rails_template_18f 0.8.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d21603b715f565d239901a62f7350b2b607f8ad264b2e23910d5c1203419038
-  data.tar.gz: 20b9516691e7819b443d06fb05e141992cf4f8e179363b43ad11d87918319929
+  metadata.gz: a7f0ec410febea02b2e3cbc4200373ebbe5b2403f2bd643433acd8d493af8729
+  data.tar.gz: 6a58037093cf649f10bd0ae6166372c8d878e0eecf547baf0ab9be4be91b5d59
 SHA512:
-  metadata.gz: 6f1350e3598ae74b8dcb039ec6c85b7dd124e2b42e3563c5edb5e72a3c061c33cce3bfe43274d7c3fa07bb8f9cd0462df7fa40926ffc90fe913c043edeb86c28
-  data.tar.gz: d9bf899901b7cf2451d77dbd0eb50ddd016acc874d5144cee525d2b14df9bcb93887094e4ca1fa5a4b95a38ecb75ea622ffbfd9541e05edf292197016f909f3b
+  metadata.gz: 04c73690530b927f6cf0063c512f580725d19fcad7cce351b24e672b3169167747ae5c344ee437ca078bf4077f53bc7678a0fcdb0b5cf59b3743cec7ecfe79a0
+  data.tar.gz: 6aabb2b9fa5191ed1f295605d47153e79c753880eb8038591ceee1ac733185ddd23de64a7f0041f602527c12f4f92f627fe4a6379772b14cebe36fe87bcdf102

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 ## [Unreleased]
 
+## [1.0.0] - 2024-06-27
+
+- new applications are now on Rails 7.1.x
+- implement USWDS language selector component when translation files are included
+- cleans up github actions and circleci generators to address bitrot
+- utilize docker-trestle project for OSCAL integration / compliance as code
+
+## [0.8.2] - 2024-06-06
+
+- Replace deprecated github action for cloud.gov deploys with cg-supported one
+- Update terraform modules use for the actual module api - and specify the module version in use
+
 ## [0.8.1] - 2024-06-04
 
 - fix error when compliance-template fork question is left blank

data/Gemfile.lock

@@ -1,55 +1,71 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (0.8.1)
-      activesupport (~> 7.0.0)
-      colorize (~> 0.8)
-      railties (~> 7.0.0)
-      thor (~> 1.0)
+    rails_template_18f (1.0.0)
+      activesupport (~> 7.1.0)
+      colorize (~> 1.1)
+      railties (~> 7.1.0)
+      thor (~> 1.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (7.0.8.4)
-      actionview (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
-      rack (~> 2.0, >= 2.2.4)
+    actionpack (7.1.3.4)
+      actionview (= 7.1.3.4)
+      activesupport (= 7.1.3.4)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.8.4)
-      activesupport (= 7.0.8.4)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.3.4)
+      activesupport (= 7.1.3.4)
       builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (7.0.8.4)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (7.1.3.4)
+      base64
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
+      mutex_m
       tzinfo (~> 2.0)
     ammeter (1.1.7)
       activesupport (>= 3.0)
       railties (>= 3.0)
       rspec-rails (>= 2.2)
     ast (2.4.2)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
     builder (3.2.4)
     byebug (11.1.3)
-    colorize (0.8.1)
+    colorize (1.1.0)
     concurrent-ruby (1.3.1)
+    connection_pool (2.4.1)
     crass (1.0.6)
     diff-lcs (1.5.1)
+    drb (2.2.1)
     erubi (1.12.0)
     i18n (1.14.5)
       concurrent-ruby (~> 1.0)
+    io-console (0.7.2)
+    irb (1.13.1)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
     json (2.7.2)
     language_server-protocol (3.17.0.3)
     lint_roller (1.1.0)
     loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    method_source (1.1.0)
     minitest (5.23.1)
+    mutex_m (0.2.0)
     nokogiri (1.16.5-arm64-darwin)
       racc (~> 1.4)
     nokogiri (1.16.5-x86_64-darwin)
@@ -60,10 +76,17 @@ GEM
     parser (3.3.2.0)
       ast (~> 2.4.1)
       racc
+    psych (5.1.2)
+      stringio
     racc (1.8.0)
-    rack (2.2.9)
+    rack (3.0.11)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
     rack-test (2.1.0)
       rack (>= 1.3)
+    rackup (2.1.0)
+      rack (>= 3)
+      webrick (~> 1.8)
     rails-dom-testing (2.2.0)
       activesupport (>= 5.0.0)
       minitest
@@ -71,16 +94,21 @@ GEM
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
       nokogiri (~> 1.14)
-    railties (7.0.8.4)
-      actionpack (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
-      method_source
+    railties (7.1.3.4)
+      actionpack (= 7.1.3.4)
+      activesupport (= 7.1.3.4)
+      irb
+      rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.2.1)
+    rdoc (6.7.0)
+      psych (>= 4.0.0)
     regexp_parser (2.9.2)
+    reline (0.5.8)
+      io-console (~> 0.5)
     rexml (3.2.8)
       strscan (>= 3.0.9)
     rspec (3.13.0)
@@ -133,11 +161,13 @@ GEM
     standard-performance (1.4.0)
       lint_roller (~> 1.1)
       rubocop-performance (~> 1.21.0)
+    stringio (3.1.0)
     strscan (3.1.0)
     thor (1.3.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
+    webrick (1.8.1)
     zeitwerk (2.6.15)
 
 PLATFORMS
@@ -151,8 +181,8 @@ DEPENDENCIES
   byebug
   rails_template_18f!
   rake (~> 13.0)
-  rspec (~> 3.11)
-  standard (~> 1.3)
+  rspec (~> 3.13)
+  standard (~> 1.36)
 
 BUNDLED WITH
    2.3.15

data/README.md

@@ -2,9 +2,9 @@
 ============================
 The 18F Rails template starts or upgrades Rails projects so that they're more secure, follow compliance rules, and are nearly ready to deploy onto cloud.gov. This gem sets up security checks and compliance diagrams, adds the U.S. Web Design System (USWDS), and much much more — [see the full list of features](#features).
 
-This template will create a new Rails 7.0.x project.
+This template will create a new Rails 7.1.x project.
 
-[See the `rails-6` branch for Rails 6.1.x](https://github.com/18F/rails-template/tree/rails-6)
+[See the `rails-7.0` branch for Rails 7.0.x](https://github.com/gsa-tts/rails-template/tree/rails-7.0)
 
 ## Installation
 
@@ -43,6 +43,7 @@ There are a variety of options that customize your Rails application.
 --skip-action-cable     # Don't include ActionCable websocket implementation
 --skip-action-mailbox   # Don't include inbound email
 --skip-hotwire          # Don't include Hotwire JS library
+--skip-docker           # Don't include Dockerfile meant for production use
 --skip-test             # Skip built-in test framework. (We include RSpec)
 --javascript=webpack    # Use webpack for JS bundling
 --css=postcss           # Use the PostCSS framework for bundling CSS
@@ -56,7 +57,6 @@ There are a variety of options that customize your Rails application.
 |--------|-------------|
 | `--no-skip-<framework>` | Each of the skipped frameworks listed above (also in `railsrc`) can be overridden on the command line. For example: `--no-skip-active-storage` will include support for `ActiveStorage` document uploads |
 | `--javascript=esbuild` | Use [esbuild](https://esbuild.github.io/) instead of [webpack](https://webpack.js.org/) for JavaScript bundling. Note that maintaining IE11 support with esbuild may be tricky. |
-| `--no-skip-<FRAMEWORK>` | Each of the skipped frameworks in `railsrc` can be overridden on the command line. For example: `--no-skip-active-storage` will include support for `ActiveStorage` document uploads |
 
 You probably won't want to customize the template — that defeats the purpose of using this gem!
 
@@ -128,8 +128,8 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/18f/rails-template. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/18f/rails-template/blob/main/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/gsa-tts/rails-template. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/gsa-tts/rails-template/blob/main/CODE_OF_CONDUCT.md).
 
 ## Code of conduct
 
-Everyone interacting in the 18F Rails Template project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/rahearn/rails-template-18f/blob/main/CODE_OF_CONDUCT.md).
+Everyone interacting in the 18F Rails Template project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/gsa-tts/rails-template/blob/main/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -8,3 +8,15 @@ RSpec::Core::RakeTask.new(:spec)
 require "standard/rake"
 
 task default: %i[spec standard]
+
+task :release do
+  # adding a custom release task because I can't get the default `rake release` to play nicely with my
+  # passkey login to rubygems.org on GFE, so I need to use the `gem push --otp` version.
+  # set the environment variable gem_push=false to enable this block
+  gemhelper = Bundler::GemHelper.instance
+  unless gemhelper.send :gem_push?
+    gemspec = gemhelper.gemspec
+    Bundler.ui.warn "Next step: publish the #{gemspec.name} gem with:"
+    Bundler.ui.warn "gem push pkg/#{gemspec.name}-#{gemspec.version}.gem --otp OTP"
+  end
+end

data/SECURITY.md

@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+Only certain branches are supported with security updates.
+
+| Version (branch) | Supported   |
+| ---------------- | ----------- |
+| main      | :white_check_mark: |
+| rails-7.0 | :white_check_mark: |
+| other     | :x:                |
+
+When using this code or reporting vulnerability please be sure to use supported branches and the most recent release tag.
+
+## Reporting a Vulnerability
+
+Use the `Report a vulnerability` link at https://github.com/GSA-TTS/rails-template/security to report a security vulnerability
+on a supported branch of this repository.

data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb

@@ -94,15 +94,8 @@ module RailsTemplate18f
         end
       end
 
-      def update_oscal_doc
-        if oscal_dir_exists?
-          insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation a.\n"
-            #{app_name} employs ClamAV to detect and quarantine malicious code in user-uploaded files.
-          EOS
-          insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation b.\n"
-            ClamAV is configured to automatically update malicious code detection signatures on a daily basis.
-          EOS
-        end
+      def update_oscal
+        copy_oscal_component "active_storage"
       end
     end
   end

data/lib/generators/rails_template18f/active_storage/templates/oscal/component-definitions/active_storage/component-definition.json

@@ -0,0 +1,69 @@
+{
+  "component-definition": {
+    "uuid": "6c8efe45-ab46-4d02-846e-5d58b4797a3e",
+    "metadata": {
+      "title": "ActiveStorage Component Definition.",
+      "last-modified": "2024-06-10T17:31:06.312964+00:00",
+      "version": "0.0.1",
+      "oscal-version": "1.1.2"
+    },
+    "components": [
+      {
+        "uuid": "a206dda7-d1f6-451c-8a0f-b6f4e8bf22d0",
+        "type": "software",
+        "title": "ClamAV",
+        "description": "ClamAV malware scanner",
+        "props": [
+          {
+            "name": "Rule_Id",
+            "value": "properly-configured",
+            "remarks": "rule_config"
+          },
+          {
+            "name": "Rule_Description",
+            "value": "System owner has configured the system to properly run the ClamAV scanner and send files to it on upload",
+            "remarks": "rule_config"
+          }
+        ],
+        "control-implementations": [
+          {
+            "uuid": "e1a02625-cb99-48e6-8240-90f2fdcc8481",
+            "source": "trestle://profiles/gsa-moderate/profile.json",
+            "description": "Controls satisfied via use of the ClamAV malware scanning app",
+            "implemented-requirements": [
+              {
+                "uuid": "4c53c056-dbbd-4889-b268-e1d50bc1fd88",
+                "control-id": "si-3",
+                "description": "",
+                "statements": [
+                  {
+                    "statement-id": "si-3_smt.a",
+                    "uuid": "9621f3b7-878f-487a-bfa1-bbd9d2111e25",
+                    "description": "The system employs ClamAV to detect and quarantine malicious code in user-uploaded files.",
+                    "props": [
+                      {
+                        "name": "Rule_Id",
+                        "value": "properly-configured"
+                      }
+                    ]
+                  },
+                  {
+                    "statement-id": "si-3_smt.b",
+                    "uuid": "850c1163-5c94-4018-9593-0f8e908ace2f",
+                    "description": "ClamAV is configured to automatically update malicious code detection signatures on a daily basis.",
+                    "props": [
+                      {
+                        "name": "Rule_Id",
+                        "value": "properly-configured"
+                      }
+                    ]
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}

data/lib/generators/rails_template18f/circleci/circleci_generator.rb

@@ -16,14 +16,14 @@ module RailsTemplate18f
       def install_needed_gems
         gem_name = "rspec_junit_formatter"
         return if gem_installed? gem_name
-        gem gem_name, "~> 0.5", group: :test
+        gem gem_name, "~> 0.6", group: :test
         bundle_install
       end
 
       def install_pipeline
         directory "circleci", ".circleci"
         copy_file "docker-compose.ci.yml"
-        template "Dockerfile"
+        template "Dockerfile.ci"
         copy_file "bin/ci-server-start", mode: :preserve
       end
 
@@ -66,7 +66,7 @@ EOB
       end
 
       def update_oscal_docs
-        update_cicd_oscal_docs("CircleCI")
+        copy_oscal_component "circleci"
       end
 
       no_tasks do

data/lib/generators/rails_template18f/circleci/templates/bin/ci-server-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# this script is used by docker-compose and Dockerfile to start up a servrer
+# this script is used by docker-compose and Dockerfile.ci to start up a server
 # for running OWASP in CircleCI
 
 dockerize -wait tcp://db:5432 -timeout 1m

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -1,10 +1,10 @@
 version: 2.1
 
 orbs:
-  ruby: circleci/ruby@1.3.0
-  node: circleci/node@5.0.0
-  browser-tools: circleci/browser-tools@1.2.3<% if terraform? %>
-  terraform: circleci/terraform@3.0.0<% end %>
+  ruby: circleci/ruby@2.1.3
+  node: circleci/node@5.2.0
+  browser-tools: circleci/browser-tools@1.4.8<% if terraform? %>
+  terraform: circleci/terraform@3.2.1<% end %>
 
 commands:
   setup-project:
@@ -15,7 +15,24 @@ commands:
           install-yarn: true
       - node/install-packages:
           cache-only-lockfile: false
-          pkg-manager: yarn
+          pkg-manager: yarn<% if oscal_dir_exists? %>
+  trestle-cmd:
+    description: Set up environment for running docker-trestle commands
+    parameters:
+      tag:
+        description: docker-trestle tag to use. Defaults to latest
+        type: string
+        default: latest
+      cmd:
+        description: Command to run within docker-trestle
+        type: string
+    steps:
+      - run:
+          name: Fix directory permissions
+          command: chmod -R a+w doc/compliance/oscal || true
+      - run:
+          name: Run trestle command
+          command: docker run -v $(pwd)/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:<< parameters.tag >> << parameters.cmd >><% end %>
   cg-deploy:
     description: "Login to cloud foundry space with service account credentials
       and push application using deployment configuration file."
@@ -47,7 +64,7 @@ commands:
       - run:
           name: Install Cloud Foundry CLI
           command: |
-            curl -v -L -o cf-cli_amd64.deb 'https://packages.cloudfoundry.org/stable?release=debian64&version=v7&source=github'
+            curl -v -L -o cf-cli_amd64.deb 'https://packages.cloudfoundry.org/stable?release=debian64&version=v8&source=github'
             sudo dpkg -i cf-cli_amd64.deb
       - run:
           name: Login with service account
@@ -75,7 +92,7 @@ jobs:
     parallelism: 3
     docker:
       - image: cimg/ruby:<%= ruby_version %>
-      - image: cimg/postgres:12.9
+      - image: cimg/postgres:15.7
         environment:
           POSTGRES_USER: circleci
           POSTGRES_DB: <%= app_name %>_test
@@ -117,7 +134,26 @@ jobs:
             - tmp/cache/assets/sprockets
 
       - ruby/rspec-test
-
+<% if oscal_dir_exists? %>
+  validate_ssp:
+    machine:
+      image: ubuntu-2204:current
+    steps:
+      - checkout
+      - trestle-cmd:
+          cmd: trestle validate -f system-security-plans/<%= app_name %>/system-security-plan.json
+      - trestle-cmd:
+          cmd: assemble-ssp-json 2> /dev/null | grep "^No changes to assembled ssp"
+  assemble_ssp:
+    machine:
+      image: ubuntu-2204:current
+    steps:
+      - checkout
+      - trestle-cmd:
+          cmd: trestle assemble -n <%= app_name %> system-security-plan
+      - store_artifacts:
+          path: doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+<% end %>
   static_security_scans:
     docker:
       - image: cimg/ruby:<%= ruby_version %>
@@ -149,7 +185,7 @@ jobs:
 
   owasp_scan:
     machine:
-      image: ubuntu-2004:202111-02
+      image: ubuntu-2204:current
     steps:
       - checkout
 
@@ -172,14 +208,14 @@ jobs:
           name: Run OWASP Zap
           command: |
             docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
-              --user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
+              --user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
               zap-baseline.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
       - store_artifacts:
           path: reports/owasp_report.html
 
   owasp_full_scan:
     machine:
-      image: ubuntu-2004:202111-02
+      image: ubuntu-2204:current
     steps:
       - checkout
 
@@ -202,7 +238,7 @@ jobs:
           name: Run OWASP Zap
           command: |
             docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
-              --user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
+              --user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
               zap-full-scan.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
       - store_artifacts:
           path: reports/owasp_report.html
@@ -210,7 +246,7 @@ jobs:
   a11y_scan:
     docker:
       - image: cimg/ruby:<%= ruby_version %>
-      - image: cimg/postgres:12.9
+      - image: cimg/postgres:15.7
         environment:
           POSTGRES_USER: circleci
           POSTGRES_DB: <%= app_name %>_development
@@ -262,7 +298,7 @@ jobs:
 
       - run:
           name: Run pa11y-ci
-          command: yarn run pa11y-ci
+          command: yarn run pa11y-ci -c pa11yci.js
 <% if terraform? %>
   terraform_plan_staging:
     executor: terraform/default
@@ -290,7 +326,7 @@ jobs:
       - checkout
       - attach_workspace:
           at: .
-      - terraform/apply
+      - terraform/apply:
           path: terraform/staging
   terraform_plan_production:
     executor: terraform/default
@@ -318,7 +354,7 @@ jobs:
       - checkout
       - attach_workspace:
           at: .
-      - terraform/apply
+      - terraform/apply:
           path: terraform/production
 <% end %>
   deploy_staging:
@@ -353,7 +389,14 @@ workflows:
       - build
       - test:
           requires:
-            - build
+            - build<% if oscal_dir_exists? %>
+      - validate_ssp
+      - assemble_ssp:
+          filters:
+            branches:
+              only: main
+          requires:
+            - validate_ssp<% end %>
       - static_security_scans:
           requires:
             - build

data/lib/generators/rails_template18f/circleci/templates/docker-compose.ci.yml

@@ -3,6 +3,7 @@ services:
   web:
     build:
       context: .
+      dockerfile: Dockerfile.ci
     user: ${CURRENT_USER:-root}
     networks:
       - ci_network