feat(updates for v1): Refactor, assorted updates for v1 (#8)

* Functional... checking in

* working as intended, but we should make it safer

* prettier

* Add some type stuff

* remove deubg

* prettier

* README and LICENSE

* Update README.md

* README

* README

* README

* readme

* readme

* README

* Remove project as a label... its problematic, as these issues are scoped only to a region within an account

* prettier and readme

* README

* readme

* No need for credentials here

* revertme, testing test

* put this back

* Add dependency review action

* Remove test that is no longer valid

* Remove debug

* add creds to coverage

* whoops

* revertme

* fix typo

* confused meme

* remove debug

* Change default severities to include MEDIUM, since macpro is held to that standard

* README

* Update the example

* Removed AWS creds from test workflow and added mocking STS client to our tests

* removed AWS creds from unit-tests workflow

* put test back: Missing a required environment variable

* Update jira-lib.ts

* Remove comments

* remove comments

* Add await for creating issues

* Remove unused PROJECT variable

* remove some small unused stuff

---------

Co-authored-by: Jon Holman <[email protected]>

.github/workflows/dependency-review.yml

@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v3
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@v2

.github/workflows/test.yml

@@ -21,10 +21,5 @@ jobs:
       - uses: actions/setup-node@v3
         with:
           node-version: 16
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
-        with:
-          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }}
-          aws-region: us-east-1
       - run: npm ci
       - run: npm run test

.github/workflows/unit-tests.yml

@@ -11,21 +11,15 @@ on:
 jobs:
   coverage-report:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
         with:
           node-version: 16
-      - uses: actions/cache@v2
-        with:
-          path: |
-            **/node_modules
-          key: ${{ github.workflow }}-${{ github.job }}-${{ runner.os }}-modules-test-coverage-${{ hashFiles('package-lock.json') }}
-      - name: install
-        run: |
-          if [ ! -d "node_modules" ]; then # If we don't have any node_modules (CircleCI cache miss scenario), run yarn install --frozen-lockfile.  Otherwise, we're all set, do nothing.
-            npm ci
-          fi
+      - run: npm install
       - run: npm run coverage
       - name: publish test coverage to code climate
         if: always() && env.CC_TEST_REPORTER_ID != ''

LICENSE

@@ -1,21 +1,31 @@
-MIT License
-
-Copyright (c) 2023 Centers for Medicare & Medicaid Services
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+As a work of the United States Government, this project is in the
+public domain within the United States.
+
+Additionally, we waive copyright and related rights in the work
+worldwide through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to
+the public domain by waiving all of his or her rights to the work worldwide
+under copyright law, including all related and neighboring rights, to the
+extent allowed by law.
+
+You can copy, modify, distribute and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0,
+nor are the rights that other persons may have in the work or in how the
+work is used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with
+this deed makes no warranties about the work, and disclaims liability for
+all uses of the work, to the fullest extent permitted by applicable law.
+When using or citing the work, you should not imply endorsement by the
+author or the affirmer.

README.md

@@ -1,6 +1,9 @@
 <h1 align="center" style="border-bottom: none;">macpro-security-hub-sync</h1>
 <h3 align="center">NPM module to create Jira issues for all findings in Security Hub for the current AWS account.</h3>
 <p align="center">
+  <a href="https://cmsgov.slack.com/archives/C04MBTV136X">
+    <img alt="Slack" src="https://img.shields.io/badge/Slack-channel-purple.svg">
+  </a>
   <a href="https://github.com/Enterprise-CMCS/macpro-security-hub-sync/releases/latest">
     <img alt="latest release" src="https://img.shields.io/github/release/Enterprise-CMCS/macpro-security-hub-sync.svg">
   </a>
@@ -24,53 +27,63 @@
   </a>
 </p>
 
-## Information
-
-This package syncs AWS Security Hub Findings to Jira.
-
-- When the sync utility is run, each Security Hub Finding type (Title) is represented as a single issue. So if you have violated the 'S3.8' rule three individual times, you will have one S3.8 Jira Issue created.
-- By default, CRITICAL and HIGH severity findings get issues created in Jira. However, this is configurable in either direction (more or less sensitivity).
-- When the utility runs, previously created Jira issues that no longer have an active finding are closed. In this way, Jira issues can be automatically closed as the Findings are resolved, if you run the utility on a schedule (recommended).
+## Usage
 
-## Synchronization Process
-
-The SecurityHubJiraSyncOptions class's main function is sync. The sync process follows this process:
-Step 1. Get all open Security Hub issues from Jira
-Step 2. Get all current findings from Security Hub
-Step 3. Close existing Jira issues if their finding is no longer active/current
-Step 4. Create Jira issue for current findings that do not already have a Jira issue
-
-## Usage and Getting Started
-
-To install the package run the following command:
+Set a few enviroment variables that are expected by the package:
 
 ```
-npm install --save-dev @enterprise-cmcs/macpro-security-hub-sync
+export JIRA_HOST=yourorg.atlassian.net
+export JIRA_PROJECT=OY2 // This is the ID for the Jira Project you want to interact with
+export JIRA_USERNAME="[email protected]"
+export JIRA_TOKEN="a very long string" // This should be a [Personal Access Token](https://confluence.atlassian.com/enterprise/using-personal-access-tokens-1026032365.html) that you generate
 ```
 
-or
+Install the package with a dependency manager of your choice, probably as a dev dependency:
 
 ```
-yarn add --dev @enterprise-cmcs/macpro-security-hub-sync
+npm install @enterprise-cmcs/macpro-security-hub-sync --save-dev
 ```
 
-After installing the package in your project include this import statement
+Import the package and execute a sync:
 
 ```
 import { SecurityHubJiraSync } from "@enterprise-cmcs/macpro-security-hub-sync";
+await new SecurityHubJiraSync().sync();
 ```
 
-With SecurityHubJiraSync imported you can now execute it like:
+Or, override defaults by passing more options:
 
 ```
-await new SecurityHubJiraSync({ region = "us-east-1", severities: ["MEDIUM"] }).sync();
+await new SecurityHubJiraSync({
+  region: "us-west-2", // Which regional Security Hub to scrape; default is "us-east-1"
+  severities: ["HIGH","CRITICAL"], // List of all severities to find; default is ["MEDIUM","HIGH","CRITICAL"]
+  customJiraFields: { // A map of custom fields to add to each Jira Issue; no default; making this nicer is WIP
+    customfield_14117: [{value: "Platform Team"}],
+    customfield_14151: [{value: "Not Applicable "}],
+  }
+}).sync();
 ```
 
-## Contributing
+## Info
+
+#### Overview
 
-Found a bug, want to help with updating the docs or maybe you want to help add a feature. Refer to our contribution documentation for more information: [Documentation](./docs/CONTRIBUTING.MD)
+This package syncs AWS Security Hub Findings to Jira.
 
-## Instructions to test locally with a yarn project
+- When the sync utility is run, each Security Hub Finding type (Title) is represented as a single issue. So if you have violated the 'S3.8' rule three individual times, you will have one S3.8 Jira Issue created.
+- By default, CRITICAL and HIGH severity findings get issues created in Jira. However, this is configurable in either direction (more or less sensitivity).
+- When the utility runs, previously created Jira issues that no longer have an active finding are closed. In this way, Jira issues can be automatically closed as the Findings are resolved, if you run the utility on a schedule (recommended).
+
+#### Sync Process
+
+The SecurityHubJiraSyncOptions class's main function is sync. The sync process follows this process:
+
+1. Get all open Security Hub issues (identified by a label convention) from Jira
+2. Get all current findings from Security Hub
+3. Close existing Jira issues if their finding is no longer active/current
+4. Create Jira issue (including labels from our label convention) for current findings that do not already have a Jira issue
+
+#### Instructions to test locally with a yarn project
 
 - in your terminal from your local clone of macpro-security-hub-sync with your development branch
 - `yarn link` (note, when testing is complete, run `yarn unlink`)
@@ -103,8 +116,14 @@ success Using linked package for "@enterprise-cmcs/macpro-security-hub-sync".
 - `yarn install`
 - Note: when testing is complete run `yarn unlink "@enterprise-cmcs/macpro-security-hub-sync"`
 
+## Contributing
+
+You can check out our current open issues [here](https://github.com/Enterprise-CMCS/macpro-security-hub-sync/issues). Please feel free to open new issues for bugs or enhancements.
+
+Also, join us on [Slack](https://cmsgov.slack.com/archives/C04MBTV136X)
+
 ## License
 
-[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![License](https://img.shields.io/badge/License-CC0--1.0--Universal-blue.svg)](https://creativecommons.org/publicdomain/zero/1.0/legalcode)
 
 See [LICENSE](LICENSE) for full details.

examples/github-actions/run-security-hub-sync.yml → examples/.github/workflows/security-hub-jira-sync.yml

@@ -18,36 +18,25 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: Configure direnv
-        uses: HatsuneMiku3939/direnv-action@v1
-
       - name: Install Node
         uses: actions/setup-node@v3
         with:
-          node-version-file: .nvmrc
-
-      - name: Node cache
-        uses: actions/cache@v2
-        with:
-          path: "**/node_modules"
-          key: ${{ github.workflow }}-${{ github.job }}-${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
+          node-version: 16
 
+      # AWS credentials must be provided to get findings from security hub; how you inject credentials can vary.
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }}
           aws-region: us-east-1
           role-duration-seconds: 10800
 
+      - run: npm install
+
       - name: Invoke Security Hub Jira Sync
-        id: runningStages
         env:
           JIRA_HOST: qmacbis.atlassian.net
-          JIRA_USERNAME: xxx
-          JIRA_TOKEN: xxx
           JIRA_PROJECT: OY2
-          JIRA_CLOSED_STATUSES: "Done"
-          PROJECT: cms-bigmac
-        run: |
-          npm i -g ts-node
-          ts-node src/run-sync.ts
+          JIRA_USERNAME: ${{ secrets.JIRA_USERNAME }}
+          JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }}
+        run: node run.js

examples/.gitignore

@@ -0,0 +1 @@
+package-lock.json

examples/README.md

@@ -0,0 +1,7 @@
+## Example
+
+This is intended to be an example of how a project might install the package and automate the running of it with GitHub Actions.
+
+It has been made to be a very stripped down implementation.
+
+To see a real world implementation, which at its core is this example but with more optimization around the workflow and a more robust run script, see [macpro-base-template's implementation](REPLACEME)

examples/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "example",
+  "type": "module",
+  "devDependencies": {
+    "@enterprise-cmcs/macpro-security-hub-sync": "^1.0.0"
+  }
+}

examples/run.js

@@ -0,0 +1,3 @@
+import { SecurityHubJiraSync } from "@enterprise-cmcs/macpro-security-hub-sync";
+
+await new SecurityHubJiraSync().sync();