fix: treat empty and whitespace-only URIs as not insecure (OSPS-BR-03.01) (#245)

Signed-off-by: jmeridth <jmeridth@gmail.com>

Author: jmeridth

evaluation_plans/osps/build_release/steps.go

@@ -236,7 +236,8 @@ func getLinks(data data.Payload) []string {
 }
 
 func insecureURI(uri string) bool {
-	if strings.HasPrefix(uri, "https://") ||
+	if strings.TrimSpace(uri) == "" ||
+		strings.HasPrefix(uri, "https://") ||
 		strings.HasPrefix(uri, "ssh:") ||
 		strings.HasPrefix(uri, "git:") ||
 		strings.HasPrefix(uri, "git@") {

evaluation_plans/osps/build_release/steps_test.go

@@ -124,6 +124,29 @@ func TestMultipleVariables(t *testing.T) {
 
 }
 
+func TestInsecureURI(t *testing.T) {
+	tests := []struct {
+		name     string
+		uri      string
+		expected bool
+	}{
+		{"empty string is not insecure", "", false},
+		{"whitespace string is not insecure", "   ", false},
+		{"https is not insecure", "https://example.com", false},
+		{"ssh is not insecure", "ssh://example.com", false},
+		{"git protocol is not insecure", "git://example.com", false},
+		{"git@ is not insecure", "git@github.com:org/repo.git", false},
+		{"http is insecure", "http://example.com", true},
+		{"ftp is insecure", "ftp://example.com", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, insecureURI(tt.uri), tt.name)
+		})
+	}
+}
+
 func TestUnTrustedVarsRegex(t *testing.T) {
 
 	expression, err := regexp.Compile(untrustedVarsRegex)