libverify_core/controls/
security_policy.rs1use crate::control::{Control, ControlFinding, ControlId, builtin};
2use crate::evidence::EvidenceBundle;
3
4pub struct SecurityPolicyControl;
16
17impl Control for SecurityPolicyControl {
18 fn id(&self) -> ControlId {
19 builtin::id(builtin::SECURITY_POLICY)
20 }
21
22 fn description(&self) -> &'static str {
23 "A security policy (SECURITY.md) with responsible disclosure process must exist"
24 }
25
26 fn evaluate(&self, evidence: &EvidenceBundle) -> Vec<ControlFinding> {
27 let posture = match ControlFinding::extract_posture(self.id(), evidence) {
28 Ok(p) => p,
29 Err(findings) => return findings,
30 };
31
32 if !posture.security_policy_present {
33 return vec![ControlFinding::violated(
34 self.id(),
35 "No SECURITY.md or security policy file found",
36 vec!["SECURITY.md".to_string()],
37 )];
38 }
39
40 if posture.security_policy_has_disclosure {
41 vec![ControlFinding::satisfied(
42 self.id(),
43 "Security policy exists with responsible disclosure process",
44 vec!["SECURITY.md".to_string()],
45 )]
46 } else {
47 vec![ControlFinding::violated(
48 self.id(),
49 "Security policy exists but lacks a responsible disclosure process",
50 vec!["SECURITY.md".to_string()],
51 )]
52 }
53 }
54}
55
56#[cfg(test)]
57mod tests {
58 use super::*;
59 use crate::control::ControlStatus;
60 use crate::evidence::{EvidenceGap, EvidenceState, RepositoryPosture};
61
62 fn posture(present: bool, disclosure: bool) -> RepositoryPosture {
63 RepositoryPosture {
64 security_policy_present: present,
65 security_policy_has_disclosure: disclosure,
66 ..Default::default()
67 }
68 }
69
70 fn bundle(state: EvidenceState<RepositoryPosture>) -> EvidenceBundle {
71 EvidenceBundle {
72 repository_posture: state,
73 ..Default::default()
74 }
75 }
76
77 #[test]
78 fn not_applicable_when_posture_not_applicable() {
79 let findings = SecurityPolicyControl.evaluate(&bundle(EvidenceState::not_applicable()));
80 assert_eq!(findings[0].status, ControlStatus::NotApplicable);
81 }
82
83 #[test]
84 fn indeterminate_when_posture_missing() {
85 let findings = SecurityPolicyControl.evaluate(&bundle(EvidenceState::missing(vec![
86 EvidenceGap::CollectionFailed {
87 source: "github".to_string(),
88 subject: "posture".to_string(),
89 detail: "API error".to_string(),
90 },
91 ])));
92 assert_eq!(findings[0].status, ControlStatus::Indeterminate);
93 }
94
95 #[test]
96 fn violated_when_no_policy() {
97 let findings =
98 SecurityPolicyControl.evaluate(&bundle(EvidenceState::complete(posture(false, false))));
99 assert_eq!(findings[0].status, ControlStatus::Violated);
100 assert!(findings[0].rationale.contains("No SECURITY.md"));
101 }
102
103 #[test]
104 fn violated_when_policy_without_disclosure() {
105 let findings =
106 SecurityPolicyControl.evaluate(&bundle(EvidenceState::complete(posture(true, false))));
107 assert_eq!(findings[0].status, ControlStatus::Violated);
108 assert!(
109 findings[0]
110 .rationale
111 .contains("lacks a responsible disclosure")
112 );
113 }
114
115 #[test]
116 fn satisfied_when_policy_with_disclosure() {
117 let findings =
118 SecurityPolicyControl.evaluate(&bundle(EvidenceState::complete(posture(true, true))));
119 assert_eq!(findings[0].status, ControlStatus::Satisfied);
120 }
121}