Add OSPS-DO-04 ruletype

Signed-off-by: Adolfo García Veytia (puerco) <[email protected]>
ossf · Dec 12, 2024 · 4bed3f7 · 4bed3f7
1 parent 2fd1c06
commit 4bed3f7
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 7 deletions.
diff --git a/resources/minder/osps-baseline-level2.yaml b/resources/minder/osps-baseline-level2.yaml
@@ -82,17 +82,15 @@ repository:
     type: OSPS-DO-03
     def: {}
 
-  # - name: OSPS-DO-04
+  - name: OSPS-DO-04
   #   Policy for coordinated vulnerability reporting, with a clear timeframe for response.
   #
-  #   [] Check SI for `vulnerability-reporting` block.`
+  #   [x] Check SI for `vulnerability-reporting` block.`
   #   [] Look for and check test of SECURITY.md for text patterns
   #
-  #   type: security_policy
-  #   displayName: "[OSPS-DO-04] Ensure there is a security policy file"
-  #   def:
-  #     filename: SECURITY.md
-
+    type: OSPS-DO-04
+    def: {}
+
   # - name: OSPS-DO-05
   #   Project documentation MUST include a mechanism for reporting defects.
   #

diff --git a/resources/minder/rules/OSPS-DO-04.yaml b/resources/minder/rules/OSPS-DO-04.yaml
@@ -0,0 +1,44 @@
+# SPDX-FileCopyrightText: Copyright 2024 The OSPS Baseline Authors
+# SPDX-License-Identifier: Apache-2.0
+---
+# Requires the Security Insights data source to be installed:
+# https://github.com/mindersec/minder-rules-and-profiles/blob/main/data-sources/security-insights.yaml
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: OSPS-DO-04
+display_name: Ensures a project has a vulnerability reporting policy 
+short_failure_message: No vulnerability reporting policy found.
+severity:
+  value: low
+context:
+  provider: github
+description: |
+  Checks that the project links a vulnerability reporting policy. 
+guidance: |
+  This rule type checks for the project's vulnerability reporting tool.
+  Currently, the rules looks for sources in the `vulnerability-reporting`
+  section of the Security Insights file.
+def:
+  in_entity: repository
+  rule_schema:
+    type: object
+  ingest:
+    type: git
+  eval:
+    type: rego
+    data_sources:
+      - name: securityinsights
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+        import rego.v1
+
+        default allow := false
+
+        si = minder.datasource.securityinsights.parse({})
+        allow if {
+            count(si["vulnerability-reporting"]) > 0
+        }