QG checks (Release 24.05)

[carslen]

QG checks

Please keep this issue open until QG is concluded and will be managed by the Issue Creator! We will inform you about finding and proposals in separated issues, this issue here is for the Overview of the Checks!

Please keep this issue open until QG is concluded!

Product Owner: @jjeroch Dev SPOC: @evegufy Helm Chart Version: 1.0.0 App Version: 1.0.0

Release Managemnet Reference Issue: eclipse-tractusx/sig-release#672

Check of Tractus-X Release Guidelines

• Currently implemented automatic checks can be found under your product on our Release Guidelines Checks Board
• This QG Check is depending on the mandatory information from our current Release Guidelines

TRG 1 Documentation

• [x] TRG 1.01 appropriate README.md
• [x] TRG 1.02 appropriate install instructions either INSTALL.md or in README.md
• [x] TRG 1.03 appropriate CHANGELOG.md
• [x] TRG 1.04 editable static files

TRG 2 Git

• [x] TRG 2.01 default branch is named main
• [x] TRG 2.03 repository structure
• [x] TRG 2.04 leading product repository
• [x] TRG 2.05 .tractusx metafile in a proper format

TRG 3 Kubernetes

• [x] TRG 3.02 persistent volume and persistent volume claim is used when needed

TRG 4 Container

• [x] TRG 4.01 semantic versioning and tagging
• [x] TRG 4.02 base image is agreed
• [x] TRG 4.03 image has USER command and Non Root Container
• [x] TRG 4.05 released image must be placed in DockerHub, remove GHCR references
• [x] TRG 4.06 separate notice file for DockerHub has all necessary information

TRG 5 Helm

• [x] TRG 5.01 Helm chart requirements
• [x] TRG 5.02 Helm chart location in /charts directory and correct structure
• [x] TRG 5.03 proper version strategy
• [x] TRG 5.04 CPU / MEM resource requests and limits and are properly set
• [x] TRG 5.06 Application must be configurable through the Helm chart
• [x] TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
• [x] TRG 5.08 Product has a single deployable helm chart that contains all components
• [x] TRG 5.09 Helm Test running properly
• [x] TRG 5.10 Products need to support 3 versions at a time
• [x] TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

• [x] TRG 6.01 Released Helm Chart

TRG 7 Open Source Governance

• [x] TRG 7.01 Legal Documentation
• [x] TRG 7.02 License and copyright header
• [x] TRG 7.03 IP checks for project content
• [x] TRG 7.04 IP checks for 3rd party content
• [x] TRG 7.05 Legal information for distributions
• [x] TRG 7.06 Legal information for end user content
• [x] TRG 7.07 Legal notice for documentation
• [x] TRG 7.08 Legal notice for KIT documentation

TRG 8 Security

• [x] TRG 8.01 Mitigate high and above findings in CodeQL
• [x] TRG 8.02 Mitigate high and above findings in KICS
• [x] TRG 8.03 Mitigate high and above findings in GitGuardian
• [x] TRG 8.04 Mitigate high and above findings in Trivy

Hints

Information Sharing

[evegufy]

Hi @tom-rm-meyer-ISST the repo is ready for review Hi @RoKrish14 could you please take over the security checks?

[tom-rm-meyer-ISST]

First of all: Sorry for waiting that long. Currently everything is a rush :( But I also used this QGate check to cross check some things I need to update for our repo, too :)

Review (additional things beside checklist)

QGate checklist lacks TRG 2.06, which is successfully fulfilled.

TRG 7.06 (frontend about license) is not applicable thus ticked.

Discussions

Dear co-pilot @carslen, I would like to have your opinion on the following topics (also feel free to check the findings). @evegufy feel free to also discuss - maybe we should schedule a meeting :)

TRG 3.02, TRG 5.06 PVC claims

From my understanding this is fulfilled (already ticked 3.02) as this is only applicable to the Postgres dependency, which comes with it by default.

The values.yaml by default does not make the PVC / StatefulSet configurable, which is OK from my point of view as I don't think I've currently seen it anywhere (and we also didn't do it).

Do you agree, that it's fine or do you think it's not following the TRG?

Dash Tool in the repository, but no notice

TRG 7.04 clarifies third party content while TRG 7.01 explains the Notice file.

This repository currently contains the Dashtool as a jar at ./scripts/download. I would expect to have a NOTICE.md beside it or better even remove it and add a step to download it to the respective point in workflows / development documentation. I'm also not fully sure about the license here (we're apache 2.0, dash is EPL-2.0). What do you think.

Also following the EF handbook, I noticed that the following excerpt of the NOTICE.md that should be used. It mentions the dash tool usage, but we don't have it mentioned in the TRG example. Any idea because I think no repo has it mentioned at all (we until now don't have it):

# Notices for Dash, Tools for Committers

This content is produced and maintained by the Eclipse Dash, Tools for
Committers project.

 * Project home: https://projects.eclipse.org/projects/technology.dash

TRG 5.05 expects digest in helm values

The digest stated in the should example is only a SHOULD and not a MUST, isn't it? If it's a must I would need to uncheck TRG 5.05.

Findings

Note: As a few findings are pretty small, I fixed them already in a PR.

• [x] #140 TRG 1.01: Readme lacks information about policy hub
• [x] #144 TRG 5.02: Prerequisites missing in helm README
• [x] #141 TRG 1.02 / 5.07: Documentation misses dependency update
• [x] #142 TRG 7.02: Missing license headers on a few files
• [x] #143 TRG 7.05: Docker image must contain distribution information

Recommendations

• The repository's documentation files are inconsistently named in terms of space( ), dash(-), underscore (_). Please refactor the naming in the future because you currently can't link to files with spaces in the filename.
• The helm chart's values file has a few application specific settings I can understand, but for which a short documentation may be beneficial (e.g. potential settings in logging if applicable): idp, dbConnection, dotnetEnvironment, policyhubmigrations.seeding and logging
• Add CI workflow for QGate Checks (included in PR mentioned above)
• For TRG 4.03 a uid and group user is used I don't know. Following the documentation of the asp.net image, you could use the user app with 1654:1654 since version 8 (that you use). I would go for it :)

[evegufy]

Hi @tom-rm-meyer-ISST Thank you for performing the thorough review and especially for opening #145! Regarding the findings: I've already commented some of the issues and I think only https://github.com/eclipse-tractusx/policy-hub/issues/142 is remaining, that one I'll implement today or tomorrow. Regarding the Dash Tool: I'll just change to downloading at every run, I had that anyway on my TODO list but due to time constraints, I wasn't able to come around to. Regarding the recommendations: thank you for the input and we might look into those in the future. Just letting you know that it's possible to link to files with spaces in the file name by using %20: https://github.com/eclipse-tractusx/policy-hub/blob/main/docs/technical-documentation/architecture/Development%20Concept.md

[evegufy]

Hi @tom-rm-meyer-ISST the repo is ready for review Hi @RoKrish14 could you please take over the security checks?

Hi @RoKrish14 could you please take over the security checks and leave a comment on the following issue as well https://github.com/eclipse-tractusx/sig-release/issues/672? Thank you!

[tom-rm-meyer-ISST]

Hi @tom-rm-meyer-ISST Thank you for performing the thorough review and especially for opening #145! Regarding the findings: I've already commented some of the issues and I think only #142 is remaining, that one I'll implement today or tomorrow. Regarding the Dash Tool: I'll just change to downloading at every run, I had that anyway on my TODO list but due to time constraints, I wasn't able to come around to. Regarding the recommendations: thank you for the input and we might look into those in the future. Just letting you know that it's possible to link to files with spaces in the file name by using %20: https://github.com/eclipse-tractusx/policy-hub/blob/main/docs/technical-documentation/architecture/Development%20Concept.md

Thanks for the fast answers and clarifications! Also thanks for pointing out the encoding of spaces. Didn't think about that! :)

[RoKrish14]

Hi @tom-rm-meyer-ISST the repo is ready for review Hi @RoKrish14 could you please take over the security checks?

Hi @RoKrish14 could you please take over the security checks and leave a comment on the following issue as well eclipse-tractusx/sig-release#672? Thank you!

Done 👍

[RoKrish14]

Hi @tom-rm-meyer-ISST the repo is ready for review Hi @RoKrish14 could you please take over the security checks?

Also done 👍

[tom-rm-meyer-ISST]

Finally walked through closed issues and PRs. Everything fine from my perspective. Some issues were false positive, recommendations and discussion points are already resolved. Thanks for collaborating; it was fun!

[evegufy]

Finally walked through closed issues and PRs. Everything fine from my perspective. Some issues were false positive, recommendations and discussion points are already resolved. Thanks for collaborating; it was fun!

Thank you for the great review! The final version is released now: https://github.com/eclipse-tractusx/policy-hub/releases/tag/policy-hub-1.0.0