mirror of
https://github.com/cisagov/log4j-affected-db.git
synced 2024-11-22 16:40:48 +00:00
Merge branch 'develop' into patch-1
This commit is contained in:
commit
25db426dbb
13 changed files with 1303 additions and 294 deletions
13
.github/CODEOWNERS
vendored
Normal file
|
@ -0,0 +1,13 @@
|
|||
# Each line is a file pattern followed by one or more owners.
|
||||
|
||||
# These owners will be the default owners for everything in the
|
||||
# repo. Unless a later match takes precedence, these owners will be
|
||||
# requested for review when someone opens a pull request.
|
||||
* @ChrisSCISA @justmurphy @KwadwoBCISA
|
||||
|
||||
# These folks own any dot-files in the repository.
|
||||
.* @dav3r @felddy @jsf9k @mcdonnnj
|
||||
|
||||
# These folks own any files in the .github directory at the root of
|
||||
# the repository and any of its subdirectories.
|
||||
/.github/ @dav3r @felddy @jsf9k @mcdonnnj
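Review bot: the `*` default-owner line and the later `.*` and `/.github/` overrides only cause reviews to be requested; they block nothing unless the branch protection rule for the default branch has "Require review from Code Owners" enabled, so confirm that setting is turned on alongside this file. The ordering is right as written: GitHub applies the last matching pattern, and because `/.github/` comes after `*`, this CODEOWNERS file itself (which lives under `.github/`) is owned by the dot-file maintainers rather than the default owners, which is the arrangement you want, since changes to ownership then require those maintainers' review.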
|
|
@ -1,35 +1,27 @@
|
|||
---
|
||||
name: Product Submission Template
|
||||
about: Template for product submissions of all publicly available information and
|
||||
vendor-supplied advisories regarding the log4j vulnerability.
|
||||
title: ''
|
||||
labels: ''
|
||||
assignees: ''
|
||||
|
||||
about: Template for product submissions of all publicly available information
|
||||
and vendor-supplied advisories regarding the log4j vulnerability.
|
||||
---
|
||||
# Submission Template #
|
||||
|
||||
---
|
||||
name: Software Product Submission Template
|
||||
about: Schema for product submission for log4j vulnerability.
|
||||
|
||||
---
|
||||
|
||||
# Submission Template
|
||||
|
||||
Please provide the following information.
|
||||
Please provide the following information.
|
||||
|
||||
- Vendor Name
|
||||
- Product Name
|
||||
- Version(s) affected
|
||||
- Status: Please choose from one of the following (Unknown/Affected/Not Affected/Fixed/Under Investigation).
|
||||
- Update Available: Yes or No (If Yes, please provide link to information)
|
||||
- Status: Please choose from one of the following - Unknown, Affected,
|
||||
Not Affected, Fixed, and Under Investigation.
|
||||
- Update Available: Yes or No (If Yes, please provide link to information)
|
||||
- Notes
|
||||
- References
|
||||
- Last Updated: Date of last update
|
||||
- Last Updated: Date of last update
|
||||
|
||||
For questions about choice for status, please see the information below.
|
||||
- Unknown - Status unknown. Default choice.
|
||||
|
||||
- Unknown - Status unknown. Default choice.
|
||||
- Affected - Reported to be affected by CVE-2021-44228.
|
||||
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further action necessary.
|
||||
- Fixed - Patch and/or mitigations available (see provided links).
|
||||
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further
|
||||
action necessary.
|
||||
- Fixed - Patch and/or mitigations available (see provided links).
|
||||
- Under Investigation - Vendor investigating status.
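Review bot: the wrapped `about:` value in the front matter (`about: Template for product submissions of all publicly available information` followed by `and vendor-supplied advisories regarding the log4j vulnerability.`) is a YAML multi-line plain scalar and only parses if the continuation line is indented further than the key; the rendered diff drops indentation, so verify it before merging, otherwise GitHub will not offer the template. Separately, the status definitions fold two distinct states into one with `Fixed - Patch and/or mitigations available (see provided links).`: a consumer of this database deciding whether a compensating control is still needed cannot tell a patched product from one with only a workaround, so ask submitters to say in `Notes` which of the two applies.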
|
||||
|
|
1
.github/SECURITY.md
vendored
|
@ -1 +0,0 @@
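Review bot: this removes the single line of `.github/SECURITY.md` without adding a replacement, so the repository loses the file GitHub surfaces under the Security tab as its vulnerability-reporting policy. The removed content is not shown here; if it was a placeholder or a link into a shared organization policy that no longer applies, replace it with a short pointer to where reports about this database should be sent rather than deleting the file outright.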
|
|||
|
18
.github/dependabot.yml
vendored
Normal file
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
|
||||
- package-ecosystem: "pip"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
|
||||
- package-ecosystem: "terraform"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
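Review bot: the `pip` and `terraform` entries both point at `directory: "/"`, but nothing added in this change set is a Python requirements file or a Terraform configuration, so those two update blocks will never find anything to bump. Keep `github-actions`, which covers the `actions/*` steps in `build.yml`, and drop or defer the other two until such files exist; that keeps the Dependabot configuration honest about what it actually watches.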
|
42
.github/workflows/build.yml
vendored
Normal file
|
@ -0,0 +1,42 @@
|
|||
---
|
||||
name: build
|
||||
|
||||
on:
|
||||
push:
|
||||
pull_request:
|
||||
repository_dispatch:
|
||||
types: [apb]
|
||||
|
||||
env:
|
||||
PIP_CACHE_DIR: ~/.cache/pip
|
||||
PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- id: setup-python
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: "3.10"
|
||||
- uses: actions/cache@v2
|
||||
env:
|
||||
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
|
||||
py${{ steps.setup-python.outputs.python-version }}"
|
||||
with:
|
||||
path: |
|
||||
${{ env.PIP_CACHE_DIR }}
|
||||
${{ env.PRE_COMMIT_CACHE_DIR }}
|
||||
key: "${{ env.BASE_CACHE_KEY }}\
|
||||
${{ hashFiles('**/.pre-commit-config.yaml') }}"
|
||||
restore-keys: |
|
||||
${{ env.BASE_CACHE_KEY }}
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
python -m pip install --upgrade pip setuptools wheel
|
||||
pip install --upgrade pre-commit
|
||||
- name: Set up pre-commit hook environments
|
||||
run: pre-commit install-hooks
|
||||
- name: Run pre-commit on all files
|
||||
run: pre-commit run --all-files
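Review bot: the three actions are referenced by mutable major tags (`actions/checkout@v2`, `actions/setup-python@v2`, `actions/cache@v2`); pinning each to a full commit SHA with the version in a trailing comment gives the workflow an immutable dependency, and Dependabot's `github-actions` ecosystem still updates SHA pins. The workflow also declares no `permissions:` block, so the job's `GITHUB_TOKEN` gets whatever the repository default is; a lint-only job needs nothing beyond `permissions: contents: read`, and declaring that at the top level limits what a compromised hook or action could do with the token. Lastly, `pip install --upgrade pre-commit` is unpinned, which is acceptable for a linter but means the job's behaviour can change between runs.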
|
8
.gitignore
vendored
Normal file
|
@ -0,0 +1,8 @@
|
|||
# This file specifies intentionally untracked files that Git should ignore.
|
||||
# Files already tracked by Git are not affected.
|
||||
# See: https://git-scm.com/docs/gitignore
|
||||
|
||||
## Python ##
|
||||
__pycache__
|
||||
.mypy_cache
|
||||
.python-version
|
50
.mdl_config.yaml
Normal file
|
@ -0,0 +1,50 @@
|
|||
---
|
||||
|
||||
# Default state for all rules
|
||||
default: true
|
||||
|
||||
# MD003/heading-style/header-style - Heading style
|
||||
MD003:
|
||||
# Enforce the ATX-closed style of header
|
||||
style: "atx_closed"
|
||||
|
||||
# MD004/ul-style - Unordered list style
|
||||
MD004:
|
||||
# Enforce dashes for unordered lists
|
||||
style: "dash"
|
||||
|
||||
# MD013/line-length - Line length
|
||||
MD013:
|
||||
# Do not enforce for code blocks
|
||||
code_blocks: false
|
||||
# Do not enforce for tables
|
||||
tables: false
|
||||
|
||||
# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the
|
||||
# same content
|
||||
MD024:
|
||||
# Allow headers with the same content as long as they are not in the same
|
||||
# parent heading
|
||||
allow_different_nesting: true
|
||||
|
||||
# MD029/ol-prefix - Ordered list item prefix
|
||||
MD029:
|
||||
# Enforce the `1.` style for ordered lists
|
||||
style: "one"
|
||||
|
||||
# MD033/no-inline-html - Inline HTML
|
||||
MD033:
|
||||
# The h1 and img elements are allowed to permit header images
|
||||
allowed_elements:
|
||||
- h1
|
||||
- img
|
||||
|
||||
# MD035/hr-style - Horizontal rule style
|
||||
MD035:
|
||||
# Enforce dashes for horizontal rules
|
||||
style: "---"
|
||||
|
||||
# MD046/code-block-style Code block style
|
||||
MD046:
|
||||
# Enforce the fenced style for code blocks
|
||||
style: "fenced"
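Review bot: `MD013` sets `code_blocks: false` and `tables: false` but no `line_length`, so the default of 80 columns applies; writing `line_length: 80` explicitly would document the limit that the wrapped lines in the issue template and CONTRIBUTING.md are written to. The `MD033` allow-list of `h1` and `img` is narrow enough to serve the header-image use case without admitting arbitrary inline HTML, which is the right trade-off for a public-facing markdown database.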
|
48
.pre-commit-config.yaml
Normal file
|
@ -0,0 +1,48 @@
|
|||
---
|
||||
default_language_version:
|
||||
# force all unspecified python hooks to run python3
|
||||
python: python3
|
||||
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.0.1
|
||||
hooks:
|
||||
- id: check-case-conflict
|
||||
- id: check-executables-have-shebangs
|
||||
- id: check-json
|
||||
- id: check-merge-conflict
|
||||
- id: check-toml
|
||||
- id: check-xml
|
||||
- id: debug-statements
|
||||
- id: detect-aws-credentials
|
||||
args:
|
||||
- --allow-missing-credentials
|
||||
- id: detect-private-key
|
||||
- id: end-of-file-fixer
|
||||
exclude: files/(issue|motd)
|
||||
- id: mixed-line-ending
|
||||
args:
|
||||
- --fix=lf
|
||||
- id: pretty-format-json
|
||||
args:
|
||||
- --autofix
|
||||
- id: requirements-txt-fixer
|
||||
- id: trailing-whitespace
|
||||
|
||||
# Text file hooks
|
||||
- repo: https://github.com/igorshubovych/markdownlint-cli
|
||||
rev: v0.30.0
|
||||
hooks:
|
||||
- id: markdownlint
|
||||
args:
|
||||
- --config=.mdl_config.yaml
|
||||
- repo: https://github.com/pre-commit/mirrors-prettier
|
||||
rev: v2.5.1
|
||||
hooks:
|
||||
- id: prettier
|
||||
- repo: https://github.com/adrienverge/yamllint
|
||||
rev: v1.26.3
|
||||
hooks:
|
||||
- id: yamllint
|
||||
args:
|
||||
- --strict
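Review bot: `detect-aws-credentials` runs with `--allow-missing-credentials`, which makes the hook pass silently on any machine that has no local AWS credentials file; that hook only recognises keys present in the contributor's own credentials file, so it is not a general secret scanner and should not be relied on as one. Also, `end-of-file-fixer` excludes `files/(issue|motd)`, a path that does not exist in this repository and looks carried over from a skeleton; dropping that `exclude:` avoids a rule nobody will understand later. The `rev:` values are exact version tags, which is the usual pre-commit convention; keep them that way rather than moving to branch names.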
|
7
.prettierignore
Normal file
|
@ -0,0 +1,7 @@
|
|||
# Already being linted by pretty-format-json
|
||||
*.json
|
||||
# Already being linted by mdl
|
||||
*.md
|
||||
# Already being linted by yamllint
|
||||
*.yaml
|
||||
*.yml
|
7
.yamllint
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
extends: default
|
||||
|
||||
rules:
|
||||
# yamllint doesn't like when we use yes and no for true and false,
|
||||
# but that's pretty standard in Ansible.
|
||||
truthy: disable
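Review bot: the comment justifying `truthy: disable` refers to Ansible, but this repository contains no Ansible; the rule still needs disabling here because yamllint's truthy check flags the top-level `on:` key in `.github/workflows/build.yml`, so update the comment to give that reason instead.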
|
154
CONTRIBUTING.md
Normal file
|
@ -0,0 +1,154 @@
|
|||
# Welcome #
|
||||
|
||||
We're so glad you're thinking about contributing to this open source
|
||||
project! If you're unsure or afraid of anything, just ask or submit
|
||||
the issue or pull request anyway. The worst that can happen is that
|
||||
you'll be politely asked to change something. We appreciate any sort
|
||||
of contribution, and don't want a wall of rules to get in the way of
|
||||
that.
|
||||
|
||||
Before contributing, we encourage you to read our CONTRIBUTING policy
|
||||
(you are here), our [LICENSE](LICENSE), and our [README](README.md),
|
||||
all of which should be in this repository.
|
||||
|
||||
## Issues ##
|
||||
|
||||
If you want to report a bug or request a new feature, the most direct
|
||||
method is to [create an
|
||||
issue](https://github.com/cisagov/log4j-affected-db/issues) in this
|
||||
repository. We recommend that you first search through existing
|
||||
issues (both open and closed) to check if your particular issue has
|
||||
already been reported. If it has then you might want to add a comment
|
||||
to the existing issue. If it hasn't then feel free to create a new
|
||||
one.
|
||||
|
||||
## Pull requests ##
|
||||
|
||||
If you choose to [submit a pull
|
||||
request](https://github.com/cisagov/log4j-affected-db/pulls), you will
|
||||
notice that our continuous integration (CI) system runs a fairly
|
||||
extensive set of linters and syntax checkers. Your pull request may
|
||||
fail these checks, and that's OK. If you want you can stop there and
|
||||
wait for us to make the necessary corrections to ensure your code
|
||||
passes the CI checks.
|
||||
|
||||
If you want to make the changes yourself, or if you want to become a
|
||||
regular contributor, then you will want to set up
|
||||
[pre-commit](https://pre-commit.com/) on your local machine. Once you
|
||||
do that, the CI checks will run locally before you even write your
|
||||
commit message. This speeds up your development cycle considerably.
|
||||
|
||||
### Setting up pre-commit ###
|
||||
|
||||
There are a few ways to do this, but we prefer to use
|
||||
[`pyenv`](https://github.com/pyenv/pyenv) and
|
||||
[`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv) to
|
||||
create and manage a Python virtual environment specific to this
|
||||
project.
|
||||
|
||||
#### Installing and using `pyenv` and `pyenv-virtualenv` ####
|
||||
|
||||
On the Mac, we recommend installing [brew](https://brew.sh/). Then
|
||||
installation is as simple as `brew install pyenv pyenv-virtualenv` and
|
||||
adding this to your profile:
|
||||
|
||||
```bash
|
||||
export PYENV_ROOT="$HOME/.pyenv"
|
||||
export PATH="$PYENV_ROOT/bin:$PATH"
|
||||
eval "$(pyenv init --path)"
|
||||
eval "$(pyenv init -)"
|
||||
eval "$(pyenv virtualenv-init -)"
|
||||
```
|
||||
|
||||
For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you
|
||||
don't want to use `brew`) you can use
|
||||
[pyenv/pyenv-installer](https://github.com/pyenv/pyenv-installer) to
|
||||
install the necessary tools. Before running this ensure that you have
|
||||
installed the prerequisites for your platform according to the
|
||||
[`pyenv` wiki
|
||||
page](https://github.com/pyenv/pyenv/wiki/common-build-problems).
|
||||
|
||||
On WSL you should treat your platform as whatever Linux distribution
|
||||
you've chosen to install.
|
||||
|
||||
Once you have installed `pyenv` you will need to add the following
|
||||
lines to your `.bash_profile` (or `.profile`):
|
||||
|
||||
```bash
|
||||
export PYENV_ROOT="$HOME/.pyenv"
|
||||
export PATH="$PYENV_ROOT/bin:$PATH"
|
||||
eval "$(pyenv init --path)"
|
||||
```
|
||||
|
||||
and then add the following lines to your `.bashrc`:
|
||||
|
||||
```bash
|
||||
eval "$(pyenv init -)"
|
||||
eval "$(pyenv virtualenv-init -)"
|
||||
```
|
||||
|
||||
If you want more information about setting up `pyenv` once installed, please run
|
||||
|
||||
```console
|
||||
pyenv init
|
||||
```
|
||||
|
||||
and
|
||||
|
||||
```console
|
||||
pyenv virtualenv-init
|
||||
```
|
||||
|
||||
for the current configuration instructions.
|
||||
|
||||
If you are using a shell other than `bash` you should follow the
|
||||
instructions that the `pyenv-installer` script outputs.
|
||||
|
||||
You will need to reload your shell for these changes to take effect so
|
||||
you can begin to use `pyenv`.
|
||||
|
||||
For a list of Python versions that are already installed and ready to
|
||||
use with `pyenv`, use the command `pyenv versions`. To see a list of
|
||||
the Python versions available to be installed and used with `pyenv`
|
||||
use the command `pyenv install --list`. You can read more
|
||||
[here](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md) about
|
||||
the many things that `pyenv` can do. See
|
||||
[here](https://github.com/pyenv/pyenv-virtualenv#usage) for the
|
||||
additional capabilities that pyenv-virtualenv adds to the `pyenv`
|
||||
command.
|
||||
|
||||
#### Creating the Python virtual environment ####
|
||||
|
||||
Once `pyenv` and `pyenv-virtualenv` are installed on your system, you
|
||||
can create and configure the Python virtual environment with these
|
||||
commands:
|
||||
|
||||
```console
|
||||
cd log4j-affected-db
|
||||
pyenv virtualenv <python_version_to_use> log4j-affected-db
|
||||
pyenv local log4j-affected-db
|
||||
pip install --upgrade pip setuptools wheel pre-commit
|
||||
```
|
||||
|
||||
#### Installing the pre-commit hook ####
|
||||
|
||||
Now setting up pre-commit is as simple as:
|
||||
|
||||
```console
|
||||
pre-commit install
|
||||
```
|
||||
|
||||
At this point the pre-commit checks will run against any files that
|
||||
you attempt to commit. If you want to run the checks against the
|
||||
entire repo, just execute `pre-commit run --all-files`.
|
||||
|
||||
## Public domain ##
|
||||
|
||||
This project is in the public domain within the United States, and
|
||||
copyright and related rights in the work worldwide are waived through
|
||||
the [CC0 1.0 Universal public domain
|
||||
dedication](https://creativecommons.org/publicdomain/zero/1.0/).
|
||||
|
||||
All contributions to this project will be released under the CC0
|
||||
dedication. By submitting a pull request, you are agreeing to comply
|
||||
with this waiver of copyright interest.
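Review bot: `pyenv virtualenv <python_version_to_use> log4j-affected-db` leaves the Python version to the contributor, while `build.yml` runs the same pre-commit hooks under Python 3.10; recommending that version in the text keeps local hook behaviour aligned with CI. The `pre-commit install` step and the closing `pre-commit run --all-files` match what the workflow executes, so the rest of the setup instructions are consistent with the CI configuration in this change set.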
|
116
LICENSE
Normal file
|
@ -0,0 +1,116 @@
|
|||
CC0 1.0 Universal
|
||||
|
||||
Statement of Purpose
|
||||
|
||||
The laws of most jurisdictions throughout the world automatically confer
|
||||
exclusive Copyright and Related Rights (defined below) upon the creator and
|
||||
subsequent owner(s) (each and all, an "owner") of an original work of
|
||||
authorship and/or a database (each, a "Work").
|
||||
|
||||
Certain owners wish to permanently relinquish those rights to a Work for the
|
||||
purpose of contributing to a commons of creative, cultural and scientific
|
||||
works ("Commons") that the public can reliably and without fear of later
|
||||
claims of infringement build upon, modify, incorporate in other works, reuse
|
||||
and redistribute as freely as possible in any form whatsoever and for any
|
||||
purposes, including without limitation commercial purposes. These owners may
|
||||
contribute to the Commons to promote the ideal of a free culture and the
|
||||
further production of creative, cultural and scientific works, or to gain
|
||||
reputation or greater distribution for their Work in part through the use and
|
||||
efforts of others.
|
||||
|
||||
For these and/or other purposes and motivations, and without any expectation
|
||||
of additional consideration or compensation, the person associating CC0 with a
|
||||
Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
|
||||
and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
|
||||
and publicly distribute the Work under its terms, with knowledge of his or her
|
||||
Copyright and Related Rights in the Work and the meaning and intended legal
|
||||
effect of CC0 on those rights.
|
||||
|
||||
1. Copyright and Related Rights. A Work made available under CC0 may be
|
||||
protected by copyright and related or neighboring rights ("Copyright and
|
||||
Related Rights"). Copyright and Related Rights include, but are not limited
|
||||
to, the following:
|
||||
|
||||
i. the right to reproduce, adapt, distribute, perform, display, communicate,
|
||||
and translate a Work;
|
||||
|
||||
ii. moral rights retained by the original author(s) and/or performer(s);
|
||||
|
||||
iii. publicity and privacy rights pertaining to a person's image or likeness
|
||||
depicted in a Work;
|
||||
|
||||
iv. rights protecting against unfair competition in regards to a Work,
|
||||
subject to the limitations in paragraph 4(a), below;
|
||||
|
||||
v. rights protecting the extraction, dissemination, use and reuse of data in
|
||||
a Work;
|
||||
|
||||
vi. database rights (such as those arising under Directive 96/9/EC of the
|
||||
European Parliament and of the Council of 11 March 1996 on the legal
|
||||
protection of databases, and under any national implementation thereof,
|
||||
including any amended or successor version of such directive); and
|
||||
|
||||
vii. other similar, equivalent or corresponding rights throughout the world
|
||||
based on applicable law or treaty, and any national implementations thereof.
|
||||
|
||||
2. Waiver. To the greatest extent permitted by, but not in contravention of,
|
||||
applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
|
||||
unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
|
||||
and Related Rights and associated claims and causes of action, whether now
|
||||
known or unknown (including existing as well as future claims and causes of
|
||||
action), in the Work (i) in all territories worldwide, (ii) for the maximum
|
||||
duration provided by applicable law or treaty (including future time
|
||||
extensions), (iii) in any current or future medium and for any number of
|
||||
copies, and (iv) for any purpose whatsoever, including without limitation
|
||||
commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
|
||||
the Waiver for the benefit of each member of the public at large and to the
|
||||
detriment of Affirmer's heirs and successors, fully intending that such Waiver
|
||||
shall not be subject to revocation, rescission, cancellation, termination, or
|
||||
any other legal or equitable action to disrupt the quiet enjoyment of the Work
|
||||
by the public as contemplated by Affirmer's express Statement of Purpose.
|
||||
|
||||
3. Public License Fallback. Should any part of the Waiver for any reason be
|
||||
judged legally invalid or ineffective under applicable law, then the Waiver
|
||||
shall be preserved to the maximum extent permitted taking into account
|
||||
Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
|
||||
is so judged Affirmer hereby grants to each affected person a royalty-free,
|
||||
non transferable, non sublicensable, non exclusive, irrevocable and
|
||||
unconditional license to exercise Affirmer's Copyright and Related Rights in
|
||||
the Work (i) in all territories worldwide, (ii) for the maximum duration
|
||||
provided by applicable law or treaty (including future time extensions), (iii)
|
||||
in any current or future medium and for any number of copies, and (iv) for any
|
||||
purpose whatsoever, including without limitation commercial, advertising or
|
||||
promotional purposes (the "License"). The License shall be deemed effective as
|
||||
of the date CC0 was applied by Affirmer to the Work. Should any part of the
|
||||
License for any reason be judged legally invalid or ineffective under
|
||||
applicable law, such partial invalidity or ineffectiveness shall not
|
||||
invalidate the remainder of the License, and in such case Affirmer hereby
|
||||
affirms that he or she will not (i) exercise any of his or her remaining
|
||||
Copyright and Related Rights in the Work or (ii) assert any associated claims
|
||||
and causes of action with respect to the Work, in either case contrary to
|
||||
Affirmer's express Statement of Purpose.
|
||||
|
||||
4. Limitations and Disclaimers.
|
||||
|
||||
a. No trademark or patent rights held by Affirmer are waived, abandoned,
|
||||
surrendered, licensed or otherwise affected by this document.
|
||||
|
||||
b. Affirmer offers the Work as-is and makes no representations or warranties
|
||||
of any kind concerning the Work, express, implied, statutory or otherwise,
|
||||
including without limitation warranties of title, merchantability, fitness
|
||||
for a particular purpose, non infringement, or the absence of latent or
|
||||
other defects, accuracy, or the present or absence of errors, whether or not
|
||||
discoverable, all to the greatest extent permissible under applicable law.
|
||||
|
||||
c. Affirmer disclaims responsibility for clearing rights of other persons
|
||||
that may apply to the Work or any use thereof, including without limitation
|
||||
any person's Copyright and Related Rights in the Work. Further, Affirmer
|
||||
disclaims responsibility for obtaining any necessary consents, permissions
|
||||
or other rights required for any use of the Work.
|
||||
|
||||
d. Affirmer understands and acknowledges that Creative Commons is not a
|
||||
party to this document and has no duty or obligation with respect to this
|
||||
CC0 or use of the Work.
|
||||
|
||||
For more information, please see
|
||||
<http://creativecommons.org/publicdomain/zero/1.0/>
|