Merge pull request #137 from DSACMS/dev

Merge Dev Into Main

README.md

@@ -83,6 +83,14 @@ the American public, but you are also welcome to submit anonymously.
 
 For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md).
 
+### Software Bill of Materials (SBOM)
+
+A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software.
+
+In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/DSACMS/repo-scaffolder/network/dependencies.
+
+For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom.
+
 ## Public domain
 
 This project is in the public domain within the United States, and copyright

tier0/{{cookiecutter.project_slug}}/README.md

@@ -133,6 +133,15 @@ the American public, but you are also welcome to submit anonymously.
 
 For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md).
 
+### Software Bill of Materials (SBOM)
+
+A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. 
+
+In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies.
+
+For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom.
+
+
 ## Public domain
 
 This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE).

tier1/{{cookiecutter.project_slug}}/.github/workflows/checks.yml

@@ -1,12 +1,12 @@
 name: "run-linting-checks"
 on:
-  pull_request:
-    branches: [main, dev]
-
+  push:
+    branches:
+      - 'main'
 
 jobs:
   resolve-repolinter-json:
-    uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@add-repolinter-workflows
+    uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@main
     with: 
       url_to_json: 'https://raw.githubusercontent.com/DSACMS/repo-scaffolder/main/tier1/%7B%7Bcookiecutter.project_slug%7D%7D/repolinter.json'
 
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       {% raw %}
-      RAW_JSON: ${{ needs.resolve-repolinter-json.outputs.raw-json}}
+      RAW_JSON: ${{ needs.resolve-repolinter-json.outputs.raw-json }}
       {% endraw %}
     steps:
       - uses: actions/checkout@v4
@@ -52,20 +52,6 @@ jobs:
           # Default: "[Repolinter] Open Source Policy Issues"
           output_name: '[Repolinter] Tier 1 Repository Hygiene Issue'
 
-          # The name to use for the issue label created by repolinter-action. This name
-          # should be unique to repolinter-action (i.e. not used by any other issue) to
-          # prevent repolinter-action from getting confused.
-          #
-          # This option will be ignored if output_type != "issue".
-          #
-          # Default: "repolinter"
-          label_name: 'cms-oss-tier1'
-
-          # The color to use for the issue label created by repolinter-action. The value
-          # for this option should be an unprefixed RRGGBB hex string (ex. ff568a).
-          # The default value is a shade of yellow.
-          #
-          # This option will be ignored if output_type != "issue".
-          #
-          # Default: "fbca04"
-          label_color: 'ff69b4'
+          # The default token is the repolinter token for the DSACMS org
+          # You can change it if needed.
+          token: ${{ secrets.REPOLINTER_AUTO_TOKEN }}

tier1/{{cookiecutter.project_slug}}/README.md

@@ -125,6 +125,14 @@ the American public, but you are also welcome to submit anonymously.
 
 For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md).
 
+### Software Bill of Materials (SBOM)
+
+A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. 
+
+In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies.
+
+For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom.
+
 ## Public domain
 
 This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE).

tier1/{{cookiecutter.project_slug}}/SECURITY.md

@@ -2,11 +2,7 @@
 
 The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
 
-*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
-email or via GitHub Issues. Please use our website to submit vulnerabilities at
-[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
-HHS maintains an acknowledgements page to recognize your efforts on behalf of
-the American public, but you are also welcome to submit anonymously.
+*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
 
 Review the HHS Disclosure Policy and websites in scope:
 [https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).

tier1/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json

@@ -6,13 +6,11 @@
     "subset_in_healthcare": "Policy, Operational",
     "user_type": "Providers, Patients, Government",
     "repository_host": ["Github.com", "GitHub ENT", "GitHub Cloud", "GitLab.com", "GitLab ENT", "GitLab ENT CCSQ"],
-    "maturity_model_tier": ["1", "2", "3", "4"],
     "__prompts__": {
         "group": "Which group is the project part of?",
         "subset_in_healthcare": "Which subset of healthcare does the project belong to?",
         "user_type": "Who are the intended users?",
         "user_input": "Does the project accept user input? (e.g. allows user to query a database, allows login by users, etc.)",
-        "repository_host": "Where is the repository hosted?",
-        "maturity_model_tier": "What maturity model tier is your project classified as?"
+        "repository_host": "Where is the repository hosted?"
     }
 }

tier1/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json

@@ -6,5 +6,5 @@
     "subset_in_healthcare": "{{ cookiecutter.subset_in_healthcare }}",
     "user_type": "{{ cookiecutter.user_type }}",
     "repository_host": "{{ cookiecutter.repository_host }}",
-    "maturity_model_tier": "{{ cookiecutter.maturity_model_tier }}"
+    "maturity_model_tier": "1"
 }

tier2/{{cookiecutter.project_slug}}/.github/workflows/checks.yml

@@ -1,12 +1,12 @@
 name: "run-linting-checks"
 on:
-  pull_request:
-    branches: [main, dev]
-
+  push:
+    branches:
+      - 'main'
 
 jobs:
   resolve-repolinter-json:
-    uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@add-repolinter-workflows
+    uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@main
     with: 
       url_to_json: 'https://raw.githubusercontent.com/DSACMS/repo-scaffolder/main/tier2/%7B%7Bcookiecutter.project_slug%7D%7D/repolinter.json'
 
@@ -52,20 +52,6 @@ jobs:
           # Default: "[Repolinter] Open Source Policy Issues"
           output_name: '[Repolinter] Tier 2 Repository Hygiene Issue'
 
-          # The name to use for the issue label created by repolinter-action. This name
-          # should be unique to repolinter-action (i.e. not used by any other issue) to
-          # prevent repolinter-action from getting confused.
-          #
-          # This option will be ignored if output_type != "issue".
-          #
-          # Default: "repolinter"
-          label_name: 'cms-oss-tier2'
-
-          # The color to use for the issue label created by repolinter-action. The value
-          # for this option should be an unprefixed RRGGBB hex string (ex. ff568a).
-          # The default value is a shade of yellow.
-          #
-          # This option will be ignored if output_type != "issue".
-          #
-          # Default: "fbca04"
-          label_color: 'ff69b4'
+          # The default token is the repolinter token for the DSACMS org
+          # You can change it if needed.
+          token: ${{ secrets.REPOLINTER_AUTO_TOKEN }}

tier2/{{cookiecutter.project_slug}}/README.md

@@ -121,6 +121,14 @@ the American public, but you are also welcome to submit anonymously.
 
 For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md).
 
+### Software Bill of Materials (SBOM)
+
+A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. 
+
+In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies.
+
+For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom.
+
 ## Public domain
 
 This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE).

tier2/{{cookiecutter.project_slug}}/SECURITY.md

@@ -2,11 +2,7 @@
 
 The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
 
-*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
-email or via GitHub Issues. Please use our website to submit vulnerabilities at
-[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
-HHS maintains an acknowledgements page to recognize your efforts on behalf of
-the American public, but you are also welcome to submit anonymously.
+*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
 
 Review the HHS Disclosure Policy and websites in scope:
 [https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).

tier2/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json

@@ -6,13 +6,11 @@
     "subset_in_healthcare": "Policy, Operational",
     "user_type": "Providers, Patients, Government",
     "repository_host": ["Github.com", "GitHub ENT", "GitHub Cloud", "GitLab.com", "GitLab ENT", "GitLab ENT CCSQ"],
-    "maturity_model_tier": ["1", "2", "3", "4"],
     "__prompts__": {
         "group": "Which group is the project part of?",
         "subset_in_healthcare": "Which subset of healthcare does the project belong to?",
         "user_type": "Who are the intended users?",
         "user_input": "Does the project accept user input? (e.g. allows user to query a database, allows login by users, etc.)",
-        "repository_host": "Where is the repository hosted?",
-        "maturity_model_tier": "What maturity model tier is your project classified as?"
+        "repository_host": "Where is the repository hosted?"
     }
 }

tier2/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json

@@ -6,5 +6,5 @@
     "subset_in_healthcare": "{{ cookiecutter.subset_in_healthcare }}",
     "user_type": "{{ cookiecutter.user_type }}",
     "repository_host": "{{ cookiecutter.repository_host }}",
-    "maturity_model_tier": "{{ cookiecutter.maturity_model_tier }}"
+    "maturity_model_tier": "2"
 }

tier3/{{cookiecutter.project_slug}}/.github/workflows/checks.yml

@@ -1,12 +1,12 @@
 name: "run-linting-checks"
 on:
-  pull_request:
-    branches: [main, dev]
-
+  push:
+    branches:
+      - 'main'
 
 jobs:
   resolve-repolinter-json:
-    uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@add-repolinter-workflows
+    uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@main
     with: 
       url_to_json: 'https://raw.githubusercontent.com/DSACMS/repo-scaffolder/main/tier3/%7B%7Bcookiecutter.project_slug%7D%7D/repolinter.json'
 
@@ -52,20 +52,6 @@ jobs:
           # Default: "[Repolinter] Open Source Policy Issues"
           output_name: '[Repolinter] Tier 3 Repository Hygiene Issue'
 
-          # The name to use for the issue label created by repolinter-action. This name
-          # should be unique to repolinter-action (i.e. not used by any other issue) to
-          # prevent repolinter-action from getting confused.
-          #
-          # This option will be ignored if output_type != "issue".
-          #
-          # Default: "repolinter"
-          label_name: 'cms-oss-tier3'
-
-          # The color to use for the issue label created by repolinter-action. The value
-          # for this option should be an unprefixed RRGGBB hex string (ex. ff568a).
-          # The default value is a shade of yellow.
-          #
-          # This option will be ignored if output_type != "issue".
-          #
-          # Default: "fbca04"
-          label_color: 'ff69b4'
+          # The default token is the repolinter token for the DSACMS org
+          # You can change it if needed.
+          token: ${{ secrets.REPOLINTER_AUTO_TOKEN }}

tier3/{{cookiecutter.project_slug}}/README.md

@@ -121,6 +121,14 @@ the American public, but you are also welcome to submit anonymously.
 
 For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md).
 
+### Software Bill of Materials (SBOM)
+
+A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. 
+
+In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies.
+
+For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom.
+
 ## Public domain
 
 This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE).

tier3/{{cookiecutter.project_slug}}/SECURITY.md

@@ -2,11 +2,7 @@
 
 The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
 
-*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
-email or via GitHub Issues. Please use our website to submit vulnerabilities at
-[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
-HHS maintains an acknowledgements page to recognize your efforts on behalf of
-the American public, but you are also welcome to submit anonymously.
+*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
 
 Review the HHS Disclosure Policy and websites in scope:
 [https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).

tier3/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json

@@ -6,13 +6,11 @@
     "subset_in_healthcare": "Policy, Operational",
     "user_type": "Providers, Patients, Government",
     "repository_host": ["Github.com", "GitHub ENT", "GitHub Cloud", "GitLab.com", "GitLab ENT", "GitLab ENT CCSQ"],
-    "maturity_model_tier": ["1", "2", "3", "4"],
     "__prompts__": {
         "group": "Which group is the project part of?",
         "subset_in_healthcare": "Which subset of healthcare does the project belong to?",
         "user_type": "Who are the intended users?",
         "user_input": "Does the project accept user input? (e.g. allows user to query a database, allows login by users, etc.)",
-        "repository_host": "Where is the repository hosted?",
-        "maturity_model_tier": "What maturity model tier is your project classified as?"
+        "repository_host": "Where is the repository hosted?"
     }
 }

tier3/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json

@@ -6,5 +6,5 @@
     "subset_in_healthcare": "{{ cookiecutter.subset_in_healthcare }}",
     "user_type": "{{ cookiecutter.user_type }}",
     "repository_host": "{{ cookiecutter.repository_host }}",
-    "maturity_model_tier": "{{ cookiecutter.maturity_model_tier }}"
+    "maturity_model_tier": "3"
 }

tier4/{{cookiecutter.project_slug}}/.github/workflows/checks.yml

@@ -1,12 +1,12 @@
 name: "run-linting-checks"
 on:
-  pull_request:
-    branches: [main, dev]
-
+  push:
+    branches:
+      - 'main'
 
 jobs:
   resolve-repolinter-json:
-    uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@add-repolinter-workflows
+    uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@main
     with: 
       url_to_json: 'https://raw.githubusercontent.com/DSACMS/repo-scaffolder/main/tier4/%7B%7Bcookiecutter.project_slug%7D%7D/repolinter.json'
 
@@ -52,20 +52,6 @@ jobs:
           # Default: "[Repolinter] Open Source Policy Issues"
           output_name: '[Repolinter] Tier 4 Repository Hygiene Issue'
 
-          # The name to use for the issue label created by repolinter-action. This name
-          # should be unique to repolinter-action (i.e. not used by any other issue) to
-          # prevent repolinter-action from getting confused.
-          #
-          # This option will be ignored if output_type != "issue".
-          #
-          # Default: "repolinter"
-          label_name: 'cms-oss-tier4'
-
-          # The color to use for the issue label created by repolinter-action. The value
-          # for this option should be an unprefixed RRGGBB hex string (ex. ff568a).
-          # The default value is a shade of yellow.
-          #
-          # This option will be ignored if output_type != "issue".
-          #
-          # Default: "fbca04"
-          label_color: 'ff69b4'
+          # The default token is the repolinter token for the DSACMS org
+          # You can change it if needed.
+          token: ${{ secrets.REPOLINTER_AUTO_TOKEN }}