Micro-purchase

This is a web application used to manage the bidding process for 18F's micro-purchase threshold experiment. The platform will allow vendors to bid on open opportunities with 18F, track their bids, and learn of the winning bidder. So long as vendors are registered on SAM.gov and have GitHub accounts, they will be able to view open opportunities and bid on them.

With this application, a vendor will be able to view the full list of open micro-purchasing opportunities, access bid histories, and place bids on services requested by 18F. All bids will start under $3,500 and each project will specify the desired product and method of delivery.

This is a Ruby/Rails application using ActiveRecord and PostgreSQL. This repo contains the front end of a web app that integrates GitHub and SAM.gov. For more information on setting up the back end of the web app, see below.

• Staging: https://micropurchase-staging.18f.gov/
• Production: https://micropurchase.18f.gov/
• API docs: https://micropurchase.18f.gov/api
• Problem statement
• Roadmap
• Leads tracker
• Backlog

Documentation

Local Development

See the CONTRIBUTING.md for a full run-down of how to contribute to this application.

Database Schema

We are keeping a version-controlled Entity Relationship Diagram (ERD) located indocs/erd.pdf. Any new change to the database schema must include an update to this diagram. You can automatically update the diagram by running (follow the local development instructions below if you don't have the app setup locally):

[docker-compose run web] bundle exec erd

Updating the ERD requires Graphiz. Installation instructions are here.

Coverage and CodeClimate

Because this application uses two different test suites (RSpec and Cucumber), it has a more complicated setup for measuring coverage and reporting it to CodeClimate. By default, CodeClimate only will use the coverage statistics from RSpec, meaning you will see a drop in coverage for controllers tested more thoroughly by Cucumber. The solution involves a few parts:

1. The .simplecov file in the root specifies SimpleCov configuration shared by both RSpec and Cucumber. This switches the coverage gem to use for CI vs. local operation.
2. The codeclimate_batch CLI merges the coverage reports from each suite before reporting to CodeClimate. This process includes sending all configs to the cc-amend service. To use the them, you must also make sure your CI calls bundler with --binstubs to install gem binaries locally.
3. The codeclimate_batch gem will only run on a CI server and you must also define an environment variable CODECLIMATE_REPO_TOKEN with the value of the repo token provided by CodeClimate for it to work.
4. The codeclimate_batch gem will also only run on the DEFAULT_BRANCH specified in the .simplecov file. If you change your CodeClimate to use a branch other than develop, you must change the value in .simplecov

If everything is working correctly, you should see the following text at the bottom of CI builds of your develop branch:

$ ./bin/codeclimate-batch --groups 2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 23656  100    41  100 23615    202   114k --:--:-- --:--:-- --:--:--  118k
sent 2 reports for 18F-micropurchase-1248
Code climate: 0.21s to send 2 reports

Security Scans

This repository uses two tools to provide a total of three types of automated security checks:

• Brakeman provides static code analysis.
• Hakiri is used to ensure the Rails/Ruby versions contain no known CVEs.
• Hakiri is used to ensure the gems declared in the Gemfile contain no known CVEs.

All security scans are built into the test suite. bundle exec rake spec will run them. To run the security scans ad hoc:

Brakeman:

bundle exec brakeman

Hakiri for Ruby/Rails versions:

bundle exec hakiri system:scan -m hakiri_manifest.json

Hakiri for Gemfile dependency versions:

bundle exec hakiri gemfile:scan

Ignored Brakeman warnings

Sometimes Brakeman will report a false positive. In cases like these, the warnings will be ignored. Ignored warnings are declared in config/brakeman.ignore. This file contains a machine-readable list of all ignored warnings. Any ignored warning will contain a note explaining (or linking to an explanation of) why the warning is ignored.

Public domain

This project is in the worldwide public domain. As stated in CONTRIBUTING:

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.