rails_template_18f 0.8.1 → 1.0.0

Files changed (75)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +12 -0
  3. data/Gemfile.lock +58 -28
  4. data/README.md +5 -5
  5. data/Rakefile +12 -0
  6. data/SECURITY.md +18 -0
  7. data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb +2 -9
  8. data/lib/generators/rails_template18f/active_storage/templates/oscal/component-definitions/active_storage/component-definition.json +69 -0
  9. data/lib/generators/rails_template18f/circleci/circleci_generator.rb +3 -3
  10. data/lib/generators/rails_template18f/circleci/templates/bin/ci-server-start +1 -1
  11. data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt +60 -17
  12. data/lib/generators/rails_template18f/circleci/templates/docker-compose.ci.yml +1 -0
  13. data/lib/generators/rails_template18f/circleci/templates/oscal/component-definitions/circleci/component-definition.json.tt +310 -0
  14. data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb +7 -12
  15. data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-languages/action.yml.tt +1 -1
  16. data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-project/action.yml.tt +1 -0
  17. data/lib/generators/rails_template18f/github_actions/templates/github/actions/trestle-cmd/action.yml +20 -0
  18. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/assemble-ssp.yml.tt +26 -0
  19. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml +6 -2
  20. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/dependency-scans.yml +4 -4
  21. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt +15 -28
  22. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt +15 -28
  23. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-daily-scan.yml.tt +8 -3
  24. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-scan.yml.tt +4 -3
  25. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/pa11y.yml.tt +6 -2
  26. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/rspec.yml.tt +1 -1
  27. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml +20 -58
  28. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml +20 -58
  29. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/validate-ssp.yml.tt +46 -0
  30. data/lib/generators/rails_template18f/github_actions/templates/oscal/component-definitions/github_actions/component-definition.json.tt +310 -0
  31. data/lib/generators/rails_template18f/i18n/i18n_generator.rb +7 -6
  32. data/lib/generators/rails_template18f/i18n/templates/config/locales/en.yml.tt +1 -0
  33. data/lib/generators/rails_template18f/i18n/templates/config/locales/es.yml +2 -0
  34. data/lib/generators/rails_template18f/i18n/templates/config/locales/fr.yml +2 -0
  35. data/lib/generators/rails_template18f/i18n/templates/config/locales/zh.yml +2 -0
  36. data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb +2 -37
  37. data/lib/generators/rails_template18f/newrelic/templates/oscal/component-definitions/newrelic/component-definition.json.tt +113 -0
  38. data/lib/generators/rails_template18f/oscal/oscal_generator.rb +55 -17
  39. data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt +10 -0
  40. data/lib/generators/rails_template18f/oscal/templates/doc/compliance/oscal/trestle-config.yaml.tt +6 -0
  41. data/lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb +2 -2
  42. data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt +37 -52
  43. data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/import.sh +1 -0
  44. data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/main.tf.tt +7 -10
  45. data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/providers.tf +3 -3
  46. data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/run.sh.tt +27 -0
  47. data/lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt +33 -50
  48. data/lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf.tt +8 -2
  49. data/lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt +26 -40
  50. data/lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf.tt +8 -2
  51. data/lib/rails_template18f/generators/base.rb +9 -24
  52. data/lib/rails_template18f/generators/pipeline_options.rb +0 -172
  53. data/lib/rails_template18f/version.rb +1 -1
  54. data/rails-template-18f.gemspec +6 -6
  55. data/railsrc +1 -0
  56. data/railsrc-hotwire +1 -0
  57. data/template.rb +48 -44
  58. data/templates/Brewfile +2 -2
  59. data/templates/README.md.tt +3 -4
  60. data/templates/app/assets/stylesheets/uswds-components.scss +6 -0
  61. data/templates/app/assets/stylesheets/uswds-overrides/_index.scss +2 -0
  62. data/templates/app/assets/stylesheets/uswds-overrides/_override-usa-banner.scss +13 -0
  63. data/templates/app/assets/stylesheets/uswds-overrides/_override-usa-language-selector.scss +38 -0
  64. data/templates/app/views/application/_header.html.erb +6 -5
  65. data/templates/app/views/application/_language_selector.html.erb +35 -0
  66. data/templates/app/views/application/_usa_banner.html.erb +21 -16
  67. data/templates/bin/ops/create_service_account.sh.tt +11 -5
  68. data/templates/bin/owasp-scan +3 -3
  69. data/templates/bin/pa11y-scan +1 -1
  70. data/templates/config/environments/ci.rb +1 -0
  71. data/templates/pa11y.js +12 -0
  72. data/templates/pa11yci.js +8 -0
  73. metadata +31 -16
  74. data/templates/pa11yci +0 -9
  75. /data/lib/generators/rails_template18f/circleci/templates/{Dockerfile.tt → Dockerfile.ci.tt} +0 -0
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8d21603b715f565d239901a62f7350b2b607f8ad264b2e23910d5c1203419038
4
- data.tar.gz: 20b9516691e7819b443d06fb05e141992cf4f8e179363b43ad11d87918319929
3
+ metadata.gz: a7f0ec410febea02b2e3cbc4200373ebbe5b2403f2bd643433acd8d493af8729
4
+ data.tar.gz: 6a58037093cf649f10bd0ae6166372c8d878e0eecf547baf0ab9be4be91b5d59
5
5
  SHA512:
6
- metadata.gz: 6f1350e3598ae74b8dcb039ec6c85b7dd124e2b42e3563c5edb5e72a3c061c33cce3bfe43274d7c3fa07bb8f9cd0462df7fa40926ffc90fe913c043edeb86c28
7
- data.tar.gz: d9bf899901b7cf2451d77dbd0eb50ddd016acc874d5144cee525d2b14df9bcb93887094e4ca1fa5a4b95a38ecb75ea622ffbfd9541e05edf292197016f909f3b
6
+ metadata.gz: 04c73690530b927f6cf0063c512f580725d19fcad7cce351b24e672b3169167747ae5c344ee437ca078bf4077f53bc7678a0fcdb0b5cf59b3743cec7ecfe79a0
7
+ data.tar.gz: 6aabb2b9fa5191ed1f295605d47153e79c753880eb8038591ceee1ac733185ddd23de64a7f0041f602527c12f4f92f627fe4a6379772b14cebe36fe87bcdf102
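--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,17 @@
 ## [Unreleased]
 
+## [1.0.0] - 2024-06-27
+
+- new applications are now on Rails 7.1.x
+- implement USWDS language selector component when translation files are included
+- cleans up github actions and circleci generators to address bitrot
+- utilize docker-trestle project for OSCAL integration / compliance as code
+
+## [0.8.2] - 2024-06-06
+
+- Replace deprecated github action for cloud.gov deploys with cg-supported one
+- Update terraform modules use for the actual module api - and specify the module version in use
+
 ## [0.8.1] - 2024-06-04
 
 - fix error when compliance-template fork question is left blank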
data/Gemfile.lock CHANGED
@@ -1,55 +1,71 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- rails_template_18f (0.8.1)
5
- activesupport (~> 7.0.0)
6
- colorize (~> 0.8)
7
- railties (~> 7.0.0)
8
- thor (~> 1.0)
4
+ rails_template_18f (1.0.0)
5
+ activesupport (~> 7.1.0)
6
+ colorize (~> 1.1)
7
+ railties (~> 7.1.0)
8
+ thor (~> 1.3)
9
9
 
10
10
  GEM
11
11
  remote: https://rubygems.org/
12
12
  specs:
13
- actionpack (7.0.8.4)
14
- actionview (= 7.0.8.4)
15
- activesupport (= 7.0.8.4)
16
- rack (~> 2.0, >= 2.2.4)
13
+ actionpack (7.1.3.4)
14
+ actionview (= 7.1.3.4)
15
+ activesupport (= 7.1.3.4)
16
+ nokogiri (>= 1.8.5)
17
+ racc
18
+ rack (>= 2.2.4)
19
+ rack-session (>= 1.0.1)
17
20
  rack-test (>= 0.6.3)
18
- rails-dom-testing (~> 2.0)
19
- rails-html-sanitizer (~> 1.0, >= 1.2.0)
20
- actionview (7.0.8.4)
21
- activesupport (= 7.0.8.4)
21
+ rails-dom-testing (~> 2.2)
22
+ rails-html-sanitizer (~> 1.6)
23
+ actionview (7.1.3.4)
24
+ activesupport (= 7.1.3.4)
22
25
  builder (~> 3.1)
23
- erubi (~> 1.4)
24
- rails-dom-testing (~> 2.0)
25
- rails-html-sanitizer (~> 1.1, >= 1.2.0)
26
- activesupport (7.0.8.4)
26
+ erubi (~> 1.11)
27
+ rails-dom-testing (~> 2.2)
28
+ rails-html-sanitizer (~> 1.6)
29
+ activesupport (7.1.3.4)
30
+ base64
31
+ bigdecimal
27
32
  concurrent-ruby (~> 1.0, >= 1.0.2)
33
+ connection_pool (>= 2.2.5)
34
+ drb
28
35
  i18n (>= 1.6, < 2)
29
36
  minitest (>= 5.1)
37
+ mutex_m
30
38
  tzinfo (~> 2.0)
31
39
  ammeter (1.1.7)
32
40
  activesupport (>= 3.0)
33
41
  railties (>= 3.0)
34
42
  rspec-rails (>= 2.2)
35
43
  ast (2.4.2)
44
+ base64 (0.2.0)
45
+ bigdecimal (3.1.8)
36
46
  builder (3.2.4)
37
47
  byebug (11.1.3)
38
- colorize (0.8.1)
48
+ colorize (1.1.0)
39
49
  concurrent-ruby (1.3.1)
50
+ connection_pool (2.4.1)
40
51
  crass (1.0.6)
41
52
  diff-lcs (1.5.1)
53
+ drb (2.2.1)
42
54
  erubi (1.12.0)
43
55
  i18n (1.14.5)
44
56
  concurrent-ruby (~> 1.0)
57
+ io-console (0.7.2)
58
+ irb (1.13.1)
59
+ rdoc (>= 4.0.0)
60
+ reline (>= 0.4.2)
45
61
  json (2.7.2)
46
62
  language_server-protocol (3.17.0.3)
47
63
  lint_roller (1.1.0)
48
64
  loofah (2.22.0)
49
65
  crass (~> 1.0.2)
50
66
  nokogiri (>= 1.12.0)
51
- method_source (1.1.0)
52
67
  minitest (5.23.1)
68
+ mutex_m (0.2.0)
53
69
  nokogiri (1.16.5-arm64-darwin)
54
70
  racc (~> 1.4)
55
71
  nokogiri (1.16.5-x86_64-darwin)
@@ -60,10 +76,17 @@ GEM
60
76
  parser (3.3.2.0)
61
77
  ast (~> 2.4.1)
62
78
  racc
79
+ psych (5.1.2)
80
+ stringio
63
81
  racc (1.8.0)
64
- rack (2.2.9)
82
+ rack (3.0.11)
83
+ rack-session (2.0.0)
84
+ rack (>= 3.0.0)
65
85
  rack-test (2.1.0)
66
86
  rack (>= 1.3)
87
+ rackup (2.1.0)
88
+ rack (>= 3)
89
+ webrick (~> 1.8)
67
90
  rails-dom-testing (2.2.0)
68
91
  activesupport (>= 5.0.0)
69
92
  minitest
@@ -71,16 +94,21 @@ GEM
71
94
  rails-html-sanitizer (1.6.0)
72
95
  loofah (~> 2.21)
73
96
  nokogiri (~> 1.14)
74
- railties (7.0.8.4)
75
- actionpack (= 7.0.8.4)
76
- activesupport (= 7.0.8.4)
77
- method_source
97
+ railties (7.1.3.4)
98
+ actionpack (= 7.1.3.4)
99
+ activesupport (= 7.1.3.4)
100
+ irb
101
+ rackup (>= 1.0.0)
78
102
  rake (>= 12.2)
79
- thor (~> 1.0)
80
- zeitwerk (~> 2.5)
103
+ thor (~> 1.0, >= 1.2.2)
104
+ zeitwerk (~> 2.6)
81
105
  rainbow (3.1.1)
82
106
  rake (13.2.1)
107
+ rdoc (6.7.0)
108
+ psych (>= 4.0.0)
83
109
  regexp_parser (2.9.2)
110
+ reline (0.5.8)
111
+ io-console (~> 0.5)
84
112
  rexml (3.2.8)
85
113
  strscan (>= 3.0.9)
86
114
  rspec (3.13.0)
@@ -133,11 +161,13 @@ GEM
133
161
  standard-performance (1.4.0)
134
162
  lint_roller (~> 1.1)
135
163
  rubocop-performance (~> 1.21.0)
164
+ stringio (3.1.0)
136
165
  strscan (3.1.0)
137
166
  thor (1.3.1)
138
167
  tzinfo (2.0.6)
139
168
  concurrent-ruby (~> 1.0)
140
169
  unicode-display_width (2.5.0)
170
+ webrick (1.8.1)
141
171
  zeitwerk (2.6.15)
142
172
 
143
173
  PLATFORMS
@@ -151,8 +181,8 @@ DEPENDENCIES
151
181
  byebug
152
182
  rails_template_18f!
153
183
  rake (~> 13.0)
154
- rspec (~> 3.11)
155
- standard (~> 1.3)
184
+ rspec (~> 3.13)
185
+ standard (~> 1.36)
156
186
 
157
187
  BUNDLED WITH
158
188
  2.3.15
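--- a/data/README.md
+++ b/data/README.md
@@ -2,9 +2,9 @@
 ============================
 The 18F Rails template starts or upgrades Rails projects so that they're more secure, follow compliance rules, and are nearly ready to deploy onto cloud.gov. This gem sets up security checks and compliance diagrams, adds the U.S. Web Design System (USWDS), and much much more — [see the full list of features](#features).
 
-This template will create a new Rails 7.0.x project.
+This template will create a new Rails 7.1.x project.
 
-[See the `rails-6` branch for Rails 6.1.x](https://github.com/18F/rails-template/tree/rails-6)
+[See the `rails-7.0` branch for Rails 7.0.x](https://github.com/gsa-tts/rails-template/tree/rails-7.0)
 
 ## Installation
 
@@ -43,6 +43,7 @@ There are a variety of options that customize your Rails application.
 --skip-action-cable # Don't include ActionCable websocket implementation
 --skip-action-mailbox # Don't include inbound email
 --skip-hotwire # Don't include Hotwire JS library
+--skip-docker # Don't include Dockerfile meant for production use
 --skip-test # Skip built-in test framework. (We include RSpec)
 --javascript=webpack # Use webpack for JS bundling
 --css=postcss # Use the PostCSS framework for bundling CSS
@@ -56,7 +57,6 @@ There are a variety of options that customize your Rails application.
 |--------|-------------|
 | `--no-skip-<framework>` | Each of the skipped frameworks listed above (also in `railsrc`) can be overridden on the command line. For example: `--no-skip-active-storage` will include support for `ActiveStorage` document uploads |
 | `--javascript=esbuild` | Use [esbuild](https://esbuild.github.io/) instead of [webpack](https://webpack.js.org/) for JavaScript bundling. Note that maintaining IE11 support with esbuild may be tricky. |
-| `--no-skip-<FRAMEWORK>` | Each of the skipped frameworks in `railsrc` can be overridden on the command line. For example: `--no-skip-active-storage` will include support for `ActiveStorage` document uploads |
 
 You probably won't want to customize the template — that defeats the purpose of using this gem!
 
@@ -128,8 +128,8 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/18f/rails-template. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/18f/rails-template/blob/main/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/gsa-tts/rails-template. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/gsa-tts/rails-template/blob/main/CODE_OF_CONDUCT.md).
 
 ## Code of conduct
 
-Everyone interacting in the 18F Rails Template project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/rahearn/rails-template-18f/blob/main/CODE_OF_CONDUCT.md).
+Everyone interacting in the 18F Rails Template project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/gsa-tts/rails-template/blob/main/CODE_OF_CONDUCT.md).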
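--- a/data/Rakefile
+++ b/data/Rakefile
@@ -8,3 +8,15 @@ RSpec::Core::RakeTask.new(:spec)
 require "standard/rake"
 
 task default: %i[spec standard]
+
+task :release do
+# adding a custom release task because I can't get the default `rake release` to play nicely with my
+# passkey login to rubygems.org on GFE, so I need to use the `gem push --otp` version.
+# set the environment variable gem_push=false to enable this block
+gemhelper = Bundler::GemHelper.instance
+unless gemhelper.send :gem_push?
+gemspec = gemhelper.gemspec
+Bundler.ui.warn "Next step: publish the #{gemspec.name} gem with:"
+Bundler.ui.warn "gem push pkg/#{gemspec.name}-#{gemspec.version}.gem --otp OTP"
+end
+end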
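Review bot: `unless gemhelper.send :gem_push?` reaches past Bundler's method visibility into a helper with no public contract, so a Bundler upgrade that renames or removes `gem_push?` breaks this task with a NoMethodError only at release time; a `respond_to?(:gem_push?, true)` guard that falls back to printing the warning, plus a comment naming the Bundler version the name was checked against, would make that failure explicit. `Bundler::GemHelper.instance` is presumably nil until `bundler/gem_tasks` has installed its tasks, and that require is outside this hunk, so the load order in the rest of the Rakefile matters. Since `task :release do` appends actions to the release task Bundler already defines rather than replacing it, the comment should say so, e.g. `# Appended to Bundler's release task: runs after its build/tag steps, and only prints when gem_push=false skipped the push.`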
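--- a/data/SECURITY.md
+++ b/data/SECURITY.md
@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+Only certain branches are supported with security updates.
+
+| Version (branch) | Supported |
+| ---------------- | ----------- |
+| main | :white_check_mark: |
+| rails-7.0 | :white_check_mark: |
+| other | :x: |
+
+When using this code or reporting vulnerability please be sure to use supported branches and the most recent release tag.
+
+## Reporting a Vulnerability
+
+Use the `Report a vulnerability` link at https://github.com/GSA-TTS/rails-template/security to report a security vulnerability
+on a supported branch of this repository.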
@@ -94,15 +94,8 @@ module RailsTemplate18f
94
94
  end
95
95
  end
96
96
 
97
- def update_oscal_doc
98
- if oscal_dir_exists?
99
- insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation a.\n"
100
- #{app_name} employs ClamAV to detect and quarantine malicious code in user-uploaded files.
101
- EOS
102
- insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation b.\n"
103
- ClamAV is configured to automatically update malicious code detection signatures on a daily basis.
104
- EOS
105
- end
97
+ def update_oscal
98
+ copy_oscal_component "active_storage"
106
99
  end
107
100
  end
108
101
  end
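Review bot: The removed `update_oscal_doc` only edited OSCAL files behind `if oscal_dir_exists?`, while the new `update_oscal` calls `copy_oscal_component "active_storage"` unconditionally; unless `copy_oscal_component` (defined in base.rb, outside this hunk) performs that check itself, the generator now writes a component definition into apps that have no doc/compliance/oscal directory. If the guard does live in the helper, a one-line comment here saves the next reader the same question, e.g. `# copy_oscal_component skips apps without an OSCAL directory`; otherwise keep the old guard inline: `copy_oscal_component "active_storage" if oscal_dir_exists?`. The enclosing module and class start outside the hunk.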
@@ -0,0 +1,69 @@
1
+ {
2
+ "component-definition": {
3
+ "uuid": "6c8efe45-ab46-4d02-846e-5d58b4797a3e",
4
+ "metadata": {
5
+ "title": "ActiveStorage Component Definition.",
6
+ "last-modified": "2024-06-10T17:31:06.312964+00:00",
7
+ "version": "0.0.1",
8
+ "oscal-version": "1.1.2"
9
+ },
10
+ "components": [
11
+ {
12
+ "uuid": "a206dda7-d1f6-451c-8a0f-b6f4e8bf22d0",
13
+ "type": "software",
14
+ "title": "ClamAV",
15
+ "description": "ClamAV malware scanner",
16
+ "props": [
17
+ {
18
+ "name": "Rule_Id",
19
+ "value": "properly-configured",
20
+ "remarks": "rule_config"
21
+ },
22
+ {
23
+ "name": "Rule_Description",
24
+ "value": "System owner has configured the system to properly run the ClamAV scanner and send files to it on upload",
25
+ "remarks": "rule_config"
26
+ }
27
+ ],
28
+ "control-implementations": [
29
+ {
30
+ "uuid": "e1a02625-cb99-48e6-8240-90f2fdcc8481",
31
+ "source": "trestle://profiles/gsa-moderate/profile.json",
32
+ "description": "Controls satisfied via use of the ClamAV malware scanning app",
33
+ "implemented-requirements": [
34
+ {
35
+ "uuid": "4c53c056-dbbd-4889-b268-e1d50bc1fd88",
36
+ "control-id": "si-3",
37
+ "description": "",
38
+ "statements": [
39
+ {
40
+ "statement-id": "si-3_smt.a",
41
+ "uuid": "9621f3b7-878f-487a-bfa1-bbd9d2111e25",
42
+ "description": "The system employs ClamAV to detect and quarantine malicious code in user-uploaded files.",
43
+ "props": [
44
+ {
45
+ "name": "Rule_Id",
46
+ "value": "properly-configured"
47
+ }
48
+ ]
49
+ },
50
+ {
51
+ "statement-id": "si-3_smt.b",
52
+ "uuid": "850c1163-5c94-4018-9593-0f8e908ace2f",
53
+ "description": "ClamAV is configured to automatically update malicious code detection signatures on a daily basis.",
54
+ "props": [
55
+ {
56
+ "name": "Rule_Id",
57
+ "value": "properly-configured"
58
+ }
59
+ ]
60
+ }
61
+ ]
62
+ }
63
+ ]
64
+ }
65
+ ]
66
+ }
67
+ ]
68
+ }
69
+ }
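Review bot: `"source": "trestle://profiles/gsa-moderate/profile.json"` hard-codes the GSA moderate baseline into a file that is copied verbatim (it has no `.tt` suffix, unlike the circleci, github_actions and newrelic component definitions added in this same release), so an application assessed against a different profile cannot change it without editing generated output. Making this a `.tt` template with the profile path as a variable, as the sibling definitions already are, would keep the four components consistent. The control-level `"description": ""` on the si-3 implemented requirement is also empty while both statements carry text; trestle may accept that, but a one-line summary such as `"description": "ClamAV scans user-uploaded files for malicious code."` keeps the assembled SSP readable.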
@@ -16,14 +16,14 @@ module RailsTemplate18f
16
16
  def install_needed_gems
17
17
  gem_name = "rspec_junit_formatter"
18
18
  return if gem_installed? gem_name
19
- gem gem_name, "~> 0.5", group: :test
19
+ gem gem_name, "~> 0.6", group: :test
20
20
  bundle_install
21
21
  end
22
22
 
23
23
  def install_pipeline
24
24
  directory "circleci", ".circleci"
25
25
  copy_file "docker-compose.ci.yml"
26
- template "Dockerfile"
26
+ template "Dockerfile.ci"
27
27
  copy_file "bin/ci-server-start", mode: :preserve
28
28
  end
29
29
 
@@ -66,7 +66,7 @@ EOB
66
66
  end
67
67
 
68
68
  def update_oscal_docs
69
- update_cicd_oscal_docs("CircleCI")
69
+ copy_oscal_component "circleci"
70
70
  end
71
71
 
72
72
  no_tasks do
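Review bot: `copy_oscal_component "circleci"` is called from a method still named `update_oscal_docs`, while the active_storage generator in this same release exposes the equivalent step as `update_oscal`; both are public Thor task names, so picking one name keeps the generators greppable and any base-class hook consistent. The `return if gem_installed? gem_name` guard above the bumped `"~> 0.6"` constraint means existing apps keep their old rspec_junit_formatter pin, which looks deliberate but deserves a comment: `# existing apps keep their current constraint; only fresh installs get ~> 0.6`. The class and module enclosing these methods start outside the hunks.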
@@ -1,6 +1,6 @@
1
1
  #!/bin/bash
2
2
  #
3
- # this script is used by docker-compose and Dockerfile to start up a servrer
3
+ # this script is used by docker-compose and Dockerfile.ci to start up a server
4
4
  # for running OWASP in CircleCI
5
5
 
6
6
  dockerize -wait tcp://db:5432 -timeout 1m
@@ -1,10 +1,10 @@
1
1
  version: 2.1
2
2
 
3
3
  orbs:
4
- ruby: circleci/ruby@1.3.0
5
- node: circleci/node@5.0.0
6
- browser-tools: circleci/browser-tools@1.2.3<% if terraform? %>
7
- terraform: circleci/terraform@3.0.0<% end %>
4
+ ruby: circleci/ruby@2.1.3
5
+ node: circleci/node@5.2.0
6
+ browser-tools: circleci/browser-tools@1.4.8<% if terraform? %>
7
+ terraform: circleci/terraform@3.2.1<% end %>
8
8
 
9
9
  commands:
10
10
  setup-project:
@@ -15,7 +15,24 @@ commands:
15
15
  install-yarn: true
16
16
  - node/install-packages:
17
17
  cache-only-lockfile: false
18
- pkg-manager: yarn
18
+ pkg-manager: yarn<% if oscal_dir_exists? %>
19
+ trestle-cmd:
20
+ description: Set up environment for running docker-trestle commands
21
+ parameters:
22
+ tag:
23
+ description: docker-trestle tag to use. Defaults to latest
24
+ type: string
25
+ default: latest
26
+ cmd:
27
+ description: Command to run within docker-trestle
28
+ type: string
29
+ steps:
30
+ - run:
31
+ name: Fix directory permissions
32
+ command: chmod -R a+w doc/compliance/oscal || true
33
+ - run:
34
+ name: Run trestle command
35
+ command: docker run -v $(pwd)/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:<< parameters.tag >> << parameters.cmd >><% end %>
19
36
  cg-deploy:
20
37
  description: "Login to cloud foundry space with service account credentials
21
38
  and push application using deployment configuration file."
@@ -47,7 +64,7 @@ commands:
47
64
  - run:
48
65
  name: Install Cloud Foundry CLI
49
66
  command: |
50
- curl -v -L -o cf-cli_amd64.deb 'https://packages.cloudfoundry.org/stable?release=debian64&version=v7&source=github'
67
+ curl -v -L -o cf-cli_amd64.deb 'https://packages.cloudfoundry.org/stable?release=debian64&version=v8&source=github'
51
68
  sudo dpkg -i cf-cli_amd64.deb
52
69
  - run:
53
70
  name: Login with service account
@@ -75,7 +92,7 @@ jobs:
75
92
  parallelism: 3
76
93
  docker:
77
94
  - image: cimg/ruby:<%= ruby_version %>
78
- - image: cimg/postgres:12.9
95
+ - image: cimg/postgres:15.7
79
96
  environment:
80
97
  POSTGRES_USER: circleci
81
98
  POSTGRES_DB: <%= app_name %>_test
@@ -117,7 +134,26 @@ jobs:
117
134
  - tmp/cache/assets/sprockets
118
135
 
119
136
  - ruby/rspec-test
120
-
137
+ <% if oscal_dir_exists? %>
138
+ validate_ssp:
139
+ machine:
140
+ image: ubuntu-2204:current
141
+ steps:
142
+ - checkout
143
+ - trestle-cmd:
144
+ cmd: trestle validate -f system-security-plans/<%= app_name %>/system-security-plan.json
145
+ - trestle-cmd:
146
+ cmd: assemble-ssp-json 2> /dev/null | grep "^No changes to assembled ssp"
147
+ assemble_ssp:
148
+ machine:
149
+ image: ubuntu-2204:current
150
+ steps:
151
+ - checkout
152
+ - trestle-cmd:
153
+ cmd: trestle assemble -n <%= app_name %> system-security-plan
154
+ - store_artifacts:
155
+ path: doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
156
+ <% end %>
121
157
  static_security_scans:
122
158
  docker:
123
159
  - image: cimg/ruby:<%= ruby_version %>
@@ -149,7 +185,7 @@ jobs:
149
185
 
150
186
  owasp_scan:
151
187
  machine:
152
- image: ubuntu-2004:202111-02
188
+ image: ubuntu-2204:current
153
189
  steps:
154
190
  - checkout
155
191
 
@@ -172,14 +208,14 @@ jobs:
172
208
  name: Run OWASP Zap
173
209
  command: |
174
210
  docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
175
- --user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
211
+ --user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
176
212
  zap-baseline.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
177
213
  - store_artifacts:
178
214
  path: reports/owasp_report.html
179
215
 
180
216
  owasp_full_scan:
181
217
  machine:
182
- image: ubuntu-2004:202111-02
218
+ image: ubuntu-2204:current
183
219
  steps:
184
220
  - checkout
185
221
 
@@ -202,7 +238,7 @@ jobs:
202
238
  name: Run OWASP Zap
203
239
  command: |
204
240
  docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
205
- --user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
241
+ --user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
206
242
  zap-full-scan.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
207
243
  - store_artifacts:
208
244
  path: reports/owasp_report.html
@@ -210,7 +246,7 @@ jobs:
210
246
  a11y_scan:
211
247
  docker:
212
248
  - image: cimg/ruby:<%= ruby_version %>
213
- - image: cimg/postgres:12.9
249
+ - image: cimg/postgres:15.7
214
250
  environment:
215
251
  POSTGRES_USER: circleci
216
252
  POSTGRES_DB: <%= app_name %>_development
@@ -262,7 +298,7 @@ jobs:
262
298
 
263
299
  - run:
264
300
  name: Run pa11y-ci
265
- command: yarn run pa11y-ci
301
+ command: yarn run pa11y-ci -c pa11yci.js
266
302
  <% if terraform? %>
267
303
  terraform_plan_staging:
268
304
  executor: terraform/default
@@ -290,7 +326,7 @@ jobs:
290
326
  - checkout
291
327
  - attach_workspace:
292
328
  at: .
293
- - terraform/apply
329
+ - terraform/apply:
294
330
  path: terraform/staging
295
331
  terraform_plan_production:
296
332
  executor: terraform/default
@@ -318,7 +354,7 @@ jobs:
318
354
  - checkout
319
355
  - attach_workspace:
320
356
  at: .
321
- - terraform/apply
357
+ - terraform/apply:
322
358
  path: terraform/production
323
359
  <% end %>
324
360
  deploy_staging:
@@ -353,7 +389,14 @@ workflows:
353
389
  - build
354
390
  - test:
355
391
  requires:
356
- - build
392
+ - build<% if oscal_dir_exists? %>
393
+ - validate_ssp
394
+ - assemble_ssp:
395
+ filters:
396
+ branches:
397
+ only: main
398
+ requires:
399
+ - validate_ssp<% end %>
357
400
  - static_security_scans:
358
401
  requires:
359
402
  - build
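Review bot: `default: latest` on the `tag` parameter of the new `trestle-cmd` command means `validate_ssp` and `assemble_ssp` run whatever `ghcr.io/gsa-tts/trestle` image was pushed most recently, so SSP validation is not reproducible and an upstream image change can alter the artifact stored from `main` with no change in this repository; defaulting to a pinned release tag or digest and bumping it deliberately, `default: "<PINNED_TRESTLE_TAG>"`, keeps the compliance pipeline's inputs under version control. `<< parameters.cmd >>` is spliced unquoted into the `docker run` line, which is what lets `assemble-ssp-json 2> /dev/null | grep "^No changes to assembled ssp"` use a pipe, but it makes the parameter a shell fragment rather than a command and `description: Command to run within docker-trestle` should say so. `chmod -R a+w doc/compliance/oscal || true` hides its own failures; on an ephemeral machine executor that is acceptable, but a comment stating why world-writable is needed (presumably the container's user differs from the checkout owner) would help. The same floating-tag concern applies to `ghcr.io/zaproxy/zaproxy:weekly` in owasp_scan and owasp_full_scan, though tracking weekly ZAP rules may be the intent there.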
@@ -3,6 +3,7 @@ services:
3
3
  web:
4
4
  build:
5
5
  context: .
6
+ dockerfile: Dockerfile.ci
6
7
  user: ${CURRENT_USER:-root}
7
8
  networks:
8
9
  - ci_network