Implement hasPublicVulnerabilityDisclosure check for OSPS-VM-04

- Added function to check if security advisory publishing is enabled
- Uses SecurityAdvisories != nil to detect feature availability
- Added comprehensive test coverage with HTTP mocking
- Positioned SecurityAdvisory struct below RestData per code review

Signed-off-by: Zohayb Bhatti <zohayb23@gmail.com>

Author: zohayb23

data/rest-data.go

@@ -19,15 +19,6 @@ type HttpClient interface {
 	Do(req *http.Request) (*http.Response, error)
 }
 
-type SecurityAdvisory struct {
-	GhsaId      string `json:"ghsa_id"`
-	CveId       string `json:"cve_id"`
-	Summary     string `json:"summary"`
-	Severity    string `json:"severity"`
-	State       string `json:"state"`
-	PublishedAt string `json:"published_at"`
-}
-
 type RestData struct {
 	owner               string
 	repo                string
@@ -76,6 +67,15 @@ type WorkflowPermissions struct {
 	CanApprovePullRequest bool   `json:"can_approve_pull_request_reviews"`
 }
 
+type SecurityAdvisory struct {
+	GhsaId      string `json:"ghsa_id"`
+	CveId       string `json:"cve_id"`
+	Summary     string `json:"summary"`
+	Severity    string `json:"severity"`
+	State       string `json:"state"`
+	PublishedAt string `json:"published_at"`
+}
+
 var APIBase = "https://api.github.com"
 
 func (r *RestData) Setup() error {

evaluation_plans/osps/vuln_management/steps.go

@@ -1,7 +1,6 @@
 package vuln_management
 
 import (
-	"fmt"
 	"slices"
 
 	"github.com/ossf/gemara/layer4"
@@ -68,15 +67,11 @@ func hasPublicVulnerabilityDisclosure(payloadData any, _ map[string]*layer4.Chan
 		return layer4.Unknown, message
 	}
 
-	advisoryCount := len(data.SecurityAdvisories)
-	if advisoryCount > 0 {
-		if advisoryCount == 1 {
-			return layer4.Passed, "Found 1 published security advisory"
-		}
-		return layer4.Passed, fmt.Sprintf("Found %d published security advisories", advisoryCount)
+	if data.SecurityAdvisories != nil {
+		return layer4.Passed, "Security advisory publishing is enabled"
 	}
 
-	return layer4.Failed, "No published security advisories found"
+	return layer4.Failed, "Security advisory publishing is not enabled"
 }
 
 func hasPrivateVulnerabilityReporting(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {

evaluation_plans/osps/vuln_management/steps_test.go

@@ -169,67 +169,57 @@ func TestHasPublicVulnerabilityDisclosure(t *testing.T) {
 	tests := []struct {
 		name            string
 		payloadData     any
+		apiResponse     []byte
+		apiError        error
 		expectedResult  layer4.Result
 		expectedMessage string
 	}{
 		{
-			name:            "One published security advisory",
+			name:            "Security advisory publishing is enabled with advisories",
 			expectedResult:  layer4.Passed,
-			expectedMessage: "Found 1 published security advisory",
+			expectedMessage: "Security advisory publishing is enabled",
 			payloadData: data.Payload{
 				RestData: &data.RestData{
 					SecurityAdvisories: []data.SecurityAdvisory{
 						{
-							GhsaId:      "GHSA-xxxx-xxxx-xxxx",
-							Summary:     "Test advisory",
-							State:       "published",
-							PublishedAt: "2024-01-01T00:00:00Z",
+							GhsaId:   "GHSA-1234-5678-9012",
+							CveId:    "CVE-2024-12345",
+							Summary:  "Test advisory",
+							Severity: "high",
+							State:    "published",
 						},
 					},
 				},
 				GraphqlRepoData: &data.GraphqlRepoData{},
 			},
+			apiResponse: []byte(`[{"ghsa_id":"GHSA-1234-5678-9012","cve_id":"CVE-2024-12345","summary":"Test advisory","severity":"high","state":"published","published_at":"2024-01-01T00:00:00Z"}]`),
+			apiError:    nil,
 		},
 		{
-			name:            "Multiple published security advisories",
+			name:            "Security advisory publishing is enabled with no advisories",
 			expectedResult:  layer4.Passed,
-			expectedMessage: "Found 3 published security advisories",
+			expectedMessage: "Security advisory publishing is enabled",
 			payloadData: data.Payload{
 				RestData: &data.RestData{
-					SecurityAdvisories: []data.SecurityAdvisory{
-						{
-							GhsaId:      "GHSA-xxxx-xxxx-xxxx",
-							Summary:     "First advisory",
-							State:       "published",
-							PublishedAt: "2024-01-01T00:00:00Z",
-						},
-						{
-							GhsaId:      "GHSA-yyyy-yyyy-yyyy",
-							Summary:     "Second advisory",
-							State:       "published",
-							PublishedAt: "2024-02-01T00:00:00Z",
-						},
-						{
-							GhsaId:      "GHSA-zzzz-zzzz-zzzz",
-							Summary:     "Third advisory",
-							State:       "published",
-							PublishedAt: "2024-03-01T00:00:00Z",
-						},
-					},
+					SecurityAdvisories: []data.SecurityAdvisory{},
 				},
 				GraphqlRepoData: &data.GraphqlRepoData{},
 			},
+			apiResponse: []byte(`[]`),
+			apiError:    nil,
 		},
 		{
-			name:            "No published security advisories",
+			name:            "Security advisory publishing is not enabled",
 			expectedResult:  layer4.Failed,
-			expectedMessage: "No published security advisories found",
+			expectedMessage: "Security advisory publishing is not enabled",
 			payloadData: data.Payload{
 				RestData: &data.RestData{
-					SecurityAdvisories: []data.SecurityAdvisory{},
+					SecurityAdvisories: nil,
 				},
 				GraphqlRepoData: &data.GraphqlRepoData{},
 			},
+			apiResponse: []byte(`[]`),
+			apiError:    nil,
 		},
 		{
 			name:            "Invalid payload",
@@ -241,6 +231,11 @@ func TestHasPublicVulnerabilityDisclosure(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
+			if payload, ok := test.payloadData.(data.Payload); ok {
+				payload = data.NewPayloadWithHTTPMock(payload, test.apiResponse, 200, test.apiError)
+				test.payloadData = payload
+			}
+
 			result, message := hasPublicVulnerabilityDisclosure(test.payloadData, nil)
 			assert.Equal(t, test.expectedResult, result)
 			assert.Equal(t, test.expectedMessage, message)
@@ -370,4 +365,4 @@ func TestHasPrivateVulnerabilityReporting(t *testing.T) {
 			assert.Equal(t, test.expectedMessage, message)
 		})
 	}
-}
+}