This is a web application used to manage the bidding process for 18F's micro-purchase threshold experiment. The platform will allow vendors to bid on open opportunities with 18F, track their bids, and learn of the winning bidder. So long as vendors are registered on SAM.gov and have GitHub accounts, they will be able to view open opportunities and bid on them.
With this application, a vendor will be able to view the full list of open micro-purchasing opportunities, access bid histories, and place bids on services requested by 18F. All bids will start under $3,500 and each project will specify the desired product and method of delivery.
This is a Ruby/Rails application using ActiveRecord and PostgreSQL. This repo contains the front end of a web app that integrates GitHub and SAM.gov. For more information on setting up the back end of the web app, see below.
- Staging: https://micropurchase-staging.18f.gov/
- Production: https://micropurchase.18f.gov/
- API docs: https://micropurchase.18f.gov/api
- Problem statement
- Roadmap
- Leads tracker
- Backlog
See the CONTRIBUTING.md for a full run-down of how to contribute to this application.
We are keeping a version-controlled Entity Relationship Diagram (ERD) located
indocs/erd.pdf
. Any new change to the database schema must include an update
to this diagram. You can automatically update the diagram by running (follow the
local development instructions below if you don't have the app setup locally):
[docker-compose run web] bundle exec erd
Updating the ERD requires Graphiz. Installation instructions are here.
Because this application uses two different test suites (RSpec and Cucumber), it has a more complicated setup for measuring coverage and reporting it to CodeClimate. By default, CodeClimate only will use the coverage statistics from RSpec, meaning you will see a drop in coverage for controllers tested more thoroughly by Cucumber. The solution involves a few parts:
- The
.simplecov
file in the root specifies SimpleCov configuration shared by both RSpec and Cucumber. This switches the coverage gem to use for CI vs. local operation. - The codeclimate_batch CLI merges the coverage reports from each suite before reporting to CodeClimate. This process includes sending all configs to the cc-amend service. To use the them, you must also make sure your CI calls bundler with
--binstubs
to install gem binaries locally. - The codeclimate_batch gem will only run on a CI server and you must also define an environment variable
CODECLIMATE_REPO_TOKEN
with the value of the repo token provided by CodeClimate for it to work. - The codeclimate_batch gem will also only run on the DEFAULT_BRANCH specified in the
.simplecov
file. If you change your CodeClimate to use a branch other than develop, you must change the value in.simplecov
If everything is working correctly, you should see the following text at the bottom of CI builds of your develop
branch:
$ ./bin/codeclimate-batch --groups 2
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 23656 100 41 100 23615 202 114k --:--:-- --:--:-- --:--:-- 118k
sent 2 reports for 18F-micropurchase-1248
Code climate: 0.21s to send 2 reports
This repository uses two tools to provide a total of three types of automated security checks:
- Brakeman provides static code analysis.
- Hakiri is used to ensure the Rails/Ruby versions contain no known CVEs.
- Hakiri is used to ensure the gems declared in the Gemfile contain no known CVEs.
All security scans are built into the test suite. bundle exec rake spec
will run them. To run the security scans ad hoc:
Brakeman:
bundle exec brakeman
Hakiri for Ruby/Rails versions:
bundle exec hakiri system:scan -m hakiri_manifest.json
Hakiri for Gemfile dependency versions:
bundle exec hakiri gemfile:scan
Sometimes Brakeman will report a false positive. In cases like these, the warnings will be ignored. Ignored warnings are declared in config/brakeman.ignore
. This file contains a machine-readable list of all ignored warnings. Any ignored warning will contain a note explaining (or linking to an explanation of) why the warning is ignored.
This project is in the worldwide public domain. As stated in CONTRIBUTING:
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.