ch
 
 	var badURIs []string
 	for _, point := range distributionPoints {
-		if insecureURI(point.URI) {
-			badURIs = append(badURIs, point.URI)
+		if insecureURI(point.Uri) {
+			badURIs = append(badURIs, point.Uri)
 		}
 	}
 	if len(badURIs) > 0 {

evaluation_plans/osps/docs/steps.go

@@ -39,7 +39,7 @@ func acceptsVulnReports(payloadData interface{}, _ map[string]*layer4.Change) (r
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Project.Vulnerability.ReportsAccepted {
+	if data.Insights.Project.VulnerabilityReporting.ReportsAccepted {
 		return layer4.Passed, "Repository accepts vulnerability reports"
 	}
 
@@ -65,7 +65,7 @@ func hasDependencyManagementPolicy(payloadData interface{}, _ map[string]*layer4
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Repository.Documentation.DependencyManagement == "" {
+	if data.Insights.Repository.Documentation.DependencyManagementPolicy.String() == "" {
 		return layer4.Failed, "Dependency management policy was NOT specified in Security Insights data"
 	}
 

evaluation_plans/osps/governance/steps.go

@@ -50,7 +50,7 @@ func hasContributionGuide(payloadData interface{}, _ map[string]*layer4.Change)
 		return layer4.Unknown, message
 	}
 
-	if data.Insights.Project.Documentation.CodeOfConduct != "" && data.Insights.Repository.Documentation.Contributing != "" {
+	if data.Insights.Project.Documentation.CodeOfConduct != "" && data.Insights.Repository.Documentation.ContributingGuide.String() != "" {
 		return layer4.Passed, "Contributing guide specified in Security Insights data (Bonus: code of conduct location also specified)"
 	}
 

evaluation_plans/osps/vuln_management/steps.go

@@ -16,7 +16,7 @@ func hasSecContact(payloadData interface{}, _ map[string]*layer4.Change) (result
 
 	// TODO: Check for a contact email in SECURITY.md
 
-	if data.Insights.Project.Vulnerability.Contact.Email != "" {
+	if data.Insights.Project.VulnerabilityReporting.Contact != nil && data.Insights.Project.VulnerabilityReporting.Contact.Email.String() != "" {
 		return layer4.Passed, "Security contacts were specified in Security Insights data"
 	}
 	for _, champion := range data.Insights.Repository.Security.Champions {
@@ -28,18 +28,17 @@ func hasSecContact(payloadData interface{}, _ map[string]*layer4.Change) (result
 	return layer4.Failed, "Security contacts were not specified in Security Insights data"
 }
 
-
 func sastToolDefined(payloadData interface{}, _ map[string]*layer4.Change) (result layer4.Result, message string) {
 	data, message := reusable_steps.VerifyPayload(payloadData)
 	if message != "" {
 		return layer4.Unknown, message
 	}
 
-	for _,tool := range data.Insights.Repository.Security.Tools {
+	for _, tool := range data.Insights.Repository.Security.Tools {
 		if tool.Type == "SAST" {
-			
-			enabled  := []bool { tool.Integration.Adhoc, tool.Integration.CI, tool.Integration.Release }
-			
+
+			enabled := []bool{tool.Integration.Adhoc, tool.Integration.Ci, tool.Integration.Release}
+
 			if slices.Contains(enabled, true) {
 				return layer4.Passed, "Static Application Security Testing documented in Security Insights"
 			}

evaluation_plans/osps/vuln_management/steps_test.go

@@ -10,24 +10,23 @@ import (
 )
 
 type testingData struct {
-	expectedResult layer4.Result
-	expectedMessage string
-	payloadData interface{}
+	expectedResult   layer4.Result
+	expectedMessage  string
+	payloadData      interface{}
 	assertionMessage string
 }
 
-
 func TestSastToolDefined(t *testing.T) {
-	
+
 	testData := []testingData{
 		{
-			expectedResult: layer4.Passed,
-			expectedMessage: "Static Application Security Testing documented in Security Insights",
+			expectedResult:   layer4.Passed,
+			expectedMessage:  "Static Application Security Testing documented in Security Insights",
 			assertionMessage: "Test for SAST integration enabled",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
-						Repository: si.Repository{
+						Repository: &si.Repository{
 							Security: si.SecurityInfo{
 								Tools: []si.Tool{
 									{
@@ -42,14 +41,13 @@ func TestSastToolDefined(t *testing.T) {
 					},
 				},
 			},
-			
 		},
 		{
-			expectedResult: layer4.Failed,
-			expectedMessage: "No Static Application Security Testing documented in Security Insights",
+			expectedResult:   layer4.Failed,
+			expectedMessage:  "No Static Application Security Testing documented in Security Insights",
 			assertionMessage: "Test for SAST integration present but not explicitly enabled",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
 						Repository: si.Repository{
 							Security: si.SecurityInfo{
@@ -63,14 +61,13 @@ func TestSastToolDefined(t *testing.T) {
 					},
 				},
 			},
-			
 		},
 		{
-			expectedResult: layer4.Failed,
-			expectedMessage: "No Static Application Security Testing documented in Security Insights",
+			expectedResult:   layer4.Failed,
+			expectedMessage:  "No Static Application Security Testing documented in Security Insights",
 			assertionMessage: "Test for Non SAST tool defined",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
 						Repository: si.Repository{
 							Security: si.SecurityInfo{
@@ -84,31 +81,28 @@ func TestSastToolDefined(t *testing.T) {
 					},
 				},
 			},
-			
 		},
 		{
-			expectedResult: layer4.Failed,
-			expectedMessage: "No Static Application Security Testing documented in Security Insights",
+			expectedResult:   layer4.Failed,
+			expectedMessage:  "No Static Application Security Testing documented in Security Insights",
 			assertionMessage: "Test for no tools defined",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
 						Repository: si.Repository{
-							Security: si.SecurityInfo{
-							},
+							Security: si.SecurityInfo{},
 						},
 					},
 				},
 			},
-			
 		},
 	}
-	
+
 	for _, test := range testData {
 		result, message := sastToolDefined(test.payloadData, nil)
 
 		assert.Equal(t, test.expectedResult, result, test.assertionMessage)
 		assert.Equal(t, test.expectedMessage, message, test.assertionMessage)
 	}
-	
-}
+
+}

evaluation_plans/reusable_steps/evaluations.go

@@ -98,7 +98,7 @@ func HasDependencyManagementPolicy(payloadData interface{}, _ map[string]*layer4
 		return layer4.Unknown, message
 	}
 
-	if len(payload.Insights.Repository.Documentation.DependencyManagement) > 0 {
+	if len(payload.Insights.Repository.Documentation.DependencyManagementPolicy) > 0 {
 		return layer4.Passed, "Found dependency management policy in documentation"
 	}
 

evaluation_plans/reusable_steps/evaluations_test.go

@@ -10,9 +10,9 @@ import (
 )
 
 type testingData struct {
-	expectedResult layer4.Result
-	expectedMessage string
-	payloadData interface{}
+	expectedResult   layer4.Result
+	expectedMessage  string
+	payloadData      interface{}
 	assertionMessage string
 }
 
@@ -21,12 +21,12 @@ func TestHasDependencyManagementPolicySomethin(t *testing.T) {
 	//Ick, remind me to never use anonymous structs in my code
 	testData := []testingData{
 		{
-			expectedResult: layer4.Passed,
+			expectedResult:  layer4.Passed,
 			expectedMessage: "Found dependency management policy in documentation",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
-						Repository: si.Repository{
+						Repository: &si.Repository{
 							Documentation: struct {
 								Contributing         string `yaml:"contributing-guide"`
 								DependencyManagement string `yaml:"dependency-management-policy"`
@@ -43,10 +43,10 @@ func TestHasDependencyManagementPolicySomethin(t *testing.T) {
 			assertionMessage: "Happy Path failed",
 		},
 		{
-			expectedResult: layer4.Failed,
+			expectedResult:  layer4.Failed,
 			expectedMessage: "No dependency management file found",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
 						Repository: si.Repository{
 							Documentation: struct {
@@ -65,10 +65,10 @@ func TestHasDependencyManagementPolicySomethin(t *testing.T) {
 			assertionMessage: "Empty string check failed",
 		},
 		{
-			expectedResult: layer4.Failed,
+			expectedResult:  layer4.Failed,
 			expectedMessage: "No dependency management file found",
-			payloadData:    data.Payload{
-				RestData: &data.RestData {
+			payloadData: data.Payload{
+				RestData: &data.RestData{
 					Insights: si.SecurityInsights{
 						Repository: si.Repository{
 							Documentation: struct {
@@ -94,5 +94,4 @@ func TestHasDependencyManagementPolicySomethin(t *testing.T) {
 		assert.Equal(t, test.expectedMessage, message, test.assertionMessage)
 	}
 
-
-}
+}

go.mod

@@ -4,7 +4,7 @@ go 1.23.4
 
 require (
 	github.com/google/go-github/v71 v71.0.0
-	github.com/ossf/si-tooling/v2 v2.0.5-0.20250328034800-657dc9aa9920
+	github.com/ossf/si-tooling/v2 v2.0.4
 	github.com/privateerproj/privateer-sdk v1.2.0
 	github.com/revanite-io/sci v0.3.4
 	github.com/rhysd/actionlint v1.7.7
@@ -15,6 +15,7 @@ require (
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/goccy/go-yaml v1.17.1 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 )
@@ -62,3 +63,5 @@ require (
 // replace github.com/privateerproj/privateer-sdk => ../../privateerproj/privateer-sdk
 
 // replace github.com/revanite-io/sci => ../sci
+
+replace github.com/ossf/si-tooling/v2 => ../si-tooling/v2

go.sum

@@ -20,6 +20,8 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
 github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/goccy/go-yaml v1.17.1 h1:LI34wktB2xEE3ONG/2Ar54+/HJVBriAGJ55PHls4YuY=
+github.com/goccy/go-yaml v1.17.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/gomarkdown/markdown v0.0.0-20250311123330-531bef5e742b h1:EY/KpStFl60qA17CptGXhwfZ+k1sFNJIUNR8DdbcuUk=
@@ -61,8 +63,6 @@ github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebG
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
 github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
-github.com/ossf/si-tooling/v2 v2.0.5-0.20250328034800-657dc9aa9920 h1:iT96I36tXMHMPcSvxLtfi6970MAEK3xlDMZGSxuhJLA=
-github.com/ossf/si-tooling/v2 v2.0.5-0.20250328034800-657dc9aa9920/go.mod h1:LVl8Dz/65RjijQHXDxgfHn1h19nRNckswUDMjBB/pWY=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=