From 74baeb06760599d77ef578bf424d86726ba19702 Mon Sep 17 00:00:00 2001 From: Ricardo Zamora Date: Mon, 29 Jul 2024 17:02:46 -0700 Subject: [PATCH 1/5] remove maturity model cookiecutter prompt Signed-off-by: Ricardo Zamora --- .../repometrics/cookiecutter.json | 4 +--- .../repometrics/{{cookiecutter.project_type}}/code.json | 2 +- .../repometrics/cookiecutter.json | 4 +--- .../repometrics/{{cookiecutter.project_type}}/code.json | 2 +- .../repometrics/cookiecutter.json | 4 +--- .../repometrics/{{cookiecutter.project_type}}/code.json | 2 +- .../repometrics/cookiecutter.json | 4 +--- .../repometrics/{{cookiecutter.project_type}}/code.json | 2 +- 8 files changed, 8 insertions(+), 16 deletions(-) diff --git a/tier1/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json b/tier1/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json index 162b0a8..1cb6e73 100644 --- a/tier1/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json +++ b/tier1/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json @@ -6,13 +6,11 @@ "subset_in_healthcare": "Policy, Operational", "user_type": "Providers, Patients, Government", "repository_host": ["Github.com", "GitHub ENT", "GitHub Cloud", "GitLab.com", "GitLab ENT", "GitLab ENT CCSQ"], - "maturity_model_tier": ["1", "2", "3", "4"], "__prompts__": { "group": "Which group is the project part of?", "subset_in_healthcare": "Which subset of healthcare does the project belong to?", "user_type": "Who are the intended users?", "user_input": "Does the project accept user input? (e.g. allows user to query a database, allows login by users, etc.)", - "repository_host": "Where is the repository hosted?", - "maturity_model_tier": "What maturity model tier is your project classified as?" + "repository_host": "Where is the repository hosted?" } } \ No newline at end of file 
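Review bot: The new side of this hunk still ends with `\ No newline at end of file`, so the rewritten `cookiecutter.json` (and the `code.json` hunks that follow, for all four tiers) are committed without a trailing newline even though the last line is being rewritten anyway; terminating the file with a newline keeps diffs and line-based tooling clean. The `index 162b0a8..1cb6e73` lines show that the four tier `cookiecutter.json` files are now byte-identical, so every future prompt change has to be replicated four times; a shared source with per-tier overrides, or at least a CI check that the copies stay in sync, would prevent drift. The `__prompts__` block keeps a `user_input` entry whose variable is outside the visible context, so I cannot confirm from this hunk that it is still declared.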
diff --git a/tier1/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json b/tier1/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json index 0841645..0b975c4 100644 --- a/tier1/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json +++ b/tier1/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json @@ -6,5 +6,5 @@ "subset_in_healthcare": "{{ cookiecutter.subset_in_healthcare }}", "user_type": "{{ cookiecutter.user_type }}", "repository_host": "{{ cookiecutter.repository_host }}", - "maturity_model_tier": "{{ cookiecutter.maturity_model_tier }}" + "maturity_model_tier": "1" } \ No newline at end of file diff --git a/tier2/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json b/tier2/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json index 162b0a8..1cb6e73 100644 --- a/tier2/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json +++ b/tier2/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json @@ -6,13 +6,11 @@ "subset_in_healthcare": "Policy, Operational", "user_type": "Providers, Patients, Government", "repository_host": ["Github.com", "GitHub ENT", "GitHub Cloud", "GitLab.com", "GitLab ENT", "GitLab ENT CCSQ"], - "maturity_model_tier": ["1", "2", "3", "4"], "__prompts__": { "group": "Which group is the project part of?", "subset_in_healthcare": "Which subset of healthcare does the project belong to?", "user_type": "Who are the intended users?", "user_input": "Does the project accept user input? (e.g. allows user to query a database, allows login by users, etc.)", - "repository_host": "Where is the repository hosted?", - "maturity_model_tier": "What maturity model tier is your project classified as?" + "repository_host": "Where is the repository hosted?" } } \ No newline at end of file 
diff --git a/tier2/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json b/tier2/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json index 0841645..cf17ec0 100644 --- a/tier2/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json +++ b/tier2/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json @@ -6,5 +6,5 @@ "subset_in_healthcare": "{{ cookiecutter.subset_in_healthcare }}", "user_type": "{{ cookiecutter.user_type }}", "repository_host": "{{ cookiecutter.repository_host }}", - "maturity_model_tier": "{{ cookiecutter.maturity_model_tier }}" + "maturity_model_tier": "2" } \ No newline at end of file diff --git a/tier3/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json b/tier3/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json index 162b0a8..1cb6e73 100644 --- a/tier3/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json +++ b/tier3/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json @@ -6,13 +6,11 @@ "subset_in_healthcare": "Policy, Operational", "user_type": "Providers, Patients, Government", "repository_host": ["Github.com", "GitHub ENT", "GitHub Cloud", "GitLab.com", "GitLab ENT", "GitLab ENT CCSQ"], - "maturity_model_tier": ["1", "2", "3", "4"], "__prompts__": { "group": "Which group is the project part of?", "subset_in_healthcare": "Which subset of healthcare does the project belong to?", "user_type": "Who are the intended users?", "user_input": "Does the project accept user input? (e.g. allows user to query a database, allows login by users, etc.)", - "repository_host": "Where is the repository hosted?", - "maturity_model_tier": "What maturity model tier is your project classified as?" + "repository_host": "Where is the repository hosted?" } } \ No newline at end of file 
diff --git a/tier3/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json b/tier3/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json index 0841645..df7db27 100644 --- a/tier3/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json +++ b/tier3/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json @@ -6,5 +6,5 @@ "subset_in_healthcare": "{{ cookiecutter.subset_in_healthcare }}", "user_type": "{{ cookiecutter.user_type }}", "repository_host": "{{ cookiecutter.repository_host }}", - "maturity_model_tier": "{{ cookiecutter.maturity_model_tier }}" + "maturity_model_tier": "3" } \ No newline at end of file diff --git a/tier4/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json b/tier4/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json index 162b0a8..1cb6e73 100644 --- a/tier4/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json +++ b/tier4/{{cookiecutter.project_slug}}/repometrics/cookiecutter.json @@ -6,13 +6,11 @@ "subset_in_healthcare": "Policy, Operational", "user_type": "Providers, Patients, Government", "repository_host": ["Github.com", "GitHub ENT", "GitHub Cloud", "GitLab.com", "GitLab ENT", "GitLab ENT CCSQ"], - "maturity_model_tier": ["1", "2", "3", "4"], "__prompts__": { "group": "Which group is the project part of?", "subset_in_healthcare": "Which subset of healthcare does the project belong to?", "user_type": "Who are the intended users?", "user_input": "Does the project accept user input? (e.g. allows user to query a database, allows login by users, etc.)", - "repository_host": "Where is the repository hosted?", - "maturity_model_tier": "What maturity model tier is your project classified as?" + "repository_host": "Where is the repository hosted?" } } \ No newline at end of file 
diff --git a/tier4/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json b/tier4/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json index 0841645..70cce25 100644 --- a/tier4/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json +++ b/tier4/{{cookiecutter.project_slug}}/repometrics/{{cookiecutter.project_type}}/code.json @@ -6,5 +6,5 @@ "subset_in_healthcare": "{{ cookiecutter.subset_in_healthcare }}", "user_type": "{{ cookiecutter.user_type }}", "repository_host": "{{ cookiecutter.repository_host }}", - "maturity_model_tier": "{{ cookiecutter.maturity_model_tier }}" + "maturity_model_tier": "4" } \ No newline at end of file From 653ce0e8bf6a8ca086d7eaae9222040f5b06c90a Mon Sep 17 00:00:00 2001 From: Isaac Milarsky Date: Tue, 30 Jul 2024 12:59:02 -0500 Subject: [PATCH 2/5] fix checks Signed-off-by: Isaac Milarsky --- .../.github/workflows/checks.yml | 30 +++++-------------- .../.github/workflows/checks.yml | 28 +++++------------ .../.github/workflows/checks.yml | 28 +++++------------ .../.github/workflows/checks.yml | 28 +++++------------ 4 files changed, 29 insertions(+), 85 deletions(-) diff --git a/tier1/{{cookiecutter.project_slug}}/.github/workflows/checks.yml b/tier1/{{cookiecutter.project_slug}}/.github/workflows/checks.yml index 2a564d0..2711cb7 100644 --- a/tier1/{{cookiecutter.project_slug}}/.github/workflows/checks.yml +++ b/tier1/{{cookiecutter.project_slug}}/.github/workflows/checks.yml @@ -1,12 +1,12 @@ name: "run-linting-checks" on: - pull_request: - branches: [main, dev] - + push: + branches: + - 'main' jobs: resolve-repolinter-json: - uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@add-repolinter-workflows + uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@main with: url_to_json: 'https://raw.githubusercontent.com/DSACMS/repo-scaffolder/main/tier1/%7B%7Bcookiecutter.project_slug%7D%7D/repolinter.json' 
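Review bot: `uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@main` and the `url_to_json` URL both resolve a mutable `main` ref at run time, so the workflow code executed and the policy JSON fetched can change with no change in the generated repository; the same lines appear in the tier2, tier3 and tier4 hunks. For a job that later receives an org token, pinning the reusable workflow to a full-length commit SHA with the branch in a trailing comment, e.g. `uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@<full-commit-sha> # main`, and pinning the raw URL to the same commit, gives generated repos a reviewable update path that Dependabot can keep current. Switching from `pull_request` to `push` on `main` also means lint findings are raised only after merge; if the reason is that secrets are unavailable on pull requests from forks, that belongs in a comment on the `on:` block, since the commit message `fix checks` does not say.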
@@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest env: {% raw %} - RAW_JSON: ${{ needs.resolve-repolinter-json.outputs.raw-json}} + RAW_JSON: ${{ needs.resolve-repolinter-json.outputs.raw-json }} {% endraw %} steps: - uses: actions/checkout@v4 @@ -52,20 +52,6 @@ jobs: # Default: "[Repolinter] Open Source Policy Issues" output_name: '[Repolinter] Tier 1 Repository Hygiene Issue' - # The name to use for the issue label created by repolinter-action. This name - # should be unique to repolinter-action (i.e. not used by any other issue) to - # prevent repolinter-action from getting confused. - # - # This option will be ignored if output_type != "issue". - # - # Default: "repolinter" - label_name: 'cms-oss-tier1' - - # The color to use for the issue label created by repolinter-action. The value - # for this option should be an unprefixed RRGGBB hex string (ex. ff568a). - # The default value is a shade of yellow. - # - # This option will be ignored if output_type != "issue". - # - # Default: "fbca04" - label_color: 'ff69b4' \ No newline at end of file + # The default token is the repolinter token for the DSACMS org + # You can change it if needed. + token: ${{ secrets.REPOLINTER_AUTO_TOKEN }} diff --git a/tier2/{{cookiecutter.project_slug}}/.github/workflows/checks.yml b/tier2/{{cookiecutter.project_slug}}/.github/workflows/checks.yml index 320417a..b6f563b 100644 --- a/tier2/{{cookiecutter.project_slug}}/.github/workflows/checks.yml +++ b/tier2/{{cookiecutter.project_slug}}/.github/workflows/checks.yml @@ -1,12 +1,12 @@ name: "run-linting-checks" on: - pull_request: - branches: [main, dev] - + push: + branches: + - 'main' jobs: resolve-repolinter-json: - uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@add-repolinter-workflows + uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@main with: url_to_json: 'https://raw.githubusercontent.com/DSACMS/repo-scaffolder/main/tier2/%7B%7Bcookiecutter.project_slug%7D%7D/repolinter.json' 
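Review bot: `token: ${{ secrets.REPOLINTER_AUTO_TOKEN }}` is added to a file that cookiecutter renders with Jinja, and unless this tail of the file is already inside a `{% raw %}` block (not visible in the hunk), `{{ secrets.REPOLINTER_AUTO_TOKEN }}` will be consumed as a template expression at project generation, which is exactly what the `{% raw %}` guard around `RAW_JSON` in the preceding hunk protects against; the same addition appears in the tier2, tier3 and tier4 hunks. In a generated repository that does not define this secret the expression evaluates to an empty string, and as far as I know an explicitly passed empty input overrides the action's default token rather than falling back to it, so `token: ${{ secrets.REPOLINTER_AUTO_TOKEN || github.token }}` (inside a raw block) would degrade gracefully. Because the job now runs on every push to `main` with an org-wide PAT, a top-level `permissions:` block limiting the default `GITHUB_TOKEN` (e.g. `contents: read`, `issues: write`) plus a comment stating which scopes the PAT needs would document the least privilege this job requires. The enclosing `steps:` list starts outside the hunk.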
@@ -52,20 +52,6 @@ jobs: # Default: "[Repolinter] Open Source Policy Issues" output_name: '[Repolinter] Tier 2 Repository Hygiene Issue' - # The name to use for the issue label created by repolinter-action. This name - # should be unique to repolinter-action (i.e. not used by any other issue) to - # prevent repolinter-action from getting confused. - # - # This option will be ignored if output_type != "issue". - # - # Default: "repolinter" - label_name: 'cms-oss-tier2' - - # The color to use for the issue label created by repolinter-action. The value - # for this option should be an unprefixed RRGGBB hex string (ex. ff568a). - # The default value is a shade of yellow. - # - # This option will be ignored if output_type != "issue". - # - # Default: "fbca04" - label_color: 'ff69b4' \ No newline at end of file + # The default token is the repolinter token for the DSACMS org + # You can change it if needed. + token: ${{ secrets.REPOLINTER_AUTO_TOKEN }} diff --git a/tier3/{{cookiecutter.project_slug}}/.github/workflows/checks.yml b/tier3/{{cookiecutter.project_slug}}/.github/workflows/checks.yml index 5b1b8e7..ce3db02 100644 --- a/tier3/{{cookiecutter.project_slug}}/.github/workflows/checks.yml +++ b/tier3/{{cookiecutter.project_slug}}/.github/workflows/checks.yml @@ -1,12 +1,12 @@ name: "run-linting-checks" on: - pull_request: - branches: [main, dev] - + push: + branches: + - 'main' jobs: resolve-repolinter-json: - uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@add-repolinter-workflows + uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@main with: url_to_json: 'https://raw.githubusercontent.com/DSACMS/repo-scaffolder/main/tier3/%7B%7Bcookiecutter.project_slug%7D%7D/repolinter.json' 
@@ -52,20 +52,6 @@ jobs: # Default: "[Repolinter] Open Source Policy Issues" output_name: '[Repolinter] Tier 3 Repository Hygiene Issue' - # The name to use for the issue label created by repolinter-action. This name - # should be unique to repolinter-action (i.e. not used by any other issue) to - # prevent repolinter-action from getting confused. - # - # This option will be ignored if output_type != "issue". - # - # Default: "repolinter" - label_name: 'cms-oss-tier3' - - # The color to use for the issue label created by repolinter-action. The value - # for this option should be an unprefixed RRGGBB hex string (ex. ff568a). - # The default value is a shade of yellow. - # - # This option will be ignored if output_type != "issue". - # - # Default: "fbca04" - label_color: 'ff69b4' \ No newline at end of file + # The default token is the repolinter token for the DSACMS org + # You can change it if needed. + token: ${{ secrets.REPOLINTER_AUTO_TOKEN }} diff --git a/tier4/{{cookiecutter.project_slug}}/.github/workflows/checks.yml b/tier4/{{cookiecutter.project_slug}}/.github/workflows/checks.yml index 2af340c..e502c22 100644 --- a/tier4/{{cookiecutter.project_slug}}/.github/workflows/checks.yml +++ b/tier4/{{cookiecutter.project_slug}}/.github/workflows/checks.yml @@ -1,12 +1,12 @@ name: "run-linting-checks" on: - pull_request: - branches: [main, dev] - + push: + branches: + - 'main' jobs: resolve-repolinter-json: - uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@add-repolinter-workflows + uses: DSACMS/repo-scaffolder/.github/workflows/extendJSONFile.yml@main with: url_to_json: 'https://raw.githubusercontent.com/DSACMS/repo-scaffolder/main/tier4/%7B%7Bcookiecutter.project_slug%7D%7D/repolinter.json' 
@@ -52,20 +52,6 @@ jobs: # Default: "[Repolinter] Open Source Policy Issues" output_name: '[Repolinter] Tier 4 Repository Hygiene Issue' - # The name to use for the issue label created by repolinter-action. This name - # should be unique to repolinter-action (i.e. not used by any other issue) to - # prevent repolinter-action from getting confused. - # - # This option will be ignored if output_type != "issue". - # - # Default: "repolinter" - label_name: 'cms-oss-tier4' - - # The color to use for the issue label created by repolinter-action. The value - # for this option should be an unprefixed RRGGBB hex string (ex. ff568a). - # The default value is a shade of yellow. - # - # This option will be ignored if output_type != "issue". - # - # Default: "fbca04" - label_color: 'ff69b4' + # The default token is the repolinter token for the DSACMS org + # You can change it if needed. + token: ${{ secrets.REPOLINTER_AUTO_TOKEN }} From 0aee7618965cb7933b035b7dba44428605a0947a Mon Sep 17 00:00:00 2001 From: Natalia Luzuriaga Date: Thu, 1 Aug 2024 11:37:01 -0400 Subject: [PATCH 3/5] added sbom excerpt to policies section of readme Signed-off-by: Natalia Luzuriaga --- tier0/{{cookiecutter.project_slug}}/README.md | 9 +++++++++ tier1/{{cookiecutter.project_slug}}/README.md | 8 ++++++++ tier2/{{cookiecutter.project_slug}}/README.md | 8 ++++++++ tier3/{{cookiecutter.project_slug}}/README.md | 8 ++++++++ tier4/{{cookiecutter.project_slug}}/README.md | 8 ++++++++ 5 files changed, 41 insertions(+) diff --git a/tier0/{{cookiecutter.project_slug}}/README.md b/tier0/{{cookiecutter.project_slug}}/README.md index 3993636..e5cc94f 100644 --- a/tier0/{{cookiecutter.project_slug}}/README.md +++ b/tier0/{{cookiecutter.project_slug}}/README.md 
@@ -133,6 +133,15 @@ the American public, but you are also welcome to submit anonymously. For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md). +### Software Bill of Materials (SBOM) + +A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. + +In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies. + +For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom. + + ## Public domain This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE). diff --git a/tier1/{{cookiecutter.project_slug}}/README.md b/tier1/{{cookiecutter.project_slug}}/README.md index 3299893..4ab3dc8 100644 --- a/tier1/{{cookiecutter.project_slug}}/README.md +++ b/tier1/{{cookiecutter.project_slug}}/README.md 
@@ -125,6 +125,14 @@ the American public, but you are also welcome to submit anonymously. For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md). +### Software Bill of Materials (SBOM) + +A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. + +In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies. + +For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom. + ## Public domain This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE). diff --git a/tier2/{{cookiecutter.project_slug}}/README.md b/tier2/{{cookiecutter.project_slug}}/README.md index 238a0a6..07e39bd 100644 --- a/tier2/{{cookiecutter.project_slug}}/README.md +++ b/tier2/{{cookiecutter.project_slug}}/README.md 
@@ -121,6 +121,14 @@ the American public, but you are also welcome to submit anonymously. For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md). +### Software Bill of Materials (SBOM) + +A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. + +In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies. + +For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom. + ## Public domain This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE). diff --git a/tier3/{{cookiecutter.project_slug}}/README.md b/tier3/{{cookiecutter.project_slug}}/README.md index 79ae938..619b9c5 100644 --- a/tier3/{{cookiecutter.project_slug}}/README.md +++ b/tier3/{{cookiecutter.project_slug}}/README.md 
@@ -121,6 +121,14 @@ the American public, but you are also welcome to submit anonymously. For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md). +### Software Bill of Materials (SBOM) + +A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. + +In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies. + +For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom. + ## Public domain This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE). diff --git a/tier4/{{cookiecutter.project_slug}}/README.md b/tier4/{{cookiecutter.project_slug}}/README.md index cb2e961..4747b9b 100644 --- a/tier4/{{cookiecutter.project_slug}}/README.md +++ b/tier4/{{cookiecutter.project_slug}}/README.md 
@@ -111,6 +111,14 @@ the American public, but you are also welcome to submit anonymously. For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md). +### Software Bill of Materials (SBOM) + +A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. + +In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies. + +For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom. + ## Public domain This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE). From 9c96cd0972a381f125f12ec2b063d7dad12d4a0c Mon Sep 17 00:00:00 2001 From: Natalia Luzuriaga Date: Thu, 1 Aug 2024 11:56:04 -0400 Subject: [PATCH 4/5] Update README.md --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 68223f8..e0f66c6 100644 --- a/README.md +++ b/README.md 
@@ -83,6 +83,14 @@ the American public, but you are also welcome to submit anonymously. For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md). +### Software Bill of Materials (SBOM) + +A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. + +In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/DSACMS/repo-scaffolder/network/dependencies. + +For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom. + ## Public domain This project is in the public domain within the United States, and copyright From 0baf69b0f2eee1e7efe94396965268c6df827947 Mon Sep 17 00:00:00 2001 From: Natalia Luzuriaga Date: Tue, 13 Aug 2024 10:16:01 -0400 Subject: [PATCH 5/5] updated VDP text Signed-off-by: Natalia Luzuriaga --- tier1/{{cookiecutter.project_slug}}/SECURITY.md | 6 +----- tier2/{{cookiecutter.project_slug}}/SECURITY.md | 6 +----- tier3/{{cookiecutter.project_slug}}/SECURITY.md | 6 +----- tier4/{{cookiecutter.project_slug}}/SECURITY.md | 6 +----- 4 files changed, 4 insertions(+), 20 deletions(-) diff --git a/tier1/{{cookiecutter.project_slug}}/SECURITY.md b/tier1/{{cookiecutter.project_slug}}/SECURITY.md index 0230f3c..22768df 100644 --- a/tier1/{{cookiecutter.project_slug}}/SECURITY.md +++ b/tier1/{{cookiecutter.project_slug}}/SECURITY.md 
@@ -2,11 +2,7 @@ The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith. -*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via -email or via GitHub Issues. Please use our website to submit vulnerabilities at -[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com). -HHS maintains an acknowledgements page to recognize your efforts on behalf of -the American public, but you are also welcome to submit anonymously. +*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days. Review the HHS Disclosure Policy and websites in scope: [https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html). diff --git a/tier2/{{cookiecutter.project_slug}}/SECURITY.md b/tier2/{{cookiecutter.project_slug}}/SECURITY.md index 0230f3c..22768df 100644 --- a/tier2/{{cookiecutter.project_slug}}/SECURITY.md +++ b/tier2/{{cookiecutter.project_slug}}/SECURITY.md 
@@ -2,11 +2,7 @@ The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith. -*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via -email or via GitHub Issues. Please use our website to submit vulnerabilities at -[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com). -HHS maintains an acknowledgements page to recognize your efforts on behalf of -the American public, but you are also welcome to submit anonymously. +*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days. Review the HHS Disclosure Policy and websites in scope: [https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html). diff --git a/tier3/{{cookiecutter.project_slug}}/SECURITY.md b/tier3/{{cookiecutter.project_slug}}/SECURITY.md index 0230f3c..22768df 100644 --- a/tier3/{{cookiecutter.project_slug}}/SECURITY.md +++ b/tier3/{{cookiecutter.project_slug}}/SECURITY.md 
@@ -2,11 +2,7 @@ The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith. -*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via -email or via GitHub Issues. Please use our website to submit vulnerabilities at -[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com). -HHS maintains an acknowledgements page to recognize your efforts on behalf of -the American public, but you are also welcome to submit anonymously. +*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days. Review the HHS Disclosure Policy and websites in scope: [https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html). diff --git a/tier4/{{cookiecutter.project_slug}}/SECURITY.md b/tier4/{{cookiecutter.project_slug}}/SECURITY.md index 0230f3c..22768df 100644 --- a/tier4/{{cookiecutter.project_slug}}/SECURITY.md +++ b/tier4/{{cookiecutter.project_slug}}/SECURITY.md 
@@ -2,11 +2,7 @@ The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith. -*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via -email or via GitHub Issues. Please use our website to submit vulnerabilities at -[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com). -HHS maintains an acknowledgements page to recognize your efforts on behalf of -the American public, but you are also welcome to submit anonymously. +*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days. Review the HHS Disclosure Policy and websites in scope: [https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).