Initial commit

Author: kris-szlapa

.devcontainer /Dockerfile

@@ -0,0 +1,27 @@
+FROM python:3.12 as python-base
+
+
+ENV PYTHONDONTWRITEBYTECODE 1 \
+    PYTHONUNBUFFERED 1
+
+RUN apt-get update \
+    && apt-get install curl -y \
+    && curl -sSL https://install.python-poetry.org | python 
+
+ENV PATH="/root/.local/bin:$PATH"
+
+WORKDIR /usr/app
+
+COPY pyproject.toml poetry.lock ./
+
+RUN poetry config virtualenvs.create false \
+    && poetry install --no-dev --no-interaction --no-ansi
+
+
+
+FROM python-base as eps-bot
+WORKDIR /app
+COPY slackbot/ .
+COPY eps_corpus.db eps_corpus.db
+
+CMD [ "python3", "-u", "app.py"]

.devcontainer /devcontainer.json

@@ -0,0 +1,78 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+  "name": "Ubuntu",
+  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+  "build": {
+    "dockerfile": "Dockerfile",
+    "context": "..",
+    "args": {}
+  },
+  "mounts": [
+    "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
+    "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
+  ],
+  "features": {
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+      "version": "latest",
+      "moby": "true",
+      "installDockerBuildx": "true"
+    }
+  },
+  "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}/" },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "AmazonWebServices.aws-toolkit-vscode",
+        "redhat.vscode-yaml",
+        "ms-python.python",
+        "ms-python.flake8",
+        "eamodio.gitlens",
+        "github.vscode-pull-request-github",
+        "orta.vscode-jest",
+        "42crunch.vscode-openapi",
+        "mermade.openapi-lint",
+        "dbaeumer.vscode-eslint",
+        "christian-kohler.npm-intellisense",
+        "dbaeumer.vscode-eslint",
+        "lfm.vscode-makefile-term",
+        "GrapeCity.gc-excelviewer",
+        "redhat.vscode-xml",
+        "streetsidesoftware.code-spell-checker",
+        "timonwong.shellcheck",
+        "mkhl.direnv",
+        "github.vscode-github-actions"
+      ],
+      "settings": {
+        "python.defaultInterpreterPath": "/workspaces/eps-assist-me/.venv/bin/python",
+        "python.analysis.autoSearchPaths": true,
+        "python.analysis.extraPaths": [],
+        "python.testing.unittestEnabled": false,
+        "python.testing.pytestEnabled": true,
+        "python.linting.pylintEnabled": false,
+        "python.linting.flake8Enabled": true,
+        "python.linting.enabled": true, // required to format on save
+        "editor.defaultFormatter": "dbaeumer.vscode-eslint",
+        "editor.formatOnPaste": false, // required
+        "editor.formatOnType": false, // required
+        "editor.formatOnSave": true, // optional
+        "editor.formatOnSaveMode": "file",
+        "cSpell.words": ["fhir", "Formik", "pino", "serialisation"],
+        "eslint.useFlatConfig": true,
+        "eslint.format.enable": true
+          }
+    }
+  },
+  "postCreateCommand": "rm -f ~/.docker/config.json; git config --global --add safe.directory /workspaces/eps-assist-me; make install; direnv allow ."
+  // "features": {},
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  // "forwardPorts": [],
+  // Use 'postCreateCommand' to run commands after the container is created.
+  // "postCreateCommand": ""
+  // Configure tool-specific properties.
+  // "customizations": {},
+  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+  // "remoteUser": "root"
+}

.github/actions/mark_jira_released/action.yml

@@ -0,0 +1,26 @@
+name: "Create confluence release notes"
+description: "Do release note actions in confluence and jira"
+inputs:
+  RELEASE_TAG:
+    required: false
+    description: "The tag we are marking as released in jira"
+  DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE:
+    required: true
+    description: "The role to assume to execute the release notes lambda"
+
+runs:
+  using: "composite"
+  steps:
+    - name: connect to dev account
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: eu-west-2
+        role-to-assume: ${{ inputs.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
+        role-session-name: aws-dashboards-release-notes-run-lambda
+
+    - name: call markJiraReleased lambda
+      shell: bash
+      working-directory: .github/scripts
+      env:
+        RELEASE_TAG: ${{ inputs.RELEASE_TAG }}
+      run: ./call_mark_jira_released.sh

.github/actions/update_confluence_jira/action.yml

@@ -0,0 +1,89 @@
+name: "Create confluence release notes"
+description: "Do release note actions in confluence and jira"
+inputs:
+  TARGET_ENVIRONMENT:
+    required: true
+    description: "Target Environment"
+  RELEASE_TAG:
+    required: false
+    description: "The tag we are releasing - only used for create_rc_release_notes"
+  CONFLUENCE_PAGE_ID:
+    required: true
+    description: "The id of confluence page to update or create under"
+  CREATE_RC_RELEASE_NOTES:
+    required: true
+    description: "whether to create rc release notes page instead of normal release notes"
+    default: "false"
+  DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE:
+    required: true
+    description: "The role to assume to execute the release notes lambda"
+  DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE:
+    required: true
+    description: "The dev cloud formation deploy role"
+  TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE:
+    required: true
+    description: "The target cloud formation deploy role"
+
+runs:
+  using: "composite"
+  steps:
+    - name: connect to target account
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: eu-west-2
+        role-to-assume: ${{ inputs.TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+        role-session-name: cpt-api-release-notes-target
+
+    - name: Get deployed tag on target
+      shell: bash
+      working-directory: .github/scripts
+      env:
+        TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }}
+      run: ./get_target_deployed_tag.sh
+
+    - name: connect to dev account
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: eu-west-2
+        role-to-assume: ${{ inputs.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
+        role-session-name: cpt-api-release-notes-dev
+
+    - name: get current dev tag
+      shell: bash
+      working-directory: .github/scripts
+      run: ./get_current_dev_tag.sh
+
+    - name: connect to dev account to run release notes lambda
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: eu-west-2
+        role-to-assume: ${{ inputs.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
+        role-session-name: cpt-api-release-notes-run-lambda
+        unset-current-credentials: true
+
+    - name: create int release notes
+      shell: bash
+      working-directory: .github/scripts
+      if: inputs.TARGET_ENVIRONMENT == 'int' && inputs.CREATE_RC_RELEASE_NOTES == 'false'
+      env:
+        ENV: INT
+        PAGE_ID: ${{ inputs.CONFLUENCE_PAGE_ID }}
+      run: ./create_env_release_notes.sh
+
+    - name: create int rc release notes
+      shell: bash
+      working-directory: .github/scripts
+      if: inputs.TARGET_ENVIRONMENT == 'int' && inputs.CREATE_RC_RELEASE_NOTES == 'true'
+      env:
+        RELEASE_TAG: ${{ inputs.RELEASE_TAG }}
+        PAGE_ID: ${{ inputs.CONFLUENCE_PAGE_ID }}
+      run: ./create_int_rc_release_notes.sh
+
+    - name: create prod release notes
+      shell: bash
+      working-directory: .github/scripts
+      if: inputs.TARGET_ENVIRONMENT == 'prod'
+      env:
+        ENV: PROD
+        PAGE_ID: ${{ inputs.CONFLUENCE_PAGE_ID }}
+      run: ./create_env_release_notes.sh

.github/dependabot.yml

@@ -0,0 +1,47 @@
+#########################################################################
+# Dependabot configuration file
+#########################################################################
+
+version: 2
+registries:
+  npm-github:
+    type: npm-registry
+    url: https://npm.pkg.github.com
+    token: ${{secrets.DEPENDABOT_TOKEN}}
+
+updates:
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    open-pull-requests-limit: 20
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "
+
+  ###################################
+  # NPM workspace  ##################
+  ###################################
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    versioning-strategy: increase
+    open-pull-requests-limit: 20
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "
+    registries:
+      - npm-github
+
+  ###################################
+  # Poetry  #########################
+  ###################################
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    versioning-strategy: increase
+    open-pull-requests-limit: 20
+    commit-message:
+      prefix: "Upgrade: [dependabot] - "

.github/pull_request_template.md

@@ -0,0 +1,59 @@
+## Summary
+
+**Remove items from this list if they are not relevant. Remove this line once this has been done**
+
+- Routine Change
+- :exclamation: Breaking Change
+- :robot: Operational or Infrastructure Change
+- :sparkles: New Feature
+- :warning: Potential issues that might be caused by this change
+
+### Details
+
+Add any summary information of what is in the change. **Remove this line if you have nothing to add.**
+
+## Pull Request Naming
+
+Pull requests should be named using the following format:
+
+```text
+Tag: [AEA-NNNN] - Short description
+```
+
+Tag can be one of:
+
+- `Fix` - for a bug fix. (Patch release)
+- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release)
+- `New` - implemented a new feature. (Minor release)
+- `Breaking` - for a backwards-incompatible enhancement or feature. (Major release)
+- `Docs` - changes to documentation only. (Patch release)
+- `Build` - changes to build process only. (No release)
+- `Upgrade` - for a dependency upgrade. (Patch release)
+- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release)
+
+If the current release is x.y.z then
+- a patch release increases z by 1
+- a minor release increases y by 1
+- a major release increases x by 1
+
+Correct tagging is necessary for our automated versioning and release process.
+
+The description of your pull request will be used as the commit message for the merge, and also be included in the changelog. Please ensure that your title is sufficiently descriptive.
+
+### Rerunning Checks
+
+If you need to rename your pull request, you can restart the checks by either:
+
+- Closing and reopening the pull request
+- pushing an empty commit 
+  ```bash
+  git commit --allow-empty -m 'trigger build'
+  git push
+  ```
+- Amend your last commit and force push to the branch
+  ```bash
+  git commit --amend --no-edit
+  git push --force
+  ```
+
+Rerunning the checks from within the pull request will not use the updated title.

.github/scripts/call_mark_jira_released.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+echo "calling mark jira released"
+
+cat <<EOF > payload.json
+{ 
+  "releaseVersion": "EPS-Assist-AWS-$RELEASE_TAG"
+}
+EOF
+cat payload.json
+
+function_arn=$(aws cloudformation list-exports --query "Exports[?Name=='release-notes:MarkJiraReleasedLambdaArn'].Value" --output text)
+aws lambda invoke --function-name "${function_arn}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt
+cat out.txt

.github/scripts/check-sbom-issues-against-ignores.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Usage: ./check-sbom-issues-against-ignores.sh <ignored_issues_file> <scan_results_file>
+IGNORED_ISSUES_FILE="$1"
+SCAN_RESULTS_FILE="$2"
+
+# Check if files exist
+if [[ ! -f "$IGNORED_ISSUES_FILE" || ! -f "$SCAN_RESULTS_FILE" ]]; then
+  echo "Error: One or both of the required files do not exist."
+  exit 1
+fi
+
+# Read ignored issues into an array
+mapfile -t IGNORED_ISSUES < <(jq -r '.[]' "$IGNORED_ISSUES_FILE")
+
+# Read scan results and check for critical vulnerabilities
+CRITICAL_FOUND=false
+
+# Loop through vulnerabilities in the scan results
+while IFS= read -r MATCH; do
+  VULN_ID=$(echo "$MATCH" | jq -r '.vulnerability.id')
+
+  # Check if the vulnerability ID is in the ignored list
+  FOUND=false
+  for IGNORED in "${IGNORED_ISSUES[@]}"; do
+    if [[ "$IGNORED" == "$VULN_ID" ]]; then
+      FOUND=true
+      echo "Warning: Ignored vulnerability found: $VULN_ID"
+      break
+    fi
+  done
+
+  # If the vulnerability is not found in the ignored list, mark critical as found
+  if [[ "$FOUND" == false ]]; then
+    echo "Error: Critical vulnerability found that is not in the ignore list: $VULN_ID"
+    CRITICAL_FOUND=true
+  fi
+done < <(jq -c '.matches[] | select(.vulnerability.severity == "Critical")' "$SCAN_RESULTS_FILE")
+
+# Exit with error if critical vulnerability is found
+if [[ "$CRITICAL_FOUND" == true ]]; then
+  exit 1
+fi
+
+echo "No unignored critical vulnerabilities found."
+exit 0