Merge pull request #412 from cisagov/improvement/add-readme-template

Use a YAML file to store product information

.github/ISSUE_TEMPLATE/product-submission-form.yml

@@ -27,30 +27,6 @@ body:
       placeholder: v2; 1.5; >3; >=4; >5, <6; etc.
     validations:
       required: true
-  - type: dropdown
-    id: product-status
-    attributes:
-      label: Product status
-      description: What is the current status of the affected product?
-      options:
-        - Unknown
-        - Affected
-        - Not Affected
-        - Fixed
-        - Under Investigation
-    validations:
-      required: true
-  - type: markdown
-    attributes:
-      value: |
-        Please use the information below when selecting a status.
-
-        - Unknown - Status unknown. Default choice.
-        - Affected - Reported to be affected by CVE-2021-44228.
-        - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
-          further action necessary.
-        - Fixed - Patch and/or mitigations available (see provided links).
-        - Under Investigation - Vendor investigating status.
   - type: dropdown
     id: product-updated
     attributes:

.github/ISSUE_TEMPLATE/product-update-form.yml

@@ -29,28 +29,6 @@ body:
     attributes:
       label: Product version(s)
       description: What version(s) of the product are affected?
-  - type: dropdown
-    id: product-status
-    attributes:
-      label: Product status
-      description: What is the current status of the affected product?
-      options:
-        - Unknown
-        - Affected
-        - Not Affected
-        - Fixed
-        - Under Investigation
-  - type: markdown
-    attributes:
-      value: |
-        Please use the information below when selecting a status.
-
-        - Unknown - Status unknown. Default choice.
-        - Affected - Reported to be affected by CVE-2021-44228.
-        - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
-          further action necessary.
-        - Fixed - Patch and/or mitigations available (see provided links).
-        - Under Investigation - Vendor investigating status.
   - type: dropdown
     id: product-updated
     attributes:

.github/workflows/update_software_list.yml

@@ -0,0 +1,111 @@
+---
+name: Update the software list
+
+on:
+  push:
+    branches:
+      - develop
+
+env:
+  PIP_CACHE_DIR: ~/.cache/pip
+  TESTING_BRANCH_BASE: testing/update_software_list
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      # Commit author information for git
+      git_author: ${{ steps.git-config.outputs.author }}
+      git_email: ${{ steps.git-config.outputs.email }}
+      git_user: ${{ steps.git-config.outputs.user }}
+      # The name of the branch used for testing
+      testing_branch: ${{ steps.testing-branch.outputs.name }}
+    steps:
+      - id: git-config
+        run: |
+          echo "::set-output name=author::$GIT_USER <$GIT_EMAIL>"
+          echo "::set-output name=email::$GIT_EMAIL"
+          echo "::set-output name=user::$GIT_USER"
+        env:
+          GIT_EMAIL: ${{ fromJson(secrets.GIT_AUTHOR_INFORMATION).user.email }}
+          GIT_USER: ${{ fromJson(secrets.GIT_AUTHOR_INFORMATION).user.name }}
+      - id: testing-branch
+        run: echo "::set-output name=name::$BASE_BRANCH/$COMMIT_SHA"
+        env:
+          BASE_BRANCH: ${{ env.TESTING_BRANCH_BASE }}
+          COMMIT_SHA: ${{ github.sha }}
+  generate_list_update:
+    runs-on: ubuntu-latest
+    needs: setup
+    outputs:
+      # If changes are detected then a commit will have been pushed
+      updated_list: ${{ steps.commit-for-testing.outputs.changes_detected }}
+    # Don't run if we're seeing an update push
+    if: github.actor != needs.setup.outputs.git_user
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.CISAGOVBOT_PAT }}
+      - id: setup-python
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.10"
+      - uses: actions/cache@v2
+        env:
+          BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
+            py${{ steps.setup-python.outputs.python-version }}-"
+        with:
+          path: |
+            ${{ env.PIP_CACHE_DIR }}
+          key: "${{ env.BASE_CACHE_KEY }}\
+            ${{ hashFiles('.github/workflows/update_software_list.yml') }}-\
+            ${{ hashFiles('config/requirements.txt') }}"
+          restore-keys: |
+            ${{ env.BASE_CACHE_KEY }}
+      - name: Update Python base packages
+        run: python -m pip install --upgrade pip setuptools wheel
+      - name: Install dependencies
+        run: pip install --upgrade --requirement config/requirements.txt
+      - name: Create the branch for test validation
+        run: git switch --create ${{ needs.setup.outputs.testing_branch }}
+      - name: Generate a normalized YAML file
+        run: normalize-yml data/cisagov.yml > normalized.yml
+      - name: Generate a Markdown table from the normalized YAML file
+        run: yml2md normalized.yml > table_data.md
+      - name: Generate a new software list from the updated data
+        run: md-from-template config/SOFTWARE-LIST.tpl.md table_data.md > SOFTWARE-LIST.md
+      - id: commit-for-testing
+        uses: stefanzweifel/git-auto-commit-action@v4
+        with:
+          branch: ${{ needs.setup.outputs.testing_branch }}
+          commit_message: Update the software list
+          commit_user_name: ${{ needs.setup.outputs.git_user }}
+          commit_user_email: ${{ needs.setup.outputs.git_email }}
+          commit_author: ${{ needs.setup.outputs.git_author }}
+          file_pattern: SOFTWARE-LIST.md
+  merge_list_update:
+    runs-on: ubuntu-latest
+    needs:
+      - setup
+      - generate_list_update
+    if: needs.generate_list_update.outputs.updated_list == 'true'
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.CISAGOVBOT_PAT }}
+      - name: Configure git
+        run: |
+          git config user.name "${{ needs.setup.outputs.git_user }}"
+          git config user.email "${{ needs.setup.outputs.git_email }}"
+      - uses: lewagon/wait-on-check-action@v1.0.0
+        with:
+          check-name: lint
+          ref: ${{ needs.setup.outputs.testing_branch }}
+          repo-token: ${{ github.token }}
+      - name: Merge the testing branch
+        run: |
+          git fetch
+          git merge origin/${{ needs.setup.outputs.testing_branch }}
+          git push
+      - name: Cleanup testing branch
+        run: git push --delete origin ${{ needs.setup.outputs.testing_branch }}

.yamllint

@@ -5,3 +5,6 @@ rules:
   # yamllint doesn't like when we use yes and no for true and false,
   # but that's pretty standard in Ansible.
   truthy: disable
+
+  # Enforcing this rule would be complicated for auto-generated data right now.
+  line-length: disable

config/SOFTWARE-LIST.tpl.md

@@ -0,0 +1,20 @@
+# CISA Log4j (CVE-2021-44228) Affected Vendor & Software List #
+
+## Status Descriptions ##
+
+| Status | Description |
+| ------ | ----------- |
+| Unknown | Status unknown. Default choice. |
+| Affected | Reported to be affected by CVE-2021-44228. |
+| Not Affected | Reported to NOT be affected by CVE-2021-44228 and no further action necessary. |
+| Fixed | Patch and/or mitigations available (see provided links). |
+| Under Investigation | Vendor investigating status. |
+
+## Software List ##
+
+This list was initially populated using information from the following sources:
+
+- Kevin Beaumont
+- SwitHak
+
+{{software_markdown_table}}

config/requirements.txt

@@ -0,0 +1 @@
+https://github.com/cisagov/log4j-md-yml/archive/v1.0.0.tar.gz