rails_template_18f 0.5.3 → 0.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69b1bf665be20b3234b5a6cc358a35167cf3ab4dc7833ba1f8a3615970f2a617
-  data.tar.gz: ec93203edd447a12699c94d57583b7971f846e70f415ad91915860386f83e862
+  metadata.gz: ec09af68270ab8a9c37472e382f4f5c847e2b14a5d865d5d0b161fdb7a5fc6c2
+  data.tar.gz: f83f58fc2fe89dc1d9516874138452ac2a6331aebaee7db9458abe1bc72c2cd2
 SHA512:
-  metadata.gz: dec9d9bcd8c8111fbcfc826d995fd8197751e93c0c4463fd0d321d3a71b71a920f39340b60df4011cf0ab3ccbce9a6ec71258044cfc11bdae29f271fcde4d978
-  data.tar.gz: 22e0ce9181cef72c2081326175b314e865f752422e9d72a54e74f01fca39e23c70b23659ba5c7372ec4dc141a826f48a691d0f68690ba810ce7fe9e6eab6269b
+  metadata.gz: 63584d2d0737790f36294c34e7e8d3611cf2d4e930e6664582b1d812e9d6117b609ba1912f40a2243d5bb24178cf989fddc1c3db8e29f41e178e188bd1e576bd
+  data.tar.gz: 6e78c92eb7cb24522aedb57c91a82ba077fd6780f4b34f0f138953e0ca4992daefcf610e0a934c10f32fee785e7dd72335ea2fbd87e4839d64dbae42cdc6a592

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 ## [Unreleased]
 
+## [0.7.1] - 2022-07-05
+
+- fix issue with initial git commit when no OSCAL docs were updated during initial app creation
+- add extra content to project README about working with submodules
+
+## [0.7.0] - 2022-07-05
+
+- OSCAL generator to integrate with https://github.com/GSA-TTS/compliance-template
+
+## [0.6.0] - 2022-06-07
+
+- include USWDS 3.0 for new apps
+- use postcss-minify instead of the sass gem for CSS minimization
+
 ## [0.5.3] - 2022-06-06
 
 - check that server started properly before running anything in `bin/with-server`

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (0.5.3)
+    rails_template_18f (0.7.1)
       activesupport (~> 7.0.0)
       colorize (~> 0.8)
       railties (~> 7.0.0)
@@ -46,7 +46,7 @@ GEM
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     method_source (1.0.0)
-    minitest (5.15.0)
+    minitest (5.16.2)
     nokogiri (1.13.6-x86_64-darwin)
       racc (~> 1.4)
     nokogiri (1.13.6-x86_64-linux)
@@ -55,13 +55,13 @@ GEM
     parser (3.1.2.0)
       ast (~> 2.4.1)
     racc (1.6.0)
-    rack (2.2.3.1)
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
+    rack (2.2.4)
+    rack-test (2.0.2)
+      rack (>= 1.3)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.2)
+    rails-html-sanitizer (1.4.3)
       loofah (~> 2.3)
     railties (7.0.3)
       actionpack (= 7.0.3)
@@ -72,7 +72,7 @@ GEM
       zeitwerk (~> 2.5)
     rainbow (3.1.1)
     rake (13.0.6)
-    regexp_parser (2.4.0)
+    regexp_parser (2.5.0)
     rexml (3.2.5)
     rspec (3.11.0)
       rspec-core (~> 3.11.0)
@@ -95,7 +95,7 @@ GEM
       rspec-mocks (~> 3.10)
       rspec-support (~> 3.10)
     rspec-support (3.11.0)
-    rubocop (1.29.0)
+    rubocop (1.29.1)
       parallel (~> 1.10)
       parser (>= 3.1.0.0)
       rainbow (>= 2.2.2, < 4.0)
@@ -104,20 +104,20 @@ GEM
       rubocop-ast (>= 1.17.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.17.0)
+    rubocop-ast (1.18.0)
       parser (>= 3.1.1.0)
     rubocop-performance (1.13.3)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
     ruby-progressbar (1.11.0)
-    standard (1.12.0)
-      rubocop (= 1.29.0)
+    standard (1.12.1)
+      rubocop (= 1.29.1)
       rubocop-performance (= 1.13.3)
     thor (1.2.1)
     tzinfo (2.0.4)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.1.0)
-    zeitwerk (2.5.4)
+    unicode-display_width (2.2.0)
+    zeitwerk (2.6.0)
 
 PLATFORMS
   x86_64-darwin-20

data/README.md

@@ -91,7 +91,8 @@ ActionCable is included to enable the [Turbo Streams](https://turbo.hotwired.dev
 1. Create boundary and logical data model compliance diagrams
 1. Create `manifest.yml` and variable files for cloud.gov deployment
 1. Optionally run the `rake db:create` and `rake db:migrate` setup steps
-1. Optionally create Github Actions workflows for testing and cloud.gov deploy
+1. Optionally integrate with https://github.com/GSA-TTS/compliance-template
+1. Optionally create GitHub Actions workflows for testing and cloud.gov deploy
 1. Optionally create terraform modules supporting staging & production cloud.gov spaces
 1. Optionally create CircleCI workflows for testing and cloud.gov deploy
 1. Optionally create a New Relic config with FEDRAMP-specific host

data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb

@@ -98,6 +98,17 @@ module RailsTemplate18f
         end
       end
 
+      def update_oscal_doc
+        if oscal_dir_exists?
+          insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation a.\n"
+            #{app_name} employs ClamAV to detect and quarantine malicious code in user-uploaded files.
+          EOS
+          insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation b.\n"
+            ClamAV is configured to automatically update malicious code detection signatures on a daily basis.
+          EOS
+        end
+      end
+
       no_tasks do
         def data_model_uml
           <<~UML

data/lib/generators/rails_template18f/circleci/circleci_generator.rb

@@ -65,6 +65,10 @@ EOB
         EOB
       end
 
+      def update_oscal_docs
+        update_cicd_oscal_docs("CircleCI")
+      end
+
       no_tasks do
         def readme_cicd
           <<~EOM
@@ -79,7 +83,7 @@ EOB
           <<~EOM
 
             Deploys to staging#{terraform? ? ", including applying changes in terraform," : ""} happen
-            on every push to the `main` branch in Github.
+            on every push to the `main` branch in GitHub.
 
             The following secrets must be set within [CircleCI Environment Variables](https://circleci.com/docs/2.0/env-vars/)
             to enable a deploy to work:
@@ -97,7 +101,7 @@ EOB
           <<~EOM
 
             Deploys to production#{terraform? ? ", including applying changes in terraform," : ""} happen
-            on every push to the `production` branch in Github.
+            on every push to the `production` branch in GitHub.
 
             The following secrets must be set within [CircleCI Environment Variables](https://circleci.com/docs/2.0/env-vars/)
             to enable a deploy to work:

data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb

@@ -12,7 +12,7 @@ module RailsTemplate18f
 
       desc <<~DESC
         Description:
-          Install Github Actions workflow files
+          Install GitHub Actions workflow files
       DESC
 
       def install_actions
@@ -51,7 +51,7 @@ module RailsTemplate18f
       def update_boundary_diagram
         boundary_filename = "doc/compliance/apps/application.boundary.md"
         insert_into_file boundary_filename, <<EOB, after: "Boundary(cicd, \"CI/CD Pipeline\") {\n"
-    System_Ext(githuball, "GitHub w/ Github Actions", "GSA-controlled code repository and Continuous Integration Service")
+    System_Ext(githuball, "GitHub w/ GitHub Actions", "GSA-controlled code repository and Continuous Integration Service")
 EOB
         insert_into_file boundary_filename, <<~EOB, before: "@enduml"
           Rel(developer, githuball, "Publish code", "git ssh (22)")
@@ -68,6 +68,10 @@ EOB
         EOM
       end
 
+      def update_oscal_docs
+        update_cicd_oscal_docs("GitHub Actions")
+      end
+
       no_tasks do
         def readme_cicd
           <<~EOM
@@ -82,7 +86,7 @@ EOB
           <<~EOM
 
             Deploys to staging#{terraform? ? ", including applying changes in terraform," : ""} happen
-            on every push to the `main` branch in Github.
+            on every push to the `main` branch in GitHub.
 
             The following secrets must be set within the `staging` [environment secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
             to enable a deploy to work:
@@ -100,7 +104,7 @@ EOB
           <<~EOM
 
             Deploys to production#{terraform? ? ", including applying changes in terraform," : ""} happen
-            on every push to the `production` branch in Github.
+            on every push to the `production` branch in GitHub.
 
             The following secrets must be set within the `production` [environment secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
             to enable a deploy to work:

data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb

@@ -57,6 +57,45 @@ EOB
         EOB
       end
 
+      def update_oscal_doc
+        if oscal_dir_exists?
+          insert_into_oscal "si-4.md", <<~EOS, after: "## Implementation a.\n"
+            New Relic is used for the purposes of monitoring and analyzing #{app_name} application data. New Relic monitors each application within #{app_name} for
+            basic container utilization (CPU, memory, disk) as a baseline of provided metrics. New Relic dashboards are used by #{app_name} operations to obtain
+            near real-time views into the metrics obtained from each application. New Relic provides application metrics that give insight into request/response rates,
+            failure rates, etc. New Relic uses this data to detect anomalies (such as potential unauthorized activity) and alerts the #{app_name} team via <<INSERT NOTIFICATION CHANNEL>>
+            in the GSA Slack. Example: a spike in failed requests may indicate an unauthorized user has entered the system and is attempting to phish for PII.
+
+            1. A subset of relevant specific metrics #{app_name} is constantly monitoring include:
+              * Abnormal cpu, memory, and disk utilization (defined in New Relic alerting rules)
+              * Number of incoming requests
+              * Request response time
+              * Application crashes (for any reason)
+              * Response status codes (high numbers of failing requests would be abnormal)
+              * Applications (by name)
+              * Abnormally high request rates
+            1. Metrics that can be audited within #{app_name} include:
+              * SSH Sessions (disabled in production under normal circumstances)
+            1. A subset of relevant incidents #{app_name} will use these metrics to protect against include:
+              * Unauthorized Access / Intrusion to #{app_name} as an Administrator
+              * Denial of Service (DoS)
+              * Improper Usage
+              * Malicious Code
+              * System Uptime
+              * High Resource Usage
+
+            When suspicious activity is encountered #{app_name} Operations audit the event through the cloud.gov logs provided at logs.fr.cloud.gov
+            (a Kibana instance allowing users to access, filter, and search their cloud.gov logs. These logs are retained automatically by cloud.gov for 180 days after creation.
+          EOS
+          insert_into_oscal "si-4.md", "The #{app_name} application logs events to stdout and stderr which are ingested by cloud.gov and New Relic.", after: "## Implementation c.\n"
+          insert_into_oscal "si-4.md", "#{app_name} Operations are responsible for monitoring the New Relic dashboards that report on specific application events and performing follow-up investigations where necessary.", after: "## Implementation d.\n"
+          insert_into_oscal "si-4.2.md", <<~EOS
+            #{app_name} is monitored using New Relic Application Performance Monitoring (APM),
+            Synthetics and Logs, which detects and alerts on abnormal responses from #{app_name} applications.
+          EOS
+        end
+      end
+
       no_tasks do
         def readme
           <<~EOM

data/lib/generators/rails_template18f/oscal/oscal_generator.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module RailsTemplate18f
+  module Generators
+    class OscalGenerator < ::Rails::Generators::Base
+      include Base
+
+      class_option :oscal_repo, required: true, desc: "GitHub Repo containing Compliance-Template fork"
+      class_option :detach, type: :boolean, default: false, desc: "Copy OSCAL files into repo, rather than using a submodule"
+      class_option :branch, desc: "Name of the branch to switch to when using a submodule. Defaults to `app_name`"
+
+      desc <<~DESC
+        Description:
+          Add a fork of https://github.com/GSA-TTS/compliance-template.git as a
+          submodule for documenting security controls.
+
+          This generator is still experimental.
+
+          Prerequisite:
+
+          Fork the compliance-template repo for your own use. Updates to the documentation
+          will be pushed to this fork, not the rails app repository.
+      DESC
+
+      def copy_template_files
+        if detach?
+          git clone: "#{options[:oscal_repo]} doc/compliance/oscal"
+          remove_dir "doc/compliance/oscal/.git"
+        else
+          git submodule: "add #{options[:oscal_repo]} doc/compliance/oscal"
+          inside "doc/compliance/oscal" do
+            git switch: "-c #{branch_name}"
+          end
+        end
+      end
+
+      def update_readme
+        if file_content("README.md").match?("## Documentation")
+          insert_into_file "README.md", readme_contents, after: "## Documentation\n"
+        else
+          append_to_file "README.md", "\n## Documentation\n#{readme_contents}"
+        end
+      end
+
+      def configure_submodule
+        unless detach?
+          git config: "-f .gitmodules submodule.\"doc/compliance/oscal\".branch #{branch_name}"
+          git config: "diff.submodule log"
+          git config: "status.submodulesummary 1"
+          git config: "push.recurseSubmodules check"
+        end
+      end
+
+      no_tasks do
+        def branch_name
+          options[:branch].present? ? options[:branch] : app_name
+        end
+
+        def readme_contents
+          content = <<~README
+
+            ### Compliance Documentation
+
+            Security Controls should be documented within doc/compliance/oscal.
+          README
+          return content if detach?
+          <<~README
+            #{content}
+
+            #### Git Submodule Commands
+
+            See git's [submodule documentation](https://git-scm.com/book/en/v2/Git-Tools-Submodules)
+            for more information on tracking changes to these files.
+
+            ##### Cloning this project
+
+            `git clone --recurse-submodules <<REPO_ADDRESS>>`
+
+            ##### Pull changes including OSCAL changes
+
+            `git pull --recurse-submodules`
+
+            ##### Push changes including OSCAL changes
+
+            `git push --recurse-submodules=check` _then_ `git push --recurse-submodules=on-demand`
+
+            ##### Helpful config settings:
+
+            * `git config diff.submodule log`
+            * `git config status.submodulesummary 1`
+            * `git config push.recurseSubmodules check`
+          README
+        end
+
+        def detach?
+          options[:detach]
+        end
+      end
+    end
+  end
+end

data/lib/rails_template18f/generators/base.rb

@@ -18,6 +18,7 @@ module RailsTemplate18f
 
       included do
         self.source_path = RailsTemplate18f::Generators.const_source_location(name).first
+        class_option :oscal_profile, desc: "Name of the OSCAL profile to populate. Only needed if multiple folders are present in doc/compliance/oscal/dist/system-security-plans"
       end
 
       private
@@ -36,24 +37,65 @@ module RailsTemplate18f
       end
 
       def file_content(filename)
-        file_path = File.expand_path(filename, destination_root)
-        if File.exist? file_path
-          File.read(file_path)
+        if file_exists?(filename)
+          File.read(file_path(filename))
         else
           ""
         end
       end
 
+      def file_path(filename)
+        File.expand_path(filename, destination_root)
+      end
+
+      def file_exists?(filename)
+        File.exist? file_path(filename)
+      end
+
       def ruby_version
         RUBY_VERSION
       end
 
+      def oscal_dir_exists?
+        Dir.exist? file_path("doc/compliance/oscal")
+      end
+
+      def insert_into_oscal(filename, content, after: "## What is the solution and how is it implemented?\n")
+        content = <<~EOS
+
+          **#{app_name} Implementation:**
+
+          #{content}
+        EOS
+        begin
+          insert_into_file File.join(oscal_path, filename), content, after: after
+        rescue Thor::Error => ex
+          warn ex.message
+        end
+      end
+
+      def oscal_path
+        @oscal_path ||= if options[:oscal_profile].present?
+          file_path(File.join("doc/compliance/oscal/dist/system-security-plans", options[:oscal_profile]))
+        else
+          ssp_dir = file_path("doc/compliance/oscal/dist/system-security-plans")
+          profiles = Dir.children(ssp_dir).select { |f| File.directory?(File.join(ssp_dir, f)) }
+          if profiles.empty?
+            fail "No OSCAL profiles found. Please run `make generate` from the `doc/compliance/oscal` folder"
+          elsif profiles.count > 1
+            fail "Multiple OSCAL profiles found. Please specify which one to update by passing the `--oscal-profile` option"
+          else
+            File.join(ssp_dir, profiles.first)
+          end
+        end
+      end
+
       def terraform_dir_exists?
-        Dir.exist? File.expand_path("terraform", destination_root)
+        Dir.exist? file_path("terraform")
       end
 
       def skip_git?
-        !Dir.exist?(File.expand_path(".git", destination_root))
+        !Dir.exist?(file_path(".git"))
       end
 
       def has_active_job?

data/lib/rails_template18f/generators/pipeline_options.rb

@@ -13,6 +13,176 @@ module RailsTemplate18f
       def terraform?
         options[:terraform].nil? ? terraform_dir_exists? : options[:terraform]
       end
+
+      def update_cicd_oscal_docs(ci_name)
+        if oscal_dir_exists?
+          update_ca7_oscal_doc
+          update_cm2_oscal_doc("GitHub Actions")
+          update_cm3_oscal_doc("GitHub Actions")
+          update_ra5_oscal_doc
+          update_sa11_oscal_doc("GitHub Actions")
+          update_sa22_oscal_doc
+          update_sc281_oscal_doc("GitHub Actions")
+          update_si2_oscal_doc
+          update_si10_oscal_doc
+        end
+      end
+
+      private
+
+      def update_ca7_oscal_doc
+        insert_into_oscal "ca-7.md", <<~EOS, after: "## Implementation a.\n"
+          * #{app_name} DevOps staff review OWASP and Dependency scans every build, or at least weekly.
+          * #{app_name} DevOps staff and the GSA ISSO review Web Application vulnerability scans on a weekly basis.
+          * #{app_name} Administrators and DevOps staff review changes for potential security impact and engage the #{app_name} ISSO and ISSM who will review or engage assessment staff as needed.
+        EOS
+      end
+
+      def update_cm2_oscal_doc(ci)
+        insert_into_oscal "cm-2.2.md", <<~EOS
+          The #{app_name} team develops, documents, and maintains a current baseline for the #{app_name} application
+          components under configuration control, managed via git and github.com, and orchestrated using #{ci}
+          and the cloud.gov Cloud Foundry CLI.
+
+          Note: All cloud.gov brokered services (including databases) are fully managed by the cloud.gov platform.
+          Due to this, the configuration and security of these services are not included in the #{app_name} configuration baseline.
+        EOS
+      end
+
+      def update_cm3_oscal_doc(ci)
+        insert_into_oscal "cm-3.1.md", <<~EOS, after: "## Implementation (f)\n"
+          #{app_name} employs #{ci} to execute proposed changes to the information system.
+          #{app_name} Administrators and #{app_name} Developers are automatically notified of
+          the success or failure of the change execution via the GitHub notification system.
+        EOS
+      end
+
+      def update_ra5_oscal_doc
+        insert_into_oscal "ra-5.md", <<~EOS, after: "## Implementation a.\n"
+          Any vulnerabilities in #{app_name} would have to be introduced at time of deployment because #{app_name}
+          is a set of cloud.gov managed applications with SSH disabled in Production. #{app_name} monitors for
+          vulnerabilities by ensuring that scans for vulnerabilities in the information system and hosted applications occur
+          daily and when new code is deployed.
+
+          OWASP ZAP scans are built into the #{app_name} CI/CD pipeline and runs a series of web vulnerability scans before
+          a successful deploy can be made to cloud.gov. Any issues or alerts caused by the scan are documented by #{app_name}
+          Operations and cause the deployment to fail. Issues are tracked in GitHub. The issue posted will provide information
+          on which endpoints are vulnerable and the level of vulnerability, ranging from **False Positive** to **High**.
+          The issue also provides a detailed report formatted in html, json, and markdown.
+
+          #{app_name} Administrators are responsible for reporting any new vulnerabilities reported by the OWASP ZAP scan to the #{app_name} ISSO.
+        EOS
+        insert_into_oscal "ra-5.md", <<~EOS, after: "## Implementation b.\n"
+          1. Alerts from each ZAP vulnerability scan are automatically reported in GitHub as an issue on the #{app_name} repository.
+          This issue will enumerate each finding and detail the type and severity of the vulnerability. #{app_name} Developers and
+          #{app_name} Administrators receive automated alerts via GitHub of the issues to remediate. Scan results are sent to the
+          #{app_name} System Owner by #{app_name} Administrators. The vulnerabilities are analyzed and prioritized within GitHub
+          based on input from the #{app_name} System Owner and ISSO.
+          1. The ZAP report contains vulnerabilities grouped by type and by risk level. The report also provides a detailed report
+          formatted in html, json, and markdown. The reported issues also include the CVE item associated with the vulnerability.
+          1. Vulnerabilities are classified by ZAP under a level range from **False Positive** to **High**. The impact level is
+          used to drive the priority of the effort to remediate.
+        EOS
+        insert_into_oscal "ra-5.md", <<~EOS, after: "## Implementation c.\n"
+          The ZAP vulnerability report contains information about how the attack was made and suggested solutions for each vulnerability found.
+          Any static code analysis findings identified during automation as part of the GitHub pull request process must be reviewed, analyzed,
+          and resolved by the #{app_name} Developer before the team can merge the pull request.
+        EOS
+      end
+
+      def update_sa11_oscal_doc(ci)
+        insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation a.\n"
+          The CI/CD pipeline utilizes multiple tools to perform static code analysis for security and privacy:
+
+          ### Brakeman
+          Brakeman is a static code scanner designed to find security issues in Ruby on Rails code. It can flag potential SQL injection,
+          Command Injection, open redirects, and other common vulnerabilities.
+
+          ### Bundle Audit
+          bundle-audit checks Ruby dependencies against a database of known CVE numbers.
+
+          ### Yarn Audit
+          yarn audit checks Javascript dependencies against a database of known CVE numbers.
+
+          ### OWASP ZAP
+          OWASP ZAP is a dynamic security scanner that can simulate actual attacks on a running server.
+
+          An additional RAILS_ENV has been created called ci. It inherits from production to ensure that the system being tested is as close as possible to production while allowing for overrides such as bypassing authentication in a secure way.
+        EOS
+        insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation b.\n"
+          #{ci} runs rspec tests for unit, integration, and regression testing at every code push to github.com and every Pull Request.
+        EOS
+        insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation c.\n"
+          Test and scan results can be viewed from within #{ci} for every run of the pipeline.
+
+          When #{ci} is run as a result of a Pull Request, the status of the tests and scans are automatically reported as part of the Pull Request.
+        EOS
+      end
+
+      def update_sa22_oscal_doc
+        insert_into_oscal "sa-22.md", <<~EOS, after: "## Implementation a.\n"
+          The #{app_name} application is built and supported by the #{app_name} DevOps staff.
+
+          #{app_name} utilizes public open source Ruby and NodeJS components.
+
+          #{app_name} utilizes dependency scanning tools Bundle Audit and Yarn Audit to find vulnerable or insecure dependencies.
+
+          If a vulnerable or insecure dependency is found it will be upgraded or replaced. Additionally the #{app_name} team code
+          review processes include a review of the health (up to date, supported, many individuals involved) of direct open source dependencies.
+        EOS
+        insert_into_oscal "sa-22.md", <<~EOS, after: "## Implementation b.\n"
+          There are currently no unsupported system components within #{app_name}. In case an unsupported system component is required
+          to maintain #{app_name}, the #{app_name} System Owner will be consulted to make a determination in coordination with the #{app_name} ISSO and ISSM.
+        EOS
+      end
+
+      def update_sc281_oscal_doc(ci)
+        insert_into_oscal "sc-28.1.md", <<~EOS
+          As an additional layer of protection, all PII data is encrypted using [Active Record Encryption — Ruby on Rails Guides](https://guides.rubyonrails.org/active_record_encryption.html).
+          This encryption is implemented in a using non-deterministic AES-256-GCM through Ruby's openssl library with a 256-bit key and a random initialization vector {rails crypto module}.
+
+          The Data Encryption Key is stored in the credentials.yml file in an encrypted format by Ruby's openssl library using the AES-128-GCM cipher,
+          and is built into the application package.
+
+          The credentials.yml decryption key is stored in #{ci} and injected into the running application as an environmental variable. The application then uses this key
+          to decrypt the credentials.yml file and obtain the Data Encryption Key.
+
+          A backup of the key is stored by the Lead Developer and System Owner within a keepass database stored in Google Drive.
+        EOS
+      end
+
+      def update_si2_oscal_doc
+        insert_into_oscal "si-2.md", <<~EOS, after: "Implementation a.\n"
+          Flaw and vulnerability checks are built into the #{app_name} CI/CD pipeline and automated to ensure compliance.
+          Dynamic vulnerability scans are performed against #{app_name} before a successful deployment and reports issues after every scan.
+          Compliance is documented in sections SA-11 and RA-5. The #{app_name} DevOps team uses GitHub as the Product Backlog to
+          track and prioritize issues related to system flaws.
+
+          The responsibility of remediating flaws and vulnerabilities (once a remediation is available) falls on the #{app_name} Developer,
+          who updates the #{app_name} code and deploys fixes as part of the normal development and CI/CD process.
+        EOS
+        insert_into_oscal "si-2.md", <<~EOS, after: "Implementation b.\n"
+          Any flaws or vulnerabilities resolved in #{app_name} result in a GitHub issue for triage via the #{app_name} CM Configuration Control
+          process described in CM-2(2). After resolving a vulnerability or flaw in #{app_name}, unit tests and integration tests are updated to
+          prevent further inclusion of similar flaws.
+
+          * All GitHub tickets have accompanying Acceptance Criteria that are used to create unit tests.
+          * Unit tests are run on the Development environment when new code is pushed.
+          * Integration tests are run on the Test environment when the remediation is deployed via the CI/CD process to ensure that the production
+          environment does not suffer from any side effects of the vulnerability remediation.
+          * Integration tests are run on the Prod environment when the remediation is deployed via the CI/CD process to validate the remediation and application functionality.
+          * All findings that are not remediated immediately are tracked in the #{app_name} Plan of Action and Milestones (POAM) by #{app_name} Operations and the #{app_name} ISSO.
+        EOS
+      end
+
+      def update_si10_oscal_doc
+        insert_into_oscal "si-10.md", <<~EOS
+          All inputs from the end user are parameterized prior to use to avoid potential sql injection.
+
+          #{app_name} utilizes Brakeman scanner as part of the CI/CD pipeline which further identifies coding practices
+          that may lead to application vulnerabilities that are a result of improper input validation.
+        EOS
+      end
     end
   end
 end

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "0.5.3"
+  VERSION = "0.7.1"
 end

data/template.rb

@@ -52,6 +52,13 @@ unless Gem::Dependency.new("rails", "~> 7.0.0").match?("rails", Rails.gem_versio
 end
 
 # ask setup questions
+compliance_template = yes?("Include OSCAL files from compliance-template? (y/n)")
+compliance_template_repo = "git@github.com:GSA-TTS/compliance-template.git"
+compliance_template_submodule = compliance_template && yes?("Clone #{compliance_template_repo} as a git submodule? (y/n)")
+if compliance_template_submodule
+  compliance_template_repo = ask("What is the git clone address of your compliance-template fork?")
+end
+
 terraform = yes?("Create terraform files for cloud.gov services? (y/n)")
 @cloud_gov_organization = ask("What is your cloud.gov organization name? (Leave blank to fill in later)")
 default_staging_space = "staging"
@@ -62,7 +69,7 @@ cloud_gov_production_space = ask("What is your cloud.gov production space name?
 cloud_gov_staging_space = default_staging_space if cloud_gov_staging_space.blank?
 cloud_gov_production_space = default_prod_space if cloud_gov_production_space.blank?
 
-@github_actions = yes?("Create Github Actions? (y/n)")
+@github_actions = yes?("Create GitHub Actions? (y/n)")
 @circleci_pipeline = yes?("Create CircleCI config? (y/n)")
 newrelic = yes?("Create FEDRAMP New Relic config files? (y/n)")
 dap = yes?("If this will be a public site, should we include Digital Analytics Program code? (y/n)")
@@ -226,35 +233,33 @@ end
 
 # setup USWDS and asset pipeline
 copy_file "browserslistrc", ".browserslistrc" if webpack?
-uncomment_lines "Gemfile", "sassc-rails" # use sassc-rails for asset minification in prod
 after_bundle do
-  js_startup = if webpack?
-    "webpack --config webpack.config.js"
-  else
-    "esbuild app/javascript/*.* --bundle --sourcemap --outdir=app/assets/builds"
-  end
-  insert_into_file "package.json", <<-EOJSON, before: /^\s+"dependencies"/
-  "scripts": {
-    "build": "#{js_startup}",
-    "build:css": "postcss ./app/assets/stylesheets/application.postcss.css -o ./app/assets/builds/application.css"
-  },
-  EOJSON
+  run 'npm set-script build:css "postcss ./app/assets/stylesheets/application.postcss.scss -o ./app/assets/builds/application.css"'
   # include verbose flag for dev postcss output
   gsub_file "Procfile.dev", "yarn build:css --watch", "yarn build:css --verbose --watch"
   # Replace postcss-nesting with sass since USWDS uses sass
   run "yarn remove postcss-nesting"
-  run "yarn add @csstools/postcss-sass"
-  run "yarn add postcss-scss"
+  run "yarn add @csstools/postcss-sass postcss-scss postcss-minify"
   insert_into_file "postcss.config.js", "  syntax: 'postcss-scss',\n", before: /^\s+plugins/
-  gsub_file "postcss.config.js", "postcss-nesting", "@csstools/postcss-sass"
-  run "yarn add uswds"
+  insert_into_file "package.json", <<-EOJSON, before: /^\s+\}$/
+  },
+  "resolutions": {
+    "@csstools/postcss-sass/@csstools/sass-import-resolve": "https://github.com/rahearn/sass-import-resolve"
+  EOJSON
+  gsub_file "postcss.config.js", "postcss-nesting'),", <<~EOJS.strip
+    @csstools/postcss-sass')({
+          includePaths: ['./node_modules/@uswds/uswds/packages'],
+        }),
+  EOJS
+  insert_into_file "postcss.config.js", "    process.env.NODE_ENV === 'production' ? require('postcss-minify') : null,\n", before: /^\s+\],/
+  run "yarn add @uswds/uswds"
   appjs_file = "app/javascript/application.js"
-  append_to_file appjs_file, "\nimport \"uswds\"\n"
+  append_to_file appjs_file, "\nimport \"@uswds/uswds\"\n"
   if hotwire?
     append_to_file appjs_file, <<~EOJS
 
       // make sure USWDS components are wired to their behavior after a Turbo navigation
-      import components from "uswds/src/js/components"
+      import components from "@uswds/uswds/src/js/components"
       let initialLoad = true;
       document.addEventListener("turbo:load", () => {
         if (initialLoad) {
@@ -272,9 +277,12 @@ after_bundle do
   end
   directory "app/assets"
   append_to_file "app/assets/stylesheets/application.postcss.css", <<~EOCSS
-    @import "uswds-settings.scss";
-    @import "../../../node_modules/uswds/dist/scss/uswds.scss";
+    @forward "uswds-settings.scss";
+    @forward "uswds-components.scss";
   EOCSS
+  inside "app/assets/stylesheets" do
+    File.rename("application.postcss.css", "application.postcss.scss")
+  end
   gsub_file "app/views/layouts/application.html.erb", "<html>", '<html lang="<%= I18n.locale %>">'
   gsub_file "app/views/layouts/application.html.erb", /^\s+<%= yield %>/, <<-EOHTML
     <%= render "application/usa_banner" %>
@@ -305,9 +313,6 @@ after_bundle do
     expect(rendered).to match "An official website of the United States government"
   end
   EOM
-
-  # Setup translations
-  generate "rails_template18f:i18n", "--languages=#{supported_languages.join(",")}", "--force"
 end
 
 # install ADRs and compliance documentation
@@ -317,6 +322,27 @@ register_announcement("Documentation", <<~EOM)
   * Remember to keep your Logical Data Model up to date in doc/compliance/apps/data.logical.md
 EOM
 
+if compliance_template
+  after_bundle do
+    generator_arguments = [
+      "--oscal_repo=#{compliance_template_repo}",
+      (compliance_template_submodule ? "--no-detach" : "--detach")
+    ]
+    generate "rails_template18f:oscal", *generator_arguments
+  end
+  register_announcement("OSCAL Documentation", <<~EOM)
+    OSCAL files have been generated with some default implementation statements in `doc/compliance/oscal`
+
+    All generated statements must be reviewed for accuracy with your system's implementation before being
+    submitted for authorization.
+  EOM
+end
+
+after_bundle do
+  # Setup translations
+  generate "rails_template18f:i18n", "--languages=#{supported_languages.join(",")}", "--force"
+end
+
 if newrelic
   after_bundle do
     generate "rails_template18f:newrelic"
@@ -383,11 +409,11 @@ if @github_actions
     generate "rails_template18f:github_actions", *generator_arguments
   end
   if cloud_gov_org_tktk?
-    register_announcement("Github Actions", <<~EOM)
+    register_announcement("GitHub Actions", <<~EOM)
       * Fill in the cloud.gov organization information in .github/workflows/deploy-staging.yml
     EOM
   end
-  register_announcement("Github Actions", <<~EOM)
+  register_announcement("GitHub Actions", <<~EOM)
     * Create environment variable secrets for deploy users as defined in the Deployment section of the README
   EOM
 end
@@ -450,6 +476,17 @@ after_bundle do
 
   unless skip_git?
     run "cp .gitignore .cfignore"
+    append_to_file ".cfignore", <<~EOM
+
+      # compliance documentation
+      /doc/compliance/
+    EOM
+    if compliance_template_submodule
+      inside "doc/compliance/oscal" do
+        run "git add -A"
+        run "git diff-index --quiet HEAD || git commit -am 'rails-template generated control statements'"
+      end
+    end
     git add: "."
     git commit: "-a -m 'Initial commit'"
   end

data/templates/README.md.tt

@@ -141,6 +141,8 @@ Configuration that changes from staging to production, but is public, should be
 
 ## Documentation
 
+### Architectural Decision Records
+
 Architectural Decision Records (ADR) are stored in `doc/adr`
 To create a new ADR, first install [ADR-tools](https://github.com/npryce/adr-tools) if you don't
 already have it installed.

data/templates/app/assets/images/uswds.js

@@ -1,5 +1,6 @@
 // Glue to find USWDS images with the `image_tag` helper
 
-//= link uswds/dist/img/us_flag_small.png
-//= link uswds/dist/img/icon-dot-gov.svg
-//= link uswds/dist/img/icon-https.svg
+//= link @uswds/uswds/dist/img/us_flag_small.png
+//= link @uswds/uswds/dist/img/icon-dot-gov.svg
+//= link @uswds/uswds/dist/img/icon-https.svg
+//= link @uswds/uswds/dist/img/usa-icons/close.svg

data/templates/app/assets/stylesheets/uswds-components.scss

@@ -0,0 +1,7 @@
+@forward "uswds-global";
+@forward "uswds-utilities";
+@forward "uswds-typography";
+@forward "usa-header";
+@forward "usa-banner";
+@forward "usa-section";
+// add additional packages here as you use them

data/templates/app/assets/stylesheets/uswds-settings.scss

@@ -1,7 +1,10 @@
-// Point the asset pipline to the correct locations
-$theme-font-path: "uswds/dist/fonts";
-$theme-image-path: "uswds/dist/img";
+@use "uswds-core" with (
+  // Point the asset pipline to the correct locations
+  $theme-font-path: "@uswds/uswds/dist/fonts",
+  $theme-image-path: "@uswds/uswds/dist/img",
 
-$theme-show-notifications: false;
+  $theme-show-notifications: false,
 
-// Put your USWDS Theme settings here
+  // Put your USWDS Theme settings here
+
+);

data/templates/app/views/application/_demo_site_banner.html.erb

@@ -1,3 +1,3 @@
-<div class="font-sans-lg padding-y-4 bg-secondary-darker text-white line-height-1 text-center">
+<div class="font-sans-lg padding-y-4 bg-secondary-darker text-white line-height-heading-1 text-center">
   <%= t('shared.header.demo_banner') %>
-</div>
+</div>

data/templates/app/views/application/_header.html.erb

@@ -11,7 +11,7 @@
     </div>
     <nav aria-label="<%= t('shared.header.primary') %>" class="usa-nav">
       <button class="usa-nav__close">
-        <%= image_tag "uswds/dist/img/usa-icons/close.svg", role: "img", alt: t('shared.header.close') %>
+        <%= image_tag "@uswds/uswds/dist/img/usa-icons/close.svg", role: "img", alt: t('shared.header.close') %>
       </button>
       <ul class="usa-nav__primary usa-accordion">
         <% I18n.available_locales.each do |l| %>

data/templates/app/views/application/_usa_banner.html.erb

@@ -5,7 +5,7 @@
     <header class="usa-banner__header">
       <div class="usa-banner__inner">
         <div class="grid-col-auto">
-          <%= image_tag "uswds/dist/img/us_flag_small.png", alt: t('shared.banner.us_flag'), class: "usa-banner__header-flag" %>
+          <%= image_tag "@uswds/uswds/dist/img/us_flag_small.png", alt: t('shared.banner.us_flag'), class: "usa-banner__header-flag" %>
         </div>
         <div class="grid-col-fill tablet:grid-col-auto">
           <p class="usa-banner__header-text">
@@ -30,14 +30,14 @@
       <% end %>
       <div class="grid-row grid-gap-lg">
         <div class="usa-banner__guidance tablet:grid-col-6">
-          <%= image_tag "uswds/dist/img/icon-dot-gov.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
+          <%= image_tag "@uswds/uswds/dist/img/icon-dot-gov.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
           <div class="usa-media-block__body">
             <strong><%= t('shared.banner.gov_heading') %></strong>
             <br> <%= t('shared.banner.gov_description_html') %>
           </div>
         </div>
         <div class="usa-banner__guidance tablet:grid-col-6">
-          <%= image_tag "uswds/dist/img/icon-https.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
+          <%= image_tag "@uswds/uswds/dist/img/icon-https.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
           <div class="usa-media-block__body">
             <p>
               <strong><%= t('shared.banner.secure_heading') %></strong>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_template_18f
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.7.1
 platform: ruby
 authors:
 - Ryan Ahearn
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-06-06 00:00:00.000000000 Z
+date: 2022-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -166,6 +166,7 @@ files:
 - lib/generators/rails_template18f/i18n_js/templates/lib/tasks/i18n.rake
 - lib/generators/rails_template18f/newrelic/newrelic_generator.rb
 - lib/generators/rails_template18f/newrelic/templates/config/newrelic.yml.tt
+- lib/generators/rails_template18f/oscal/oscal_generator.rb
 - lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb
 - lib/generators/rails_template18f/sidekiq/templates/config/initializers/redis.rb
 - lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt
@@ -214,6 +215,7 @@ files:
 - templates/Brewfile
 - templates/README.md.tt
 - templates/app/assets/images/uswds.js
+- templates/app/assets/stylesheets/uswds-components.scss
 - templates/app/assets/stylesheets/uswds-settings.scss
 - templates/app/views/application/_banner_lock_icon.html.erb
 - templates/app/views/application/_demo_site_banner.html.erb