requested changes

sachin-panayil · sachin-panayil · commit 2d8749a2bfd0 · 2024-10-30T13:37:31.000-04:00
Signed-off-by: Sachin Panayil &lt;sachinpanayil01@gmail.com&gt;
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -1,5 +1,7 @@
 name: "run-linting-checks"
 on:
+  pull_request:
+    branches: [main, dev]
   push:
     branches:
       - 'main'
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -13,11 +13,6 @@ We encourage you to read this project's CONTRIBUTING policy (you are here), its
 [LICENSE](LICENSE.md), and its [README](README.md).
 
 # Getting Started
-## Building the Project
-
-For instructions on how to invoke the script, see the usage section of the [README](README.md)
-
-
 ## Building Dependencies
 
 First, install the dependencies that are required for these scripts:
@@ -27,6 +22,10 @@ First, install the dependencies that are required for these scripts:
  - [Git Install here](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
  - [Curl](https://curl.se/docs/)
 
+## Building the Project
+
+For instructions on how to invoke the script, see the usage section of the [README](README.md)
+
 ### Workflow and Branching
 
 We follow the [GitHub Flow Workflow](https://guides.github.com/introduction/flow/)
@@ -118,11 +117,7 @@ questions, just [shoot us an email](mailto:opensource@cms.hhs.gov).
 
 ### Security and Responsible Disclosure Policy
 
-*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
-email or via GitHub Issues. Please use our website to submit vulnerabilities at
-[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
-HHS maintains an acknowledgements page to recognize your efforts on behalf of
-the American public, but you are also welcome to submit anonymously.
+*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
 
 For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md).
 
diff --git a/README.md b/README.md
@@ -19,7 +19,7 @@ Establish and maintain guidance, policies, practices, and talent pipelines that
 
 ## Core Team
 
-A full list of contributors can be found on [https://github.cms.gov/DSACMS/repodive-tools/graphs/contributors](https://github.cms.gov/DSACMS/repodive-tools/graphs/contributors).
+A full list of contributors can be found on [https://github.com/DSACMS/repodive-tools/graphs/contributors](https://github.cms.gov/DSACMS/repodive-tools/graphs/contributors).
 
 <!--
 ## Documentation Index
@@ -147,16 +147,20 @@ questions, just [shoot us an email](mailto:opensource@cms.hhs.gov).
 
 ### Security and Responsible Disclosure Policy
 
-*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
-email or via GitHub Issues. Please use our website to submit vulnerabilities at
-[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
-HHS maintains an acknowledgements page to recognize your efforts on behalf of
-the American public, but you are also welcome to submit anonymously.
+*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
 
 For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see [SECURITY.md](SECURITY.md).
 
+### Software Bill of Materials (SBOM)
+
+A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. 
+
+In the spirit of [Executive Order 14028 - Improving the Nation’s Cyber Security](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), a SBOM for this repository is provided here: https://github.com/{{ cookiecutter.project_org }}/{{ cookiecutter.project_repo_name }}/network/dependencies.
+
+For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom.
+
 ## Public domain
 
 This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/) as indicated in [LICENSE](LICENSE).
 
-All contributions to this project will be released under the CC0 dedication. By submitting a pull request or issue, you are agreeing to comply with this waiver of copyright interest.
+All contributions to this project will be released under the CC0 dedication. By submitting a pull request or issue, you are agreeing to comply with this waiver of copyright interest.
diff --git a/SECURITY.md b/SECURITY.md
@@ -2,18 +2,11 @@
 
 The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
 
-*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via
-email or via GitHub Issues. Please use our website to submit vulnerabilities at
-[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com).
-HHS maintains an acknowledgements page to recognize your efforts on behalf of
-the American public, but you are also welcome to submit anonymously.
+*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
 
 Review the HHS Disclosure Policy and websites in scope:
 [https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).
 
 This policy describes *what systems and types of research* are covered under this
 policy, *how to send* us vulnerability reports, and *how long* we ask security
-researchers to wait before publicly disclosing vulnerabilities.
-
-If you have other cybersecurity related questions, please contact us at
-[csirc@hhs.gov](mailto:csirc@hhs.gov).
+researchers to wait before publicly disclosing vulnerabilities.
diff --git a/checklist.md b/checklist.md
@@ -96,10 +96,6 @@ As part of the code review, engineers should reference modern listings of the mo
    - Cross-Site Scripting (XSS) - Application does not have a web based user interface or form for user input.
    - Insecure Deserialization - Application does not perform deserialization of external or user provided data. </b>
 
-   - The scripts (gen-gource-logs-on-repos.sh and run-scc-on-repos.sh) contain hardcoded empty TOKEN variables. These should be moved to environment variables or a different secure system
-   - There is minimal error handling within the script files (concat.sh and run-contrib-resolution-rough.sh) pertaining to file system operations
-   - There is minimal error handling within the API cals made to the GitHub API
-
 
 ### Code Analysis 
 
diff --git a/code.json b/code.json
@@ -6,7 +6,7 @@
       "longDescription": "This repository is a collection of scripts and tools for a given repodiving effort. Repodiving in this context means going through a git repository and gathering relevant information for a specific purpose."
     }
   },
-  "status": "archival",
+  "status": "production",
   "permissions": {
     "licenses": [
       {
@@ -23,11 +23,11 @@
     "mac"
   ],
   "categories": [
-    "data-collection, data-analytics"
+    "data-collection,data-analytics"
   ],
   "softwareType": "standalone/backend",
   "languages": [
-    "bash, python"
+    "bash,python"
   ],
   "maintenance": "internal",
   "date": {
@@ -36,7 +36,7 @@
     "metadataLastUpdated": "2024-10-22T22:00:58+0000"
   },
   "tags": [
-    "git, repository, scripts, repodiving"
+    "git,repository,scripts,repodiving"
   ],
   "contact": {
     "email": "opensource@cms.hhs.gov",
diff --git a/gen-gource-logs-on-repos.sh b/gen-gource-logs-on-repos.sh
@@ -3,7 +3,7 @@
 # Variables
 GITHUB_API_URL="https://api.github.com"
 ORGANIZATION="CMSGov"
-TOKEN=""  # Replace with your GitHub token
+TOKEN=$GITHUB_TOKEN  # Set your environment variable to your GitHub Token
 
 # Function to fetch repositories from the organization
 fetch_repositories() {
diff --git a/run-scc-on-repos.sh b/run-scc-on-repos.sh
@@ -3,7 +3,7 @@
 # Variables
 GITHUB_API_URL="https://github.cms.gov/api/v3"
 ORGANIZATION="pecos-application-development"
-TOKEN=""  # Replace with your GitHub token
+TOKEN=$GITHUB_TOKEN  # Set your environment variable to your GitHub Token
 SCC_LOG_LOC=$(readlink -f ./scc_reports)
 
 
