use camino::Utf8PathBuf;
use cordance_core::advise::{AdviseFinding, Severity};
use cordance_core::pack::CordancePack;
use super::AdviseRule;
/// Advisory rule `R-secure-1`: a pack should ship a top-level `SECURITY.md`
/// describing how vulnerabilities are reported.
///
/// Unit struct; all behaviour lives in its [`AdviseRule`] impl.
pub struct RSecure1;
impl AdviseRule for RSecure1 {
    /// Stable rule identifier, also used as the `id` of any finding it emits.
    fn id(&self) -> &'static str {
        "R-secure-1"
    }

    /// Doctrine document this rule is derived from (path within the doctrine tree).
    fn doctrine_anchor(&self) -> &'static str {
        "doctrine/principles/secure-development-lifecycle.md"
    }

    /// Emits one `Warning` finding when the pack has no `SECURITY.md` source.
    ///
    /// A source satisfies the rule only if it is not `blocked` and its path is
    /// exactly `SECURITY.md` — the comparison is byte-exact, so a different
    /// case (`security.md`) or a nested location (`docs/SECURITY.md`) does not
    /// count. Sources marked `blocked` are skipped; presumably those are excluded
    /// from the pack, so a blocked `SECURITY.md` still triggers the finding
    /// (confirm against the `blocked` semantics in `cordance_core::pack`).
    ///
    /// Returns an empty vector when the file is present, otherwise a single
    /// finding pointing at `SECURITY.md` with remediation text.
    fn check(&self, pack: &CordancePack) -> Vec<AdviseFinding> {
        let is_root_security_md =
            |src: &_| !src.blocked && src.path.as_str() == "SECURITY.md";
        let missing = pack.sources.iter().find(|src| is_root_security_md(src)).is_none();

        if missing {
            let finding = AdviseFinding {
                id: self.id().into(),
                severity: Severity::Warning,
                summary: "SECURITY.md not found.".into(),
                doctrine_anchor: Utf8PathBuf::from(self.doctrine_anchor()),
                project_paths: vec!["SECURITY.md".into()],
                remediation: "Add SECURITY.md explaining how to report vulnerabilities.".into(),
            };
            vec![finding]
        } else {
            Vec::new()
        }
    }
}