feat: extend control evaluation status with additional states and refine evaluation logic

elmilan06 · elmilan06 · commit 467ebdf70e44 · 2026-03-19T02:08:35.000-05:00
diff --git a/plugins/compliance-orchestrator/evaluator/evaluator.go b/plugins/compliance-orchestrator/evaluator/evaluator.go
@@ -77,7 +77,7 @@ func (e *Evaluator) evaluateQuery(ctx context.Context, q models.QueryConfig) mod
 		}
 	}
 
-	const evidenceLimit = 50
+	const evidenceLimit = 10
 	rawRows := res.Rows
 	if len(rawRows) > evidenceLimit {
 		rawRows = rawRows[:evidenceLimit]
@@ -140,26 +140,72 @@ func evaluateQueryRule(q models.QueryConfig, hits int) (models.QueryEvaluationSt
 
 func computeControlStatus(strategy models.ComplianceStrategy, results []models.QueryEvaluation) models.ControlEvaluationStatus {
 
-	switch strategy {
-	case models.StrategyAll:
-		for _, r := range results {
-			if r.Status != models.QueryStatusCompliant {
-				return models.ControlStatusNonCompliant
-			}
+	hasCompliant := false
+	hasNonCompliant := false
+	hasError := false
+	allNotApplicable := true
+
+	applicableCount := 0
+	errorCount := 0
+
+	for _, r := range results {
+		switch r.Status {
+		case models.QueryStatusCompliant:
+			hasCompliant = true
+			allNotApplicable = false
+			applicableCount++
+
+		case models.QueryStatusNonCompliant:
+			hasNonCompliant = true
+			allNotApplicable = false
+			applicableCount++
+
+		case models.QueryStatusError:
+			hasError = true
+			allNotApplicable = false
+			applicableCount++
+			errorCount++
+
+		case models.QueryStatusNotApplicable:
 		}
-		return models.ControlStatusCompliant
+	}
+
+	if allNotApplicable {
+		return models.ControlStatusNotApplicable
+	}
 
+	if applicableCount > 0 && errorCount == applicableCount {
+		return models.ControlStatusNotEvaluated
+	}
+
+	switch strategy {
 	case models.StrategyAny:
-		for _, r := range results {
-			if r.Status == models.QueryStatusCompliant {
-				return models.ControlStatusCompliant
-			}
+		if hasCompliant {
+			return models.ControlStatusCompliant
+		}
+
+		if hasError {
+			return models.ControlStatusNonCompliant
 		}
-		return models.ControlStatusNonCompliant
 
-	default:
 		return models.ControlStatusNonCompliant
+
+	case models.StrategyAll:
+
+		if hasNonCompliant {
+			return models.ControlStatusNonCompliant
+		}
+
+		if hasError {
+			return models.ControlStatusNonCompliant
+		}
+
+		if hasCompliant {
+			return models.ControlStatusCompliant
+		}
 	}
+
+	return models.ControlStatusNonCompliant
 }
 
 func patternExists(pattern int, active []models.IndexPattern) bool {
diff --git a/plugins/compliance-orchestrator/models/constant.go b/plugins/compliance-orchestrator/models/constant.go
@@ -12,8 +12,10 @@ const (
 type ControlEvaluationStatus string
 
 const (
-	ControlStatusCompliant    ControlEvaluationStatus = "COMPLIANT"
-	ControlStatusNonCompliant ControlEvaluationStatus = "NON_COMPLIANT"
+	ControlStatusCompliant     ControlEvaluationStatus = "COMPLIANT"
+	ControlStatusNonCompliant  ControlEvaluationStatus = "NON_COMPLIANT"
+	ControlStatusNotApplicable ControlEvaluationStatus = "NOT_APPLICABLE"
+	ControlStatusNotEvaluated  ControlEvaluationStatus = "NOT_EVALUATED"
 )
 
 type EvaluationRule string
