Closed kelaja closed 7 months ago
Hello @vialkoje
Documentation:
- Docu
- Arc42 documentation
- Administrators Guide
- End-User manual
- Interface documentation
Thank you very much Martin
@kelaja please update the status based on the following information:
[ ] GDPR compliance confirmed - There is no change since release 23.12 regarding the processing and storing of GDPR-related data (personal data, data protection + privacy, DPP). For this reason, the approval of the User Journey is based on the approval given by the GDPR experts for R23.12.
fyi @jzbmw
@wjost, kindly ask for your approval regarding Gaia-X compliance. There are no changes between 24.3 and already approved version 23.12. Thank you very much Martin
For Release R24.03 we do not support the Targus release on GXDCH. Hence "Gaia-X compliance" is still on the level of R23.12. I confirm this release is GAIA-X compliant.
Preparation for Business Hour 19.2.2024 17:30 - 18:15. Participants: @jzbmw & @mkanal. https://confluence.catena-x.net/display/PL/2024-02-12+InterOp+for+TraceX+and+IRS
@pablosec @scherersebastian There are no relevant changes in either product compared to R23.12. For this reason, we would like to request the release of the QGC "Threat Modelling Analysis passed" based on the R23.12 release.
@vialkoje @cwBMW Data Sovereignty Guardrails for Release 24-03, referring to the QG or Q-Gate Criteria of Release 23-12. As Trace-X has an approval of the Data Sov Guardrails for R23.12, this approval might be valid for R24.3 as well. The Trace-X team participates in the Data Sov Weekly on Monday 19.2 to discuss the Data Sov of the product. Kindly ask for approval of Data Sovereignty.
Date: 14.2.2024
@BANANAS1337 @RoKrish14
[x] @ds-mmaul Please add mitigation comment for 3 medium findings
[x] code must be scanned weekly with Veracode tool
[x] medium risks require mitigation statement @ds-mmaul
[x] only medium findings
@DnlZF
@klaudiaZF @ZFLokesh @RoKrish14 @Tim.herres Dependencies must be scanned with the Veracode tool regarding vulnerabilities.
@RoKrish14
[ ] https://github.com/eclipse-tractusx/traceability-foss/security/code-scanning/4430
@RoKrish14
Findings UI/UX
- update icon used for "Queued & Requested" Quality Investigations. Suggested Icon (Material UI):
QUALITY INVESTIGATIONS table
- same as the bullet points above also applies for QUALITY ALERTS
- used colors unclear - please recheck
- Navigation: please use checkboxes for such navigations where multiple selects are possible. The currently used element is a single select element
- Overlay implementation does not follow the guidelines of cx
- User Infos: "createAlert" tooltip info unclear
- User direction - why does clicking "closed" on the right hand side result in such an overlay of investigation closure? Unclear
Functional Request: Where can I find the details of the policies? I do not understand those policy details
Date: 14.2.2024
Static Application Security Testing (SAST) scans passed
[x] @ds-mmaul Please add mitigation comment for 3 medium findings in frontend
[x] code must be scanned weekly with Veracode tool
[x] medium risks require mitigation statement @ds-mmaul
[x] only medium findings
Dynamic Application Security Testing (DAST) tests passed
Backend
Secret Scans passed
Software Composition Analysis (SCA) passed
VeraCode
Dependencies must be scanned with the Veracode tool regarding vulnerabilities
- [x] no high findings
Container Scans passed
- Trivy https://github.com/eclipse-tractusx/traceability-foss/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3ATrivy
- [ ] openssl: Incorrect cipher key and IV length processing
- [ ] expat: parsing large tokens can trigger a denial of service
- [ ] openssl: Incorrect cipher key and IV length processing
Infrastructure as Code (IaC) scans passed
proposed mitigation for all three medium findings
Issues to address the UUX Feedback were created. You can find them with the "uux" label in our project
SCA: Approved
SAST: Approved
My first round of checks has been completed here. I've opened 2 small issues that need fixing before I approve the QG.
Expert Approval granted - documents existing and looking consistent
INT test performed/documented. E2E test performed/documented. No high defect. TM approved. @kelaja: please approve for "E2E Integration Test passed"
As the PO, I assure that in this minor release there have not been changes regarding interoperability compared to an earlier version.
Secret scans: pending, 2 minor findings wrt TRGs.
StyleGuide findings must be rated (critical?).
QG approval postponed until those topics are addressed.
Hello @DnlZF could you please approve the secrets scanning for product Trace-X. Thank you very much, Martin
Secret scans: approved
Findings UI/UX
- update icon used for "Queued & Requested" Quality Investigations. Suggested Icon (Material UI):
QUALITY INVESTIGATIONS table
- missing frame on right and left side
- button "view all" is unclear - I can see nowhere how many records are even available - please add the information on the number of records somewhere
- button "view all" is also displayed if the table has "0" records; in this case I suggest disabling the button/option
- same as the bullet points above also applies for QUALITY ALERTS
- used colors unclear - please recheck
- Navigation: please use checkboxes for such navigations where multiple selects are possible. The currently used element is a single select element
- Overlay implementation does not follow the guidelines of cx
- User Infos: "createAlert" tooltip info unclear
- User direction - why does clicking "closed" on the right hand side result in such an overlay of investigation closure? Unclear
Functional Request: Where can I find the details of the policies? I do not understand those policy details
The Frontend findings will be refactored with the Release 24.05. With the major release we plan to implement further bigger frontend changes.
I'm done with the QG checks, all issues have been fixed, I approve it.
Hello @jjeroch, the complete feedback is covered in PBIs: https://github.com/orgs/eclipse-tractusx/projects/45/views/1?filterQuery=label%3Auux Thank you very much, Martin
Security Assessment Process (Threat Modeling Analysis) approved.
No significant changes detected since last release. No open critical & high finding remaining for this release.
Documentation of the assessment will be moved out to the GitHub repositories of the Products before the next release.
DAST: Approved
For the approvals below, based on discussion with @ds-mmaul and @ds-mwesener:
- Container Scans: Approved
- IAC: Approved
@mkanal , @jzbmw , @jjeroch what is your conclusion on StyleGuide pls? All other Q-criteria are passed.
Based on Johannes' comment above, provisional approval was granted. In release 24.05, the review MUST be scheduled earlier and findings must be fixed in time.
Pre-conditions all fulfilled; QG approval granted! Congrats!
Release Info
Please provide information on what you want to be included in the Eclipse Tractus-X release. If you are not the owner of this issue, please provide the information as a comment on the issue.
Version to be included in Eclipse Tractus-X release:
Helm Chart Version: 1.3.28
App Version: 10.3.0
Leading product repository:
Compliance Verifications
This issue tracks all compliance-related checks that need to be performed for a product release in Eclipse Tractus-X.
Documentation
Security Checks
General Checks
Test Results
Helpful Links