R24.03 Item Relationship Service (IRS) - Release Checks #494

Closed
20 tasks done
Tracked by #406
kelaja opened this issue Jan 30, 2024 · 24 comments
Labels
compliance RM compliance documentation RM documentation irs Feature/Bug for Item Relationship Service component

@kelaja
Contributor

kelaja commented Jan 30, 2024

Release Info

Please provide information on what you want to be included in the Eclipse Tractus-X release.
If you are not owner of this issue, please provide the information as comment to the issue.

Version to be included in Eclipse Tractus-X release:

Leading product repository:
IRS Repos

Compliance Verifications

This issue tracks all compliance related checks, that need to be performed for a product release in Eclipse Tractus-X.

  • Gaia-X compliance confirmed
  • Note: @wjost requested approval
  • GDPR compliance confirmed (personal data, data protection + privacy DPP)
  • Requested Jens Weiss for approval based on R23.12
  • Interoperability checks performed
  • Note: Business Hours on 19.2.2024
  • Data Sovereignty checks performed
  • Note: Business Hours on 19.2.2024
  • Compliant with relevant published CX Standards (see the Catena-X standard library)

Documentation

  • Arc24 documentation up-to-date
  • Note: Requested @vialkoje for review and approval
  • Administrators Guide up-to-date
  • Note: Requested @vialkoje for review and approval
  • End-User manual up-to-date
  • Note: Requested @vialkoje for review and approval
  • Interface documentation up-to-date
  • Note: Requested @vialkoje for review and approval

Security Checks

General Checks

Test Results

  • E2E Integration Test passed
  • Note: @ds-alexander-bulgakov covering approval of E2E with test management
  • User Journey approved
  • Note: @kelaja approval based on approval of R23.12 without any changes

Helpful Links

@mkanal

mkanal commented Feb 13, 2024

Good morning @jjeroch,
The IRS does not provide a UI. For this reason, it is not necessary to check the style guide. Would you please confirm this as an expert in this issue? Thank you very much.
Martin

@mkanal

mkanal commented Feb 13, 2024

Good morning @vialkoje,

The Tractus-X Release Guidelines Check is pending for QG4 R24.3.
I would like to ask you for your review and subsequent approval of the QG4 ACs for documentation.
If a personal appointment is required, please let me know. In this case, I will send you suggested dates.

Tractus-X Release Guidelines Check Release 24.3:
#494

Documentation:

Docu
Arc24 documentation
Administrators Guide
End-User manual // IRS does not provide any UI
Interface documentation
Interface documentation

Thank you very much
Martin

@mkanal

mkanal commented Feb 13, 2024

@kelaja please update the status based on the following information:

  • "User Journey approved": User Journey has not changed since release 23.12. For this reason, the approval of the User Journey is based on the approval given by BO of R23.12.
  • GDPR compliance confirmed - There is no change since release 23.12 regarding the processing and storing of GDPR related data (personal data, data protection + privacy DPP). For this reason, the approval of the User Journey is based on the approval given by GDPR experts of R23.12.
  • Gaia-X compliance confirmed - in reference to R24.03 Item Relationship Service (IRS) - Release Checks #494 (comment)

fyi @jzbmw

@mkanal

mkanal commented Feb 13, 2024

@wjost,
kindly ask for your approval regarding Gaia-X compliance. There are no changes between 24.3 and already approved version 23.12.
Thank you very much
Martin

@wjost

wjost commented Feb 13, 2024

For Release R24.03 we do not support Targus-Release on GXDCH. Hence "Gaia-X compliance" is still on the level of R23.12. I confirm this release is GAIA-X compliant.

@mkanal

mkanal commented Feb 13, 2024

Interoperability checks

Preparation for Business Hour 19.2.2024 17:30 - 18:15
Participants @jzbmw & @mkanal
https://confluence.catena-x.net/display/PL/2024-02-12+InterOp+for+TraceX+and+IRS

@mkanal

mkanal commented Feb 13, 2024

Threat Modeling Analysis passed

@pablosec @scherersebastian
There are no relevant changes in either product compared to R23.12. For this reason, we would like to request the release of the QGC "Threat Modelling Analysis passed" based on the R23.12 release.

@mkanal

mkanal commented Feb 14, 2024

Please fix these issues regarding the role of security minister @ds-jhartmann @ds-ext-kmassalski @dsmf

(x) Container Scans passed

The expat library is not under our control; it is inside the eclipse-temurin image that we are using in the Dockerfile.

It is possible to manually update expat in the container with the command below:
RUN apk add --upgrade --no-cache expat
however, this is not acceptable to the System team, whose decision is to put OSS over security:
https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02/#use-base-image-as-is

Taking the above into account, we can only wait until there is a new eclipse-temurin image with an upgraded version of the expat library (probably soon, as JDK is already patched, waiting for JRE).

CSRF security finding was fixed.

@mkanal

mkanal commented Feb 14, 2024

Status as of 14.02.2024
@pablosec @scherersebastian

Static Application Security Testing (SAST) scans passed

@BANANAS1337 @RoKrish14

  • code is scanned weekly with Veracode tool
  • medium risks have mitigation statement
  • There are no high and above CVEs

Dynamic Application Security Testing (DAST) tests passed

  • INVICTI tool new scan profile IRS-PEN 14.02.2024
  • no findings
    image

Secret Scans passed

@DnlZF

Software Composition Analysis (SCA) passed

VeraCode

@klaudiaZF @ZFLokesh @RoKrish14 @Tim.herres

image

Container Scans passed

@RoKrish14

Infrastructure as Code (IaC) scans passed

@RoKrish14

@almadigabor almadigabor self-assigned this Feb 16, 2024
@mkanal

mkanal commented Feb 19, 2024

Data Sovereignty checks performed

Hello @vialkoje

there seem to be no official DS Guidelines for the R34.3. Can you please give us an approval based on 23.12? There were no changes to R23.12 in IRS: Please approve.
#494
#506
Thank you very much
Martin

@DirkBTSI

INT test performed/documented.
E2E test performed/documented.
No high defect.
TM approved
@kelaja : please approve for "E2E Integration Test passed"

@almadigabor

Hey! I'm done with the first round of checks and opened 2 issues that need to be fixed. You can see more detail here.

@vialkoje

Documentation available and looking consistent - Expert Approval granted

@mkanal

mkanal commented Feb 20, 2024

image

@jzbmw

jzbmw commented Feb 20, 2024

As PO I assure that no changes from an earlier release of the Interoperability aspects exist

@RolaH1t
Contributor

RolaH1t commented Feb 20, 2024

2 minor findings wrt TRGs => QG approval postponed
Expect fix within cw 8.

@almadigabor

almadigabor commented Feb 20, 2024

Hey, I've closed the QG issue as all subtasks have been fixed. I approve the QG. The new versions are:

AppVersion: 4.5.1
Chart version: 6.14.1

@RoKrish14

SAST: Approved
SCA: Approved
DAST: Approved
Secret Scans: Approved

IAC: Pending
Container Scanning: Pending

@szymonkowalczykzf

Security Assessment Process (Threat Modeling Analysis) approved.

No significant changes detected since last release.
No open critical & high finding remaining for this release.

Documentation of the assessment will be moved out to the GitHub repositories of the Products before the next release.

@mkanal

mkanal commented Feb 20, 2024

SAST: Approved SCA: Approved DAST: Approved Secret Scans: Approved

IAC: Pending Container Scanning: Pending

Hello @RoKrish14
are there any vulnerabilities or open topics why IAC and container scanning is in pending state?
Thank you very much
Martin

@RoKrish14

@ds-mwesener @ds-mmaul presented me with the security dashboard to look at the results.

Container Scans: Approved
IAC: Approved

@mkanal

mkanal commented Feb 21, 2024

Hello

@ds-mwesener @ds-mmaul presented me with the security dashboard to look at the results.

Container Scans: Approved IAC: Approved

Thank you very much.

@mkanal

mkanal commented Feb 21, 2024

Hello @RolaH1t and @kelaja
all Q-Gate criteria are approved from experts.
Please recheck and close this issue.
Thank you very much
Martin

@RolaH1t
Contributor

RolaH1t commented Feb 21, 2024

QG4 approval granted. Congrats!

@kelaja kelaja moved this from Inbox to Done in Release Planning Mar 13, 2024
@kelaja kelaja closed this as completed Mar 13, 2024
Projects
Status: Done
10 participants