R24.03 PURIS Release Checks

[kelaja]

Release Info

Please provide information on what you want to be included in the Eclipse Tractus-X release. If you are not owner of this issue, please provide the information as comment to the issue.

Version to be included in Eclipse Tractus-X release: 1.0.0

Leading product repository: eclipse-tractusx/puris

Compliance Verifications

This issue tracks all compliance related checks, that need to be performed for a product release in Eclipse Tractus-X.

• [x] Gaia-X compliance confirmed
• [x] GDPR compliance confirmed (personal data, data protection + privacy DPP)
• [x] Interoperability checks performed
• [x] Data Sovereignty checks performed
• [x] Compliant with relevant published CX Standards (see the Catena-X standard library)

Documentation

• [x] Arc24 documentation up-to-date
• [x] Administrators Guide up-to-date
• [x] End-User manual up-to-date
• [x] Interface documentation up-to-date

Security Checks

• [x] Thread Modelling Analysis passed
• [x] Static Application Security Testing (SAST) scans passed
• [x] Dynamic Application Security Testing (DAST) tests passed
• [x] Secret Scans passed
• [x] Software Composition Analysis (SCA) passed
• [x] Container Scans passed
• [x] Infrastructure as Code (IaC) scans passed

General Checks

• [x] Tractus-X Release Guidelines fulfilled https://github.com/eclipse-tractusx/puris/issues/257
• [x] Compliant with the Style Guide not applicable

Test Results

• [x] E2E Integration Test passed
• [x] User Journey approved

Helpful Links

• Eclipse Tractus-X openAPI specs on SwaggerHub
• Catena-X standard library

[tom-rm-meyer-ISST]

@kelaja I already inserted the version and repository in your initial statement. Release still needs to be created, but version number will be 1.0.0 for R24.03

[szymonkowalczykzf]

Security Assessment Process (Threat Modeling Analysis) approved.

Re-assessment was done on Friday 16th Feb 2024. No open critical & high findings remains. Documentation of the assessment will be uploaded to the PURIS docs repo soon.

[DirkBTSI]

INT test performed/documented. E2E test performed/documented. No high defect. TM approved @kelaja  : please approve for "E2E Integration Test passed"

[tom-rm-meyer-ISST]

@vialkoje Please approve the documentation. The changes requested in your mail, habe been incorporated.

This link will guide you to the documents.

Please also approve data sovereignty. We have a concept, and configuration instructions / hints.

[tom-rm-meyer-ISST]

@wjost, could you please check the GAIA-X compliance, as this is our first assessment?

[tom-rm-meyer-ISST]

@HiHenrik, could you please approve the interoperability? We had a session with Thomas on 2024-01-29 during office hour that can be found in confluence.

[tom-rm-meyer-ISST]

@RoKrish14 could we align on the remaining security items?

[tom-rm-meyer-ISST]

@jjeroch Could you please check the styleguide open points. You'll find all details in my email from 2024-02-16.

[RolaH1t]

QG review executed as per plan. Tom actively consolidating the outstanding items. Approval postponed until topics are addressed. Cross-check scheduled for 28-Feb

[tom-rm-meyer-ISST]

Catena-X GDPR Declaration and Requirements_V3_filled.xlsx @RolaH1t, @kelaja, please find attached my Excel for GDPR. Only points would be IP (commonly company or ISP IP) and a uuid that is logged for user authentication. I guess it's not GDPR relevant, isn't it?

[HiHenrik]

@HiHenrik, could you please approve the interoperability? We had a session with Thomas on 2024-01-29 during office hour that can be found in confluence.

Approved for interoperability as discussed in interop office hour

[rauschg]

Customer journey is approved by me as BO after review with @tom-rm-meyer-ISST was done this week.

[RoKrish14]

Was a plesaure @tom-rm-meyer-ISST

SAST: Approved SCA: Approved DAST: Approved Secret scans: Approved Container scans: Approved IAC: Approved

[jjeroch]

@tom-rm-meyer-ISST as discussed - the gateway criteria "Compliant with the Style Guide" is for this release descoped/not under review due to the time criticality which we are currently facing. It is known that the PURIS solution does not yet follow the CX-UI-style-guide and need to get urgently updated as part of 24.05. release.

Please highlight this information in the release approval as well as under your ChangeLog of the FE component under "Known Knowns" Let me know in case you need anything else.

Just a couple of statements as preparation of 24.05.:

• please check the "view edc catalog" implementation - I wonder if this would make much more sense if you connect to the dataspace discovery service to find edc urls based on provider/customer business partner numbers
• /transfers running on a 500 service error 🚩
• /negotiations page is empty - unclear for the user whats happening here - I suggest a "currently no negotiations existing" screen. Likely things like filters, search, etc will be useful
• application help missing
• grey/white input field usage incorrect implemented. Grey-out if no input is expected
• missing uder feedback if I "add" or "update" anything in the stock
• same as above applies for "Update partner stock"
• already pre-info for 24.05.: configuration for auto-negotiation required or a management board to run negotiations

[tom-rm-meyer-ISST]

@tom-rm-meyer-ISST as discussed - the gateway criteria "Compliant with the Style Guide" is for this release descoped/not under review due to the time criticality which we are currently facing. It is known that the PURIS solution does not yet follow the CX-UI-style-guide and need to get urgently updated as part of 24.05. release.

Please highlight this information in the release approval as well as under your ChangeLog of the FE component under "Known Knowns" Let me know in case you need anything else.

Just a couple of statements as preparation of 24.05.:

• please check the "view edc catalog" implementation - I wonder if this would make much more sense if you connect to the dataspace discovery service to find edc urls based on provider/customer business partner numbers
• /transfers running on a 500 service error 🚩
• /negotiations page is empty - unclear for the user whats happening here - I suggest a "currently no negotiations existing" screen. Likely things like filters, search, etc will be useful
• application help missing
• grey/white input field usage incorrect implemented. Grey-out if no input is expected
• missing uder feedback if I "add" or "update" anything in the stock
• same as above applies for "Update partner stock"
• already pre-info for 24.05.: configuration for auto-negotiation required or a management board to run negotiations

Already incorporated in Changelog and Release.

[tom-rm-meyer-ISST]

@wjost, could you please check the GAIA-X compliance, as this is our first assessment?

Friendly reminder: @wjost, could you please check the GAIA-X compliance, as this is our first assessment?

[vialkoje]

Documentation existing and well structured. Content is looking consistent. regarding Itnerface documentation - please consider providing also an OpenAPI documentation e.g. in Swagger HUB !

Expert Approval Granted for Documentation.

No changed requirements for data sovereignty - Expert Approval granted. Please consider Sovereignty QG-Requirements for release 24.05 !

[tomaszbarwicki]

QG checks completed: https://github.com/eclipse-tractusx/puris/issues/257

[wjost]

For GX-Compliance the ServiceOffering SD for the related EDC instances had to be provided from the associated participants/operators of the Puris node and the LegalPerson SD of the operator/participant. These SD will be provided by the Portal hence nothing more to be done for PURIS. Expert Approval granted for GX Compliance

[RolaH1t]

all pre-conditions now fulfilled QG approval granted Congrats!!!