rails_template_18f 0.7.0 → 0.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a69496a0836c43df3d636ecf91d120c5975b8462ab285edaacc2494b3af8265f
4
- data.tar.gz: 7d1fbc494eb83d99bb0f498fc983db9dd6d45c1ca37895da5a60876c5fea5d0f
3
+ metadata.gz: dcc4a62d027d473b29b87425d2418522373457ae750a3bfa1e7d5834f3e3d39f
4
+ data.tar.gz: 88d86b8508c80de0b0593ca4852a789442e4ac5e84324c074e866bc85d50de37
5
5
  SHA512:
6
- metadata.gz: 35b93c784bd2fd885745e300e16d054861ef48303dfde9167a6c21edaeb0e78c846a950e99d51d559868f71275c341443a158bd84b766b9b0a822d2d68606d25
7
- data.tar.gz: 10703f7f1a3a75ecdd62fcc05123058b75dd6d9685121ee0bb38f0014d3354ab15ff2b4f30619439c436d4be2c58247d4e07ec65172c49c769c2b346e7802023
6
+ metadata.gz: b8145b8f45a774296b8ea2add76694855f5c618e5900e2dcb4528666c6a855913d5a8eace278d1f208bce0ff1fa23818544bf1a931b11e88856451684fa6a465
7
+ data.tar.gz: ef237cfc40495ef9bece29583ad4007c08631e5cfd092e9415914442ffa588302a980f4fef1584d520827df970a791d1633a43cbe90e8d5eb72c036be7e84a0c
data/CHANGELOG.md CHANGED
@@ -1,5 +1,21 @@
1
1
  ## [Unreleased]
2
2
 
3
+ ## [0.8.0] - 2022-07-14
4
+
5
+ - use rails-erd gem for auto-updating logical data models
6
+ - use cleaner multi-line strings for GitHub Actions deploy steps
7
+ - generate an SBOM for ruby dependencies in either Github Actions or CircleCI using cyclonedx-ruby
8
+
9
+ ## [0.7.2] - 2022-07-07
10
+
11
+ - update default node version in github actions to 16.15
12
+ - update OSCAL message format to include the app_name as an OSCAL component once assembled
13
+
14
+ ## [0.7.1] - 2022-07-05
15
+
16
+ - fix issue with initial git commit when no OSCAL docs were updated during initial app creation
17
+ - add extra content to project README about working with submodules
18
+
3
19
  ## [0.7.0] - 2022-07-05
4
20
 
5
21
  - OSCAL generator to integrate with https://github.com/GSA-TTS/compliance-template
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- rails_template_18f (0.7.0)
4
+ rails_template_18f (0.8.0)
5
5
  activesupport (~> 7.0.0)
6
6
  colorize (~> 0.8)
7
7
  railties (~> 7.0.0)
@@ -86,10 +86,6 @@ module RailsTemplate18f
86
86
  end
87
87
  end
88
88
 
89
- def update_data_model_uml
90
- insert_into_file "doc/compliance/apps/data.logical.md", data_model_uml, before: "@enduml"
91
- end
92
-
93
89
  def generate_adr
94
90
  adr_dir = File.expand_path(File.join("doc", "adr"), destination_root)
95
91
  if Dir.exist? adr_dir
@@ -108,45 +104,6 @@ module RailsTemplate18f
108
104
  EOS
109
105
  end
110
106
  end
111
-
112
- no_tasks do
113
- def data_model_uml
114
- <<~UML
115
- class file_uploads {
116
- * id : bigint <<generated>>
117
- * scan_status : string
118
- * record_id : bigint
119
- * record_type : string
120
- }
121
- class active_storage_attachments {
122
- * id : bigint <<generated>>
123
- * name : string
124
- * record_type : string
125
- * record_id : bigint
126
- * blob_id : bigint
127
- * created_at : timestamp without time zone
128
- }
129
- class active_storage_blobs {
130
- * id : bigint <<generated>>
131
- * key : string
132
- * filename : string
133
- content_type : string
134
- metadata : text
135
- * service_name : string
136
- * byte_size : bigint
137
- checksum : string
138
- * created_at : timestamp without time zone
139
- }
140
- class active_storage_variant_records {
141
- * id : bigint <<generated>>
142
- * variation_digest : string
143
- }
144
- file_uploads ||--|| active_storage_attachments
145
- active_storage_attachments ||--|{ active_storage_blobs
146
- active_storage_variant_records ||--|{ active_storage_blobs
147
- UML
148
- end
149
- end
150
107
  end
151
108
  end
152
109
  end
@@ -133,6 +133,20 @@ jobs:
133
133
  name: Yarn audit
134
134
  command: bundle exec rake yarn:audit
135
135
 
136
+ sbom_generation:
137
+ docker:
138
+ - image: cimg/ruby:<%= ruby_version %>
139
+ steps:
140
+ - setup-project
141
+ - run:
142
+ name: Install cyclonedx
143
+ command: gem install cyclonedx-ruby
144
+ - run:
145
+ name: Generate BOM
146
+ command: cyclonedx-ruby -p . -o ruby_bom.xml
147
+ - store_artifacts:
148
+ path: ./ruby_bom.xml
149
+
136
150
  owasp_scan:
137
151
  machine:
138
152
  image: ubuntu-2004:202111-02
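Review bot: The new `sbom_generation` job installs the SBOM tool unpinned (`gem install cyclonedx-ruby`), so the component that produces the supply-chain evidence is itself whatever version RubyGems serves on the day the job runs, and its output format can drift between runs. Pin it, either with an explicit version (`gem install cyclonedx-ruby -v "<pinned version>"`) or, better, by adding `cyclonedx-ruby` to a Gemfile group so it is locked in Gemfile.lock and invoked as `bundle exec cyclonedx-ruby -p . -o ruby_bom.xml`. The job relies on `setup-project` having already run `bundle install` so that `Gemfile.lock` resolves; that step is defined outside this hunk, so worth confirming.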
@@ -343,6 +357,9 @@ workflows:
343
357
  - static_security_scans:
344
358
  requires:
345
359
  - build
360
+ - sbom_generation:
361
+ requires:
362
+ - build
346
363
  - owasp_scan:
347
364
  requires:
348
365
  - build
@@ -145,7 +145,7 @@ EOB
145
145
  elsif File.exist?(nvmrc_path)
146
146
  File.read(nvmrc_path).strip
147
147
  else
148
- "16.13"
148
+ "16.15"
149
149
  end
150
150
  end
151
151
 
@@ -37,3 +37,20 @@ jobs:
37
37
 
38
38
  - name: Run yarn audit
39
39
  run: bundle exec rake yarn:audit
40
+
41
+ ruby-bom:
42
+ name: Ruby SBOM Generation
43
+ runs-on: ubuntu-latest
44
+
45
+ steps:
46
+ - uses: actions/checkout@v2
47
+ - uses: ./.github/actions/setup-languages
48
+ - name: Install cyclonedx
49
+ run: gem install cyclonedx-ruby
50
+ - name: Generate BOM
51
+ run: cyclonedx-ruby -p . -o ruby_bom.xml
52
+ - name: Save BOM
53
+ uses: actions/upload-artifact@v3
54
+ with:
55
+ name: ruby-bom
56
+ path: ./ruby_bom.xml
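Review bot: The `ruby-bom` job references `actions/checkout@v2` by mutable tag while the same job already uses `actions/upload-artifact@v3`; for a job whose whole purpose is supply-chain evidence, pin both actions to a full commit SHA (with the tag in a trailing comment) rather than a moving tag, and at least move checkout to `v3` for consistency. The `gem install cyclonedx-ruby` step is likewise unpinned and should carry `-v "<pinned version>"` or come from the Gemfile via `bundle exec`. I cannot see the workflow's `permissions:` block from this hunk; if it is not set, `permissions: contents: read` at job level keeps this job's token read-only.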
@@ -50,4 +50,6 @@ jobs:
50
50
  cf_password: ${{ secrets.CF_PASSWORD }}
51
51
  cf_org: <%= cloud_gov_organization %>
52
52
  cf_space: <%= cloud_gov_production_space %>
53
- push_arguments: "--vars-file config/deployment/production.yml --var rails_master_key=$RAILS_MASTER_KEY"
53
+ push_arguments: >-
54
+ --vars-file config/deployment/production.yml
55
+ --var rails_master_key=$RAILS_MASTER_KEY
@@ -50,4 +50,6 @@ jobs:
50
50
  cf_password: ${{ secrets.CF_PASSWORD }}
51
51
  cf_org: <%= cloud_gov_organization %>
52
52
  cf_space: <%= cloud_gov_staging_space %>
53
- push_arguments: "--vars-file config/deployment/staging.yml --var rails_master_key=$RAILS_MASTER_KEY"
53
+ push_arguments: >-
54
+ --vars-file config/deployment/staging.yml
55
+ --var rails_master_key=$RAILS_MASTER_KEY
@@ -44,30 +44,54 @@ module RailsTemplate18f
44
44
  end
45
45
  end
46
46
 
47
+ def configure_submodule
48
+ unless detach?
49
+ git config: "-f .gitmodules submodule.\"doc/compliance/oscal\".branch #{branch_name}"
50
+ git config: "diff.submodule log"
51
+ git config: "status.submodulesummary 1"
52
+ git config: "push.recurseSubmodules check"
53
+ end
54
+ end
55
+
47
56
  no_tasks do
48
57
  def branch_name
49
58
  options[:branch].present? ? options[:branch] : app_name
50
59
  end
51
60
 
52
61
  def readme_contents
53
- if detach?
54
- <<~README
62
+ content = <<~README
55
63
 
56
- ### Compliance Documentation
64
+ ### Compliance Documentation
57
65
 
58
- Security Controls should be documented within doc/compliance/oscal.
59
- README
60
- else
61
- <<~README
66
+ Security Controls should be documented within doc/compliance/oscal.
67
+ README
68
+ return content if detach?
69
+ <<~README
70
+ #{content}
62
71
 
63
- ### Compliance Documentation
72
+ #### Git Submodule Commands
64
73
 
65
- Security Controls should be documented within doc/compliance/oscal.
74
+ See git's [submodule documentation](https://git-scm.com/book/en/v2/Git-Tools-Submodules)
75
+ for more information on tracking changes to these files.
66
76
 
67
- See git's [submodule documentation](https://git-scm.com/book/en/v2/Git-Tools-Submodules)
68
- for more information on tracking changes to these files.
69
- README
70
- end
77
+ ##### Cloning this project
78
+
79
+ `git clone --recurse-submodules <<REPO_ADDRESS>>`
80
+
81
+ ##### Pull changes including OSCAL changes
82
+
83
+ `git pull --recurse-submodules`
84
+
85
+ ##### Push changes including OSCAL changes
86
+
87
+ `git push --recurse-submodules=check` _then_ `git push --recurse-submodules=on-demand`
88
+
89
+ ##### Helpful config settings:
90
+
91
+ * `git config diff.submodule log`
92
+ * `git config status.submodulesummary 1`
93
+ * `git config push.recurseSubmodules check`
94
+ README
71
95
  end
72
96
 
73
97
  def detach?
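Review bot: `configure_submodule` interpolates `branch_name` unquoted into the `git config` command line, and `branch_name` comes from the user-supplied `--branch` option (or `app_name`); as far as I can tell Thor's `git` helper runs this through `run`, i.e. a shell, so a value containing spaces or shell metacharacters either corrupts `.gitmodules` or is executed. This is a local developer-facing generator, so the exposure is low, but quoting is cheap: `git config: "-f .gitmodules submodule.\"doc/compliance/oscal\".branch #{Shellwords.escape(branch_name)}"` (with `require "shellwords"` at the top of the file). The remaining three `git config` calls are fixed strings and fine.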
@@ -0,0 +1,49 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "rails/generators"
4
+
5
+ module RailsTemplate18f
6
+ module Generators
7
+ class RailsErdGenerator < ::Rails::Generators::Base
8
+ include Base
9
+
10
+ desc <<~DESC
11
+ Description:
12
+ Install rails-erd and configure to automatically run on db migration
13
+ DESC
14
+
15
+ def install_graphviz
16
+ append_to_file "Brewfile", <<~EOB
17
+
18
+ # used by rails-erd documentation tool
19
+ brew "graphviz"
20
+ EOB
21
+ end
22
+
23
+ def install_gem
24
+ return if gem_installed?("rails-erd")
25
+ gem "rails-erd", "~> 1.7", group: :development
26
+ end
27
+
28
+ def install_helper_tasks
29
+ bundle_install do
30
+ generate "erd:install"
31
+ end
32
+ end
33
+
34
+ def copy_config
35
+ copy_file "erdconfig", ".erdconfig"
36
+ end
37
+
38
+ def update_readme
39
+ insert_into_file "doc/compliance/README.md", <<~EOM, before: "## Development"
40
+ ### Logical Data Model
41
+
42
+ The logical data model will be auto-generated on each database migration.
43
+ The rendered output is saved to doc/compliance/rendered/apps/data.logical.pdf
44
+
45
+ EOM
46
+ end
47
+ end
48
+ end
49
+ end
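Review bot: `install_graphviz` unconditionally calls `append_to_file "Brewfile"`; in current Thor `append_to_file` is `insert_into_file` with an end-of-file anchor and raises `Thor::Error` when the target does not exist, so running this generator on an app that was not created with a Brewfile aborts the whole generator before the gem is even added. A one-line guard keeps it best-effort: `return unless File.exist?(File.join(destination_root, "Brewfile"))`. Similarly, `update_readme` silently does nothing if `doc/compliance/README.md` lacks a `## Development` heading, which is worth a comment on that method so the dependency on the README template is explicit.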
@@ -0,0 +1,9 @@
1
+ attributes:
2
+ - content
3
+ - timestamps
4
+ filename: "doc/compliance/rendered/apps/data.logical"
5
+ filetype: pdf
6
+ inheritance: false
7
+ orientation: horizontal
8
+ polymorphism: false
9
+ exclude: "ActiveRecord::InternalMetadata,ActiveRecord::SchemaMigration"
@@ -63,7 +63,7 @@ module RailsTemplate18f
63
63
  def insert_into_oscal(filename, content, after: "## What is the solution and how is it implemented?\n")
64
64
  content = <<~EOS
65
65
 
66
- **#{app_name} Implementation:**
66
+ ### #{app_name}
67
67
 
68
68
  #{content}
69
69
  EOS
@@ -17,14 +17,15 @@ module RailsTemplate18f
17
17
  def update_cicd_oscal_docs(ci_name)
18
18
  if oscal_dir_exists?
19
19
  update_ca7_oscal_doc
20
- update_cm2_oscal_doc("GitHub Actions")
21
- update_cm3_oscal_doc("GitHub Actions")
20
+ update_cm2_oscal_doc(ci_name)
21
+ update_cm3_oscal_doc(ci_name)
22
22
  update_ra5_oscal_doc
23
- update_sa11_oscal_doc("GitHub Actions")
23
+ update_sa11_oscal_doc(ci_name)
24
24
  update_sa22_oscal_doc
25
- update_sc281_oscal_doc("GitHub Actions")
25
+ update_sc281_oscal_doc(ci_name)
26
26
  update_si2_oscal_doc
27
27
  update_si10_oscal_doc
28
+ update_sr3_oscal_doc(ci_name)
28
29
  end
29
30
  end
30
31
 
@@ -94,18 +95,11 @@ module RailsTemplate18f
94
95
  insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation a.\n"
95
96
  The CI/CD pipeline utilizes multiple tools to perform static code analysis for security and privacy:
96
97
 
97
- ### Brakeman
98
- Brakeman is a static code scanner designed to find security issues in Ruby on Rails code. It can flag potential SQL injection,
98
+ * **Brakeman** is a static code scanner designed to find security issues in Ruby on Rails code. It can flag potential SQL injection,
99
99
  Command Injection, open redirects, and other common vulnerabilities.
100
-
101
- ### Bundle Audit
102
- bundle-audit checks Ruby dependencies against a database of known CVE numbers.
103
-
104
- ### Yarn Audit
105
- yarn audit checks Javascript dependencies against a database of known CVE numbers.
106
-
107
- ### OWASP ZAP
108
- OWASP ZAP is a dynamic security scanner that can simulate actual attacks on a running server.
100
+ * **bundle-audit** checks Ruby dependencies against a database of known CVE numbers.
101
+ * **yarn audit** checks Javascript dependencies against a database of known CVE numbers.
102
+ * **OWASP ZAP** is a dynamic security scanner that can simulate actual attacks on a running server.
109
103
 
110
104
  An additional RAILS_ENV has been created called ci. It inherits from production to ensure that the system being tested is as close as possible to production while allowing for overrides such as bypassing authentication in a secure way.
111
105
  EOS
@@ -183,6 +177,14 @@ module RailsTemplate18f
183
177
  that may lead to application vulnerabilities that are a result of improper input validation.
184
178
  EOS
185
179
  end
180
+
181
+ def update_sr3_oscal_doc(ci)
182
+ insert_into_oscal "sr-3.md", <<~EOS, after: "Implementation b.\n"
183
+ A complete Software Bill of Materials (SBOM) for all Ruby dependencies is automatically
184
+ generated by #{ci} on each push to GitHub as well as on a nightly basis. These can be downloaded
185
+ from the applicable artifact section for each CI job.
186
+ EOS
187
+ end
186
188
  end
187
189
  end
188
190
  end
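Review bot: The SR-3 control narrative written by `update_sr3_oscal_doc` asserts the SBOM is generated "on each push to GitHub as well as on a nightly basis", but nothing in this change shows a schedule trigger for either CI system (the hunks only add the job definitions), so the statement may overstate what the pipeline actually does and would not survive an assessor checking the workflow file. Either confirm the workflow has a `schedule:` trigger or soften the wording to `generated by #{ci} on every CI run`. The narrative also says "complete"; `cyclonedx-ruby` covers only what is in `Gemfile.lock`, so "for all Ruby dependencies" is accurate but "complete" invites questions about JavaScript dependencies that this job does not inventory. The enclosing module starts outside this hunk.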
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module RailsTemplate18f
4
- VERSION = "0.7.0"
4
+ VERSION = "0.8.0"
5
5
  end
data/template.rb CHANGED
@@ -319,8 +319,10 @@ end
319
319
  directory "doc"
320
320
  register_announcement("Documentation", <<~EOM)
321
321
  * Include a short description of your application in doc/compliance/apps/application.boundary.md
322
- * Remember to keep your Logical Data Model up to date in doc/compliance/apps/data.logical.md
323
322
  EOM
323
+ after_bundle do
324
+ generate "rails_template18f:rails_erd"
325
+ end
324
326
 
325
327
  if compliance_template
326
328
  after_bundle do
@@ -483,7 +485,8 @@ after_bundle do
483
485
  EOM
484
486
  if compliance_template_submodule
485
487
  inside "doc/compliance/oscal" do
486
- git commit: "-a -m 'rails-template generated control statements'"
488
+ run "git add -A"
489
+ run "git diff-index --quiet HEAD || git commit -am 'rails-template generated control statements'"
487
490
  end
488
491
  end
489
492
  git add: "."
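Review bot: Neither `run` call in the submodule block checks its exit status, so if `git commit` inside `doc/compliance/oscal` fails for any reason the failure is printed and ignored, and the outer `git add: "."` then pins whatever submodule HEAD happened to exist, leaving the generated control statements uncommitted without the generator noticing. Since `git diff-index --quiet HEAD || git commit ...` exits 0 on the no-changes path and with the commit's status otherwise, `run "git diff-index --quiet HEAD || git commit -am 'rails-template generated control statements'", abort_on_failure: true` surfaces the real failure (assuming the Thor version in use supports that option). With `git add -A` already run, the `-a` on the commit is redundant but harmless. The enclosing `after_bundle` block starts outside this hunk.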
@@ -1,13 +1,18 @@
1
1
  # Compliance artifacts
2
2
 
3
- ## What is this?
4
-
5
3
  In order to maintain and revise compliance materials with minimal fuss, we store all artifacts as text source (eg Markdown, PlantUML, OSCAL), then generate rendered materials for consumption by downstream entities in the assessment and authorization process.
6
4
 
7
5
  This directory initially just contains system architecture diagrams corresponding to sections 1-12 of a typical System Security Plan (SSP) document.
8
6
 
9
7
  The source for other things (OSCAL for control descriptions, evidence generation scripts, etc) will appear here over time.
10
8
 
9
+ ## Documents
10
+
11
+ ### Application Boundary
12
+
13
+ The UML source of the application boundary is stored at doc/compliance/apps/application.boundary.md.
14
+ The rendered output is saved to doc/compliance/rendered/apps/application.boundary.svg
15
+
11
16
  ## Development
12
17
 
13
18
  These plugins may be helpful for editing diagrams.
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails_template_18f
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.7.0
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryan Ahearn
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-07-05 00:00:00.000000000 Z
11
+ date: 2022-07-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: railties
@@ -167,6 +167,8 @@ files:
167
167
  - lib/generators/rails_template18f/newrelic/newrelic_generator.rb
168
168
  - lib/generators/rails_template18f/newrelic/templates/config/newrelic.yml.tt
169
169
  - lib/generators/rails_template18f/oscal/oscal_generator.rb
170
+ - lib/generators/rails_template18f/rails_erd/rails_erd_generator.rb
171
+ - lib/generators/rails_template18f/rails_erd/templates/erdconfig
170
172
  - lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb
171
173
  - lib/generators/rails_template18f/sidekiq/templates/config/initializers/redis.rb
172
174
  - lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt
@@ -235,7 +237,6 @@ files:
235
237
  - templates/doc/adr/0004-rails-csp-compliant-script-tag-helpers.md.tt
236
238
  - templates/doc/compliance/README.md
237
239
  - templates/doc/compliance/apps/application.boundary.md.tt
238
- - templates/doc/compliance/apps/data.logical.md
239
240
  - templates/doc/compliance/rendered/apps/.keep
240
241
  - templates/editorconfig
241
242
  - templates/env
@@ -1,21 +0,0 @@
1
- # Logical Data Model
2
-
3
- ![logical data model view](../rendered/apps/data.logical.svg)
4
-
5
- ```plantuml
6
- @startuml
7
- scale 0.65
8
-
9
- ' avoid problems with angled crows feet
10
- skinparam linetype ortho
11
-
12
- class TKTK_Example {
13
- * id : integer <<generated>>
14
- }
15
- @enduml
16
- ```
17
-
18
- ### Notes
19
-
20
- * See the help docs for [Entity Relationship Diagram](https://plantuml.com/ie-diagram) and [Class Diagram](https://plantuml.com/class-diagram) for syntax help.
21
- * We're using the `*` visibility modifier to denote fields that cannot be `null`.