rails_template_18f 0.8.2 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71f972115a1f66ddfefa4341186434fe24a4e78b201ad192786a4c5d34bebb8c
-  data.tar.gz: dcbf65cd0f011f12aa918975b426e23002d07c54c14d4251d5e8102bc59e74a3
+  metadata.gz: ea2ec3406d7768825b772437242ea1b106d635ef1e4231b0a3c5b7959c88574f
+  data.tar.gz: edce599ccfdb6455e5dd8a781aecd37c54ec1d94045aba71735d9262885070e1
 SHA512:
-  metadata.gz: '09de09463925281bdb7731686bebfe8eb4441a208e488597abfc910510dead294a0380629ed43af55956fb798fa2aeffeaddc25c0b6e2dd6e584db6791b211b0'
-  data.tar.gz: d12d2667e1aa2bf8e49097ccc9b3f76656a5a71b5ca829b1e02361d33df62af298c27dfe6de8da268f6ead509a54725c1df5852813196bd113f1daedf9f70de4
+  metadata.gz: 6b1cd11a24976b6eeb067ac5ff3dc050c6e049dc2e5875d55b24b269059233b7503cb9eeeb6f70df78543dd30e6a69bc9cbaf8d15f9b38aba7e568847f830bd4
+  data.tar.gz: 3cbeed2a16a2f6b89d31f193540556b56e12fa575f659feb513ba75cfea06b1bb19f7fcfcae501fc0ec576a8dead1d7bca87d058c67d3db605611bc6f6551eb2

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 ## [Unreleased]
 
+
+## [1.1.0] - 2024-08-20
+
+- add an auditree generator for integration with auditree-devtools and github actions to run it
+- remove the obsolete entry to include nodejs_buildpack in cloud.gov manifest.yml
+
+## [1.0.0] - 2024-06-27
+
+- new applications are now on Rails 7.1.x
+- implement USWDS language selector component when translation files are included
+- cleans up github actions and circleci generators to address bitrot
+- utilize docker-trestle project for OSCAL integration / compliance as code
+
 ## [0.8.2] - 2024-06-06
 
 - Replace deprecated github action for cloud.gov deploys with cg-supported one

data/Gemfile.lock

@@ -1,55 +1,71 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (0.8.2)
-      activesupport (~> 7.0.0)
-      colorize (~> 0.8)
-      railties (~> 7.0.0)
-      thor (~> 1.0)
+    rails_template_18f (1.1.0)
+      activesupport (~> 7.1.0)
+      colorize (~> 1.1)
+      railties (~> 7.1.0)
+      thor (~> 1.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (7.0.8.4)
-      actionview (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
-      rack (~> 2.0, >= 2.2.4)
+    actionpack (7.1.3.4)
+      actionview (= 7.1.3.4)
+      activesupport (= 7.1.3.4)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.8.4)
-      activesupport (= 7.0.8.4)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.3.4)
+      activesupport (= 7.1.3.4)
       builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (7.0.8.4)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (7.1.3.4)
+      base64
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
+      mutex_m
       tzinfo (~> 2.0)
     ammeter (1.1.7)
       activesupport (>= 3.0)
       railties (>= 3.0)
       rspec-rails (>= 2.2)
     ast (2.4.2)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
     builder (3.2.4)
     byebug (11.1.3)
-    colorize (0.8.1)
+    colorize (1.1.0)
     concurrent-ruby (1.3.1)
+    connection_pool (2.4.1)
     crass (1.0.6)
     diff-lcs (1.5.1)
+    drb (2.2.1)
     erubi (1.12.0)
     i18n (1.14.5)
       concurrent-ruby (~> 1.0)
+    io-console (0.7.2)
+    irb (1.13.1)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
     json (2.7.2)
     language_server-protocol (3.17.0.3)
     lint_roller (1.1.0)
     loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    method_source (1.1.0)
     minitest (5.23.1)
+    mutex_m (0.2.0)
     nokogiri (1.16.5-arm64-darwin)
       racc (~> 1.4)
     nokogiri (1.16.5-x86_64-darwin)
@@ -60,10 +76,17 @@ GEM
     parser (3.3.2.0)
       ast (~> 2.4.1)
       racc
+    psych (5.1.2)
+      stringio
     racc (1.8.0)
-    rack (2.2.9)
+    rack (3.0.11)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
     rack-test (2.1.0)
       rack (>= 1.3)
+    rackup (2.1.0)
+      rack (>= 3)
+      webrick (~> 1.8)
     rails-dom-testing (2.2.0)
       activesupport (>= 5.0.0)
       minitest
@@ -71,16 +94,21 @@ GEM
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
       nokogiri (~> 1.14)
-    railties (7.0.8.4)
-      actionpack (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
-      method_source
+    railties (7.1.3.4)
+      actionpack (= 7.1.3.4)
+      activesupport (= 7.1.3.4)
+      irb
+      rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.2.1)
+    rdoc (6.7.0)
+      psych (>= 4.0.0)
     regexp_parser (2.9.2)
+    reline (0.5.8)
+      io-console (~> 0.5)
     rexml (3.2.8)
       strscan (>= 3.0.9)
     rspec (3.13.0)
@@ -133,11 +161,13 @@ GEM
     standard-performance (1.4.0)
       lint_roller (~> 1.1)
       rubocop-performance (~> 1.21.0)
+    stringio (3.1.0)
     strscan (3.1.0)
     thor (1.3.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
+    webrick (1.8.1)
     zeitwerk (2.6.15)
 
 PLATFORMS
@@ -151,8 +181,8 @@ DEPENDENCIES
   byebug
   rails_template_18f!
   rake (~> 13.0)
-  rspec (~> 3.11)
-  standard (~> 1.3)
+  rspec (~> 3.13)
+  standard (~> 1.36)
 
 BUNDLED WITH
    2.3.15

data/README.md

@@ -2,9 +2,9 @@
 ============================
 The 18F Rails template starts or upgrades Rails projects so that they're more secure, follow compliance rules, and are nearly ready to deploy onto cloud.gov. This gem sets up security checks and compliance diagrams, adds the U.S. Web Design System (USWDS), and much much more — [see the full list of features](#features).
 
-This template will create a new Rails 7.0.x project.
+This template will create a new Rails 7.1.x project.
 
-[See the `rails-6` branch for Rails 6.1.x](https://github.com/18F/rails-template/tree/rails-6)
+[See the `rails-7.0` branch for Rails 7.0.x](https://github.com/gsa-tts/rails-template/tree/rails-7.0)
 
 ## Installation
 
@@ -43,6 +43,7 @@ There are a variety of options that customize your Rails application.
 --skip-action-cable     # Don't include ActionCable websocket implementation
 --skip-action-mailbox   # Don't include inbound email
 --skip-hotwire          # Don't include Hotwire JS library
+--skip-docker           # Don't include Dockerfile meant for production use
 --skip-test             # Skip built-in test framework. (We include RSpec)
 --javascript=webpack    # Use webpack for JS bundling
 --css=postcss           # Use the PostCSS framework for bundling CSS
@@ -56,7 +57,6 @@ There are a variety of options that customize your Rails application.
 |--------|-------------|
 | `--no-skip-<framework>` | Each of the skipped frameworks listed above (also in `railsrc`) can be overridden on the command line. For example: `--no-skip-active-storage` will include support for `ActiveStorage` document uploads |
 | `--javascript=esbuild` | Use [esbuild](https://esbuild.github.io/) instead of [webpack](https://webpack.js.org/) for JavaScript bundling. Note that maintaining IE11 support with esbuild may be tricky. |
-| `--no-skip-<FRAMEWORK>` | Each of the skipped frameworks in `railsrc` can be overridden on the command line. For example: `--no-skip-active-storage` will include support for `ActiveStorage` document uploads |
 
 You probably won't want to customize the template — that defeats the purpose of using this gem!
 
@@ -128,8 +128,8 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/18f/rails-template. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/18f/rails-template/blob/main/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/gsa-tts/rails-template. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/gsa-tts/rails-template/blob/main/CODE_OF_CONDUCT.md).
 
 ## Code of conduct
 
-Everyone interacting in the 18F Rails Template project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/rahearn/rails-template-18f/blob/main/CODE_OF_CONDUCT.md).
+Everyone interacting in the 18F Rails Template project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/gsa-tts/rails-template/blob/main/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -8,3 +8,15 @@ RSpec::Core::RakeTask.new(:spec)
 require "standard/rake"
 
 task default: %i[spec standard]
+
+task :release do
+  # adding a custom release task because I can't get the default `rake release` to play nicely with my
+  # passkey login to rubygems.org on GFE, so I need to use the `gem push --otp` version.
+  # set the environment variable gem_push=false to enable this block
+  gemhelper = Bundler::GemHelper.instance
+  unless gemhelper.send :gem_push?
+    gemspec = gemhelper.gemspec
+    Bundler.ui.warn "Next step: publish the #{gemspec.name} gem with:"
+    Bundler.ui.warn "gem push pkg/#{gemspec.name}-#{gemspec.version}.gem --otp OTP"
+  end
+end

data/SECURITY.md

@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+Only certain branches are supported with security updates.
+
+| Version (branch) | Supported   |
+| ---------------- | ----------- |
+| main      | :white_check_mark: |
+| rails-7.0 | :white_check_mark: |
+| other     | :x:                |
+
+When using this code or reporting vulnerability please be sure to use supported branches and the most recent release tag.
+
+## Reporting a Vulnerability
+
+Use the `Report a vulnerability` link at https://github.com/GSA-TTS/rails-template/security to report a security vulnerability
+on a supported branch of this repository.

data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb

@@ -94,15 +94,8 @@ module RailsTemplate18f
         end
       end
 
-      def update_oscal_doc
-        if oscal_dir_exists?
-          insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation a.\n"
-            #{app_name} employs ClamAV to detect and quarantine malicious code in user-uploaded files.
-          EOS
-          insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation b.\n"
-            ClamAV is configured to automatically update malicious code detection signatures on a daily basis.
-          EOS
-        end
+      def update_oscal
+        copy_oscal_component "active_storage"
       end
     end
   end

data/lib/generators/rails_template18f/active_storage/templates/oscal/component-definitions/active_storage/component-definition.json

@@ -0,0 +1,69 @@
+{
+  "component-definition": {
+    "uuid": "6c8efe45-ab46-4d02-846e-5d58b4797a3e",
+    "metadata": {
+      "title": "ActiveStorage Component Definition.",
+      "last-modified": "2024-06-10T17:31:06.312964+00:00",
+      "version": "0.0.1",
+      "oscal-version": "1.1.2"
+    },
+    "components": [
+      {
+        "uuid": "a206dda7-d1f6-451c-8a0f-b6f4e8bf22d0",
+        "type": "software",
+        "title": "ClamAV",
+        "description": "ClamAV malware scanner",
+        "props": [
+          {
+            "name": "Rule_Id",
+            "value": "properly-configured",
+            "remarks": "rule_config"
+          },
+          {
+            "name": "Rule_Description",
+            "value": "System owner has configured the system to properly run the ClamAV scanner and send files to it on upload",
+            "remarks": "rule_config"
+          }
+        ],
+        "control-implementations": [
+          {
+            "uuid": "e1a02625-cb99-48e6-8240-90f2fdcc8481",
+            "source": "trestle://profiles/gsa-moderate/profile.json",
+            "description": "Controls satisfied via use of the ClamAV malware scanning app",
+            "implemented-requirements": [
+              {
+                "uuid": "4c53c056-dbbd-4889-b268-e1d50bc1fd88",
+                "control-id": "si-3",
+                "description": "",
+                "statements": [
+                  {
+                    "statement-id": "si-3_smt.a",
+                    "uuid": "9621f3b7-878f-487a-bfa1-bbd9d2111e25",
+                    "description": "The system employs ClamAV to detect and quarantine malicious code in user-uploaded files.",
+                    "props": [
+                      {
+                        "name": "Rule_Id",
+                        "value": "properly-configured"
+                      }
+                    ]
+                  },
+                  {
+                    "statement-id": "si-3_smt.b",
+                    "uuid": "850c1163-5c94-4018-9593-0f8e908ace2f",
+                    "description": "ClamAV is configured to automatically update malicious code detection signatures on a daily basis.",
+                    "props": [
+                      {
+                        "name": "Rule_Id",
+                        "value": "properly-configured"
+                      }
+                    ]
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}

data/lib/generators/rails_template18f/auditree/auditree_generator.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module RailsTemplate18f
+  module Generators
+    class AuditreeGenerator < ::Rails::Generators::Base
+      include Base
+
+      class_option :tag, desc: "Which auditree docker tag to use. Defaults to `latest`"
+      class_option :git_email, desc: "Email address to associate with commits to the evidence locker"
+
+      desc <<~DESC
+        Description:
+          Set up auditree validation checking with https://github.com/GSA-TTS/devtools-auditree.
+
+          This generator is still experimental.
+      DESC
+
+      def copy_bin
+        template "bin/auditree"
+        chmod "bin/auditree", 0o755
+      end
+
+      def copy_github_actions
+        if file_exists? ".github/workflows"
+          directory "github", ".github"
+        end
+      end
+
+      def update_readme
+        if file_content("README.md").match?("## Documentation")
+          insert_into_file "README.md", readme_contents, after: "## Documentation\n"
+        else
+          append_to_file "README.md", "\n## Documentation\n#{readme_contents}"
+        end
+      end
+
+      def update_component_list
+        if oscal_dir_exists?
+          insert_into_file "doc/compliance/oscal/trestle-config.yaml", "  - devtools_cloud_gov\n"
+        end
+      end
+
+      no_tasks do
+        def docker_auditree_tag
+          options[:tag].present? ? options[:tag] : "latest"
+        end
+
+        def git_email
+          options[:git_email].present? ? options[:git_email] : "TKTK-email@gsa.gov"
+        end
+
+        def readme_contents
+          <<~README
+
+            ### Auditree Control Validation
+
+            Auditree is used within CI/CD to validate that certain controls are in place.
+
+            * Run `bin/auditree` to start the auditree CLI.
+            * Run `bin/auditree SCRIPT_NAME` to run a single auditree script
+
+            #### Initial auditree setup.
+
+            These steps must happen once per project.
+
+            1. Docker desktop must be running
+            1. Initialize the config file with `bin/auditree init > config/auditree.template.json`
+            1. Create an evidence locker repository with a default or blank README
+            1. Create a github personal access token to interact with the code repo and evidence locker and set as `AUDITREE_GITHUB_TOKEN` secret within your production Github environment secrets.
+            1. Update `config/auditree.template.json` with the repo addresses for your locker and code repos
+            1. Copy the `devtools_cloud_gov` component definition into the project with the latest docker-trestle
+
+            #### Ongoing use
+
+            See the [auditree-devtools README](https://github.com/gsa-tts/auditree-devtools) for help with updating
+            auditree and using new checks.
+          README
+        end
+      end
+    end
+  end
+end

data/lib/generators/rails_template18f/auditree/templates/bin/auditree.tt

@@ -0,0 +1,29 @@
+#! /usr/bin/env bash
+usage="
+$0: Run auditree docker image.
+
+Usage:
+  $0 -h
+  $0
+  $0 init > path/to/auditree.template.json
+  $0 fetch
+  $0 check > path/to/assessment-results/auditree/assessment-results.json
+
+Notes:
+The following environment variables will be passed through to the docker image:
+* GITHUB_TOKEN - a token that has permissions to read and write to the evidence locker and code repository. Required for all but 'init'
+* CF_USERNAME - the cloud.gov username to fetch evidence from cloud.gov, only needed when running fetch script
+* CF_PASSWORD - the cloud.gov password to fetch evidence from cloud.gov, only needed when running fetch script
+"
+
+if [ "$1" = "-h" ]; then
+    echo "$usage"
+    exit 0
+fi
+
+command="bash"
+if [ "$1" != "" ]; then
+    command=$1
+fi
+
+docker run -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="<%= git_email %>" -it --rm ghcr.io/gsa-tts/auditree:<%= docker_auditree_tag %> $command

data/lib/generators/rails_template18f/auditree/templates/github/actions/auditree-cmd/action.yml.tt

@@ -0,0 +1,31 @@
+name: "Run an auditree-devtools command"
+description: "Sets up workspace for running a single command in auditree-devtools"
+inputs:
+  tag:
+    description: auditree-devtools tag to use. Defaults to <%= docker_auditree_tag %>
+    required: false
+    default: <%= docker_auditree_tag %>
+  cmd:
+    description: Command to run within auditree-devtools
+    required: true
+  email:
+    description: Git user email to attribute to evidence updates
+    required: true
+  config_template:
+    description: Auditree config file template
+    required: false
+    default: config/auditree.template.json
+  cdef:
+    description: OSCAL Component Definition being used as baseline for assessment results
+    required: false
+    default: doc/compliance/oscal/component-definitions/devtools_cloud_gov/component-definition.json
+runs:
+  using: "composite"
+  steps:
+    - name: Run cmd
+      shell: bash
+      run:
+        docker run -v $GITHUB_WORKSPACE/${{inputs.config_template}}:/app/auditree.template.json:ro
+          -v $GITHUB_WORKSPACE/${{inputs.cdef}}:/app/cdef.json:ro
+          -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="${{inputs.email}}"
+          ghcr.io/gsa-tts/auditree:${{ inputs.tag }} ${{ inputs.cmd }}

data/lib/generators/rails_template18f/auditree/templates/github/workflows/auditree-validation.yml.tt

@@ -0,0 +1,42 @@
+name: Run Auditree Checks
+
+on:
+  workflow_dispatch:
+  schedule:
+    # cron format: 'minute hour dayofmonth month dayofweek'
+    # this will run at 11am UTC every day (6am EST / 7am EDT)
+    - cron: '0 11 * * *'
+
+jobs:
+  run_auditree:
+    name: Fetch and check auditree evidence
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Fetch evidence
+        uses: ./.github/actions/auditree-cmd
+        env:
+          CF_USERNAME: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
+          GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
+        with:
+          cmd: fetch
+          email: "<%= git_email %>"
+
+      - name: Check evidence
+        uses: ./.github/actions/auditree-cmd
+        env:
+          CF_USERNAME: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
+          GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
+        with:
+          cmd: check > doc/compliance/oscal/assessment-results/auditree/assessment-results.json
+          email: "<%= git_email %>"
+
+      - name: Save results
+        uses: actions/upload-artifact@v4
+        with:
+          name: auditree_assessment_results
+          path: doc/compliance/oscal/assessment-results/auditree

data/lib/generators/rails_template18f/circleci/circleci_generator.rb

@@ -16,14 +16,14 @@ module RailsTemplate18f
       def install_needed_gems
         gem_name = "rspec_junit_formatter"
         return if gem_installed? gem_name
-        gem gem_name, "~> 0.5", group: :test
+        gem gem_name, "~> 0.6", group: :test
         bundle_install
       end
 
       def install_pipeline
         directory "circleci", ".circleci"
         copy_file "docker-compose.ci.yml"
-        template "Dockerfile"
+        template "Dockerfile.ci"
         copy_file "bin/ci-server-start", mode: :preserve
       end
 
@@ -66,7 +66,7 @@ EOB
       end
 
       def update_oscal_docs
-        update_cicd_oscal_docs("CircleCI")
+        copy_oscal_component "circleci"
       end
 
       no_tasks do

data/lib/generators/rails_template18f/circleci/templates/bin/ci-server-start

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# this script is used by docker-compose and Dockerfile to start up a servrer
+# this script is used by docker-compose and Dockerfile.ci to start up a server
 # for running OWASP in CircleCI
 
 dockerize -wait tcp://db:5432 -timeout 1m