feat: Implement OSPS-VM-04.01: Public vulnerability disclosure assessment #155
- Add hasPublicVulnerabilityDisclosure function to check for public disclosure mechanisms
- Update OSPS-VM-04.01 assessment steps (IsActive + hasPublicVulnerabilityDisclosure)
- Add comprehensive test coverage with 5 test cases:
  * GitHub security policy enabled
  * Security Insights policy URL present
  * No disclosure mechanisms available
  * Both mechanisms present (GitHub takes priority)
  * Invalid payload handling
- Add stubGraphqlRepoWithSecurityPolicy helper function following existing patterns

Closes revanite-io#34
Kusari Analysis Results: No pinned version dependency changes, code issues or exposed secrets detected!
```go
if data.Insights.Project.Vulnerability.SecurityPolicy != "" {
	return layer4.Passed, "Public vulnerability disclosure available via security policy in Security Insights data"
```
Roughly the same question as above... just having a security policy doesn't necessarily mean that the project is publicly publishing data about discovered vulnerabilities.
Oh, I see. I didn't realize that. I'm thinking about changing the message to be more accurate. WDYT?
If you have a plan to demonstrate whether a project is "publicly publishing data about discovered vulnerabilities," then press on. I haven't put thought into measuring that, so I don't have much specific input at the moment.
Take a look at https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory, which shows some ways we can discover evidence.
Kusari PR Analysis rerun based on 92cf8b0, performed at 2025-09-30T20:14:50Z (link to updated analysis).
…curity Advisories API
- Replace security policy check with published security advisories check
- Add SecurityAdvisory struct and REST API integration in rest-data.go
- Update hasPublicVulnerabilityDisclosure to count published advisories
- Add comprehensive tests for all scenarios (0, 1, multiple advisories)
- Addresses Eddie's feedback about checking actual public disclosure evidence
Kusari PR Analysis rerun based on 434cdee, performed at 2025-09-30T21:49:03Z (link to updated analysis).
… reference
- Change data.RestData.SecurityAdvisories to data.SecurityAdvisories
- Fixes golangci-lint staticcheck QF1008 error
- RestData is embedded in Payload struct, so direct access is possible
Kusari PR Analysis rerun based on daf8479, performed at 2025-09-30T21:54:46Z (link to updated analysis).
```go
	return layer4.Passed, fmt.Sprintf("Found %d published security advisories", advisoryCount)
}

return layer4.Failed, "No published security advisories found"
```
Is it possible that advisory publishing is active/enabled but that no advisories have been published?
That is probably a passing condition for this requirement.
@trumant Do you suggest I implement a check to see if advisory publishing is active/enabled prior to checking if advisories have been published?
Yes.
- Added function to check if security advisory publishing is enabled
- Uses SecurityAdvisories != nil to detect feature availability
- Added comprehensive test coverage with HTTP mocking
- Positioned SecurityAdvisory struct below RestData per code review

Signed-off-by: Zohayb Bhatti <[email protected]>
Kusari PR Analysis rerun based on c57b3be, performed at 2025-10-03T03:01:03Z (link to updated analysis).
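The logic the last commit message describes (treat a nil advisory list as "feature unavailable", a non-nil empty list as "enabled but nothing published yet", and otherwise count only advisories in the published state), written out as an added stand-alone example. This is not the project's code: `Result`, `Payload` and `SecurityAdvisory` are local stand-ins for the plugin's `layer4` result type and its payload/REST structs, the JSON body is constructed for the example, and the `ghsa_id`/`state` field names are assumed from the GitHub repository security advisories REST response.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Result is a local stand-in for the pass/fail outcome type the PR uses
// (layer4.Passed / layer4.Failed), so the example runs without the plugin.
type Result int

const (
	Failed Result = iota
	Passed
)

// SecurityAdvisory holds the subset of a GitHub repository security advisory
// this check needs. Field names are assumed from the REST API response;
// State is one of "published", "draft", "triage" or "closed".
type SecurityAdvisory struct {
	GHSAID string `json:"ghsa_id"`
	State  string `json:"state"`
}

// Payload is a stand-in for the plugin's payload. The nil/non-nil convention
// from the PR is kept: nil means the advisories endpoint could not be read
// (feature unavailable), an empty non-nil slice means it answered with no
// advisories, and a populated slice means advisories exist.
type Payload struct {
	SecurityAdvisories []SecurityAdvisory
}

// AdvisoryPublishingEnabled reports whether advisory publishing appears
// available for the repository, using the SecurityAdvisories != nil test.
func AdvisoryPublishingEnabled(p Payload) bool {
	return p.SecurityAdvisories != nil
}

// CountPublished counts only advisories in the "published" state, so drafts
// and triage-stage reports are not mistaken for public disclosure.
func CountPublished(p Payload) int {
	n := 0
	for _, a := range p.SecurityAdvisories {
		if a.State == "published" {
			n++
		}
	}
	return n
}

// HasPublicVulnerabilityDisclosure applies the reviewer's decision from the
// thread: an enabled channel with zero published advisories still passes,
// while an unavailable channel fails.
func HasPublicVulnerabilityDisclosure(p Payload) (Result, string) {
	if !AdvisoryPublishingEnabled(p) {
		return Failed, "Security advisory publishing is not available for this repository"
	}
	n := CountPublished(p)
	if n == 0 {
		return Passed, "Security advisory publishing is enabled; no advisories published yet"
	}
	return Passed, fmt.Sprintf("Found %d published security advisories", n)
}

// ParseAdvisories decodes a REST response body into the payload. A JSON "[]"
// yields a non-nil empty slice (enabled, nothing published); a JSON "null"
// leaves the slice nil (treated as unavailable).
func ParseAdvisories(body []byte) (Payload, error) {
	var advisories []SecurityAdvisory
	if err := json.Unmarshal(body, &advisories); err != nil {
		return Payload{}, err
	}
	return Payload{SecurityAdvisories: advisories}, nil
}

func main() {
	// Constructed sample body: one published and one draft advisory.
	body := []byte(`[{"ghsa_id":"GHSA-xxxx-xxxx-xxxx","state":"published"},` +
		`{"ghsa_id":"GHSA-yyyy-yyyy-yyyy","state":"draft"}]`)
	for _, b := range [][]byte{body, []byte(`[]`), []byte(`null`)} {
		p, err := ParseAdvisories(b)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		r, msg := HasPublicVulnerabilityDisclosure(p)
		fmt.Printf("result=%d msg=%q\n", r, msg)
	}
}
```

Note that the three branches are deliberately distinct: a repository that cannot be queried for advisories at all is not the same as one where the channel exists but has never been used, which is exactly the distinction the reviewer asked for above.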
Implements OSPS-VM-04.01 to check if projects publicly publish vulnerability data.
Closes #34