Merge pull request eclipse-tractusx#633 from catenax-ng/main
Merge main
ds-ext-kmassalski authored Nov 14, 2023
2 parents 808f440 + 8d0f467 commit 65e7da2
Showing 735 changed files with 4,083,225 additions and 301,540 deletions.
5 changes: 4 additions & 1 deletion .config/.trivyignore
Expand Up @@ -2,4 +2,7 @@
CVE-2022-42003

# HttpInvokerServiceExporter is not loaded as a bean in the IRS.
CVE-2016-1000027
CVE-2016-1000027

# Vulnerability method not in IRS codebase (Files.createTempDir from guava). https://github.com/google/guava/issues/2575
CVE-2023-2976
3 changes: 2 additions & 1 deletion .config/irs.header
Expand Up @@ -11,7 +11,8 @@
*
* This program and the accompanying materials are made available under the
* terms of the Apache License, Version 2.0 which is available at
* https://www.apache.org/licenses/LICENSE-2.0. *
* https://www.apache.org/licenses/LICENSE-2.0.
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
25 changes: 16 additions & 9 deletions .config/owasp-suppressions.xml
Expand Up @@ -2,23 +2,30 @@
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
Transitive dependency of OkHttp. CVE is only relevant for Gradle builds, not relevant for IRS.
Vulnerability is a false positive.
]]></notes>
<gav regex="true">org\.jetbrains\.kotlin:.*</gav>
<vulnerabilityName>CVE-2022-24329</vulnerabilityName>
<gav regex="true">com\.fasterxml\.jackson\.core:jackson\-databind.*</gav>
<vulnerabilityName>CVE-2023-35116</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Vulnerability method not in IRS codebase (Files.createTempDir from guava).
Pulled in by EDC client - needs to be accepted for now.
]]></notes>
<gav regex="true">com\.google\.guava:guava.*</gav>
<vulnerabilityName>CVE-2020-8908</vulnerabilityName>
<gav regex="true">org\.eclipse\.edc:jetty\-core.*</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Vulnerability method not in IRS codebase (Files.createTempDir from guava).
Pulled in by EDC client - needs to be accepted for now.
]]></notes>
<gav regex="true">com\.google\.guava:guava.*</gav>
<vulnerabilityName>CVE-2023-2976</vulnerabilityName>
<gav regex="true">org\.eclipse\.jetty\.toolchain:jetty\-jakarta\-websocket\-api.*</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code. This is not exploitable in IRS.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
<vulnerabilityName>CVE-2023-22006</vulnerabilityName>
</suppress>
</suppressions>
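Review bot: The two new suppressions for `org\.eclipse\.edc:jetty\-core.*` and `org\.eclipse\.jetty\.toolchain:jetty\-jakarta\-websocket\-api.*` use `<vulnerabilityName regex="true">.*</vulnerabilityName>`, which silences every current and future finding for those artifacts instead of the specific CVEs that were actually assessed. Their `<notes>` also still carry the guava text ("Vulnerability method not in IRS codebase (Files.createTempDir from guava)") that this commit removes from the guava entries, so the recorded rationale does not describe the artifact being suppressed. Suggest listing the assessed CVE ids explicitly, replacing the note with the reason the EDC-pulled Jetty findings are accepted, and adding `until="<review-date>"` on each wildcard `<suppress>` so the blanket suppression expires and is re-evaluated instead of living on indefinitely.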
6 changes: 5 additions & 1 deletion .config/pmd-rules.xml
Expand Up @@ -33,6 +33,8 @@
<exclude name="LoosePackageCoupling"/>
<!-- There are too many false positives especially with streams -->
<exclude name="LawOfDemeter"/>
<!-- Detects false positives -->
<exclude name="DataClass"/>
</rule>
<rule ref="category/java/design.xml/UseUtilityClass">
<properties>
Expand All @@ -56,7 +58,7 @@

<rule ref="category/java/documentation.xml/CommentSize">
<properties>
<property name="maxLines" value="22"/>
<property name="maxLines" value="23"/>
<property name="maxLineLength" value="100"/>
</properties>
</rule>
Expand All @@ -67,4 +69,6 @@
<property name="protectedMethodCommentRequirement" value="Ignored"/>
</properties>
</rule>


</ruleset>
13 changes: 13 additions & 0 deletions .config/spotbugs-excludes.xml
Expand Up @@ -60,9 +60,22 @@
<Class name="org.eclipse.tractusx.irs.configuration.RestTemplateConfig"/>
<Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON"/>
</Match>
<Match>
<Class name="org.eclipse.tractusx.irs.registryclient.central.DigitalTwinRegistryClientImpl"/>
<Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON"/>
</Match>
<Match>
<Class name="org.eclipse.tractusx.irs.registryclient.decentral.DecentralDigitalTwinRegistryClient"/>
<Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON"/>
</Match>
<Match>
<!-- The folder path is not provided by a user, the file name is normalized heavily, and we use a recent JRE -->
<Class name="org.eclipse.tractusx.irs.semanticshub.SemanticsHubClientImpl"/>
<Bug pattern="PATH_TRAVERSAL_IN,WEAK_FILENAMEUTILS"/>
</Match>
<Match>
<!-- The application is intended to access all files -->
<Class name="org.eclipse.tractusx.irs.testing.dataintegrity.TestdataTransformer"/>
<Bug pattern="PATH_TRAVERSAL_IN"/>
</Match>
</FindBugsFilter>
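Review bot: The two new `PATH_TRAVERSAL_IN` exclusions at the end of the file match the whole class (`SemanticsHubClientImpl`, `TestdataTransformer`), so any file-handling code added to those classes later is excluded from the check without anyone reassessing it. Narrowing each `<Match>` with a `<Method name="..."/>` child for the method that was actually reviewed keeps the justification in the comment tied to the code it was written for. The comment on `SemanticsHubClientImpl` states that the folder path is not user-provided and the file name is "normalized heavily"; naming the normalization in the comment (which characters are stripped or rejected, and where) would let the next reader verify the claim instead of re-auditing the class.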
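--- a/.github/ISSUE_TEMPLATE/irs-bug.md
+++ b/.github/ISSUE_TEMPLATE/irs-bug.md
@@ -0,0 +1,25 @@
+---
+name: Report a Bug
+about: report bugs or unexpected behavior.
+---
+
+<!--
+Thanks for your contribution! Please fill out this template as good as possible.
+Important: Contributing Guidelines can be found here: https://eclipse-tractusx.github.io/docs/oss/how-to-contribute
+Checkout the repository README for process description.
+-->
+
+## Description
+<!-- A clear and concise description of what the bug is. Give as much hints as possible
+- On which Environment did the bug occur
+-->
+## Current behaviour
+
+## Expected behavior
+<!-- A clear and concise description of what you expected to happen. -->
+
+## Steps to reproduce the Bug
+<!-- Please provide a clear procedure how to reproduce the bug.
+Important technical details:
+user information, screenshots, browser, app-version, environment, device, etc.
+-->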
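--- a/.github/ISSUE_TEMPLATE/irs-story.md
+++ b/.github/ISSUE_TEMPLATE/irs-story.md
@@ -0,0 +1,32 @@
+---
+name: Propose a Story
+about: propose a new story, new task
+labels: Story
+---
+<!--
+A clear and concise description of what the desired story will look like.
+-->
+**As** ... ,
+**I want** ... ,
+**so that** ... .
+
+## Hints / Details
+<!--
+Provide as much information regarding this request as possible
+-->
+- ...
+
+## Outcome / Acceptance Criteria
+<!--
+Describe the Outcome & acceptance criterias the result of the story
+-->
+### Outcome
+- ...
+### Acceptance Criteria
+- ...
+
+## Out of Scope
+<!--
+Describe the topics which are out of scope
+-->
+- ...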
46 changes: 46 additions & 0 deletions .github/actions/import-gpg-key/action.yaml
@@ -0,0 +1,46 @@
#
# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
# Copyright (c) 2023 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
#

---
name: "Import GPG Key"
description: "Imports a GPG key given in the input"
inputs:
gpg-private-key:
required: true
description: "The GPG Private Key in plain text. Can be a sub-key."
runs:
using: "composite"
steps:
# this is necessary because it creates gpg.conf, etc.
- name: List Keys
shell: bash
run: |
gpg -K --keyid-format=long
- name: Import GPG Private Key
shell: bash
run: |
echo "use-agent" >> ~/.gnupg/gpg.conf
echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
echo -e "${{ inputs.gpg-private-key }}" | gpg --import --batch
for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u);
do
echo -e "5\\ny\\n" | gpg --batch --command-fd 0 --expert --edit-key $fpr trust;
done
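Review bot: `echo -e "${{ inputs.gpg-private-key }}" | gpg --import --batch` in the Import GPG Private Key step expands the input inside the generated shell script, so the key material becomes part of the script text and any shell-significant characters in it are interpreted by bash; the usual fix is to pass it through `env:` and reference `"$GPG_PRIVATE_KEY"` from the script. The trust loop afterwards assigns trust level 5 to every fingerprint `gpg --list-keys` returns, not only the key just imported — on a fresh runner that is presumably the same key, but the loop does not check — and `$fpr` should be quoted, `--edit-key "$fpr" trust`. The section header reports 46 additions while 45 lines are visible here, so one line (possibly a trailing blank) may be missing from this rendering.
```yaml
    - name: Import GPG Private Key
      shell: bash
      env:
        GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }}
      run: |
        # … unchanged: gpg.conf setup …
        echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
        # … unchanged: trust loop over listed fingerprints …
```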
6 changes: 0 additions & 6 deletions .github/codeql/codeql-config.yml

This file was deleted.

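--- a/.github/configs/codeql-config.yml
+++ b/.github/configs/codeql-config.yml
@@ -0,0 +1,9 @@
+name: "IRS CodeQL config"
+
+query-filters:
+# Exclude "Unused classes and interfaces"
+- exclude:
+id: java/unused-reference-type
+# Exclude "Log Injection". This is a false positive, since IRS uses a log configuration which encodes all log messages in "irs-api/src/main/resources/log4j2.xml"
+- exclude:
+id: java/log-injection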
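Review bot: The `java/log-injection` exclusion is justified only by a reference to `irs-api/src/main/resources/log4j2.xml`, and nothing here ties the exclusion to that file, so a later change to the log layout would leave the query disabled without anyone noticing. Suggest the comment name the layout feature in that file that performs the encoding, e.g. `# Exclude "Log Injection": every message goes through the encoding layout in irs-api/src/main/resources/log4j2.xml (<layout element>); re-enable if that layout changes`, so a reviewer can verify the claim rather than take it on trust. The rendered page shows `- exclude:` and `id:` flush-left; please confirm the committed file indents them under `query-filters:` as CodeQL expects.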
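--- a/.github/configs/cr-config.yml
+++ b/.github/configs/cr-config.yml
@@ -0,0 +1 @@
+release-notes-file: CHANGELOG-temp.md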
2 changes: 1 addition & 1 deletion .github/workflows/BETA-xray-cucumber-integration.yaml
Expand Up @@ -8,7 +8,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4

- name: Set up JDK 17
uses: actions/setup-java@v3
55 changes: 55 additions & 0 deletions .github/workflows/changelog-changes.yaml
@@ -0,0 +1,55 @@
name: "Check if CHANGELOG file was modified in PR"

on:
pull_request:
branches: main
paths-ignore:
- '**/*.md'
- '**/*.txt'
- '.config/**'
- '.github/**'
- 'docs/**'
- 'local/**'

jobs:
analyze:
runs-on: ubuntu-latest
permissions:
pull-requests: write

name: changelog-check
steps:
- uses: actions/checkout@v4

- name: Check if CHANGELOG file was changed
id: changelog-changed
uses: tj-actions/changed-files@v40
with:
files: |
CHANGELOG.md
- name: Echo result if CHANGELOG file was changed
if: steps.changelog-changed.outputs.any_changed == 'true'
run: |
for file in ${{ steps.changelog-changed.outputs.all_changed_files }}; do
echo "$file was changed"
done
- name: Find previous comment in PR
if: steps.changelog-changed.outputs.any_changed == 'false'
uses: peter-evans/find-comment@v2
id: find-comment
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: CHANGELOG file was not updated! Make sure to include important changes.

- name: Create or update comment in PR
if: steps.changelog-changed.outputs.any_changed == 'false'
uses: peter-evans/create-or-update-comment@v3
with:
comment-id: ${{ steps.find-comment.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
CHANGELOG file was not updated! Make sure to include important changes.
edit-mode: replace
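Review bot: `for file in ${{ steps.changelog-changed.outputs.all_changed_files }}; do` in the Echo step expands a step output directly into the shell script; with `files: CHANGELOG.md` that output can presumably only be that one path, but it is the pattern that turns attacker-chosen file names into shell code elsewhere, so pass it through `env:` — `CHANGED_FILES: ${{ steps.changelog-changed.outputs.all_changed_files }}` — and loop over `$CHANGED_FILES`. The workflow triggers on `pull_request` while asking for `pull-requests: write`; for pull requests opened from forks the token is read-only regardless of the `permissions` block, so the Create or update comment step will likely fail there instead of posting. `tj-actions/changed-files@v40`, `peter-evans/find-comment@v2` and `peter-evans/create-or-update-comment@v3` are pinned to mutable tags; pinning each to a full commit SHA with the tag in a trailing comment protects the job against a moved or compromised tag. The header reports 55 additions but 53 lines are visible, so this rendering may be missing a line or two.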
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
Expand Up @@ -49,7 +49,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Set up JDK 17
uses: actions/setup-java@v3
Expand All @@ -67,7 +67,7 @@ jobs:
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# The queries security-extended and security-and-quality are built into CodeQL.
config-file: ./.github/codeql/codeql-config.yml
config-file: ./.github/configs/codeql-config.yml
queries: +security-and-quality,security-extended

- name: Cache maven packages
61 changes: 61 additions & 0 deletions .github/workflows/dependencies-update.yaml
@@ -0,0 +1,61 @@
name: "Update DEPENDENCIES file"

on:
push:
branches:
- main

jobs:
build:
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up JDK 17
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'

- name: Cache maven packages
uses: actions/cache@v3
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2

- name: Generate Dependencies file
run: mvn org.eclipse.dash:license-tool-plugin:license-check -Ddash.summary=DEPENDENCIES

- name: Check if file was changed
run: |
if git diff --name-only ${{ github.base_ref }}...${{ github.sha }} | grep -e 'DEPENDENCIES'; then
echo "The file was changed"
echo "was_file_changed=true" >> "$GITHUB_ENV"
git
else
echo "The file was not changed"
echo "was_file_changed=false" >> "$GITHUB_ENV"
fi
- name: Configure Git
if: ${{ env.was_file_changed }} == 'true'
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Create pull request
if: ${{ env.was_file_changed }} == 'true'
uses: peter-evans/create-pull-request@v5
with:
add-paths: |
DEPENDENCIES
token: ${{ secrets.GITHUB_TOKEN }}
branch: chore/update-DEPENDENCIES
commit-message: "chore(dependencies): Update DEPENDENCIES"
delete-branch: true
title: Update DEPENDENCIES
body: |
This PR updates the DEPENDENCIES
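Review bot: The stray `git` on its own line inside the `if` branch of the "Check if file was changed" step runs git with no arguments, which prints usage and exits non-zero, and because the default bash for `run` steps is started with `-e` the step aborts exactly when the DEPENDENCIES file is detected as changed. The two conditions `if: ${{ env.was_file_changed }} == 'true'` are also wrong: the `${{ }}` part is expanded first and ` == 'true'` is appended as literal text, so the result is a non-empty string that is always truthy and both steps run unconditionally; write `if: env.was_file_changed == 'true'`. The detection itself compares commits (`${{ github.base_ref }}...${{ github.sha }}`), but `github.base_ref` is empty on `push` events and the regenerated file only exists in the working tree, so `git diff --quiet -- DEPENDENCIES` against the checked-out tree is what the step needs. The header reports 61 additions while 59 lines are visible, and `user.email` is rendered as `[email protected]`, which looks like a display artefact rather than the committed value; please check the file itself.
```yaml
    - name: Check if file was changed
      run: |
        if ! git diff --quiet -- DEPENDENCIES; then
          echo "The file was changed"
          echo "was_file_changed=true" >> "$GITHUB_ENV"
        else
          echo "The file was not changed"
          echo "was_file_changed=false" >> "$GITHUB_ENV"
        fi
    - name: Configure Git
      if: env.was_file_changed == 'true'
      # … unchanged: git config lines …
    - name: Create pull request
      if: env.was_file_changed == 'true'
      # … unchanged: create-pull-request inputs …
```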
2 changes: 1 addition & 1 deletion .github/workflows/eclipse-dash.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4

- name: Set up JDK 17
uses: actions/setup-java@v3