rails_template_18f 0.6.0 → 0.7.0

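--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: d71812f11d19dc0ed9960407de8d0b3c0755c0d6bb2ba64981af55f0add88657
-data.tar.gz: 63d920adcc4e1e8acd83805d0edcaf5235f75150226dcd1ee8dcbef303407ba6
+metadata.gz: a69496a0836c43df3d636ecf91d120c5975b8462ab285edaacc2494b3af8265f
+data.tar.gz: 7d1fbc494eb83d99bb0f498fc983db9dd6d45c1ca37895da5a60876c5fea5d0f
 SHA512:
-metadata.gz: bca37870efffd0200b5fbf1b9491a1497cd1cdae7423d93f9c0eda1ff2cde4779932ea8f23be29f632e0310483c31724273d64d36a78d94e67a94c1cd903eb1a
-data.tar.gz: 6d09c8fc4870c7ca1851fdd4c439ec1b6dd73d8e9551ca2b3d0be2d5da1a2f28e0cd9655ba219f25c2674face10ea0b8d5eeaadba6fd47705b04d516ac777d67
+metadata.gz: 35b93c784bd2fd885745e300e16d054861ef48303dfde9167a6c21edaeb0e78c846a950e99d51d559868f71275c341443a158bd84b766b9b0a822d2d68606d25
+data.tar.gz: 10703f7f1a3a75ecdd62fcc05123058b75dd6d9685121ee0bb38f0014d3354ab15ff2b4f30619439c436d4be2c58247d4e07ec65172c49c769c2b346e7802023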
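--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## [Unreleased]
 
+## [0.7.0] - 2022-07-05
+
+- OSCAL generator to integrate with https://github.com/GSA-TTS/compliance-template
+
 ## [0.6.0] - 2022-06-07
 
 - include USWDS 3.0 for new apps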
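--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-rails_template_18f (0.6.0)
+rails_template_18f (0.7.0)
 activesupport (~> 7.0.0)
 colorize (~> 0.8)
 railties (~> 7.0.0)
@@ -46,7 +46,7 @@ GEM
 crass (~> 1.0.2)
 nokogiri (>= 1.5.9)
 method_source (1.0.0)
-minitest (5.15.0)
+minitest (5.16.2)
 nokogiri (1.13.6-x86_64-darwin)
 racc (~> 1.4)
 nokogiri (1.13.6-x86_64-linux)
@@ -55,13 +55,13 @@ GEM
 parser (3.1.2.0)
 ast (~> 2.4.1)
 racc (1.6.0)
-rack (2.2.3.1)
-rack-test (1.1.0)
-rack (>= 1.0, < 3)
+rack (2.2.4)
+rack-test (2.0.2)
+rack (>= 1.3)
 rails-dom-testing (2.0.3)
 activesupport (>= 4.2.0)
 nokogiri (>= 1.6)
-rails-html-sanitizer (1.4.2)
+rails-html-sanitizer (1.4.3)
 loofah (~> 2.3)
 railties (7.0.3)
 actionpack (= 7.0.3)
@@ -72,7 +72,7 @@ GEM
 zeitwerk (~> 2.5)
 rainbow (3.1.1)
 rake (13.0.6)
-regexp_parser (2.4.0)
+regexp_parser (2.5.0)
 rexml (3.2.5)
 rspec (3.11.0)
 rspec-core (~> 3.11.0)
@@ -95,7 +95,7 @@ GEM
 rspec-mocks (~> 3.10)
 rspec-support (~> 3.10)
 rspec-support (3.11.0)
-rubocop (1.29.0)
+rubocop (1.29.1)
 parallel (~> 1.10)
 parser (>= 3.1.0.0)
 rainbow (>= 2.2.2, < 4.0)
@@ -104,20 +104,20 @@ GEM
 rubocop-ast (>= 1.17.0, < 2.0)
 ruby-progressbar (~> 1.7)
 unicode-display_width (>= 1.4.0, < 3.0)
-rubocop-ast (1.17.0)
+rubocop-ast (1.18.0)
 parser (>= 3.1.1.0)
 rubocop-performance (1.13.3)
 rubocop (>= 1.7.0, < 2.0)
 rubocop-ast (>= 0.4.0)
 ruby-progressbar (1.11.0)
-standard (1.12.0)
-rubocop (= 1.29.0)
+standard (1.12.1)
+rubocop (= 1.29.1)
 rubocop-performance (= 1.13.3)
 thor (1.2.1)
 tzinfo (2.0.4)
 concurrent-ruby (~> 1.0)
-unicode-display_width (2.1.0)
-zeitwerk (2.5.4)
+unicode-display_width (2.2.0)
+zeitwerk (2.6.0)
 
 PLATFORMS
 x86_64-darwin-20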
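--- a/data/README.md
+++ b/data/README.md
@@ -91,7 +91,8 @@ ActionCable is included to enable the [Turbo Streams](https://turbo.hotwired.dev
 1. Create boundary and logical data model compliance diagrams
 1. Create `manifest.yml` and variable files for cloud.gov deployment
 1. Optionally run the `rake db:create` and `rake db:migrate` setup steps
-1. Optionally create Github Actions workflows for testing and cloud.gov deploy
+1. Optionally integrate with https://github.com/GSA-TTS/compliance-template
+1. Optionally create GitHub Actions workflows for testing and cloud.gov deploy
 1. Optionally create terraform modules supporting staging & production cloud.gov spaces
 1. Optionally create CircleCI workflows for testing and cloud.gov deploy
 1. Optionally create a New Relic config with FEDRAMP-specific host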
@@ -98,6 +98,17 @@ module RailsTemplate18f
98
98
  end
99
99
  end
100
100
 
101
+ def update_oscal_doc
102
+ if oscal_dir_exists?
103
+ insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation a.\n"
104
+ #{app_name} employs ClamAV to detect and quarantine malicious code in user-uploaded files.
105
+ EOS
106
+ insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation b.\n"
107
+ ClamAV is configured to automatically update malicious code detection signatures on a daily basis.
108
+ EOS
109
+ end
110
+ end
111
+
101
112
  no_tasks do
102
113
  def data_model_uml
103
114
  <<~UML
@@ -65,6 +65,10 @@ EOB
65
65
  EOB
66
66
  end
67
67
 
68
+ def update_oscal_docs
69
+ update_cicd_oscal_docs("CircleCI")
70
+ end
71
+
68
72
  no_tasks do
69
73
  def readme_cicd
70
74
  <<~EOM
@@ -79,7 +83,7 @@ EOB
79
83
  <<~EOM
80
84
 
81
85
  Deploys to staging#{terraform? ? ", including applying changes in terraform," : ""} happen
82
- on every push to the `main` branch in Github.
86
+ on every push to the `main` branch in GitHub.
83
87
 
84
88
  The following secrets must be set within [CircleCI Environment Variables](https://circleci.com/docs/2.0/env-vars/)
85
89
  to enable a deploy to work:
@@ -97,7 +101,7 @@ EOB
97
101
  <<~EOM
98
102
 
99
103
  Deploys to production#{terraform? ? ", including applying changes in terraform," : ""} happen
100
- on every push to the `production` branch in Github.
104
+ on every push to the `production` branch in GitHub.
101
105
 
102
106
  The following secrets must be set within [CircleCI Environment Variables](https://circleci.com/docs/2.0/env-vars/)
103
107
  to enable a deploy to work:
@@ -12,7 +12,7 @@ module RailsTemplate18f
12
12
 
13
13
  desc <<~DESC
14
14
  Description:
15
- Install Github Actions workflow files
15
+ Install GitHub Actions workflow files
16
16
  DESC
17
17
 
18
18
  def install_actions
@@ -51,7 +51,7 @@ module RailsTemplate18f
51
51
  def update_boundary_diagram
52
52
  boundary_filename = "doc/compliance/apps/application.boundary.md"
53
53
  insert_into_file boundary_filename, <<EOB, after: "Boundary(cicd, \"CI/CD Pipeline\") {\n"
54
- System_Ext(githuball, "GitHub w/ Github Actions", "GSA-controlled code repository and Continuous Integration Service")
54
+ System_Ext(githuball, "GitHub w/ GitHub Actions", "GSA-controlled code repository and Continuous Integration Service")
55
55
  EOB
56
56
  insert_into_file boundary_filename, <<~EOB, before: "@enduml"
57
57
  Rel(developer, githuball, "Publish code", "git ssh (22)")
@@ -68,6 +68,10 @@ EOB
68
68
  EOM
69
69
  end
70
70
 
71
+ def update_oscal_docs
72
+ update_cicd_oscal_docs("GitHub Actions")
73
+ end
74
+
71
75
  no_tasks do
72
76
  def readme_cicd
73
77
  <<~EOM
@@ -82,7 +86,7 @@ EOB
82
86
  <<~EOM
83
87
 
84
88
  Deploys to staging#{terraform? ? ", including applying changes in terraform," : ""} happen
85
- on every push to the `main` branch in Github.
89
+ on every push to the `main` branch in GitHub.
86
90
 
87
91
  The following secrets must be set within the `staging` [environment secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
88
92
  to enable a deploy to work:
@@ -100,7 +104,7 @@ EOB
100
104
  <<~EOM
101
105
 
102
106
  Deploys to production#{terraform? ? ", including applying changes in terraform," : ""} happen
103
- on every push to the `production` branch in Github.
107
+ on every push to the `production` branch in GitHub.
104
108
 
105
109
  The following secrets must be set within the `production` [environment secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
106
110
  to enable a deploy to work:
@@ -57,6 +57,45 @@ EOB
57
57
  EOB
58
58
  end
59
59
 
60
+ def update_oscal_doc
61
+ if oscal_dir_exists?
62
+ insert_into_oscal "si-4.md", <<~EOS, after: "## Implementation a.\n"
63
+ New Relic is used for the purposes of monitoring and analyzing #{app_name} application data. New Relic monitors each application within #{app_name} for
64
+ basic container utilization (CPU, memory, disk) as a baseline of provided metrics. New Relic dashboards are used by #{app_name} operations to obtain
65
+ near real-time views into the metrics obtained from each application. New Relic provides application metrics that give insight into request/response rates,
66
+ failure rates, etc. New Relic uses this data to detect anomalies (such as potential unauthorized activity) and alerts the #{app_name} team via <<INSERT NOTIFICATION CHANNEL>>
67
+ in the GSA Slack. Example: a spike in failed requests may indicate an unauthorized user has entered the system and is attempting to phish for PII.
68
+
69
+ 1. A subset of relevant specific metrics #{app_name} is constantly monitoring include:
70
+ * Abnormal cpu, memory, and disk utilization (defined in New Relic alerting rules)
71
+ * Number of incoming requests
72
+ * Request response time
73
+ * Application crashes (for any reason)
74
+ * Response status codes (high numbers of failing requests would be abnormal)
75
+ * Applications (by name)
76
+ * Abnormally high request rates
77
+ 1. Metrics that can be audited within #{app_name} include:
78
+ * SSH Sessions (disabled in production under normal circumstances)
79
+ 1. A subset of relevant incidents #{app_name} will use these metrics to protect against include:
80
+ * Unauthorized Access / Intrusion to #{app_name} as an Administrator
81
+ * Denial of Service (DoS)
82
+ * Improper Usage
83
+ * Malicious Code
84
+ * System Uptime
85
+ * High Resource Usage
86
+
87
+ When suspicious activity is encountered #{app_name} Operations audit the event through the cloud.gov logs provided at logs.fr.cloud.gov
88
+ (a Kibana instance allowing users to access, filter, and search their cloud.gov logs. These logs are retained automatically by cloud.gov for 180 days after creation.
89
+ EOS
90
+ insert_into_oscal "si-4.md", "The #{app_name} application logs events to stdout and stderr which are ingested by cloud.gov and New Relic.", after: "## Implementation c.\n"
91
+ insert_into_oscal "si-4.md", "#{app_name} Operations are responsible for monitoring the New Relic dashboards that report on specific application events and performing follow-up investigations where necessary.", after: "## Implementation d.\n"
92
+ insert_into_oscal "si-4.2.md", <<~EOS
93
+ #{app_name} is monitored using New Relic Application Performance Monitoring (APM),
94
+ Synthetics and Logs, which detects and alerts on abnormal responses from #{app_name} applications.
95
+ EOS
96
+ end
97
+ end
98
+
60
99
  no_tasks do
61
100
  def readme
62
101
  <<~EOM
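Review bot: The si-4.md statement inserted at lines 62-89 carries the literal placeholder `<<INSERT NOTIFICATION CHANNEL>>` (line 66) into the generated SSP with nothing in the generator flagging it, so an unfilled field can reach the document unnoticed unless the reader spots it; consider having the generator print a reminder for it (e.g. via `say`) so it is tracked alongside the other review items. The closing paragraph at lines 87-88 opens a parenthesis with `(a Kibana instance` that is never closed. The enclosing generator class starts and ends outside the hunk.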
@@ -0,0 +1,79 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "rails/generators"
4
+
5
+ module RailsTemplate18f
6
+ module Generators
7
+ class OscalGenerator < ::Rails::Generators::Base
8
+ include Base
9
+
10
+ class_option :oscal_repo, required: true, desc: "GitHub Repo containing Compliance-Template fork"
11
+ class_option :detach, type: :boolean, default: false, desc: "Copy OSCAL files into repo, rather than using a submodule"
12
+ class_option :branch, desc: "Name of the branch to switch to when using a submodule. Defaults to `app_name`"
13
+
14
+ desc <<~DESC
15
+ Description:
16
+ Add a fork of https://github.com/GSA-TTS/compliance-template.git as a
17
+ submodule for documenting security controls.
18
+
19
+ This generator is still experimental.
20
+
21
+ Prerequisite:
22
+
23
+ Fork the compliance-template repo for your own use. Updates to the documentation
24
+ will be pushed to this fork, not the rails app repository.
25
+ DESC
26
+
27
+ def copy_template_files
28
+ if detach?
29
+ git clone: "#{options[:oscal_repo]} doc/compliance/oscal"
30
+ remove_dir "doc/compliance/oscal/.git"
31
+ else
32
+ git submodule: "add #{options[:oscal_repo]} doc/compliance/oscal"
33
+ inside "doc/compliance/oscal" do
34
+ git switch: "-c #{branch_name}"
35
+ end
36
+ end
37
+ end
38
+
39
+ def update_readme
40
+ if file_content("README.md").match?("## Documentation")
41
+ insert_into_file "README.md", readme_contents, after: "## Documentation\n"
42
+ else
43
+ append_to_file "README.md", "\n## Documentation\n#{readme_contents}"
44
+ end
45
+ end
46
+
47
+ no_tasks do
48
+ def branch_name
49
+ options[:branch].present? ? options[:branch] : app_name
50
+ end
51
+
52
+ def readme_contents
53
+ if detach?
54
+ <<~README
55
+
56
+ ### Compliance Documentation
57
+
58
+ Security Controls should be documented within doc/compliance/oscal.
59
+ README
60
+ else
61
+ <<~README
62
+
63
+ ### Compliance Documentation
64
+
65
+ Security Controls should be documented within doc/compliance/oscal.
66
+
67
+ See git's [submodule documentation](https://git-scm.com/book/en/v2/Git-Tools-Submodules)
68
+ for more information on tracking changes to these files.
69
+ README
70
+ end
71
+ end
72
+
73
+ def detach?
74
+ options[:detach]
75
+ end
76
+ end
77
+ end
78
+ end
79
+ end
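Review bot: `copy_template_files` (lines 27-37) interpolates `options[:oscal_repo]` and `branch_name` straight into the shell command strings behind `git clone:`, `git submodule:` and `git switch:` without quoting, so a clone address or branch name containing whitespace or shell metacharacters splits into extra arguments, and a value beginning with `-` is parsed by git as an option rather than a repository. Escaping both values with `Shellwords.escape` (which needs `require "shellwords"` at the top of the file) and separating the repository from git's options with `--` keeps the command shape fixed regardless of input. `options[:branch]` reaches `git switch -c` through `branch_name` at line 49 by the same route.
```ruby
def copy_template_files
  repo = Shellwords.escape(options[:oscal_repo])
  if detach?
    git clone: "-- #{repo} doc/compliance/oscal"
    remove_dir "doc/compliance/oscal/.git"
  else
    git submodule: "add -- #{repo} doc/compliance/oscal"
    inside "doc/compliance/oscal" do
      git switch: "-c #{Shellwords.escape(branch_name)}"
    end
  end
end
```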
@@ -18,6 +18,7 @@ module RailsTemplate18f
18
18
 
19
19
  included do
20
20
  self.source_path = RailsTemplate18f::Generators.const_source_location(name).first
21
+ class_option :oscal_profile, desc: "Name of the OSCAL profile to populate. Only needed if multiple folders are present in doc/compliance/oscal/dist/system-security-plans"
21
22
  end
22
23
 
23
24
  private
@@ -36,24 +37,65 @@ module RailsTemplate18f
36
37
  end
37
38
 
38
39
  def file_content(filename)
39
- file_path = File.expand_path(filename, destination_root)
40
- if File.exist? file_path
41
- File.read(file_path)
40
+ if file_exists?(filename)
41
+ File.read(file_path(filename))
42
42
  else
43
43
  ""
44
44
  end
45
45
  end
46
46
 
47
+ def file_path(filename)
48
+ File.expand_path(filename, destination_root)
49
+ end
50
+
51
+ def file_exists?(filename)
52
+ File.exist? file_path(filename)
53
+ end
54
+
47
55
  def ruby_version
48
56
  RUBY_VERSION
49
57
  end
50
58
 
59
+ def oscal_dir_exists?
60
+ Dir.exist? file_path("doc/compliance/oscal")
61
+ end
62
+
63
+ def insert_into_oscal(filename, content, after: "## What is the solution and how is it implemented?\n")
64
+ content = <<~EOS
65
+
66
+ **#{app_name} Implementation:**
67
+
68
+ #{content}
69
+ EOS
70
+ begin
71
+ insert_into_file File.join(oscal_path, filename), content, after: after
72
+ rescue Thor::Error => ex
73
+ warn ex.message
74
+ end
75
+ end
76
+
77
+ def oscal_path
78
+ @oscal_path ||= if options[:oscal_profile].present?
79
+ file_path(File.join("doc/compliance/oscal/dist/system-security-plans", options[:oscal_profile]))
80
+ else
81
+ ssp_dir = file_path("doc/compliance/oscal/dist/system-security-plans")
82
+ profiles = Dir.children(ssp_dir).select { |f| File.directory?(File.join(ssp_dir, f)) }
83
+ if profiles.empty?
84
+ fail "No OSCAL profiles found. Please run `make generate` from the `doc/compliance/oscal` folder"
85
+ elsif profiles.count > 1
86
+ fail "Multiple OSCAL profiles found. Please specify which one to update by passing the `--oscal-profile` option"
87
+ else
88
+ File.join(ssp_dir, profiles.first)
89
+ end
90
+ end
91
+ end
92
+
51
93
  def terraform_dir_exists?
52
- Dir.exist? File.expand_path("terraform", destination_root)
94
+ Dir.exist? file_path("terraform")
53
95
  end
54
96
 
55
97
  def skip_git?
56
- !Dir.exist?(File.expand_path(".git", destination_root))
98
+ !Dir.exist?(file_path(".git"))
57
99
  end
58
100
 
59
101
  def has_active_job?
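Review bot: `oscal_path` (lines 77-91) joins `options[:oscal_profile]` into the path at line 79 without checking that it names one of the directories under `system-security-plans`, so a mistyped profile, or one containing path separators, yields a path outside the profile tree and every later `insert_into_file` call fails separately with a "does not appear to exist" warning instead of one clear error. Listing the profile directories first and validating the option against that list gives a single actionable failure, and guarding `Dir.children` with `Dir.exist?` avoids an `Errno::ENOENT` when the `dist` tree has not been generated yet. Note also that `oscal_path` is first evaluated inside the `begin` block at line 71 and the `fail` calls raise `RuntimeError`, which the `rescue Thor::Error` at line 72 does not catch, so these messages surface as a backtrace.
```ruby
def oscal_path
  @oscal_path ||= begin
    ssp_dir = file_path("doc/compliance/oscal/dist/system-security-plans")
    profiles = Dir.exist?(ssp_dir) ? Dir.children(ssp_dir).select { |f| File.directory?(File.join(ssp_dir, f)) } : []
    profile = options[:oscal_profile]
    if profile.present?
      fail "OSCAL profile `#{profile}` not found in #{ssp_dir}" unless profiles.include?(profile)
    elsif profiles.empty?
      fail "No OSCAL profiles found. Please run `make generate` from the `doc/compliance/oscal` folder"
    elsif profiles.count > 1
      fail "Multiple OSCAL profiles found. Please specify which one to update by passing the `--oscal-profile` option"
    else
      profile = profiles.first
    end
    File.join(ssp_dir, profile)
  end
end
```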
@@ -13,6 +13,176 @@ module RailsTemplate18f
13
13
  def terraform?
14
14
  options[:terraform].nil? ? terraform_dir_exists? : options[:terraform]
15
15
  end
16
+
17
+ def update_cicd_oscal_docs(ci_name)
18
+ if oscal_dir_exists?
19
+ update_ca7_oscal_doc
20
+ update_cm2_oscal_doc("GitHub Actions")
21
+ update_cm3_oscal_doc("GitHub Actions")
22
+ update_ra5_oscal_doc
23
+ update_sa11_oscal_doc("GitHub Actions")
24
+ update_sa22_oscal_doc
25
+ update_sc281_oscal_doc("GitHub Actions")
26
+ update_si2_oscal_doc
27
+ update_si10_oscal_doc
28
+ end
29
+ end
30
+
31
+ private
32
+
33
+ def update_ca7_oscal_doc
34
+ insert_into_oscal "ca-7.md", <<~EOS, after: "## Implementation a.\n"
35
+ * #{app_name} DevOps staff review OWASP and Dependency scans every build, or at least weekly.
36
+ * #{app_name} DevOps staff and the GSA ISSO review Web Application vulnerability scans on a weekly basis.
37
+ * #{app_name} Administrators and DevOps staff review changes for potential security impact and engage the #{app_name} ISSO and ISSM who will review or engage assessment staff as needed.
38
+ EOS
39
+ end
40
+
41
+ def update_cm2_oscal_doc(ci)
42
+ insert_into_oscal "cm-2.2.md", <<~EOS
43
+ The #{app_name} team develops, documents, and maintains a current baseline for the #{app_name} application
44
+ components under configuration control, managed via git and github.com, and orchestrated using #{ci}
45
+ and the cloud.gov Cloud Foundry CLI.
46
+
47
+ Note: All cloud.gov brokered services (including databases) are fully managed by the cloud.gov platform.
48
+ Due to this, the configuration and security of these services are not included in the #{app_name} configuration baseline.
49
+ EOS
50
+ end
51
+
52
+ def update_cm3_oscal_doc(ci)
53
+ insert_into_oscal "cm-3.1.md", <<~EOS, after: "## Implementation (f)\n"
54
+ #{app_name} employs #{ci} to execute proposed changes to the information system.
55
+ #{app_name} Administrators and #{app_name} Developers are automatically notified of
56
+ the success or failure of the change execution via the GitHub notification system.
57
+ EOS
58
+ end
59
+
60
+ def update_ra5_oscal_doc
61
+ insert_into_oscal "ra-5.md", <<~EOS, after: "## Implementation a.\n"
62
+ Any vulnerabilities in #{app_name} would have to be introduced at time of deployment because #{app_name}
63
+ is a set of cloud.gov managed applications with SSH disabled in Production. #{app_name} monitors for
64
+ vulnerabilities by ensuring that scans for vulnerabilities in the information system and hosted applications occur
65
+ daily and when new code is deployed.
66
+
67
+ OWASP ZAP scans are built into the #{app_name} CI/CD pipeline and runs a series of web vulnerability scans before
68
+ a successful deploy can be made to cloud.gov. Any issues or alerts caused by the scan are documented by #{app_name}
69
+ Operations and cause the deployment to fail. Issues are tracked in GitHub. The issue posted will provide information
70
+ on which endpoints are vulnerable and the level of vulnerability, ranging from **False Positive** to **High**.
71
+ The issue also provides a detailed report formatted in html, json, and markdown.
72
+
73
+ #{app_name} Administrators are responsible for reporting any new vulnerabilities reported by the OWASP ZAP scan to the #{app_name} ISSO.
74
+ EOS
75
+ insert_into_oscal "ra-5.md", <<~EOS, after: "## Implementation b.\n"
76
+ 1. Alerts from each ZAP vulnerability scan are automatically reported in GitHub as an issue on the #{app_name} repository.
77
+ This issue will enumerate each finding and detail the type and severity of the vulnerability. #{app_name} Developers and
78
+ #{app_name} Administrators receive automated alerts via GitHub of the issues to remediate. Scan results are sent to the
79
+ #{app_name} System Owner by #{app_name} Administrators. The vulnerabilities are analyzed and prioritized within GitHub
80
+ based on input from the #{app_name} System Owner and ISSO.
81
+ 1. The ZAP report contains vulnerabilities grouped by type and by risk level. The report also provides a detailed report
82
+ formatted in html, json, and markdown. The reported issues also include the CVE item associated with the vulnerability.
83
+ 1. Vulnerabilities are classified by ZAP under a level range from **False Positive** to **High**. The impact level is
84
+ used to drive the priority of the effort to remediate.
85
+ EOS
86
+ insert_into_oscal "ra-5.md", <<~EOS, after: "## Implementation c.\n"
87
+ The ZAP vulnerability report contains information about how the attack was made and suggested solutions for each vulnerability found.
88
+ Any static code analysis findings identified during automation as part of the GitHub pull request process must be reviewed, analyzed,
89
+ and resolved by the #{app_name} Developer before the team can merge the pull request.
90
+ EOS
91
+ end
92
+
93
+ def update_sa11_oscal_doc(ci)
94
+ insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation a.\n"
95
+ The CI/CD pipeline utilizes multiple tools to perform static code analysis for security and privacy:
96
+
97
+ ### Brakeman
98
+ Brakeman is a static code scanner designed to find security issues in Ruby on Rails code. It can flag potential SQL injection,
99
+ Command Injection, open redirects, and other common vulnerabilities.
100
+
101
+ ### Bundle Audit
102
+ bundle-audit checks Ruby dependencies against a database of known CVE numbers.
103
+
104
+ ### Yarn Audit
105
+ yarn audit checks Javascript dependencies against a database of known CVE numbers.
106
+
107
+ ### OWASP ZAP
108
+ OWASP ZAP is a dynamic security scanner that can simulate actual attacks on a running server.
109
+
110
+ An additional RAILS_ENV has been created called ci. It inherits from production to ensure that the system being tested is as close as possible to production while allowing for overrides such as bypassing authentication in a secure way.
111
+ EOS
112
+ insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation b.\n"
113
+ #{ci} runs rspec tests for unit, integration, and regression testing at every code push to github.com and every Pull Request.
114
+ EOS
115
+ insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation c.\n"
116
+ Test and scan results can be viewed from within #{ci} for every run of the pipeline.
117
+
118
+ When #{ci} is run as a result of a Pull Request, the status of the tests and scans are automatically reported as part of the Pull Request.
119
+ EOS
120
+ end
121
+
122
+ def update_sa22_oscal_doc
123
+ insert_into_oscal "sa-22.md", <<~EOS, after: "## Implementation a.\n"
124
+ The #{app_name} application is built and supported by the #{app_name} DevOps staff.
125
+
126
+ #{app_name} utilizes public open source Ruby and NodeJS components.
127
+
128
+ #{app_name} utilizes dependency scanning tools Bundle Audit and Yarn Audit to find vulnerable or insecure dependencies.
129
+
130
+ If a vulnerable or insecure dependency is found it will be upgraded or replaced. Additionally the #{app_name} team code
131
+ review processes include a review of the health (up to date, supported, many individuals involved) of direct open source dependencies.
132
+ EOS
133
+ insert_into_oscal "sa-22.md", <<~EOS, after: "## Implementation b.\n"
134
+ There are currently no unsupported system components within #{app_name}. In case an unsupported system component is required
135
+ to maintain #{app_name}, the #{app_name} System Owner will be consulted to make a determination in coordination with the #{app_name} ISSO and ISSM.
136
+ EOS
137
+ end
138
+
139
+ def update_sc281_oscal_doc(ci)
140
+ insert_into_oscal "sc-28.1.md", <<~EOS
141
+ As an additional layer of protection, all PII data is encrypted using [Active Record Encryption — Ruby on Rails Guides](https://guides.rubyonrails.org/active_record_encryption.html).
142
+ This encryption is implemented in a using non-deterministic AES-256-GCM through Ruby's openssl library with a 256-bit key and a random initialization vector {rails crypto module}.
143
+
144
+ The Data Encryption Key is stored in the credentials.yml file in an encrypted format by Ruby's openssl library using the AES-128-GCM cipher,
145
+ and is built into the application package.
146
+
147
+ The credentials.yml decryption key is stored in #{ci} and injected into the running application as an environmental variable. The application then uses this key
148
+ to decrypt the credentials.yml file and obtain the Data Encryption Key.
149
+
150
+ A backup of the key is stored by the Lead Developer and System Owner within a keepass database stored in Google Drive.
151
+ EOS
152
+ end
153
+
154
+ def update_si2_oscal_doc
155
+ insert_into_oscal "si-2.md", <<~EOS, after: "Implementation a.\n"
156
+ Flaw and vulnerability checks are built into the #{app_name} CI/CD pipeline and automated to ensure compliance.
157
+ Dynamic vulnerability scans are performed against #{app_name} before a successful deployment and reports issues after every scan.
158
+ Compliance is documented in sections SA-11 and RA-5. The #{app_name} DevOps team uses GitHub as the Product Backlog to
159
+ track and prioritize issues related to system flaws.
160
+
161
+ The responsibility of remediating flaws and vulnerabilities (once a remediation is available) falls on the #{app_name} Developer,
162
+ who updates the #{app_name} code and deploys fixes as part of the normal development and CI/CD process.
163
+ EOS
164
+ insert_into_oscal "si-2.md", <<~EOS, after: "Implementation b.\n"
165
+ Any flaws or vulnerabilities resolved in #{app_name} result in a GitHub issue for triage via the #{app_name} CM Configuration Control
166
+ process described in CM-2(2). After resolving a vulnerability or flaw in #{app_name}, unit tests and integration tests are updated to
167
+ prevent further inclusion of similar flaws.
168
+
169
+ * All GitHub tickets have accompanying Acceptance Criteria that are used to create unit tests.
170
+ * Unit tests are run on the Development environment when new code is pushed.
171
+ * Integration tests are run on the Test environment when the remediation is deployed via the CI/CD process to ensure that the production
172
+ environment does not suffer from any side effects of the vulnerability remediation.
173
+ * Integration tests are run on the Prod environment when the remediation is deployed via the CI/CD process to validate the remediation and application functionality.
174
+ * All findings that are not remediated immediately are tracked in the #{app_name} Plan of Action and Milestones (POAM) by #{app_name} Operations and the #{app_name} ISSO.
175
+ EOS
176
+ end
177
+
178
+ def update_si10_oscal_doc
179
+ insert_into_oscal "si-10.md", <<~EOS
180
+ All inputs from the end user are parameterized prior to use to avoid potential sql injection.
181
+
182
+ #{app_name} utilizes Brakeman scanner as part of the CI/CD pipeline which further identifies coding practices
183
+ that may lead to application vulnerabilities that are a result of improper input validation.
184
+ EOS
185
+ end
16
186
  end
17
187
  end
18
188
  end
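Review bot: `update_cicd_oscal_docs(ci_name)` (lines 17-29) never uses its `ci_name` parameter: lines 20, 21, 23 and 25 pass the literal `"GitHub Actions"` to `update_cm2_oscal_doc`, `update_cm3_oscal_doc`, `update_sa11_oscal_doc` and `update_sc281_oscal_doc`, so the CircleCI generator's call `update_cicd_oscal_docs("CircleCI")` (added in the `@@ -65,6 +65,10 @@ EOB` hunk) produces CM-2(2), CM-3(1), SA-11 and SC-28(1) statements that name GitHub Actions as the pipeline and as the holder of the credentials.yml key. Replace each literal with `ci_name`. Separately, the sc-28.1 text at line 142 reads `implemented in a using non-deterministic AES-256-GCM` and ends with the stray `{rails crypto module}`, both of which land verbatim in the SSP. The enclosing module opens before the hunk.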
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module RailsTemplate18f
4
- VERSION = "0.6.0"
4
+ VERSION = "0.7.0"
5
5
  end
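--- a/data/template.rb
+++ b/data/template.rb
@@ -52,6 +52,13 @@ unless Gem::Dependency.new("rails", "~> 7.0.0").match?("rails", Rails.gem_versio
 end
 
 # ask setup questions
+compliance_template = yes?("Include OSCAL files from compliance-template? (y/n)")
+compliance_template_repo = "git@github.com:GSA-TTS/compliance-template.git"
+compliance_template_submodule = compliance_template && yes?("Clone #{compliance_template_repo} as a git submodule? (y/n)")
+if compliance_template_submodule
+compliance_template_repo = ask("What is the git clone address of your compliance-template fork?")
+end
+
 terraform = yes?("Create terraform files for cloud.gov services? (y/n)")
 @cloud_gov_organization = ask("What is your cloud.gov organization name? (Leave blank to fill in later)")
 default_staging_space = "staging"
@@ -62,7 +69,7 @@ cloud_gov_production_space = ask("What is your cloud.gov production space name?
 cloud_gov_staging_space = default_staging_space if cloud_gov_staging_space.blank?
 cloud_gov_production_space = default_prod_space if cloud_gov_production_space.blank?
 
-@github_actions = yes?("Create Github Actions? (y/n)")
+@github_actions = yes?("Create GitHub Actions? (y/n)")
 @circleci_pipeline = yes?("Create CircleCI config? (y/n)")
 newrelic = yes?("Create FEDRAMP New Relic config files? (y/n)")
 dap = yes?("If this will be a public site, should we include Digital Analytics Program code? (y/n)")
@@ -306,9 +313,6 @@ after_bundle do
 expect(rendered).to match "An official website of the United States government"
 end
 EOM
-
-# Setup translations
-generate "rails_template18f:i18n", "--languages=#{supported_languages.join(",")}", "--force"
 end
 
 # install ADRs and compliance documentation
@@ -318,6 +322,27 @@ register_announcement("Documentation", <<~EOM)
 * Remember to keep your Logical Data Model up to date in doc/compliance/apps/data.logical.md
 EOM
 
+if compliance_template
+after_bundle do
+generator_arguments = [
+"--oscal_repo=#{compliance_template_repo}",
+(compliance_template_submodule ? "--no-detach" : "--detach")
+]
+generate "rails_template18f:oscal", *generator_arguments
+end
+register_announcement("OSCAL Documentation", <<~EOM)
+OSCAL files have been generated with some default implementation statements in `doc/compliance/oscal`
+
+All generated statements must be reviewed for accuracy with your system's implementation before being
+submitted for authorization.
+EOM
+end
+
+after_bundle do
+# Setup translations
+generate "rails_template18f:i18n", "--languages=#{supported_languages.join(",")}", "--force"
+end
+
 if newrelic
 after_bundle do
 generate "rails_template18f:newrelic"
@@ -384,11 +409,11 @@ if @github_actions
 generate "rails_template18f:github_actions", *generator_arguments
 end
 if cloud_gov_org_tktk?
-register_announcement("Github Actions", <<~EOM)
+register_announcement("GitHub Actions", <<~EOM)
 * Fill in the cloud.gov organization information in .github/workflows/deploy-staging.yml
 EOM
 end
-register_announcement("Github Actions", <<~EOM)
+register_announcement("GitHub Actions", <<~EOM)
 * Create environment variable secrets for deploy users as defined in the Deployment section of the README
 EOM
 end
@@ -451,6 +476,16 @@ after_bundle do
 
 unless skip_git?
 run "cp .gitignore .cfignore"
+append_to_file ".cfignore", <<~EOM
+
+# compliance documentation
+/doc/compliance/
+EOM
+if compliance_template_submodule
+inside "doc/compliance/oscal" do
+git commit: "-a -m 'rails-template generated control statements'"
+end
+end
 git add: "."
 git commit: "-a -m 'Initial commit'"
 end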
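Review bot: The clone address read by `ask` at line 59 is used unchecked: an empty answer leaves `compliance_template_repo` as `""`, so line 328 builds `--oscal_repo=` with no value and the generator's `git submodule add` fails only after the rest of the template has run, and an answer containing whitespace or shell metacharacters is split or interpreted when `generate` hands the argument through the shell to `bin/rails generate`. Re-prompting on a blank answer (or `ask(..., default: compliance_template_repo)`) and building the argument as `"--oscal_repo=#{Shellwords.escape(compliance_template_repo)}"` (with `require "shellwords"` near the top of the template) would make both failures explicit and keep the argument intact. Inferred rather than visible here: the detach path always clones the upstream `git@github.com:GSA-TTS/compliance-template.git` SSH URL, which needs GitHub SSH credentials on the machine running the template even though nothing is pushed back, so an `https://` default may be the friendlier choice for that path.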
@@ -141,6 +141,8 @@ Configuration that changes from staging to production, but is public, should be
141
141
 
142
142
  ## Documentation
143
143
 
144
+ ### Architectural Decision Records
145
+
144
146
  Architectural Decision Records (ADR) are stored in `doc/adr`
145
147
  To create a new ADR, first install [ADR-tools](https://github.com/npryce/adr-tools) if you don't
146
148
  already have it installed.
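--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_template_18f
 version: !ruby/object:Gem::Version
-version: 0.6.0
+version: 0.7.0
 platform: ruby
 authors:
 - Ryan Ahearn
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-06-07 00:00:00.000000000 Z
+date: 2022-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: railties
@@ -166,6 +166,7 @@ files:
 - lib/generators/rails_template18f/i18n_js/templates/lib/tasks/i18n.rake
 - lib/generators/rails_template18f/newrelic/newrelic_generator.rb
 - lib/generators/rails_template18f/newrelic/templates/config/newrelic.yml.tt
+- lib/generators/rails_template18f/oscal/oscal_generator.rb
 - lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb
 - lib/generators/rails_template18f/sidekiq/templates/config/initializers/redis.rb
 - lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt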