R24.03 Catena-X Portal - Release Checks

[kelaja]

Release Info

Please provide information on what you want to be included in the Eclipse Tractus-X release. If you are not owner of this issue, please provide the information as comment to the issue.

Version to be included in Eclipse Tractus-X release: 1.8.0

Portal:

• Portal Chart: portal-1.8.0
• Portal Frontend: v1.8.0
• Portal Backend: v1.8.0
• Portal Assets: v1.8.0
• Portal Frontend Registration: v1.6.0

IAM:

• CentralIdP: 2.1.0
• SharedIdP: 2.1.0

Leading product repository: https://github.com/eclipse-tractusx/portal

Compliance Verifications

This issue tracks all compliance related checks, that need to be performed for a product release in Eclipse Tractus-X.

• [x] Gaia-X compliance confirmed
• [x] GDPR compliance confirmed (personal data, data protection + privacy DPP)
• [x] Interoperability checks performed
• [x] Data Sovereignty checks performed https://github.com/eclipse-tractusx/sig-release/issues/499#issuecomment-1961635593
• [x] Compliant with relevant published CX Standards (see the Catena-X standard library)

Documentation

• [x] Arc24 documentation up-to-date
• [x] Administrators Guide up-to-date
• [x] End-User manual up-to-date
• [x] Interface documentation up-to-date

https://github.com/eclipse-tractusx/sig-release/issues/499#issuecomment-1961635593

Security Checks

• [x] Thread Modelling Analysis passed https://github.com/eclipse-tractusx/sig-security/issues/56
• [x] Static Application Security Testing (SAST) scans passed
• [x] Dynamic Application Security Testing (DAST) tests passed
• [x] Secret Scans passed
• [x] Software Composition Analysis (SCA) passed
• [x] Container Scans passed
• [x] Infrastructure as Code (IaC) scans passed

https://github.com/eclipse-tractusx/sig-release/issues/499#issuecomment-1970832097

General Checks

• [x] Tractus-X Release Guidelines fulfilled https://github.com/eclipse-tractusx/portal-cd/issues/203
• [x] Compliant with the Style Guide

Test Results

• [x] E2E Integration Test passed https://github.com/eclipse-tractusx/sig-release/issues/499#issuecomment-1948514961
• [x] User Journey approved

Helpful Links

• Eclipse Tractus-X openAPI specs on SwaggerHub
• Catena-X standard library

[evegufy]

added preliminary release info (version still in release candidate / e2e-testing phase)

[jjeroch]

@kelaja please update the status based on the following information:

• ACC "Compliant with the Style Guide" approved. Please update the ticket by clicking on the checkmark below "General Checks"
• Same applies for "User Journey approved" - user journey is approved. I am approving the journey since all user journeys and features are in my ownership. No separate BO existing.
• "GDPR compliance confirmed" - approved as well. The validation as per the previous releases is still valid. Reason: we had already the highest GDPR impact and coverage was approved by the GDPR validation team

Ongoing:

• Data Sovereignty
• Gaia-X

[wjost]

As agreed for R24.3 nothing will be changed. CX is still sticking to pre targus release. I confirm this solution is still GX compliant.

[ThomasObermeyer]

Interoperability check has already been done in last release; still valid - since there are no major architecture changes.

[evegufy]

@guenterban @RoKrish14 could you please perform the security checks?

[szymonkowalczykzf]

Security Assessment Process (Threat Modeling Analysis) approved.

Re-assessment was done on Tuesday 13th Feb 2024. No open findings remains. Documentation of the assessment will be updated in the Portal docs repo soon.

[BANANAS1337]

SCA: Approved SAST: Approved

[evegufy]

@guenterban @RoKrish14 could you please perform the security checks?

Please check the following scans or tools:

• SAST --> Veracode
• DAST --> Invicti
• Secret Scans --> Gitguardian
• SCA --> Veracode, Snyk
• Container Scans --> Trivy
• Infrastructure as Code (IaC) --> KICS

And please let me know if you need additional information. I've checked and as your anyway checking the state yourself, I'm not very keen on posting here screenshots of the security scans.

[RoKrish14]

DAST: Approved Secret Scans : Approved Infrastructure as Code (IaC): Approved

[vialkoje]

could you please add the links to the documentation documents to check ?

Arc24 documentation Administrators Guide End-User manual Interface documentation

[DirkBTSI]

INT test not performed/not documented. E2E test performed/documented. Three (3) high defect. TM not approved

Update 2024-03-04: Three (3) high defects - solved in meantime. TM approved @kelaja : please approve for "E2E Integration Test passed"

[jjeroch]

could you please add the links to the documentation documents to check ?

Arc24 documentation Administrators Guide End-User manual Interface documentation

@vialkoje we shared those last week wednesday via mail

System Docu
https://github.com/catenax-ng/tx-portal-assets/tree/main/docs

Helm Chart Docu
https://github.com/eclipse-tractusx/portal-cd/blob/main/charts/portal/README.md

Ticket in welchem du bitte schriftlich ein „ok“ dalassen musst.
https://github.com/eclipse-tractusx/sig-release/issues/499

[jjeroch]

Data Sovereignty checks performed - successful

[jjeroch]

Compliant with relevant published CX Standards => agreed

[RolaH1t]

Compliant with relevant published CX Standards => agreed

thx

[RolaH1t]

Data Sovereignty checks performed - successful

can you pls add any evidence (like screenshot etc)?!

[RolaH1t]

Data Sovereignty 4x Documentation SEC: Container Scans TRGs (due to final version) Test Mgmt approval pending closure of final test cases. Code update expected => therefore SEC scans need to be re-confirmed based on final code version. QG approval postponed.

[RoKrish14]

Container Scans: Approved

[vialkoje]

Documentation existing and looking consistent. No specific sovereignty requirements for 24.03 expert approval granted. Please add links to docs to the ticket next time and consider QGate criteria sovereignty for 24.05 !

[evegufy]

@SebastianBezold @FaGru3n could you please check the TRGs?

[evegufy]

@RoKrish14 could you please perform the security checks again?:

• SAST --> Veracode
• DAST --> Invicti
• Secret Scans --> Gitguardian
• SCA --> Veracode, Snyk
• Container Scans --> Trivy
• Infrastructure as Code (IaC) --> KICS

Just ping once you want you check the security tab. Thank you!

[evegufy]

@SebastianBezold @FaGru3n could you please check the TRGs?

FYI, I created https://github.com/eclipse-tractusx/portal-cd/issues/203

[RoKrish14]

Following re-request from @evegufy :

SCA: Approved SAST: Approved Secret Scans: Approved DAST: Approved Container Scans: Approved IAC: Approved

[RolaH1t]

@SebastianBezold with @FaGru3n on vacation this week, pls prioritize the completion of this TRG issue by 06-Mar latest, as we are approaching the March Release milestone on Friday. Thx, Roland

[SebastianBezold]

Hi @RolaH1t,

the TRG checks are done. There is one issue, violating a TRG. See eclipse-tractusx/portal#207. The team does not want to fix it for this release. See the specific issue comment So i'll close the TRG QG issue from my side and leave it up to you to decide, if it has to be fixed or if it can wait for next release

[evegufy]

Hi @RolaH1t see clarification, severity-wise this is not at all a topic which needs to be forced into the release.

[evegufy]

@Siegfriedk for writing the changelog: those are the final released versions for 24.03:

Final 24.03 versions

Portal

Portal Chart: portal-1.8.0

Portal Frontend: v1.8.0

Portal Backend: v1.8.0

Portal Assets: v1.8.0

Portal Frontend Registration: v1.6.0

IAM

CentralIdP: centralidp-2.1.0

SharedIdP: sharedidp-2.1.0

[RolaH1t]

all pre-conditions fulfilled => QG approval granted! Congrats ;-)