R24.03 Policy Hub / Certificate Hub - Release Checks

[kelaja]

Release Info

Please provide information on what you want to be included in the Eclipse Tractus-X release. If you are not owner of this issue, please provide the information as comment to the issue.

Version to be included in Eclipse Tractus-X release: 0.1.0 Leading product repository: https://github.com/eclipse-tractusx/policy-hub

Compliance Verifications

This issue tracks all compliance related checks, that need to be performed for a product release in Eclipse Tractus-X.

• [x] Gaia-X compliance confirmed (not aplicable)
• [x] GDPR compliance confirmed (personal data, data protection + privacy DPP)
• [x] Interoperability checks performed https://github.com/eclipse-tractusx/sig-release/issues/504#issuecomment-1971007283
• [x] Data Sovereignty checks performed https://github.com/eclipse-tractusx/sig-release/issues/504#issuecomment-1961701620
• [x] Compliant with relevant published CX Standards (see the Catena-X standard library)

Documentation

• [x] Arc24 documentation up-to-date
• [x] Administrators Guide up-to-date
• [x] End-User manual up-to-date
• [x] Interface documentation up-to-date

https://github.com/eclipse-tractusx/sig-release/issues/504#issuecomment-1961701620

Security Checks

• [x] Thread Modelling Analysis passed https://github.com/eclipse-tractusx/sig-security/issues/56 https://github.com/eclipse-tractusx/sig-release/issues/504#issuecomment-1953803527
• [x] Static Application Security Testing (SAST) scans passed
• [x] Dynamic Application Security Testing (DAST) tests passed
• [x] Secret Scans passed
• [x] Software Composition Analysis (SCA) passed
• [x] Container Scans passed https://github.com/eclipse-tractusx/sig-release/issues/504#issuecomment-1953850866
• [x] Infrastructure as Code (IaC) scans passed

General Checks

• [x] Tractus-X Release Guidelines fulfilled eclipse-tractusx/policy-hub/issues/46
• [x] Compliant with the Style Guide

Test Results

• [x] E2E Integration Test passed
• [x] User Journey approved

Helpful Links

• Eclipse Tractus-X openAPI specs on SwaggerHub
• Catena-X standard library

[evegufy]

added preliminary release info (version still in release candidate / e2e-testing phase)

[jjeroch]

@kelaja please update the status based on the following information:

• ACC "Compliant with the Style Guide" approved. Please update the ticket by clicking on the checkmark below "General Checks"
• Same applies for "User Journey approved" - user journey is approved. I am approving the journey since all user journeys and features are in my ownership. No separate BO existing.
• "GDPR compliance confirmed" - this is a registry like semantic hub, no personal data usage

Ongoing:

• Data Sovereignty
• Gaia-X

[wjost]

These two components are only internal services not meant to share policies outside Catena-X. Hence not relevant for GAIA-X compliance.

[evegufy]

@guenterban @RoKrish14 could you please perform the security checks?

[evegufy]

@guenterban @RoKrish14 could you please perform the security checks?

Please check the following scans or tools:

• SAST --> CodeQL
• DAST --> OWASP ZAP
• Secret Scans --> Gitguardian
• SCA --> Snyk
• Container Scans --> Trivy
• Infrastructure as Code (IaC) --> KICS

And please let me know if you need additional information. I've checked and as your anyway checking the state yourself, I'm not very keen on posting here screenshots of the security scans.

[RoKrish14]

SAST: Approved SCA: Approved DAST: Approved Secret Scans: Approved Infrastructure as Code (IaC): Approved

[jjeroch]

@vialkoje we shared those last week Wednesday via mail

System Docu https://github.com/eclipse-tractusx/policy-hub/tree/main/docs/technical-documentation

Ticket in welchem du bitte schriftlich ein „ok“ dalassen musst. https://github.com/eclipse-tractusx/sig-release/issues/504

[jjeroch]

Data Sovereignty checks performed - successful

[jjeroch]

Compliant with relevant published CX Standards => agreed

[RolaH1t]

Data Sovereignty checks performed - successful

pls add relevant evidence here as well

[szymonkowalczykzf]

Threat Modeling (Security Assessment Process) - Approved The assessment was done on 13 & 16 February 2024.

There is no open critical & high findings.

Assessment documentation will be uploaded into the GitHub Repository of Policy-Hub in near future.

[RolaH1t]

QG postponed, due to InterOp DataSov & Docu ThreatModeling & Container Scans and TRGs

[RoKrish14]

@evegufy Container Scans: Approved

[vialkoje]

Documentation existing and looking consistent, Sovereignty requirements for 24.03 fulfilled. Expert Approval Granted.

Next release please add the Links to the ticket directly and consider the 24.05 Quality gate criteria ! have a good PI !

[carslen]

TRG check passed. Approval granted.

[RolaH1t]

Hi @evegufy (and @jjeroch ) what`s your plan to finalize Interoperability here? This is the only open item for the QG...

[ThomasObermeyer]

@kelaja Reviewed PolicyHub solution from a Interoperability perspective.

Conclusion: The solution is a helper tool that allows to create ODRL compliant policy description based on requester input. There are no interoperability requirements at this point in time that need to get met.

Approved from interoperability PoV for release 24.03

[evegufy]

Hi @evegufy (and @jjeroch ) what`s your plan to finalize Interoperability here? This is the only open item for the QG...

Hi @RolaH1t done https://github.com/eclipse-tractusx/sig-release/issues/504#issuecomment-1971007283

[RolaH1t]

all pre-conditions fullfilled QG approval granted Congrats

[evegufy]

@Siegfriedk for writing the changelog:

Final 24.03 version

Policy Hub: 0.1.0