Merge branch 'main' into fix_export_control_url

coreinfrastructure · Sep 13, 2024 · 7da40b0 · 7da40b0
2 parents eccf1c0 + 93e5567
commit 7da40b0
Show file tree

Hide file tree

Showing 58 changed files with 1,119 additions and 423 deletions.
diff --git a/.bundler-audit.yml b/.bundler-audit.yml
@@ -0,0 +1,31 @@
+# Configure bundle-audit
+
+# Identify dependencies that have CVE entries but
+# are not exploitable vulnerabilities in our application.
+
+ignore:
+  # Ignore these vulnerabilities in jquery-ui-rails.
+  # This client-side JavaScript library
+  # never receives untrusted data. Also, we never use position(), and
+  # thus we never use its "of" parameter that's vulnerable to XSS, and we don't
+  # use DatePicker.
+  - CVE-2021-41182
+  - CVE-2021-41183
+  - CVE-2021-41184
+  - CVE-2022-31160
+  # A vulnerability has been identified in Bootstrap that exposes users
+  # to Cross-Site Scripting (XSS) attacks. The issue is present in the
+  # carousel component, where the data-slide and data-slide-to attributes
+  # can be exploited through the href attribute of an tag due to inadequate
+  # sanitization.
+  # However, we never use the carousel component, and we strictly restrict
+  # the HTML text the user is allowed to insert, so it's not exploitable
+  # in our use. More information:
+  # https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
+  # https://nvd.nist.gov/vuln/detail/CVE-2024-6484
+  - CVE-2024-6484
+
+# At one time we ignored CVE-2015-9284 (omniauth), because we mitigated this with a
+# third-party countermeasure (omniauth-rails_csrf_protection) in:
+# https://github.com/coreinfrastructure/best-practices-badge/pull/1298
+# This is no longer necessary, so we removed that.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -3,9 +3,11 @@ version: 2.1
 # OpenSSF Scorecard. You can see the hash pins on the various "image:"
 # values. That prevents downloading of later subversions AND of later
 # updates. When you *DO* want to update, you can easily find out the hash
-# of a given docker container by just running something like:
-# > docker pull circleci/postgres:11.5-ram
-# This will return with the SHA-256 hash of the current version.
+# of a given docker container via:
+# https://hub.docker.com/r/cimg/postgres/tags
+# For more info: https://circleci.com/developer/images/image/cimg/postgres
+# You could also run something like:
+# > docker pull circleci/postgres:13.14
 #
 orbs:
   browser-tools: circleci/browser-tools@1.4.1
@@ -27,7 +29,7 @@ jobs:
         PG_USER: ubuntu
         RAILS_ENV: test
         RACK_ENV: test
-    - image: cimg/postgres@sha256:baf39240249c9aeaaf09a3052e3663a5e99fa515c38ed6293b6689ffa15bb48e # pin :11.17
+    - image: cimg/postgres@sha256:86e5a2c769da73ad7c6fa2de1b520d44566c146ba9f5c33382be023754804128 # pin :14.11
       environment:
         POSTGRES_USER: ubuntu
         POSTGRES_DB: circle_ruby_test

diff --git a/.codespellignore b/.codespellignore
@@ -0,0 +1,23 @@
+# French phrase used in tests: mis à jour
+mis
+
+# reenable - used as .attribute in .rb as well
+reenable
+
+# rouge - name of the repo
+rouge
+
+# Suh - name
+suh
+
+# projets - French term used in a test
+projets
+
+# requestor - as requested in the original PR
+requestor
+
+#
+secur
+
+# socioeconomic - Don't change the standard CODE_OF_CONDUCT for hyphenation
+socio-economic
diff --git a/.codespellrc b/.codespellrc
@@ -1,10 +1,4 @@
 [codespell]
 skip = .git,*.pdf,*.svg,locales,vcr_cassettes,*.rake
-# French phrase uses in tests
-ignore-regex = mis à jour
-# reenable - used as .attribute in .rb as well
-# rouge - name of the repo
-# Suh - name
-# projets - French used in a test
-# requestor - as requested in the original PR
-ignore-words-list = reenable,rouge,suh,projets,requestor,secur
+
+ignore-words: .codespellignore
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -17,3 +17,5 @@ jobs:
         uses: actions/checkout@v4
       - name: Codespell
         uses: codespell-project/actions-codespell@v2
+        with:
+          ignore_words_file: .codespellignore
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '37 21 * * 3'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -16,6 +16,7 @@ Here's help on how to make contributions, divided into the following sections:
 * reuse (supply chain for third-party components, including updating them),
 * keeping up the main branch, and
 * handling the rename of the "master" branch to "main".
+* governance
 
 ## General information
 
@@ -130,7 +131,7 @@ some blank lines and the signed-off-by text above;
 then configure git to use that as a commit template.  For example:
 
 ````sh
-git config commit.template ~/cii-best-practices-badge/git-template
+git config commit.template ~/best-practices-badge/git-template
 ````
 
 It's not practical to fix old contributions in git, so if one is forgotten,
@@ -150,6 +151,9 @@ See the section on reuse for their license requirements
 (they don't need to be MIT, but all required components must be
 open source software).
 
+The data *managed* by this application is released under different
+open data licenses. See the README for more information.
+
 ### We are proactive
 
 In general we try to be proactive to detect and eliminate
@@ -1031,3 +1035,15 @@ git fetch origin
 git branch -u origin/main main
 git remote set-head origin -a
 ~~~~
+
+## Governance
+
+This project is led by the OpenSSF Best Practices Badge
+Technical Steering Committee (TSC).
+For current members, see [TSC.md](./TSC.md).
+The TSC is supported by a technical lead.
+
+The file [governance.md](docs/governance.md) describes our governance model
+(how we decide things) in more detail.
+That file is considered "incorporated by reference" by this
+CONTRIBUTING document.