feat: support multiple control catalog versions (#269)

vinayada1 · Vinaya Damle · web-flow · commit fdb55ffd74d6 · 2026-03-26T20:58:01.000-05:00
Signed-off-by: Vinaya Damle &lt;vinayada@mac.lan&gt;
Signed-off-by: Vinaya Damle &lt;vinayada1@users.noreply.github.com&gt;
Co-authored-by: Vinaya Damle &lt;vinayada@mac.lan&gt;
diff --git a/.github/scripts/ci.sh b/.github/scripts/ci.sh
@@ -94,7 +94,7 @@ services:
     plugin: github-repo
     policy:
       catalogs:
-        - osps-baseline
+        - osps-baseline-2026-02
       applicability:
         - Maturity Level 1
     vars:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -33,4 +33,4 @@ jobs:
           ./.github/scripts/ci.sh 2>&1 | tee integration_output.txt
       - name: Verify test output
         run: |
-          grep -E 'privateer_osps-baseline.*Passed.*Warnings.*Failed.*Possible' integration_output.txt
+          grep -E 'privateer_osps-baseline-2026-02.*Passed.*Warnings.*Failed.*Possible' integration_output.txt
diff --git a/data/catalogs/OSPS_Baseline_2025_10.yaml b/data/catalogs/OSPS_Baseline_2025_10.yaml
@@ -1,7 +1,7 @@
 metadata:
-  id: osps-baseline
+  id: osps-baseline-2025-10
   title: Open Source Project Security Baseline
-  version: ""
+  version: "2025.10"
   description: |
     The Open Source Project Security (OSPS) Baseline is a set of security criteria
     that projects should meet to demonstrate a strong security posture.
diff --git a/data/catalogs/OSPS_Baseline_2026_02.yaml b/data/catalogs/OSPS_Baseline_2026_02.yaml
diff --git a/evaluation_plans/evaluation-plans.go b/evaluation_plans/evaluation-plans.go
@@ -15,7 +15,9 @@ import (
 )
 
 var (
-	// Open Source Project Security Baseline
+	// OSPS contains assessment step implementations for OSPS Baseline controls.
+	// Each catalog YAML defines which IDs are active for that version,
+	// so the SDK only runs the relevant subset.
 	OSPS = map[string][]gemara.AssessmentStep{
 		"OSPS-AC-01.01": {
 			reusable_steps.GithubBuiltIn,
@@ -243,3 +245,23 @@ var (
 		},
 	}
 )
+
+// AllSteps merges all step maps into a single map for registration with the SDK.
+// Assessment IDs are unique across catalogs (e.g., OSPS-* vs CRA-*), so the
+// catalog YAML naturally filters to the correct subset at evaluation time.
+// To add a new catalog family, define its step map and include it here.
+//
+// A single shared map is safe across catalog versions because the OSPS
+// maintenance policy (https://github.com/ossf/security-baseline/blob/main/docs/maintenance.md#identifiers)
+// guarantees that substantive changes to a control result in a new identifier.
+// This means implementations for a given assessment ID will not diverge between
+// versions, so all versions can share the same step function for the same key.
+func AllSteps() map[string][]gemara.AssessmentStep {
+	merged := make(map[string][]gemara.AssessmentStep, len(OSPS))
+	for id, steps := range OSPS {
+		merged[id] = steps
+	}
+	// Add additional catalog step maps here, e.g.:
+	// for id, steps := range CRA { merged[id] = steps }
+	return merged
+}
diff --git a/evaluation_plans/evaluation-plans_test.go b/evaluation_plans/evaluation-plans_test.go
@@ -0,0 +1,78 @@
+package evaluation_plans
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/gemaraproj/go-gemara"
+	"github.com/goccy/go-yaml"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAllSteps(t *testing.T) {
+	t.Run("Returns non-empty map", func(t *testing.T) {
+		result := AllSteps()
+		assert.NotEmpty(t, result)
+	})
+
+	t.Run("Contains all OSPS entries", func(t *testing.T) {
+		result := AllSteps()
+		for id := range OSPS {
+			assert.Contains(t, result, id, "AllSteps() missing OSPS key %s", id)
+		}
+		assert.Equal(t, len(OSPS), len(result))
+	})
+
+	t.Run("Every entry has non-empty steps", func(t *testing.T) {
+		result := AllSteps()
+		for id, steps := range result {
+			assert.NotEmpty(t, steps, "AllSteps() entry %s has no steps", id)
+		}
+	})
+
+	t.Run("Returns a copy not the original", func(t *testing.T) {
+		result := AllSteps()
+		result["fake-id"] = nil
+		_, exists := OSPS["fake-id"]
+		assert.False(t, exists, "mutating AllSteps() result should not affect OSPS")
+	})
+}
+
+// TestAllCatalogAssessmentIDsHaveSteps ensures every assessment requirement ID
+// defined in every catalog YAML has a corresponding entry in the combined step map.
+// This prevents silently producing "Unknown" results when a new catalog
+// introduces assessment IDs without adding step implementations.
+func TestAllCatalogAssessmentIDsHaveSteps(t *testing.T) {
+	allSteps := AllSteps()
+	catalogDir := filepath.Join("..", "data", "catalogs")
+	entries, err := os.ReadDir(catalogDir)
+	if err != nil {
+		t.Fatalf("failed to read catalog directory: %v", err)
+	}
+
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		catalogPath := filepath.Join(catalogDir, entry.Name())
+		t.Run(entry.Name(), func(t *testing.T) {
+			data, err := os.ReadFile(catalogPath)
+			if err != nil {
+				t.Fatalf("failed to read catalog %s: %v", entry.Name(), err)
+			}
+			var catalog gemara.ControlCatalog
+			if err := yaml.Unmarshal(data, &catalog); err != nil {
+				t.Fatalf("failed to parse catalog %s: %v", entry.Name(), err)
+			}
+
+			for _, control := range catalog.Controls {
+				for _, req := range control.AssessmentRequirements {
+					if _, ok := allSteps[req.Id]; !ok {
+						t.Errorf("catalog %s has assessment requirement %s but no step implementation exists", entry.Name(), req.Id)
+					}
+				}
+			}
+		})
+	}
+}
diff --git a/example-config.yml b/example-config.yml
@@ -13,7 +13,7 @@ services:
     # The policy section may be set at the top level if assessing multiple services via privateer
     policy:
       catalogs:
-        - osps-baseline # currently this is the only available catalog to assess against
+        - osps-baseline-2026-02 # use osps-baseline-2025-10 for the previous version
       applicability:
         - Maturity Level 1
         # - Maturity Level 2
diff --git a/go.mod b/go.mod
@@ -4,6 +4,7 @@ go 1.25.1
 
 require (
 	github.com/gemaraproj/go-gemara v0.0.2
+	github.com/goccy/go-yaml v1.19.2
 	github.com/google/go-github/v74 v74.0.0
 	github.com/migueleliasweb/go-github-mock v1.5.0
 	github.com/ossf/si-tooling/v2 v2.2.0
@@ -26,7 +27,6 @@ require (
 	github.com/go-git/go-billy/v5 v5.8.0 // indirect
 	github.com/go-git/go-git/v5 v5.17.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/go-github/v71 v71.0.0 // indirect
 	github.com/google/go-github/v73 v73.0.0 // indirect
diff --git a/main.go b/main.go
@@ -54,9 +54,10 @@ func main() {
 	}
 
 	orchestrator.AddRequiredVars(RequiredVars)
-	err = orchestrator.AddEvaluationSuite("osps-baseline", nil, evaluation_plans.OSPS)
+
+	err = orchestrator.AddEvaluationSuiteForAllCatalogs(nil, evaluation_plans.AllSteps())
 	if err != nil {
-		fmt.Printf("Error adding evaluation suite: %v\n", err)
+		fmt.Printf("Error adding evaluation suites: %v\n", err)
 		os.Exit(1)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -54,9 +54,10 @@ func main() {`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`orchestrator.AddRequiredVars(RequiredVars)`
`57`		`- err = orchestrator.AddEvaluationSuite("osps-baseline", nil, evaluation_plans.OSPS)`
	`57`	`+`
	`58`	`+ err = orchestrator.AddEvaluationSuiteForAllCatalogs(nil, evaluation_plans.AllSteps())`
`58`	`59`	`if err != nil {`
`59`		`- fmt.Printf("Error adding evaluation suite: %v\n", err)`
	`60`	`+ fmt.Printf("Error adding evaluation suites: %v\n", err)`
`60`	`61`	`os.Exit(1)`
`61`	`62`	`}`
`62`	`63`