QG checks (Release 24.12)

[evegufy]

QG checks

Please open and fill in this issue in your product repository to document the compliance with our Tractus-X Release Guideline (TRGs)

Show compliance with TRGs by referencing to a tagged link in the respective repository where possible, example: TRG 1.01 (see github.com/eclipse-tractusx/example-repo/tree/1.0.0/README.md)

Close this issue once the compliance with the TRGs has been documented

Committer(s): @Phil91 @evegufy @ntruchsess Helm Chart Version: 1.2.0 App Version: 1.2.0

Release Management Reference Issue: https://github.com/eclipse-tractusx/sig-release/issues/921

Check of Tractus-X Release Guidelines

• Currently implemented automatic checks can be found under your product on our Release Guidelines Checks Board
• This QG Check is depending on the mandatory information from our current Release Guidelines

TRG 1 Documentation

• [x] TRG 1.01 appropriate README.md
• [x] TRG 1.02 appropriate install instructions either INSTALL.md or in README.md
• [x] TRG 1.03 appropriate CHANGELOG.md
• [x] TRG 1.04 editable static files
• [x] TRG 1.05 architecture docs
• [x] TRG 1.06 administrator guide
• [x] TRG 1.07 user manual
• [x] TRG 1.08 open api docs

TRG 2 Git

• [x] TRG 2.01 default branch is named main
• [x] TRG 2.03 repository structure
• [x] TRG 2.04 leading product repository
• [x] TRG 2.05 .tractusx metafile in a proper format
• [x] TRG 2.06 Dependabot

TRG 3 Kubernetes

• [x] TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

TRG 4 Container

• [x] TRG 4.01 semantic versioning and tagging
• [x] TRG 4.02 base image is agreed
• [x] TRG 4.03 image has USER command and Non Root Container
• [x] TRG 4.05 released image must be placed in DockerHub, remove GHCR references
• [x] TRG 4.06 separate notice file for DockerHub has all necessary information
• [x] TRG 4.07 root file system is set to read access by default, but can be overwritten by the user

TRG 5 Helm

• [x] TRG 5.01 Helm chart requirements
• [x] TRG 5.02 Helm chart location in /charts directory and correct structure
• [x] TRG 5.03 proper version strategy
• [x] TRG 5.04 CPU / MEM resource requests and limits and are properly set
• [x] TRG 5.06 Application must be configurable through the Helm chart
• [x] TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
• [x] TRG 5.08 Product has a single deployable helm chart that contains all components
• [x] TRG 5.09 Helm Test running properly
• [x] TRG 5.10 Products need to support 3 versions at a time
• [x] TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

• [x] TRG 6.01 Released Helm Chart

TRG 7 Open Source Governance

• [x] TRG 7.01 Legal Documentation
• [x] TRG 7.02 License and copyright header
• [x] TRG 7.03 IP checks for project content
• [x] TRG 7.04 IP checks for 3rd party content
• [x] TRG 7.05 Legal information for distributions
• [x] TRG 7.06 Legal information for end user content
• [x] TRG 7.07 Legal notice for documentation (non-code)
• [x] TRG 7.08 Legal notice for KIT documentation

TRG 8 Security

• [x] TRG 8.01 Mitigate high and above findings in CodeQL
• [x] TRG 8.02 Mitigate high and above findings in KICS
• [x] TRG 8.04 Mitigate high and above findings in Trivy
• [x] TRG 8.03 No secret findings by GitGuardian or TruffleHog

TRG 9 UX/UI Styleguide

• [x] TRG 9.01 UI consistency/styleguide for UI

Hints

Information Sharing

[evegufy]

example from previous release https://github.com/eclipse-tractusx/ssi-credential-issuer/issues/223

[dhiren-singh-007]

TRG 1 Documentation

• [x] TRG 1.01 appropriate README.md: https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/README.md
• [x] TRG 1.02 appropriate install instructions either INSTALL.md or in README.md: https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/charts/ssi-credential-issuer/README.md
• [ ] TRG 1.03 appropriate CHANGELOG.md
• [x] TRG 1.04 editable static files https://github.com/eclipse-tractusx/ssi-credential-issuer/tree/v1.2.0-rc.2/docs
• [x] TRG 1.05 architecture docs https://github.com/eclipse-tractusx/ssi-credential-issuer/tree/v1.2.0-rc.2/docs/architecture
• [ ] TRG 1.06 administrator guide
• [ ] TRG 1.07 user manual
• [ ] TRG 1.08 open api docs

TRG 2 Git

• [x] TRG 2.01 default branch is named main
• [x] TRG 2.03 repository structure https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2
• [ ] TRG 2.04 leading product repository https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.tractusx
• [x] TRG 2.05 .tractusx metafile in a proper format https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.tractusx
• [ ] TRG 2.06 Dependabot @Phil91 @evegufy I don't have access to this to check this Dependabot

TRG 3 Kubernetes

• [ ] TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

TRG 4 Container

• [x] TRG 4.01 semantic versioning and tagging https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/release.yml
• [x] TRG 4.02 base image is agreed
• [x] TRG 4.03 image has USER command and Non Root Container Currently it is running as non root but bit differently then specified in TRG https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/charts/ssi-credential-issuer/templates/cronjob-issuer-processes.yaml#L49
• [x] TRG 4.05 released image must be placed in DockerHub, remove GHCR references expiry-app, process-worker, issuer-service, issuer-migrations
• [x] TRG 4.06 separate notice file for DockerHub has all necessary information https://github.com/eclipse-tractusx/ssi-credential-issuer/tree/v1.2.0-rc.2/docker
• [x] TRG 4.07 root file system is set to read access by default, but can be overwritten by the user

TRG 5 Helm

• [x] TRG 5.01 Helm chart requirements https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/release.yml#L33-L83
• [ ] TRG 5.02 Helm chart location in /charts directory and correct structure 1..hemlignore missing this values as mentioned in TRG values?.yaml values?.yml @Phil91 @evegufy ?
• [x] TRG 5.03 proper version strategy https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/charts/ssi-credential-issuer/Chart.yaml
• [x] TRG 5.04 CPU / MEM resource requests and limits and are properly set https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/charts/ssi-credential-issuer/values.yaml#L32
• [x] TRG 5.06 Application must be configurable through the Helm chart
• [x] TRG 5.07 Dependencies are present and properly configured in the Chart.yaml https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/charts/ssi-credential-issuer/Chart.yaml#L27-L31
• [x] TRG 5.08 Product has a single deployable helm chart that contains all components https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/charts/ssi-credential-issuer/Chart.yaml
• [x] TRG 5.09 Helm Test running properly https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/chart-test.ym
• [x] TRG 5.10 Products need to support 3 versions at a time https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/chart-test.ym
• [x] TRG 5.11 Upgradeability https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/chart-test.ym

TRG 6 Released Helm Chart

• [x] TRG 6.01 Released Helm Chart https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/release.yml

TRG 7 Open Source Governance

• [x] TRG 7.01 Legal Documentation https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/LICENSE
• [x] TRG 7.02 License and copyright header
• [ ] TRG 7.03 IP checks for project content
• [ ] TRG 7.04 IP checks for 3rd party content
• [x] TRG 7.05 Legal information for distributions https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/LICENSE https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/NOTICE.md https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/DEPENDENCIES https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/SECURITY.md
• [ ] TRG 7.06 Legal information for end user content
• [x] TRG 7.07 Legal notice for documentation (non-code) https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/NOTICE.md
• [x] TRG 7.08 Legal notice for KIT documentation https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/NOTICE.md

TRG 8 Security

• [x] TRG 8.01 Mitigate high and above findings in CodeQL https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/codeql.yml
• [x] TRG 8.02 Mitigate high and above findings in KICS https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/kics.yml
• [x] TRG 8.04 Mitigate high and above findings in Trivy https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/trivy.yml
• [x] TRG 8.03 No secret findings by GitGuardian or TruffleHog https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0-rc.2/.github/workflows/trufflehog.yml

Hints

Information Sharing

[evegufy]

Hi @dhiren-singh-007 it's great that you get to know the Tractus-X Release guidelines!

In the following some explanation for the TRG's which aren't check boxed yet:

• [x] TRG 1.03 appropriate CHANGELOG.md

Please see final version https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/CHANGELOG.md

• [x] TRG 1.06 administrator guide

Please see final version https://github.com/eclipse-tractusx/ssi-credential-issuer/tree/v1.2.0/docs/admin

• [x] TRG 1.07 user manual

N/A due to the nature of the product.

• [x] TRG 1.08 open api docs

Please see final version https://github.com/eclipse-tractusx/ssi-credential-issuer/tree/v1.2.0/docs/api

• [x] TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

The chart has a db subchart in place which manages the persistence https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/charts/ssi-credential-issuer/Chart.yaml#L27

• [x] TRG 5.02 Helm chart location in /charts directory and correct structure

helmignore file is available https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/charts/ssi-credential-issuer/.helmignore but adding values?.yaml values?.yml wouldn't make sense as we don't maintain any such file in the charts directory. Example for when such an entry makes sense: https://github.com/eclipse-tractusx/sd-factory/tree/v2.1.14/charts/sdfactory

• [x] TRG 7.03 IP checks for project content <!-- for each PR containing more than 1000 relevant lines there must be an approved [IP review for Code Contributions]

Here you should try to understand what the dependencies check does https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/.github/workflows/dependencies.yml and check if it rans without any error on the tag. In addition you should familiarise yourself with the Eclipse Dash Tool, and execute the Eclipse Dash Tool commands in the workflow locally to make sure that no dependencies restricted, see https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/DEPENDENCIES

• [x] TRG 7.04 IP checks for 3rd party content

In this repository there are no examples of such 3rd party content, but you should still be familiar with the content of the TRG

• [x] TRG 7.06 Legal information for end user content

The repository doesn't include a frontend component, therefore N/A.

[evegufy]

Regarding

• [x] TRG 2.06 Dependabot

Yes, right, in order to check this, you'd need access to the security tab of the repo, which requires maintenance/committer permissions. I check it's all fine.

The same applies also to the following TRGs:

TRG 8 Security

• [x] TRG 8.01 Mitigate high and above findings in CodeQL
• [x] TRG 8.02 Mitigate high and above findings in KICS
• [x] TRG 8.04 Mitigate high and above findings in Trivy
• [x] TRG 8.03 No secret findings by GitGuardian or TruffleHog

Checking the workflow, especially the runs is good, but constantly monitoring the security tab and making sure that security alerts are managed, is also the responsibly of a committer.