chore: cleanup OSCAL export logic for consistency

This updates the Layer 1 and Layer 2 implementations of OSCAL
generation for a more cohesive approach.

Assisted by: Composer(Cursor AI)
Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

Author: jpower432

cmd/oscal_export/export/export.go

@@ -64,7 +64,7 @@ func Catalog(path string, args []string) error {
 		return err
 	}
 
-	oscalCatalog, err := oscal.FromCatalog(catalog, "https://example/versions/%s#%s")
+	oscalCatalog, err := oscal.CatalogFromCatalog(catalog, oscal.WithControlHref("https://example/versions/%s#%s"))
 	if err != nil {
 		return err
 	}

oscal/catalog.go

@@ -0,0 +1,133 @@
+package oscal
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/defenseunicorns/go-oscal/src/pkg/uuid"
+	oscal "github.com/defenseunicorns/go-oscal/src/types/oscal-1-1-3"
+	"github.com/ossf/gemara"
+)
+
+// CatalogFromCatalog converts a Layer 2 Catalog to OSCAL Catalog format.
+// The function automatically:
+//   - Uses the catalog's internal version from Metadata.Version (or defaultVersion if empty)
+//   - Uses the ControlFamily.Id as the OSCAL group ID
+//   - Generates a unique UUID for the catalog
+//
+// Options:
+//   - WithControlHref: URL template for linking to controls. Uses format: controlHREF(version, controlID)
+//     Example: "https://baseline.openssf.org/versions/%s#%s"
+//   - WithVersion: Override the version (defaults to catalog.Metadata.Version or defaultVersion)
+//   - WithCanonicalHrefFormat: Alternative canonical HREF format (if WithControlHref not provided)
+func CatalogFromCatalog(catalog *gemara.Catalog, opts ...GenerateOption) (oscal.Catalog, error) {
+	options := generateOpts{}
+	for _, opt := range opts {
+		opt(&options)
+	}
+	options.completeFromCatalog(catalog)
+
+	metadata, err := createMetadataFromCatalog(catalog, options)
+	if err != nil {
+		return oscal.Catalog{}, fmt.Errorf("error creating catalog metadata: %w", err)
+	}
+
+	// Determine control HREF format for control links
+	controlHREF := options.controlHREF
+	if controlHREF == "" {
+		controlHREF = options.canonicalHref
+	}
+
+	oscalCatalog := oscal.Catalog{
+		UUID:     uuid.NewUUID(),
+		Groups:   nil,
+		Metadata: metadata,
+	}
+
+	catalogGroups := []oscal.Group{}
+
+	for _, family := range catalog.ControlFamilies {
+		group := oscal.Group{
+			Class:    "family",
+			Controls: nil,
+			ID:       family.Id,
+			Title:    strings.ReplaceAll(family.Description, "\n", "\\n"),
+		}
+
+		controls := []oscal.Control{}
+		for _, control := range family.Controls {
+			controlTitle := strings.TrimSpace(control.Title)
+
+			newCtl := oscal.Control{
+				Class: family.Id,
+				ID:    control.Id,
+				Title: strings.ReplaceAll(controlTitle, "\n", "\\n"),
+				Parts: &[]oscal.Part{
+					{
+						Name:  "statement",
+						ID:    fmt.Sprintf("%s_smt", control.Id),
+						Prose: control.Objective,
+					},
+				},
+				Links: func() *[]oscal.Link {
+					if controlHREF != "" {
+						return &[]oscal.Link{
+							{
+								Href: fmt.Sprintf(controlHREF, options.version, strings.ToLower(control.Id)),
+								Rel:  "canonical",
+							},
+						}
+					}
+					return nil
+				}(),
+			}
+
+			var subControls []oscal.Control
+			for _, ar := range control.AssessmentRequirements {
+				subControl := oscal.Control{
+					ID:    ar.Id,
+					Title: ar.Id,
+					Parts: &[]oscal.Part{
+						{
+							Name:  "statement",
+							ID:    fmt.Sprintf("%s_smt", ar.Id),
+							Prose: ar.Text,
+						},
+					},
+				}
+
+				if ar.Recommendation != "" {
+					*subControl.Parts = append(*subControl.Parts, oscal.Part{
+						Name:  "guidance",
+						ID:    fmt.Sprintf("%s_gdn", ar.Id),
+						Prose: ar.Recommendation,
+					})
+				}
+
+				*subControl.Parts = append(*subControl.Parts, oscal.Part{
+					Name: "assessment-objective",
+					ID:   fmt.Sprintf("%s_obj", ar.Id),
+					Links: &[]oscal.Link{
+						{
+							Href: fmt.Sprintf("#%s_smt", ar.Id),
+							Rel:  "assessment-for",
+						},
+					},
+				})
+
+				subControls = append(subControls, subControl)
+			}
+
+			if len(subControls) > 0 {
+				newCtl.Controls = &subControls
+			}
+			controls = append(controls, newCtl)
+		}
+
+		group.Controls = &controls
+		catalogGroups = append(catalogGroups, group)
+	}
+	oscalCatalog.Groups = &catalogGroups
+
+	return oscalCatalog, nil
+}

oscal/catalog_test.go

@@ -0,0 +1,140 @@
+package oscal
+
+import (
+	"testing"
+
+	oscalTypes "github.com/defenseunicorns/go-oscal/src/types/oscal-1-1-3"
+	"github.com/ossf/gemara"
+	"github.com/stretchr/testify/assert"
+
+	oscalUtils "github.com/ossf/gemara/internal/oscal"
+)
+
+var testCases = []struct {
+	name          string
+	catalog       *gemara.Catalog
+	controlHREF   string
+	wantErr       bool
+	expectedTitle string
+}{
+	{
+		name: "Valid catalog with single control family",
+		catalog: &gemara.Catalog{
+			Metadata: gemara.Metadata{
+				Id:      "test-catalog",
+				Version: "devel",
+			},
+			Title: "Test Catalog",
+			ControlFamilies: []gemara.ControlFamily{
+				{
+					Id:          "AC",
+					Title:       "access-control",
+					Description: "Controls for access management",
+					Controls: []gemara.Control{
+						{
+							Id:    "AC-01",
+							Title: "Access Control Policy",
+							AssessmentRequirements: []gemara.AssessmentRequirement{
+								{
+									Id:   "AC-01.1",
+									Text: "Develop and document access control policy",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		controlHREF:   "https://baseline.openssf.org/versions/%s#%s",
+		wantErr:       false,
+		expectedTitle: "Test Catalog",
+	},
+	{
+		name: "Valid catalog with multiple control families",
+		catalog: &gemara.Catalog{
+			Metadata: gemara.Metadata{
+				Id:      "test-catalog-multi",
+				Version: "devel",
+			},
+			Title: "Test Catalog Multiple",
+			ControlFamilies: []gemara.ControlFamily{
+				{
+					Id:          "AC",
+					Title:       "access-control",
+					Description: "Controls for access management",
+					Controls: []gemara.Control{
+						{
+							Id:    "AC-01",
+							Title: "Access Control Policy",
+							AssessmentRequirements: []gemara.AssessmentRequirement{
+								{
+									Id:   "AC-01.1",
+									Text: "Develop and document access control policy",
+								},
+							},
+						},
+					},
+				},
+				{
+					Id:          "BR",
+					Title:       "business-requirements",
+					Description: "Controls for business requirements",
+					Controls: []gemara.Control{
+						{
+							Id:    "BR-01",
+							Title: "Business Requirements Policy",
+							AssessmentRequirements: []gemara.AssessmentRequirement{
+								{
+									Id:   "BR-01.1",
+									Text: "Define business requirements",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		controlHREF:   "https://baseline.openssf.org/versions/%s#%s",
+		wantErr:       false,
+		expectedTitle: "Test Catalog Multiple",
+	},
+}
+
+func TestFromCatalog(t *testing.T) {
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			oscalCatalog, err := CatalogFromCatalog(tt.catalog, WithControlHref(tt.controlHREF))
+
+			if (err == nil) == tt.wantErr {
+				t.Errorf("ToOSCAL() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if tt.wantErr {
+				return
+			}
+
+			// Wrap oscal catalog
+			// Create the proper OSCAL document structure
+			oscalDocument := oscalTypes.OscalModels{
+				Catalog: &oscalCatalog,
+			}
+
+			// Create validation for the OSCAL catalog
+			assert.NoError(t, oscalUtils.Validate(oscalDocument))
+
+			// Compare each field
+			assert.NotEmpty(t, oscalCatalog.UUID)
+			assert.Equal(t, tt.expectedTitle, oscalCatalog.Metadata.Title)
+			assert.Equal(t, tt.catalog.Metadata.Version, oscalCatalog.Metadata.Version)
+			assert.Equal(t, len(tt.catalog.ControlFamilies), len(*oscalCatalog.Groups))
+
+			// Compare each control family
+			for i, family := range tt.catalog.ControlFamilies {
+				groups := (*oscalCatalog.Groups)
+				group := groups[i]
+				assert.Equal(t, family.Id, group.ID)
+			}
+		})
+	}
+}