@govuk-pay/cli 0.0.16 → 0.0.18

package/src/commands/tunnel.js

@@ -0,0 +1,370 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logTunnelCommands = void 0;
+const standardContent_js_1 = require("../core/standardContent.js");
+const client_ec2_1 = require("@aws-sdk/client-ec2");
+const client_ecs_1 = require("@aws-sdk/client-ecs");
+const client_rds_1 = require("@aws-sdk/client-rds");
+const readline_1 = __importDefault(require("readline"));
+const child_process_1 = require("child_process");
+const constants_js_1 = require("../core/constants.js");
+let ec2;
+let ecs;
+const FORMAT = {
+    red: '\x1b[31m',
+    green: '\x1b[32m',
+    yellow: '\x1b[33m',
+    reset: '\x1b[0m',
+    ul: '\x1b[4m',
+    ulstop: '\x1b[24m'
+};
+function logTunnelCommands() {
+    console.log(`Commands:
+    pay tunnel <ENVIRONMENT> <APP-NAME> # Open tunnel to application <APP-NAME> database in specified environment <ENVIRONMENT>
+    pay tunnel help                     # Describe tunnel command`);
+}
+exports.logTunnelCommands = logTunnelCommands;
+async function tunnelHandler(options) {
+    await (0, standardContent_js_1.showHeader)();
+    const { environment, application } = parseArguments(options);
+    console.log(`Opening a database tunnel to ${environment} ${application}`);
+    ec2 = new client_ec2_1.EC2Client();
+    ecs = new client_ecs_1.ECSClient();
+    let bastionTask = null;
+    let tunnel = null;
+    try {
+        printWarningToUser();
+        const database = await getDatabaseDetails(environment, application);
+        bastionTask = await startBastion(environment);
+        tunnel = openTunnel(bastionTask, database, environment);
+        printHowToTunnelText(application, environment, database.EngineVersion);
+        await waitForExit();
+        await shutdown(environment, tunnel, bastionTask);
+    }
+    catch (error) {
+        if (typeof error === 'string') {
+            printError(error);
+        }
+        else if (error instanceof Error) {
+            printError(error.message);
+        }
+        await shutdown(environment, tunnel, bastionTask);
+        process.exit(2);
+    }
+}
+exports.default = tunnelHandler;
+function parseArguments(options) {
+    if (options.arguments.length !== 2 || options.arguments[0] === 'help') {
+        logTunnelCommands();
+        process.exit(0);
+    }
+    const environment = options.arguments[0];
+    const application = options.arguments[1];
+    if (!constants_js_1.APPLICATIONS.includes(application)) {
+        printError(`Invalid application: "${application}". Must be one of ${constants_js_1.APPLICATIONS.join(', ')}`);
+        process.exit(2);
+    }
+    if (!constants_js_1.ENVIRONMENTS.includes(environment)) {
+        printError(`Invalid environment: "${environment}". Must be one of ${constants_js_1.ENVIRONMENTS.join(', ')}`);
+        process.exit(2);
+    }
+    return {
+        environment, application
+    };
+}
+async function waitForExit() {
+    const prompt = "\nTo shutdown bastion task and close tunnel type 'exit' or 'Ctrl-C'\n";
+    const rl = readline_1.default.createInterface({
+        input: process.stdin,
+        output: process.stdout
+    });
+    printGreen(prompt);
+    return await new Promise(resolve => {
+        rl.on('line', input => {
+            if (input === 'exit') {
+                rl.close();
+                resolve();
+            }
+            else {
+                console.log(`Unknown command ${input}`);
+                printGreen(prompt);
+            }
+        });
+        rl.on('SIGINT', () => {
+            console.log('Received: Ctrl-C');
+            rl.close();
+            resolve();
+        });
+    });
+}
+async function startBastion(environment) {
+    const subnetIds = await getBastionSubNets(environment);
+    const securityGroupIds = await getBastionSecurityGroups(environment);
+    let bastionTask = await launchBastionTask(environment, subnetIds, securityGroupIds);
+    bastionTask = await waitForBastionToBeReady(bastionTask, environment);
+    return bastionTask;
+}
+async function getBastionSubNets(environment) {
+    const subnetCommand = new client_ec2_1.DescribeSubnetsCommand({
+        Filters: [{
+                Name: 'tag:Name',
+                Values: [`${environment}-bastion`]
+            }]
+    });
+    const subnetCommandResponse = await ec2.send(subnetCommand);
+    const subnets = subnetCommandResponse.Subnets;
+    if (subnets == null || subnets.length < 1) {
+        throw new Error(`Failed to find subnets for the bastion in ${environment}`);
+    }
+    return subnets
+        .filter(s => s.SubnetId !== undefined)
+        .map((subnet) => subnet.SubnetId);
+}
+async function getBastionSecurityGroups(environment) {
+    const securityGroupCommand = new client_ec2_1.DescribeSecurityGroupsCommand({
+        Filters: [{
+                Name: 'group-name',
+                Values: [`${environment}-bastion`]
+            }]
+    });
+    const securityGroupCommandResponse = await ec2.send(securityGroupCommand);
+    const securityGroups = securityGroupCommandResponse.SecurityGroups;
+    if (securityGroups == null || securityGroups.length < 1) {
+        throw new Error(`Failed to find security groups for the bastion in ${environment}`);
+    }
+    return securityGroups
+        .filter(s => s.GroupId !== undefined)
+        .map((securityGroup) => securityGroup.GroupId);
+}
+async function launchBastionTask(environment, subnetIds, securityGroupIds) {
+    const runTaskCommand = new client_ecs_1.RunTaskCommand({
+        cluster: `${environment}-fargate`,
+        taskDefinition: `${environment}-bastion`,
+        launchType: 'FARGATE',
+        enableExecuteCommand: true,
+        networkConfiguration: {
+            awsvpcConfiguration: {
+                subnets: subnetIds,
+                securityGroups: securityGroupIds,
+                assignPublicIp: 'DISABLED'
+            }
+        },
+        // TODO: Add the developer's name as a Tag or suffix to startedBy.
+        startedBy: 'PAY-CLI'
+    });
+    const runTaskCommandResponse = await ecs.send(runTaskCommand);
+    if ((runTaskCommandResponse.failures != null) && runTaskCommandResponse.failures.length > 0) {
+        const failureReasons = runTaskCommandResponse.failures
+            .map((failure) => failure.reason)
+            .join(', ');
+        throw new Error(`Failed to run bastion task: ${failureReasons}`);
+    }
+    else if (runTaskCommandResponse.tasks?.length !== 1) {
+        throw new Error(`Expected 1 bastion task but got: ${String(runTaskCommandResponse.tasks?.length)}`);
+    }
+    else {
+        return runTaskCommandResponse.tasks[0];
+    }
+}
+async function refreshTask(taskArn, environment) {
+    const describeTaskCommand = new client_ecs_1.DescribeTasksCommand({
+        cluster: `${environment}-fargate`,
+        tasks: [taskArn]
+    });
+    const describeTaskCommandResponse = await ecs.send(describeTaskCommand);
+    if ((describeTaskCommandResponse.failures != null) && describeTaskCommandResponse.failures.length > 0) {
+        const failureReasons = describeTaskCommandResponse.failures
+            .map((failure) => failure.reason)
+            .join(', ');
+        throw new Error(`Failed to get task: ${failureReasons}`);
+    }
+    else if (describeTaskCommandResponse.tasks?.length !== 1) {
+        throw new Error(`Expected 1 bastion task but got: ${String(describeTaskCommandResponse.tasks?.length)}`);
+    }
+    else {
+        return describeTaskCommandResponse.tasks[0];
+    }
+}
+async function sleep(ms) {
+    return await new Promise(resolve => setTimeout(resolve, ms));
+}
+async function waitForBastionToBeReady(task, environment) {
+    console.log('Waiting for the bastion task to start');
+    let previousStatus;
+    while (!isRunningAndConnected(task)) {
+        if (task.lastStatus !== previousStatus) {
+            previousStatus = task.lastStatus;
+            process.stdout.write(`\n\tCurrent status: ${task.lastStatus} `);
+            if (task.lastStatus === 'RUNNING') {
+                process.stdout.write('\n\tWaiting for the bastion to connect to the network ');
+            }
+        }
+        else {
+            process.stdout.write('.');
+        }
+        await sleep(1000);
+        task = await refreshTask(task.taskArn, environment);
+        if (task.desiredStatus !== 'RUNNING') {
+            console.error(`\tBastion desired state is unexpectedly: ${task.desiredStatus}`);
+            throw Error('Bastion task failed to start');
+        }
+    }
+    console.log('\n\tBastion started successfully');
+    return task;
+}
+function isRunningAndConnected(task) {
+    // RUNNING doesn't mean that the task is ready to accept network connections.
+    // The 'ExecuteCommandAgent' must be running within the container before ssm
+    // can connect. Note: task.connectivity === 'CONNECTED' is not sufficient.
+    const connectionStatus = task.attachments
+        ?.filter(a => a.type === 'ElasticNetworkInterface')
+        .map(a => a.status)[0];
+    const agentStatus = task.containers
+        ?.flatMap(c => c.managedAgents)
+        .filter(agent => agent?.name === 'ExecuteCommandAgent')
+        .map(agent => agent?.lastStatus)[0];
+    return task.lastStatus === 'RUNNING' && connectionStatus === 'ATTACHED' && agentStatus === 'RUNNING';
+}
+async function stopBastion(task, environment) {
+    const stopTaskCommand = new client_ecs_1.StopTaskCommand({
+        task: task.taskArn,
+        cluster: `${environment}-fargate`,
+        reason: 'Stopping bastion'
+    });
+    const stopTaskCommandResponse = await ecs.send(stopTaskCommand);
+    if (stopTaskCommandResponse.task == null) {
+        throw new Error(`Failed to stop bastion task: ${task.taskArn}`);
+    }
+    console.log('Stopping Bastion');
+}
+async function getDatabaseDetails(environment, application) {
+    const describeDbCommand = new client_rds_1.DescribeDBInstancesCommand({});
+    const rds = new client_rds_1.RDSClient();
+    const describeDbCommandResponse = await rds.send(describeDbCommand);
+    if (describeDbCommandResponse.DBInstances == null || describeDbCommandResponse.DBInstances.length < 1) {
+        throw new Error(`Failed to find the database for ${application} in ${environment}`);
+    }
+    const appDatabases = describeDbCommandResponse.DBInstances
+        .filter(s => s.DBInstanceIdentifier?.startsWith(`${environment}-${application}`));
+    if (appDatabases.length === 0) {
+        throw new Error(`Failed to find the database for ${application} in ${environment}`);
+    }
+    else if (appDatabases.length > 1) {
+        // TODO: Allow an argument to specify the exact database name. Print out how
+        // to re-run the describeDbCommand specifying the required database.
+        const databaseNames = appDatabases.map(d => d.DBInstanceIdentifier).join(':');
+        throw new Error(`There are multiple matching databases: ${databaseNames}`);
+    }
+    else {
+        return appDatabases[0];
+    }
+}
+function openTunnel(task, db, environment) {
+    const cluster = `${environment}-fargate`;
+    const ecsTaskId = task.taskArn?.split('/').at(-1);
+    const ecsContainerRunTimeId = task.containers?.map(c => c.runtimeId)[0];
+    const rdsEndpoint = db.Endpoint?.Address;
+    const target = `ecs:${cluster}_${ecsTaskId}_${ecsContainerRunTimeId}`;
+    const parameters = `{"host":["${rdsEndpoint}"],"portNumber":["5432"],"localPortNumber":["65432"]}`;
+    const commandArgs = [
+        'ssm',
+        'start-session',
+        '--target', target,
+        '--document-name', 'AWS-StartPortForwardingSessionToRemoteHost',
+        '--parameters', parameters
+    ];
+    const tunnelProc = (0, child_process_1.spawn)('aws', commandArgs, { detached: true });
+    // TODO: useful for testing when the spawned process exits itself. Consider
+    // removing before final launch of the command.
+    // const tunnelProc = spawn('sleep', ['5'], { detached: true })
+    tunnelProc.stdout.on('data', (data) => {
+        console.log(`tunnel command: ${data}`);
+    });
+    tunnelProc.stderr.on('data', (data) => {
+        console.error(`tunnel command error: ${data}`);
+    });
+    tunnelProc.on('close', (code, _signal) => {
+        if (code !== null) {
+            console.error(`\nTunnel unexpectedly closed with exit code: ${code}`);
+            console.group();
+            console.error('Type `exit` or `Ctrl-C` to shutdown the bastion task then try again.');
+            const tunnelCommandForConsole = commandArgs
+                .join(' ')
+                .replaceAll('--', '\\\n--')
+                .replace('{', "'{")
+                .replace('}', "}'");
+            console.error(`The command to manually create the tunnel is: \naws ${tunnelCommandForConsole}`);
+            console.groupEnd();
+        }
+        else {
+            console.log('Tunnel closed');
+        }
+    });
+    return tunnelProc;
+}
+async function shutdown(environment, tunnel, bastionTask) {
+    console.log('Shutting down');
+    if (tunnel !== undefined && tunnel !== null) {
+        if (tunnel.exitCode === null && tunnel.pid !== undefined) {
+            process.kill(-(tunnel.pid));
+        }
+        else {
+            console.log(`Tunnel already closed, exit code: ${tunnel?.exitCode ?? 'no exit code'}`);
+        }
+    }
+    if (bastionTask !== null) {
+        bastionTask = await refreshTask(bastionTask.taskArn, environment);
+        if (bastionTask.desiredStatus !== 'STOPPED') {
+            await stopBastion(bastionTask, environment);
+        }
+    }
+    printGreen('Shutdown complete.');
+}
+function printHowToTunnelText(application, environment, dbEngineVersion) {
+    const dbUser = getDbUser(application);
+    const payLowPassDbSecretName = getPayLowPassDbSecretname(environment, dbUser);
+    const paySecretsPasswordName = getPaySecretsPasswordName();
+    printGreen(`\nConnected tunnel to ${application} RDS database in ${environment} on port 65432\n`);
+    printGreen('Copy DB credentials to clipboard (in another window) using pay-low-pass:');
+    printGreen(`  pay-low-pass ${payLowPassDbSecretName} | pbcopy`);
+    printGreen('Alternatively, fetch credentials from pay secrets:');
+    printGreen(`  pay secrets fetch ${environment} ${application} ${paySecretsPasswordName} | pbcopy`);
+    printGreen('Open psql with:');
+    printGreen(`  psql -h localhost -p 65432 -U ${dbUser} -d ${application}`);
+    printGreen('Alternatively connect using docker instead of needing psql installed locally and set the password automatically using pay-low-pass:');
+    printGreen(`   docker run --rm -ti postgres:${dbEngineVersion}-alpine psql --host docker.for.mac.localhost --port 65432 --user ${dbUser} --dbname ${application}`);
+    printGreen('Or even more conveniently connect using a docker container and set the password automatically using pay-low-pass:');
+    printGreen(`   docker run -e "PGPASSWORD=$(pay-low-pass ${payLowPassDbSecretName})" --rm -ti postgres:${dbEngineVersion}-alpine psql --host docker.for.mac.localhost --port 65432 --user ${dbUser} --dbname ${application}\n`);
+}
+// TODO: add a write flag. Default to readonly.
+function getDbUser(application) {
+    return `${application}_support_readonly`;
+}
+function getPayLowPassDbSecretname(environment, user) {
+    return `aws/rds/support_readonly_users/${environment.split('-')[0]}/${user}`;
+}
+function getPaySecretsPasswordName() {
+    return 'DB_SUPPORT_PASSWORD_READONLY';
+}
+function printWarningToUser() {
+    console.log(FORMAT.yellow, '⚠️  WARNING: When using SSM, any and all activity you perform may be getting logged for security auditing purposes (think PCI).', FORMAT.reset);
+    console.log(FORMAT.yellow, `Avoid sending or accessing ${FORMAT.ul}anything${FORMAT.ulstop} that could cause a security breach, such as:`, FORMAT.reset);
+    console.log(FORMAT.yellow, FORMAT.reset);
+    console.log(FORMAT.yellow, '• Secret API Keys or Tokens', FORMAT.reset);
+    console.log(FORMAT.yellow, '• Credentials or Passwords', FORMAT.reset);
+    console.log(FORMAT.yellow, '• Cardholder Data or Personally-Identifiable Information (PII)', FORMAT.reset);
+    console.log(FORMAT.yellow, '• Anything else that may be protected by GDPR or PCI-DSS', FORMAT.reset);
+    console.log(FORMAT.yellow, "• Anything classified as GSC 'Secret' or above", FORMAT.reset);
+    console.log(FORMAT.yellow, FORMAT.reset);
+    console.log(FORMAT.yellow, `If you have a problem with this or aren't sure, use Ctrl-C ${FORMAT.ul}right now${FORMAT.ulstop} and discontinue your SSM session.`, FORMAT.reset);
+    console.log(FORMAT.yellow, FORMAT.reset);
+}
+function printError(error) {
+    console.error(`${FORMAT.red}${error}${FORMAT.reset}`);
+}
+function printGreen(message) {
+    console.error(`${FORMAT.green}${message}${FORMAT.reset}`);
+}

package/src/core/commandRouter.js

@@ -8,10 +8,14 @@ const browse_js_1 = __importDefault(require("../commands/browse.js"));
 const demo_js_1 = __importDefault(require("../commands/demo.js"));
 const legacy_1 = __importDefault(require("../commands/legacy"));
 const help_1 = __importDefault(require("../commands/help"));
+const tunnel_js_1 = __importDefault(require("../commands/tunnel.js"));
 const handlers = new Map();
 handlers.set('browse', {
     handler: browse_js_1.default
 });
+handlers.set('tunnel', {
+    handler: tunnel_js_1.default
+});
 handlers.set('legacy', {
     handler: legacy_1.default
 });

package/src/core/constants.js

@@ -23,11 +23,29 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.distDirForBuildTasks = exports.rootDirForBuildTasks = exports.rootDir = void 0;
+exports.APPLICATIONS = exports.ENVIRONMENTS = exports.distDirForBuildTasks = exports.rootDirForBuildTasks = exports.rootDir = void 0;
 const path = __importStar(require("path"));
 exports.rootDir = path.resolve(__dirname, '..', '..');
 exports.rootDirForBuildTasks = exports.rootDir.endsWith('dist') ? path.resolve(exports.rootDir, '..') : exports.rootDir;
 exports.distDirForBuildTasks = path.join(exports.rootDirForBuildTasks, 'dist');
+exports.ENVIRONMENTS = ['test-12', 'test-perf-1', 'staging-2', 'deploy-tooling', 'production-2'];
+exports.APPLICATIONS = [
+    'adminusers',
+    'cardid',
+    'connector',
+    'egress',
+    'frontend',
+    'ledger',
+    'notifications',
+    'pact-broker',
+    'products',
+    'products',
+    'publicapi',
+    'publicauth',
+    'selfservice',
+    'toolbox',
+    'webhooks'
+];
 exports.default = {
     rootDir: exports.rootDir,
     distDirForBuildTasks: exports.distDirForBuildTasks,

package/resources/legacy-ruby-cli/lib/pay_cli/aws/document.rb

@@ -1,23 +0,0 @@
-require 'date'
-require 'English'
-require 'aws-sdk-core'
-
-module PayCLI::Aws
-  class Document
-    def self.security_group_rules!(env)
-       PayCLI::Environment.setup! env
-       ec2 = Aws::EC2::Client.new()
-       vpc_options =  {
-         :filters  => [{ name: "tag:Name" , values: ["#{env}-vpc"] } ]
-       }
-       vpcs = ec2.describe_vpcs(vpc_options)
-       vpc_id = vpcs[:vpcs][0][:vpc_id]
-       STDERR.puts "Got vpc id #{vpc_id} for #{env}"
-       STDERR.puts "Querying aws for security groups and using aws_security_viz to write diagram to security-group-visualisation-latest.svg "
-       pid = system  "bash", "-c" ,"aws_security_viz -o <(aws ec2 describe-security-groups --filters Name=vpc-id,Values=#{vpc_id}) -f security-group-visualisation-latest.svg --color"
-       STDERR.puts "Copy security-group-visualisation-latest.svg in the current directory to https://github.com/alphagov/pay-team-manual/blob/master/images/security-group-visualisation-latest.svg and review"
-       exit $CHILD_STATUS.exitstatus
-    end
-
-  end
-end

package/resources/legacy-ruby-cli/lib/pay_cli/ec2.rb

@@ -1,38 +0,0 @@
-require 'aws-sdk-ec2'
-
-class PayCLI::Ec2
-
-  attr_reader :ec2, :logger
-
-  def initialize(region: default_region, logger: Logger.new(STDERR))
-    @ec2 = ::Aws::EC2::Client.new(region: region)
-    @logger = logger
-  end
-
-  def all_instances
-    @instances ||= fetch_all_instances
-  end
-
-private
-  def default_region
-    ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || 'eu-west-1'
-  end
-
-  def fetch_all_instances
-    next_token = nil
-    instances = []
-
-    begin
-      response = ec2.describe_instances(next_token: next_token)
-
-      if response
-        instances += response.reservations.flat_map { |r| r.instances }
-        next_token = response.next_token
-      else
-        break
-      end
-    end while next_token
-
-    return instances
-  end
-end

package/resources/legacy-ruby-cli/vulnerability_scan/.nvmrc

@@ -1 +0,0 @@
-18.12.1

package/resources/legacy-ruby-cli/vulnerability_scan/generate_vulnerability_report.js

@@ -1,88 +0,0 @@
-const fs = require('fs')
-const path = require('path')
-const stringify = require('csv-stringify/sync').stringify
-
-const INPUT_PATH = `${path.resolve(path.dirname(__filename))}/reports`
-const OUTPUT_PATH = `${path.resolve(path.dirname(__filename))}/reports`
-
-const HEADERS = ["App name", "Release", "Vulnerability", "Severity", "Status", "Package", "Fixed version"]
-const NODE_MAJOR_VERSION = process.versions.node.split('.')[0];
-
-if (NODE_MAJOR_VERSION < 16) {
-  console.warn('⛔️ requires >= Node 16')
-  process.exit(1)
-} else {
-  generate()
-}
-
-function generate() {
-  const date = new Date().toJSON().slice(0, 10);
-  const jsonFiles = fs.readdirSync(INPUT_PATH).filter(file => path.extname(file) === '.json')
-  const reportFilePath = `${OUTPUT_PATH}/vulnerability_scan_report-${date}.csv`
-  const violatedRules = new Map()
-  let parseCount = 0
-  let rowCount = 0
-  try {
-    jsonFiles.forEach(file => {
-      const appInfo = extractAppAndReleaseFromFilename(file)
-      const filePath = path.join(INPUT_PATH, file)
-      const data = fs.readFileSync(filePath, 'utf8')
-      const parsedData = JSON.parse(data)
-
-      const appViolations = [];
-      violatedRules.set(`${appInfo.name}:${appInfo.release}`, appViolations)
-
-      parsedData["runs"][0]["tool"]["driver"]["rules"].forEach(
-        (violatedRule) => appViolations.push({
-          "App name": appInfo.name,
-          "Release": appInfo.release,
-          "Vulnerability": violatedRule.id,
-          "Severity": violatedRule.properties.cvssV3_severity,
-          "Status": "",
-          "Package": violatedRule.properties.purls.join("\n"),
-          "Fixed version": violatedRule.properties.fixed_version,
-        })
-      )
-
-      parseCount++
-    })
-  } catch (err) {
-    console.error(`Error: Failed parsing source json after successfully parsing ${parseCount} of ${jsonFiles.length} source files: `, err)
-    process.exit(1)
-  }
-
-  const csv_rows = [HEADERS];
-  try {
-    violatedRules.forEach((violations) => {
-      violations.forEach((violation) => {
-        const row = HEADERS.map(key => violation[key])
-        csv_rows.push(row)
-        rowCount++
-      })
-    })
-  } catch (err) {
-    console.error("Error collating results for writing to CSV: ", err)
-    process.exit(1)
-  }
-
-  try {
-    fs.writeFileSync(reportFilePath, stringify(csv_rows))
-  } catch (err) {
-    console.error("Error writing CSV file: ", err.message)
-    process.exit(1)
-  }
-
-  console.log(`Parsed ${parseCount} of ${jsonFiles.length} JSON files, wrote ${rowCount} row(s) to ${reportFilePath}`)
-}
-
-function extractAppAndReleaseFromFilename(fileName) {
-  const regex = /^.*?(?=-\d+)/ // matches any characters at the beginning of the string that are followed by a dash and one or more digits
-  const match = fileName.match(regex)
-  if (match && match[0]) {
-    const release = fileName.replace(`${match[0]}-`, "").replace(".json", "")
-    return { name: match[0], release }
-  } else {
-    const fallback = fileName.replace(".json", "")
-    return { name: fallback, release: fallback}
-  }
-}

package/resources/legacy-ruby-cli/vulnerability_scan/package.json

@@ -1,15 +0,0 @@
-{
-  "name": "vulnerability_scan",
-  "version": "1.0.0",
-  "description": "",
-  "main": "generate_vulnerability_report.js",
-  "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
-  },
-  "keywords": [],
-  "author": "",
-  "license": "MIT",
-  "dependencies": {
-    "csv-stringify": "^6"
-  }
-}

package/resources/legacy-ruby-cli/vulnerability_scan/scan.sh

@@ -1,88 +0,0 @@
-#!/bin/bash
-
-# Script for scanning ECR docker vulnerabilities with "docker scout cves"
-# https://docs.docker.com/engine/reference/commandline/scout_cves/
-
-# **** Run this from the root of pay-infra to store reports in this folder. ****
-
-# This will take about 5 minutes unless you already have the images cached locally.
-# You will be prompted for your aws-vault auth/MFA code.
-# The report will be stored in reports/vulnerability_scan_report-YYYY-MM-DD.csv
-
-set -euo pipefail
-
-ACCOUNT="staging"
-ACCOUNT_ID="888564216586"
-SOURCE_DIR=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
-REPORTS_FOLDER="$SOURCE_DIR/reports"
-ARCHITECTURE_TO_SCAN="linux/amd64"
-
-echo "🔍 checking for dependencies..."
-
-declare -a commands=("aws" "aws-vault" "docker" "docker scout")
-
-for cmd in "${commands[@]}"; do
-  # shellcheck disable=SC2086
-  if ! command -v $cmd &> /dev/null
-  then
-    echo "❌ $cmd"
-    exit 1
-  else
-    echo "✅ $cmd"
-  fi
-done
-
-# Login to ECR
-echo "Logging into $ACCOUNT ECR"
-aws-vault exec "$ACCOUNT" -- aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin "${ACCOUNT_ID}.dkr.ecr.eu-west-1.amazonaws.com"
-
-IMAGES=""
-
-# Get a all ECS clusters
-echo "Getting list of ECS clusters"
-CLUSTERS=$(aws-vault exec "$ACCOUNT" -- aws ecs list-clusters --query clusterArns --output text)
-
-for CLUSTER in $CLUSTERS; do
-  echo "Checking services in cluster $CLUSTER"
-  SERVICES=$(aws-vault exec "$ACCOUNT" -- aws ecs list-services --cluster "$CLUSTER" --query 'serviceArns' --output text | xargs -n1 | sort)
-
-  for SERVICE in $SERVICES; do
-    echo "Checking for container images in service $SERVICE"
-    TASK_DEFINITION=$(\
-      aws-vault exec "$ACCOUNT" -- \
-        aws ecs describe-services --cluster "$CLUSTER" --service "$SERVICE" --query 'services[].taskDefinition' --output text
-    )
-    CONTAINER_IMAGES=$(aws-vault exec "$ACCOUNT" -- aws ecs describe-task-definition --task-definition "$TASK_DEFINITION" --query 'taskDefinition.containerDefinitions[].image' --output text)
-    for CONTAINER_IMAGE in $CONTAINER_IMAGES; do
-      IMAGES="$IMAGES $CONTAINER_IMAGE"
-    done
-  done
-done
-
-for IMAGE in $(xargs -n1 <<<"$IMAGES" | sort | uniq); do
-  SHORT_REPO_AND_TAG=$(cut -d'/' -f 3 <<<"$IMAGE")
-  SHORT_REPO_NAME=$(cut -f 1 -d ":" <<<"$SHORT_REPO_AND_TAG")
-  IMAGE_TAG=$(cut -f 2 -d ":" <<<"$SHORT_REPO_AND_TAG")
-
-  echo "Scanning image $IMAGE"
-  docker scout cves --format sarif --platform "$ARCHITECTURE_TO_SCAN" --output "${REPORTS_FOLDER}/${SHORT_REPO_NAME}-${IMAGE_TAG}.json" "$IMAGE"
-done
-
-pushd "$SOURCE_DIR" >>/dev/null 2>&1
-
-echo "Installing node dependencies"
-npm install
-
-echo
-echo "|============================================================================================"
-echo "| Generating vulnerability report"
-echo "|============================================================================================"
-node "${SOURCE_DIR}/generate_vulnerability_report.js"
-echo "|============================================================================================"
-echo
-
-popd >>/dev/null 2>&1
-
-# Clean up report JSON files once done
-echo "Removing JSON report files..."
-rm $REPORTS_FOLDER/*.json