1
0
Fork 0
mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-11-23 00:50:48 +00:00

Merge branch 'develop' into fixquarkus

This commit is contained in:
justmurphy 2021-12-16 18:24:54 -05:00 committed by GitHub
commit 976c3cb8d1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 1343 additions and 301 deletions

13
.github/CODEOWNERS vendored Normal file
View file

@ -0,0 +1,13 @@
# Each line is a file pattern followed by one or more owners.
# These owners will be the default owners for everything in the
# repo. Unless a later match takes precedence, these owners will be
# requested for review when someone opens a pull request.
* @ChrisSCISA @justmurphy @KwadwoBCISA
# These folks own any dot-files in the repository.
.* @dav3r @felddy @jsf9k @mcdonnnj
# These folks own any files in the .github directory at the root of
# the repository and any of its subdirectories.
/.github/ @dav3r @felddy @jsf9k @mcdonnnj

View file

@ -1,35 +1,27 @@
--- ---
name: Product Submission Template name: Product Submission Template
about: Template for product submissions of all publicly available information and about: Template for product submissions of all publicly available information
vendor-supplied advisories regarding the log4j vulnerability. and vendor-supplied advisories regarding the log4j vulnerability.
title: ''
labels: ''
assignees: ''
--- ---
# Submission Template #
--- Please provide the following information.
name: Software Product Submission Template
about: Schema for product submission for log4j vulnerability.
---
# Submission Template
Please provide the following information.
- Vendor Name - Vendor Name
- Product Name - Product Name
- Version(s) affected - Version(s) affected
- Status: Please choose from one of the following (Unknown/Affected/Not Affected/Fixed/Under Investigation). - Status: Please choose from one of the following - Unknown, Affected,
- Update Available: Yes or No (If Yes, please provide link to information) Not Affected, Fixed, and Under Investigation.
- Update Available: Yes or No (If Yes, please provide link to information)
- Notes - Notes
- References - References
- Last Updated: Date of last update - Last Updated: Date of last update
For questions about choice for status, please see the information below. For questions about choice for status, please see the information below.
- Unknown - Status unknown. Default choice.
- Unknown - Status unknown. Default choice.
- Affected - Reported to be affected by CVE-2021-44228. - Affected - Reported to be affected by CVE-2021-44228.
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further action necessary. - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further
- Fixed - Patch and/or mitigations available (see provided links). action necessary.
- Fixed - Patch and/or mitigations available (see provided links).
- Under Investigation - Vendor investigating status. - Under Investigation - Vendor investigating status.

1
.github/SECURITY.md vendored
View file

@ -1 +0,0 @@

18
.github/dependabot.yml vendored Normal file
View file

@ -0,0 +1,18 @@
---
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "terraform"
directory: "/"
schedule:
interval: "weekly"

42
.github/workflows/build.yml vendored Normal file
View file

@ -0,0 +1,42 @@
---
name: build
on:
push:
pull_request:
repository_dispatch:
types: [apb]
env:
PIP_CACHE_DIR: ~/.cache/pip
PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- id: setup-python
uses: actions/setup-python@v2
with:
python-version: "3.10"
- uses: actions/cache@v2
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}"
with:
path: |
${{ env.PIP_CACHE_DIR }}
${{ env.PRE_COMMIT_CACHE_DIR }}
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/.pre-commit-config.yaml') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
pip install --upgrade pre-commit
- name: Set up pre-commit hook environments
run: pre-commit install-hooks
- name: Run pre-commit on all files
run: pre-commit run --all-files

8
.gitignore vendored Normal file
View file

@ -0,0 +1,8 @@
# This file specifies intentionally untracked files that Git should ignore.
# Files already tracked by Git are not affected.
# See: https://git-scm.com/docs/gitignore
## Python ##
__pycache__
.mypy_cache
.python-version

50
.mdl_config.yaml Normal file
View file

@ -0,0 +1,50 @@
---
# Default state for all rules
default: true
# MD003/heading-style/header-style - Heading style
MD003:
# Enforce the ATX-closed style of header
style: "atx_closed"
# MD004/ul-style - Unordered list style
MD004:
# Enforce dashes for unordered lists
style: "dash"
# MD013/line-length - Line length
MD013:
# Do not enforce for code blocks
code_blocks: false
# Do not enforce for tables
tables: false
# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the
# same content
MD024:
# Allow headers with the same content as long as they are not in the same
# parent heading
allow_different_nesting: true
# MD029/ol-prefix - Ordered list item prefix
MD029:
# Enforce the `1.` style for ordered lists
style: "one"
# MD033/no-inline-html - Inline HTML
MD033:
# The h1 and img elements are allowed to permit header images
allowed_elements:
- h1
- img
# MD035/hr-style - Horizontal rule style
MD035:
# Enforce dashes for horizontal rules
style: "---"
# MD046/code-block-style Code block style
MD046:
# Enforce the fenced style for code blocks
style: "fenced"

48
.pre-commit-config.yaml Normal file
View file

@ -0,0 +1,48 @@
---
default_language_version:
# force all unspecified python hooks to run python3
python: python3
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
hooks:
- id: check-case-conflict
- id: check-executables-have-shebangs
- id: check-json
- id: check-merge-conflict
- id: check-toml
- id: check-xml
- id: debug-statements
- id: detect-aws-credentials
args:
- --allow-missing-credentials
- id: detect-private-key
- id: end-of-file-fixer
exclude: files/(issue|motd)
- id: mixed-line-ending
args:
- --fix=lf
- id: pretty-format-json
args:
- --autofix
- id: requirements-txt-fixer
- id: trailing-whitespace
# Text file hooks
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.30.0
hooks:
- id: markdownlint
args:
- --config=.mdl_config.yaml
- repo: https://github.com/pre-commit/mirrors-prettier
rev: v2.5.1
hooks:
- id: prettier
- repo: https://github.com/adrienverge/yamllint
rev: v1.26.3
hooks:
- id: yamllint
args:
- --strict

7
.prettierignore Normal file
View file

@ -0,0 +1,7 @@
# Already being linted by pretty-format-json
*.json
# Already being linted by mdl
*.md
# Already being linted by yamllint
*.yaml
*.yml

7
.yamllint Normal file
View file

@ -0,0 +1,7 @@
---
extends: default
rules:
# yamllint doesn't like when we use yes and no for true and false,
# but that's pretty standard in Ansible.
truthy: disable

154
CONTRIBUTING.md Normal file
View file

@ -0,0 +1,154 @@
# Welcome #
We're so glad you're thinking about contributing to this open source
project! If you're unsure or afraid of anything, just ask or submit
the issue or pull request anyway. The worst that can happen is that
you'll be politely asked to change something. We appreciate any sort
of contribution, and don't want a wall of rules to get in the way of
that.
Before contributing, we encourage you to read our CONTRIBUTING policy
(you are here), our [LICENSE](LICENSE), and our [README](README.md),
all of which should be in this repository.
## Issues ##
If you want to report a bug or request a new feature, the most direct
method is to [create an
issue](https://github.com/cisagov/log4j-affected-db/issues) in this
repository. We recommend that you first search through existing
issues (both open and closed) to check if your particular issue has
already been reported. If it has then you might want to add a comment
to the existing issue. If it hasn't then feel free to create a new
one.
## Pull requests ##
If you choose to [submit a pull
request](https://github.com/cisagov/log4j-affected-db/pulls), you will
notice that our continuous integration (CI) system runs a fairly
extensive set of linters and syntax checkers. Your pull request may
fail these checks, and that's OK. If you want you can stop there and
wait for us to make the necessary corrections to ensure your code
passes the CI checks.
If you want to make the changes yourself, or if you want to become a
regular contributor, then you will want to set up
[pre-commit](https://pre-commit.com/) on your local machine. Once you
do that, the CI checks will run locally before you even write your
commit message. This speeds up your development cycle considerably.
### Setting up pre-commit ###
There are a few ways to do this, but we prefer to use
[`pyenv`](https://github.com/pyenv/pyenv) and
[`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv) to
create and manage a Python virtual environment specific to this
project.
#### Installing and using `pyenv` and `pyenv-virtualenv` ####
On the Mac, we recommend installing [brew](https://brew.sh/). Then
installation is as simple as `brew install pyenv pyenv-virtualenv` and
adding this to your profile:
```bash
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init --path)"
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"
```
For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you
don't want to use `brew`) you can use
[pyenv/pyenv-installer](https://github.com/pyenv/pyenv-installer) to
install the necessary tools. Before running this ensure that you have
installed the prerequisites for your platform according to the
[`pyenv` wiki
page](https://github.com/pyenv/pyenv/wiki/common-build-problems).
On WSL you should treat your platform as whatever Linux distribution
you've chosen to install.
Once you have installed `pyenv` you will need to add the following
lines to your `.bash_profile` (or `.profile`):
```bash
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init --path)"
```
and then add the following lines to your `.bashrc`:
```bash
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"
```
If you want more information about setting up `pyenv` once installed, please run
```console
pyenv init
```
and
```console
pyenv virtualenv-init
```
for the current configuration instructions.
If you are using a shell other than `bash` you should follow the
instructions that the `pyenv-installer` script outputs.
You will need to reload your shell for these changes to take effect so
you can begin to use `pyenv`.
For a list of Python versions that are already installed and ready to
use with `pyenv`, use the command `pyenv versions`. To see a list of
the Python versions available to be installed and used with `pyenv`
use the command `pyenv install --list`. You can read more
[here](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md) about
the many things that `pyenv` can do. See
[here](https://github.com/pyenv/pyenv-virtualenv#usage) for the
additional capabilities that pyenv-virtualenv adds to the `pyenv`
command.
#### Creating the Python virtual environment ####
Once `pyenv` and `pyenv-virtualenv` are installed on your system, you
can create and configure the Python virtual environment with these
commands:
```console
cd log4j-affected-db
pyenv virtualenv <python_version_to_use> log4j-affected-db
pyenv local log4j-affected-db
pip install --upgrade pip setuptools wheel pre-commit
```
#### Installing the pre-commit hook ####
Now setting up pre-commit is as simple as:
```console
pre-commit install
```
At this point the pre-commit checks will run against any files that
you attempt to commit. If you want to run the checks against the
entire repo, just execute `pre-commit run --all-files`.
## Public domain ##
This project is in the public domain within the United States, and
copyright and related rights in the work worldwide are waived through
the [CC0 1.0 Universal public domain
dedication](https://creativecommons.org/publicdomain/zero/1.0/).
All contributions to this project will be released under the CC0
dedication. By submitting a pull request, you are agreeing to comply
with this waiver of copyright interest.

116
LICENSE Normal file
View file

@ -0,0 +1,116 @@
CC0 1.0 Universal
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator and
subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for the
purpose of contributing to a commons of creative, cultural and scientific
works ("Commons") that the public can reliably and without fear of later
claims of infringement build upon, modify, incorporate in other works, reuse
and redistribute as freely as possible in any form whatsoever and for any
purposes, including without limitation commercial purposes. These owners may
contribute to the Commons to promote the ideal of a free culture and the
further production of creative, cultural and scientific works, or to gain
reputation or greater distribution for their Work in part through the use and
efforts of others.
For these and/or other purposes and motivations, and without any expectation
of additional consideration or compensation, the person associating CC0 with a
Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
and publicly distribute the Work under its terms, with knowledge of his or her
Copyright and Related Rights in the Work and the meaning and intended legal
effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not limited
to, the following:
i. the right to reproduce, adapt, distribute, perform, display, communicate,
and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or likeness
depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data in
a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation thereof,
including any amended or successor version of such directive); and
vii. other similar, equivalent or corresponding rights throughout the world
based on applicable law or treaty, and any national implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention of,
applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
and Related Rights and associated claims and causes of action, whether now
known or unknown (including existing as well as future claims and causes of
action), in the Work (i) in all territories worldwide, (ii) for the maximum
duration provided by applicable law or treaty (including future time
extensions), (iii) in any current or future medium and for any number of
copies, and (iv) for any purpose whatsoever, including without limitation
commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
the Waiver for the benefit of each member of the public at large and to the
detriment of Affirmer's heirs and successors, fully intending that such Waiver
shall not be subject to revocation, rescission, cancellation, termination, or
any other legal or equitable action to disrupt the quiet enjoyment of the Work
by the public as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason be
judged legally invalid or ineffective under applicable law, then the Waiver
shall be preserved to the maximum extent permitted taking into account
Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
is so judged Affirmer hereby grants to each affected person a royalty-free,
non transferable, non sublicensable, non exclusive, irrevocable and
unconditional license to exercise Affirmer's Copyright and Related Rights in
the Work (i) in all territories worldwide, (ii) for the maximum duration
provided by applicable law or treaty (including future time extensions), (iii)
in any current or future medium and for any number of copies, and (iv) for any
purpose whatsoever, including without limitation commercial, advertising or
promotional purposes (the "License"). The License shall be deemed effective as
of the date CC0 was applied by Affirmer to the Work. Should any part of the
License for any reason be judged legally invalid or ineffective under
applicable law, such partial invalidity or ineffectiveness shall not
invalidate the remainder of the License, and in such case Affirmer hereby
affirms that he or she will not (i) exercise any of his or her remaining
Copyright and Related Rights in the Work or (ii) assert any associated claims
and causes of action with respect to the Work, in either case contrary to
Affirmer's express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or warranties
of any kind concerning the Work, express, implied, statutory or otherwise,
including without limitation warranties of title, merchantability, fitness
for a particular purpose, non infringement, or the absence of latent or
other defects, accuracy, or the present or absence of errors, whether or not
discoverable, all to the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without limitation
any person's Copyright and Related Rights in the Work. Further, Affirmer
disclaims responsibility for obtaining any necessary consents, permissions
or other rights required for any use of the Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to this
CC0 or use of the Work.
For more information, please see
<http://creativecommons.org/publicdomain/zero/1.0/>

1146
README.md

File diff suppressed because it is too large Load diff