R24.03 Discovery Service (BPN Finder) - Release Checks

[kelaja]

Release Info

Please provide information on what you want to be included in the Eclipse Tractus-X release. If you are not owner of this issue, please provide the information as comment to the issue.

Version to be included in Eclipse Tractus-X release: Helm Chart Version: 0.1.18 App Version: 0.2.8

Leading product repository: https://github.com/eclipse-tractusx/sldt-bpn-discovery

Compliance Verifications

This issue tracks all compliance related checks, that need to be performed for a product release in Eclipse Tractus-X.

• [x] Gaia-X compliance confirmed
• [x] GDPR compliance confirmed (personal data, data protection + privacy DPP)
• [x] Interoperability checks performed
• [x] Data Sovereignty checks performed
• [x] Compliant with relevant published CX Standards (see the Catena-X standard library)

Documentation

• [x] Arc24 documentation up-to-date
• [x] Administrators Guide up-to-date
• [x] End-User manual up-to-date
• [x] Interface documentation up-to-date

Security Checks

• [x] Thread Modelling Analysis passed
• [x] Static Application Security Testing (SAST) scans passed
• [x] Dynamic Application Security Testing (DAST) tests passed
• [x] Secret Scans passed
• [x] Software Composition Analysis (SCA) passed
• [x] Container Scans passed
• [x] Infrastructure as Code (IaC) scans passed

General Checks

• [x] Tractus-X Release Guidelines fulfilled https://github.com/eclipse-tractusx/sldt-bpn-discovery/issues/109
• [x] Compliant with the Style Guide

Test Results

• [x] E2E Integration Test passed
• [x] User Journey approved

Helpful Links

• Eclipse Tractus-X openAPI specs on SwaggerHub
• Catena-X standard library

[tunacicek]

Gaia-X compliance: @kelaja : No changes since Release 23.12 -> Could you please tick this checkbox? Gaia-X compliance is not relevant for the Discovery Finder.

[tunacicek]

Release Mangement

GDPR compliance: No changes since Release 23.12 Catena-X.GDPR.Declaration.and.Requirements_V2024.03_BPN.Discovery.xlsx

[tunacicek]

Interoperability Check: Interoperability was ensured to Release 23.12. Since then no changes have been made. @kelaja : Could you please tick this checkbox?

[tunacicek]

Data Sovereignty Check: @vialkoje : Could you please tick this checkbox? No significant changes since Release 23.12.

[tunacicek]

Verification of foreseen CX Standards: @thomas-henn : Could you please confirm? See also previous task for R23.12: https://github.com/eclipse-tractusx/sig-release/issues/121

[tunacicek]

Documentation

• [ ] Arc42 MD files for arc42-documentation in Tractus-X repo: https://github.com/eclipse-tractusx/sldt-bpn-discovery/tree/main/docs

• [ ] Administrator`s Guide (User assistance): MD files in Tractus-X repo: https://github.com/eclipse-tractusx/sldt-bpn-discovery/blob/main/README.md

• [ ] End-User Manual (User assistance): End-user of the services is the developer who uses the API endpoints. Hence the swagger-ui of the service serves as the documentation. https://semantics.int.demo.catena-x.net/bpndiscovery/swagger-ui/index.html Also there is a detailed documentation available: https://github.com/eclipse-tractusx/sldt-bpn-discovery/tree/main/docs

• [ ] Interfaces Documentation: Link to swagger UI documentation: https://semantics.int.demo.catena-x.net/bpndiscovery/swagger-ui/index.html

@vialkoje : Could you please check and approve the checkboxes?

[tunacicek]

Security Checks- Thread Modelling Analysis: No changes since Release 23.12. See also Security Assessment diagram: https://github.com/eclipse-tractusx/sldt-bpn-discovery/blob/main/docs/documentation.md#:~:text=Security-,Assessment,-Data%20Flow%20Diagram

@guenterban : Could you please check and approve it?

[tunacicek]

User Journey : @thomas-henn : Could you please confirm? See also previous task for R23.12: https://github.com/eclipse-tractusx/sig-release/issues/124

[tunacicek]

Compliant with the Style Guide: N/A → no User Interface / no Frontend for this Service

@jjeroch : Could you please check and approve it?

[thomas-henn]

Verification of foreseen CX Standards: @thomas-henn : Could you please confirm? See also previous task for R23.12: #121

Yes, BPN Discovery Service is compliant with relevant published CX Standards.

[thomas-henn]

User Journey : @thomas-henn : Could you please confirm? See also previous task for R23.12: #124

Yes, user journey of BPN Discovery is aligned along with e.g. Digital Twin Registry, Discovery Finder and Semantic Hub.

[tunacicek]

Security Checks - Dynamic Application Security Testing (DAST): Invicti scan has been made - the results can be seen here: https://www.netsparkercloud.com/scans/report/87f6d8d3119b4e596344b111023574bc/

@PiotrStys : Could you please review and approved it?

[PiotrStys]

@tunacicek, results approved with a side note to validate the current DAST findings. Thank you.

[tunacicek]

Security Check- Secret scanning:

Secret Scanning (gitleaks) is activated and available: https://github.com/eclipse-tractusx/sldt-bpn-discovery/actions/workflows/gitleaks.yml

@DnlZF Could you please review and approved it?

[tunacicek]

Security Checks - Static Application Security Testing (SAST): Please see the results here: https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsAllFlaws:47240:1739413:32851550:32821208:32836858::5382788

@BANANAS1337 : Could you please review and approved it?

[tunacicek]

Security Checks - Software Composition Analysis (SCA): https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1739413:32851550:32821208:32836858:::::5382788: @BANANAS1337 : Could you please review and approved it?

[tunacicek]

Security Checks - nfrastructure as Code https://github.com/eclipse-tractusx/sldt-bpn-discovery/actions/workflows/kics.yml @RoKrish14 : Could you please review and approved it?

[tunacicek]

Test Results - E2E Integration Test Tests done: See result here: https://jira.catena-x.net/browse/CXSOLUTION-489

[RoKrish14]

@tunacicek : As discussed-

SAST: Approved SCA: Approved IAC: Approved Secret Scanning: Approved

[jjeroch]

Compliant with the Style Guide: N/A → no User Interface / no Frontend for this Service

@jjeroch : Could you please check and approve it?

confirmed

[vialkoje]

Expert Approval granted for Documentation and data sovereignty.

[DirkBTSI]

INT test performed/documented. E2E test performed/documented. No high defect. TM approved @kelaja : please approve for "E2E Integration Test passed"

[RolaH1t]

Open: InterOP ThreatModeling & Container Scans TRG QG approval postponed until topics addressed / no follow-up mtg required.

[RoKrish14]

Discussed with @tunacicek Container Scans: Approved

[szymonkowalczykzf]

Security Assessment Process (Threat Modeling Analysis) approved.

No significant changes detected since last release (23.12). No open critical & high finding remaining for this release.

Documentation of the assessment will be moved out to the GitHub repositories of the Products before the next release.

[HiHenrik]

According to team no interoperability relevant changes for this release, therefore expert approval granted for interoperability

[FaGru3n]

Hi all are these the proper information for the QG-Checks?

Product Owner: @bs-sili Dev SPOC: @tunacicek Helm Chart Version: 0.2.3 App Version: 0.2.8

Issue created https://github.com/eclipse-tractusx/sldt-bpn-discovery/issues/109

[FaGru3n]

QG checks done.

[RolaH1t]

QG4 approval granted. Congrats!