R24.03 Managed Service Orchestrator - Release Checks

[kelaja]

Release Info

Please provide information on what you want to be included in the Eclipse Tractus-X release. If you are not owner of this issue, please provide the information as comment to the issue.

Version to be included in Eclipse Tractus-X release: version placeholder

Leading product repository: repository link

Compliance Verifications

This issue tracks all compliance related checks, that need to be performed for a product release in Eclipse Tractus-X.

• [x] Gaia-X compliance confirmed
• [x] GDPR compliance confirmed (personal data, data protection + privacy DPP)
• [x] Interoperability checks performed
• [x] Data Sovereignty checks performed
• [x] Compliant with relevant published CX Standards (see the Catena-X standard library)

Documentation

• [x] Arc24 documentation up-to-date
• [x] Administrators Guide up-to-date
• [x] End-User manual up-to-date
• [x] Interface documentation up-to-date

Security Checks

• [x] Thread Modelling Analysis passed
• [x] Static Application Security Testing (SAST) scans passed
• [x] Dynamic Application Security Testing (DAST) tests passed
• [x] Secret Scans passed
• [x] Software Composition Analysis (SCA) passed
• [x] Container Scans passed
• [x] Infrastructure as Code (IaC) scans passed

General Checks

• [x] Tractus-X Release Guidelines fulfilled https://github.com/eclipse-tractusx/managed-service-orchestrator/issues/103
• [x] Compliant with the Style Guide

Test Results

• [x] E2E Integration Test passed
• [x] User Journey approved

Helpful Links

• Eclipse Tractus-X openAPI specs on SwaggerHub
• Catena-X standard library

[ciprianherciu]

Compliance Verifications Data Sovereignty: There are no changes from last release regarding the data Sovereignty for managed service Orchestrator. Approval of Standards: There is no changes since R3.2. Managed Service Orchastror does not define any standard. It is only using the existing standard. The tests show that we are compatible with the current standards. GPDR and Gaia-X: there are no changes regarding GPDR and Gaia-X Data Interoperability check: Not applicable

Test Results Internal Integration tests: A1IDSES-1536 Managed Service Orchestrator - Integration Testing with Portal: A1IDSES-1534

[sharathshivprasad]

Security Checks

Threat modelling Document:
https://confluence.catena-x.net/display/cxsecurity/Security+Assessment+-+Auto+Setup+API Static Application Security Testing (SAST): Latest Veracode report: https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsResultSummary:47240:1550110:33047817:33017393:33033043:4910813 DetailedReport_DFT_AutoSetup_18_Feb_2024.pdf

Dynamic Application Security Testing: Latest Invicti report : https://www.netsparkercloud.com/scans/report/a47fc6c147074d7e1dedb11b01aaf696/ Secret scanning and SCA: Latest veracode report uploaded above, please check git guardian from your side and approve. Container Scan conducted: Latest Trivy Scan Report: https://github.com/eclipse-tractusx/managed-service-orchestrator/actions/workflows/trivy.yml Infrastructure as Code: Latest KICS report: https://github.com/eclipse-tractusx/managed-service-orchestrator/actions/workflows/kics.yml

[galyshann]

@RoKrish14 Security scans looks good from our side (check previous comment), Could you please review and approve?

[sharathshivprasad]

Documentation

source code:
Latest release - https://github.com/eclipse-tractusx/managed-service-orchestrator/releases/tag/managed-service-orchestrator-1.5.3

Architecture Documents:
ARC 42 link - https://github.com/eclipse-tractusx/managed-service-orchestrator/blob/managed-service-orchestrator-1.5.3/docs/ARC42.md

Administrator`s Guide (User assistance):
Readme Link - https://github.com/eclipse-tractusx/managed-service-orchestrator/blob/managed-service-orchestrator-1.5.3/README.md


install.md link - https://github.com/eclipse-tractusx/managed-service-orchestrator/blob/managed-service-orchestrator-1.5.3/INSTALL.md

End-User Manual:
ARC 42 link - https://github.com/eclipse-tractusx/managed-service-orchestrator/blob/managed-service-orchestrator-1.5.3/docs/ARC42.md


Readme link - https://github.com/eclipse-tractusx/managed-service-orchestrator/blob/managed-service-orchestrator-1.5.3/README.md

Interfaces Documentation:
OpenAPI spec is available in the repository at - https://github.com/eclipse-tractusx/managed-service-orchestrator/blob/managed-service-orchestrator-1.5.3/docs/autosetup-api.yaml UX consistency:
Not Applicable

[DnlZF]

Secret Scans: Approved

[szymonkowalczykzf]

Security Assessment Process (Threat Modeling Analysis) approved.

No significant changes detected since last release. No open critical & high finding remaining for this release.

Documentation of the assessment will be moved out to the GitHub repositories of the Products before the next release.

[ciprianherciu]

@vialkoje Please approve the Data Sovereignty and documentation

[ciprianherciu]

@HiHenrik please approve interoperability. Last time it was agreed with @RolaH1t we do not need the interoperability check: https://github.com/eclipse-tractusx/sig-release/issues/81

[ciprianherciu]

@RoKrish14 please approve the security Checks

[RoKrish14]

SAST: Approved SCA: Approved DAST: Approved IAC: Approved

Pending- Container scans

[RolaH1t]

QG review comments: InterOP ok; StyleGuide not applicable @DirkBTSI pls confirm E2E test approval additional completed items will be documented by @RolaH1t 21-Feb

[ciprianherciu]

For User Journey, no changes from last releases

[DirkBTSI]

INT test performed/documented. E2E test performed/documented. No high defect. TM approved @kelaja : please approve for "E2E Integration Test passed"

[RoKrish14]

SAST: Approved SCA: Approved DAST: Approved Container scan: Approved IAC: Approved

[ciprianherciu]

@RolaH1t Container scans are passed. Open Topics:

• [x] - Documentation
• [x] - Data Sov
• [x] - Tractus-X Release Guidelines

[SebastianBezold]

HI @ciprianherciu,

just to make sure: i did not find any version information in this issue. Are you planning to use the latest release in your repo to be included in the Tractus-X release? This would be 1.5.3 as App and Chart version. If this is the correct one, I would ask you @kelaja to add that to the initial issue description

[ciprianherciu]

@SebastianBezold yes, the version 1.5.3 should be reviewed

[ciprianherciu]

@vialkoje Please approve the Data Sovereignty and documentation

[SebastianBezold]

Hi @ciprianherciu,

the TRG checks are done, but there was one issue already open, asking for better guidance on installation and quick-start. See eclipse-tractusx/managed-service-orchestrator#98 I think "outside" feedback is better than what I could ever provide on this topic, so I think it's highly valuable and would ask your team to address that, before I set the TRG checks to closed

[vialkoje]

Links for documentation are defective and do not work ! Please correct and make sure you provide appropriate links everywhere pointing to documentations.

Nevertheless the Documents exist after trying to find them manually. content is looking appropriate - Expert approval granted.

Requirements for data sovereignty unchanged. Expert approval granted. please consider the data sovereignty QG-requirements for 24.05.

[ciprianherciu]

Hi @SebastianBezold, the PR in regards with the installation guide and quick-start is open. In order to be able to close the QG ticket, could You please review it and let us know if there is something else that we need to do?

Thank You, Best regards, Ciprian Herciu

[SebastianBezold]

Hi @ciprianherciu,

since the missing install docs was actually mentioned by someone else, I would wait for feedback, if the new instructions do help. Otherwise I would leave it to release management @kelaja and @RolaH1t, if we will close the QG and work on this docs later on

[ciprianherciu]

Hi @SebastianBezold @kelaja @RolaH1t , In order to close the QG 4 for MSO, we need the TRG to be approved. In Order to get it approved, the condition was to update the installation guide and the quick start as requested here: https://github.com/eclipse-tractusx/managed-service-orchestrator/issues/98.

The updates were made, we have added a comment to @awellnitz-materna, to get it approved but no answer yet.

Since the QG is almost at the end, please let us know how can we get this ticket approved.

Thank You, Ciprian Herciu

[SebastianBezold]

Installation guide has been improved further, so the last open release guideline issue has been resolved.

[ciprianherciu]

@kelaja and @RolaH1t TRG approved. QG Ticket can be closed

[RolaH1t]

Congrats: all pre-conditions now fulfilled. QG approval granted!

[Siegfriedk]

@ciprianherciu i can't find the helm chart for 1.5.3/1.5.3 only 1.5.3/1.5.2:

tractusx-dev/managed-service-orchestrator 1.5.3 1.5.2

I also would like to highlight the postgresql issue: its 14 and not 15

@RolaH1t FYI

[RolaH1t]

final conclusion: TRG 5.07 violated (postgresql DB version 14.x) but successfully tested. this is covered in overall release note 24.03 QG closed with these conditions.

[Siegfriedk]

@RolaH1t i'm still missing the helm chart version @ciprianherciu !

[ciprianherciu]

@Siegfriedk The release version for 1.5.3 can be found here:

• https://github.com/eclipse-tractusx/managed-service-orchestrator/releases/tag/v1.5.3

  The changes which were done in regards with the documentation were release in the version 1.5.4 yesterday and this version will be deployed for 24.03

  • https://github.com/eclipse-tractusx/managed-service-orchestrator/releases/tag/v1.5.4

[Siegfriedk]

@ciprianherciu is it now 1.5.3 or 1.5.4?

I do see a helm chart with 1.5.4/1.5.4 ich kan reference that one

[ciprianherciu]

@Siegfriedk it is 1.5.4 since it was requested to change a documentation in order to get the TRG approval.

Please reference that