rails_template_18f 0.7.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a69496a0836c43df3d636ecf91d120c5975b8462ab285edaacc2494b3af8265f
-  data.tar.gz: 7d1fbc494eb83d99bb0f498fc983db9dd6d45c1ca37895da5a60876c5fea5d0f
+  metadata.gz: dcc4a62d027d473b29b87425d2418522373457ae750a3bfa1e7d5834f3e3d39f
+  data.tar.gz: 88d86b8508c80de0b0593ca4852a789442e4ac5e84324c074e866bc85d50de37
 SHA512:
-  metadata.gz: 35b93c784bd2fd885745e300e16d054861ef48303dfde9167a6c21edaeb0e78c846a950e99d51d559868f71275c341443a158bd84b766b9b0a822d2d68606d25
-  data.tar.gz: 10703f7f1a3a75ecdd62fcc05123058b75dd6d9685121ee0bb38f0014d3354ab15ff2b4f30619439c436d4be2c58247d4e07ec65172c49c769c2b346e7802023
+  metadata.gz: b8145b8f45a774296b8ea2add76694855f5c618e5900e2dcb4528666c6a855913d5a8eace278d1f208bce0ff1fa23818544bf1a931b11e88856451684fa6a465
+  data.tar.gz: ef237cfc40495ef9bece29583ad4007c08631e5cfd092e9415914442ffa588302a980f4fef1584d520827df970a791d1633a43cbe90e8d5eb72c036be7e84a0c

data/CHANGELOG.md

@@ -1,5 +1,21 @@
 ## [Unreleased]
 
+## [0.8.0] - 2022-07-14
+
+- use rails-erd gem for auto-updating logical data models
+- use cleaner multi-line strings for GitHub Actions deploy steps
+- generate an SBOM for ruby dependencies in either Github Actions or CircleCI using cyclonedx-ruby
+
+## [0.7.2] - 2022-07-07
+
+- update default node version in github actions to 16.15
+- update OSCAL message format to include the app_name as an OSCAL component once assembled
+
+## [0.7.1] - 2022-07-05
+
+- fix issue with initial git commit when no OSCAL docs were updated during initial app creation
+- add extra content to project README about working with submodules
+
 ## [0.7.0] - 2022-07-05
 
 - OSCAL generator to integrate with https://github.com/GSA-TTS/compliance-template

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (0.7.0)
+    rails_template_18f (0.8.0)
       activesupport (~> 7.0.0)
       colorize (~> 0.8)
       railties (~> 7.0.0)

data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb

@@ -86,10 +86,6 @@ module RailsTemplate18f
         end
       end
 
-      def update_data_model_uml
-        insert_into_file "doc/compliance/apps/data.logical.md", data_model_uml, before: "@enduml"
-      end
-
       def generate_adr
         adr_dir = File.expand_path(File.join("doc", "adr"), destination_root)
         if Dir.exist? adr_dir
@@ -108,45 +104,6 @@ module RailsTemplate18f
           EOS
         end
       end
-
-      no_tasks do
-        def data_model_uml
-          <<~UML
-            class file_uploads {
-              * id : bigint <<generated>>
-              * scan_status : string
-              * record_id : bigint
-              * record_type : string
-            }
-            class active_storage_attachments {
-              * id : bigint <<generated>>
-              * name : string
-              * record_type : string
-              * record_id : bigint
-              * blob_id : bigint
-              * created_at : timestamp without time zone
-            }
-            class active_storage_blobs {
-              * id : bigint <<generated>>
-              * key : string
-              * filename : string
-              content_type : string
-              metadata : text
-              * service_name : string
-              * byte_size : bigint
-              checksum : string
-              * created_at : timestamp without time zone
-            }
-            class active_storage_variant_records {
-              * id : bigint <<generated>>
-              * variation_digest : string
-            }
-            file_uploads ||--|| active_storage_attachments
-            active_storage_attachments ||--|{ active_storage_blobs
-            active_storage_variant_records ||--|{ active_storage_blobs
-          UML
-        end
-      end
     end
   end
 end

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -133,6 +133,20 @@ jobs:
           name: Yarn audit
           command: bundle exec rake yarn:audit
 
+  sbom_generation:
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+    steps:
+      - setup-project
+      - run:
+          name: Install cyclonedx
+          command: gem install cyclonedx-ruby
+      - run:
+          name: Generate BOM
+          command: cyclonedx-ruby -p . -o ruby_bom.xml
+      - store_artifacts:
+          path: ./ruby_bom.xml
+
   owasp_scan:
     machine:
       image: ubuntu-2004:202111-02
@@ -343,6 +357,9 @@ workflows:
       - static_security_scans:
           requires:
             - build
+      - sbom_generation:
+          requires:
+            - build
       - owasp_scan:
           requires:
             - build

data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb

@@ -145,7 +145,7 @@ EOB
         elsif File.exist?(nvmrc_path)
           File.read(nvmrc_path).strip
         else
-          "16.13"
+          "16.15"
         end
       end
 

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/dependency-scans.yml

@@ -37,3 +37,20 @@ jobs:
 
       - name: Run yarn audit
         run: bundle exec rake yarn:audit
+
+  ruby-bom:
+    name: Ruby SBOM Generation
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/setup-languages
+      - name: Install cyclonedx
+        run: gem install cyclonedx-ruby
+      - name: Generate BOM
+        run: cyclonedx-ruby -p . -o ruby_bom.xml
+      - name: Save BOM
+        uses: actions/upload-artifact@v3
+        with:
+          name: ruby-bom
+          path: ./ruby_bom.xml

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt

@@ -50,4 +50,6 @@ jobs:
           cf_password: ${{ secrets.CF_PASSWORD }}
           cf_org: <%= cloud_gov_organization %>
           cf_space: <%= cloud_gov_production_space %>
-          push_arguments: "--vars-file config/deployment/production.yml --var rails_master_key=$RAILS_MASTER_KEY"
+          push_arguments: >-
+            --vars-file config/deployment/production.yml
+            --var rails_master_key=$RAILS_MASTER_KEY

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt

@@ -50,4 +50,6 @@ jobs:
           cf_password: ${{ secrets.CF_PASSWORD }}
           cf_org: <%= cloud_gov_organization %>
           cf_space: <%= cloud_gov_staging_space %>
-          push_arguments: "--vars-file config/deployment/staging.yml --var rails_master_key=$RAILS_MASTER_KEY"
+          push_arguments: >-
+            --vars-file config/deployment/staging.yml
+            --var rails_master_key=$RAILS_MASTER_KEY

data/lib/generators/rails_template18f/oscal/oscal_generator.rb

@@ -44,30 +44,54 @@ module RailsTemplate18f
         end
       end
 
+      def configure_submodule
+        unless detach?
+          git config: "-f .gitmodules submodule.\"doc/compliance/oscal\".branch #{branch_name}"
+          git config: "diff.submodule log"
+          git config: "status.submodulesummary 1"
+          git config: "push.recurseSubmodules check"
+        end
+      end
+
       no_tasks do
         def branch_name
           options[:branch].present? ? options[:branch] : app_name
         end
 
         def readme_contents
-          if detach?
-            <<~README
+          content = <<~README
 
-              ### Compliance Documentation
+            ### Compliance Documentation
 
-              Security Controls should be documented within doc/compliance/oscal.
-            README
-          else
-            <<~README
+            Security Controls should be documented within doc/compliance/oscal.
+          README
+          return content if detach?
+          <<~README
+            #{content}
 
-              ### Compliance Documentation
+            #### Git Submodule Commands
 
-              Security Controls should be documented within doc/compliance/oscal.
+            See git's [submodule documentation](https://git-scm.com/book/en/v2/Git-Tools-Submodules)
+            for more information on tracking changes to these files.
 
-              See git's [submodule documentation](https://git-scm.com/book/en/v2/Git-Tools-Submodules)
-              for more information on tracking changes to these files.
-            README
-          end
+            ##### Cloning this project
+
+            `git clone --recurse-submodules <<REPO_ADDRESS>>`
+
+            ##### Pull changes including OSCAL changes
+
+            `git pull --recurse-submodules`
+
+            ##### Push changes including OSCAL changes
+
+            `git push --recurse-submodules=check` _then_ `git push --recurse-submodules=on-demand`
+
+            ##### Helpful config settings:
+
+            * `git config diff.submodule log`
+            * `git config status.submodulesummary 1`
+            * `git config push.recurseSubmodules check`
+          README
         end
 
         def detach?

data/lib/generators/rails_template18f/rails_erd/rails_erd_generator.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module RailsTemplate18f
+  module Generators
+    class RailsErdGenerator < ::Rails::Generators::Base
+      include Base
+
+      desc <<~DESC
+        Description:
+          Install rails-erd and configure to automatically run on db migration
+      DESC
+
+      def install_graphviz
+        append_to_file "Brewfile", <<~EOB
+
+          # used by rails-erd documentation tool
+          brew "graphviz"
+        EOB
+      end
+
+      def install_gem
+        return if gem_installed?("rails-erd")
+        gem "rails-erd", "~> 1.7", group: :development
+      end
+
+      def install_helper_tasks
+        bundle_install do
+          generate "erd:install"
+        end
+      end
+
+      def copy_config
+        copy_file "erdconfig", ".erdconfig"
+      end
+
+      def update_readme
+        insert_into_file "doc/compliance/README.md", <<~EOM, before: "## Development"
+          ### Logical Data Model
+
+          The logical data model will be auto-generated on each database migration.
+          The rendered output is saved to doc/compliance/rendered/apps/data.logical.pdf
+
+        EOM
+      end
+    end
+  end
+end

data/lib/generators/rails_template18f/rails_erd/templates/erdconfig

@@ -0,0 +1,9 @@
+attributes:
+  - content
+  - timestamps
+filename: "doc/compliance/rendered/apps/data.logical"
+filetype: pdf
+inheritance: false
+orientation: horizontal
+polymorphism: false
+exclude: "ActiveRecord::InternalMetadata,ActiveRecord::SchemaMigration"

data/lib/rails_template18f/generators/base.rb

@@ -63,7 +63,7 @@ module RailsTemplate18f
       def insert_into_oscal(filename, content, after: "## What is the solution and how is it implemented?\n")
         content = <<~EOS
 
-          **#{app_name} Implementation:**
+          ### #{app_name}
 
           #{content}
         EOS

data/lib/rails_template18f/generators/pipeline_options.rb

@@ -17,14 +17,15 @@ module RailsTemplate18f
       def update_cicd_oscal_docs(ci_name)
         if oscal_dir_exists?
           update_ca7_oscal_doc
-          update_cm2_oscal_doc("GitHub Actions")
-          update_cm3_oscal_doc("GitHub Actions")
+          update_cm2_oscal_doc(ci_name)
+          update_cm3_oscal_doc(ci_name)
           update_ra5_oscal_doc
-          update_sa11_oscal_doc("GitHub Actions")
+          update_sa11_oscal_doc(ci_name)
           update_sa22_oscal_doc
-          update_sc281_oscal_doc("GitHub Actions")
+          update_sc281_oscal_doc(ci_name)
           update_si2_oscal_doc
           update_si10_oscal_doc
+          update_sr3_oscal_doc(ci_name)
         end
       end
 
@@ -94,18 +95,11 @@ module RailsTemplate18f
         insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation a.\n"
           The CI/CD pipeline utilizes multiple tools to perform static code analysis for security and privacy:
 
-          ### Brakeman
-          Brakeman is a static code scanner designed to find security issues in Ruby on Rails code. It can flag potential SQL injection,
+          * **Brakeman** is a static code scanner designed to find security issues in Ruby on Rails code. It can flag potential SQL injection,
           Command Injection, open redirects, and other common vulnerabilities.
-
-          ### Bundle Audit
-          bundle-audit checks Ruby dependencies against a database of known CVE numbers.
-
-          ### Yarn Audit
-          yarn audit checks Javascript dependencies against a database of known CVE numbers.
-
-          ### OWASP ZAP
-          OWASP ZAP is a dynamic security scanner that can simulate actual attacks on a running server.
+          * **bundle-audit** checks Ruby dependencies against a database of known CVE numbers.
+          * **yarn audit** checks Javascript dependencies against a database of known CVE numbers.
+          * **OWASP ZAP** is a dynamic security scanner that can simulate actual attacks on a running server.
 
           An additional RAILS_ENV has been created called ci. It inherits from production to ensure that the system being tested is as close as possible to production while allowing for overrides such as bypassing authentication in a secure way.
         EOS
@@ -183,6 +177,14 @@ module RailsTemplate18f
           that may lead to application vulnerabilities that are a result of improper input validation.
         EOS
       end
+
+      def update_sr3_oscal_doc(ci)
+        insert_into_oscal "sr-3.md", <<~EOS, after: "Implementation b.\n"
+          A complete Software Bill of Materials (SBOM) for all Ruby dependencies is automatically
+          generated by #{ci} on each push to GitHub as well as on a nightly basis. These can be downloaded
+          from the applicable artifact section for each CI job.
+        EOS
+      end
     end
   end
 end

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "0.7.0"
+  VERSION = "0.8.0"
 end

data/template.rb

@@ -319,8 +319,10 @@ end
 directory "doc"
 register_announcement("Documentation", <<~EOM)
   * Include a short description of your application in doc/compliance/apps/application.boundary.md
-  * Remember to keep your Logical Data Model up to date in doc/compliance/apps/data.logical.md
 EOM
+after_bundle do
+  generate "rails_template18f:rails_erd"
+end
 
 if compliance_template
   after_bundle do
@@ -483,7 +485,8 @@ after_bundle do
     EOM
     if compliance_template_submodule
       inside "doc/compliance/oscal" do
-        git commit: "-a -m 'rails-template generated control statements'"
+        run "git add -A"
+        run "git diff-index --quiet HEAD || git commit -am 'rails-template generated control statements'"
       end
     end
     git add: "."

data/templates/doc/compliance/README.md

@@ -1,13 +1,18 @@
 # Compliance artifacts
 
-## What is this?
-
 In order to maintain and revise compliance materials with minimal fuss, we store all artifacts as text source (eg Markdown, PlantUML, OSCAL), then generate rendered materials for consumption by downstream entities in the assessment and authorization process.
 
 This directory initially just contains system architecture diagrams corresponding to sections 1-12 of a typical System Security Plan (SSP) document.
 
 The source for other things (OSCAL for control descriptions, evidence generation scripts, etc) will appear here over time.
 
+## Documents
+
+### Application Boundary
+
+The UML source of the application boundary is stored at doc/compliance/apps/application.boundary.md.
+The rendered output is saved to doc/compliance/rendered/apps/application.boundary.svg
+
 ## Development
 
 These plugins may be helpful for editing diagrams.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_template_18f
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Ryan Ahearn
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-07-05 00:00:00.000000000 Z
+date: 2022-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -167,6 +167,8 @@ files:
 - lib/generators/rails_template18f/newrelic/newrelic_generator.rb
 - lib/generators/rails_template18f/newrelic/templates/config/newrelic.yml.tt
 - lib/generators/rails_template18f/oscal/oscal_generator.rb
+- lib/generators/rails_template18f/rails_erd/rails_erd_generator.rb
+- lib/generators/rails_template18f/rails_erd/templates/erdconfig
 - lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb
 - lib/generators/rails_template18f/sidekiq/templates/config/initializers/redis.rb
 - lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt
@@ -235,7 +237,6 @@ files:
 - templates/doc/adr/0004-rails-csp-compliant-script-tag-helpers.md.tt
 - templates/doc/compliance/README.md
 - templates/doc/compliance/apps/application.boundary.md.tt
-- templates/doc/compliance/apps/data.logical.md
 - templates/doc/compliance/rendered/apps/.keep
 - templates/editorconfig
 - templates/env

data/templates/doc/compliance/apps/data.logical.md

@@ -1,21 +0,0 @@
-# Logical Data Model
-
-![logical data model view](../rendered/apps/data.logical.svg)
-
-```plantuml
-@startuml
-scale 0.65
-
-' avoid problems with angled crows feet
-skinparam linetype ortho
-
-class TKTK_Example {
-  * id : integer <<generated>>
-}
-@enduml
-```
-
-### Notes
-
-* See the help docs for [Entity Relationship Diagram](https://plantuml.com/ie-diagram) and [Class Diagram](https://plantuml.com/class-diagram) for syntax help.
-* We're using the `*` visibility modifier to denote fields that cannot be `null`.