From 7cade82700671e83f75ffa2d91c15dfbfa0df8a3 Mon Sep 17 00:00:00 2001
From: "Krzysztof Massalski (Extern)"
Date: Tue, 22 Aug 2023 15:36:59 +0200
Subject: [PATCH 1/7] feat(impl):[TRI-1569] container scan last image in docker hub
---
 .github/workflows/trivy-docker-hub-scan.yml | 72 +++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 .github/workflows/trivy-docker-hub-scan.yml
diff --git a/.github/workflows/trivy-docker-hub-scan.yml b/.github/workflows/trivy-docker-hub-scan.yml
new file mode 100644
index 0000000000..2b302ade3d
--- /dev/null
+++ b/.github/workflows/trivy-docker-hub-scan.yml
@@ -0,0 +1,72 @@ +name: "Trivy vulnerability scanner for Docker Hub Image" + +on: + push: + branches: [ "main" ] + schedule: + - cron: "0 0 * * *" + + workflow_dispatch: + inputs: + branch: + description: "Branch to use" + required: true + default: "main" + type: string + +env: + IMAGE_NAMESPACE: 'tractusx' + IMAGE_NAME: "irs-api" + +jobs: + image-scan: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + java-version: '17' + distribution: 'temurin' + + - name: Cache maven packages + uses: actions/cache@v3 + with: + path: ~/.m2 + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + restore-keys: ${{ runner.os }}-m2 + + - name: Build with Maven + run: | + mvn -B clean install + + # Build action for docker hub registry + - name: Build image from Dockerfile - Docker Hub + if: ${{ github.repository == 'eclipse-tractusx/item-relationship-service' }} + run: | + docker build -t ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:latest . + + # Build action for docker hub registry + - name: Run Trivy vulnerability scanner - Docker Hub + if: ${{ github.repository == 'eclipse-tractusx/item-relationship-service' }} + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}" + format: "sarif" + output: "trivy-results-irs.sarif" + exit-code: "1" + hide-progress: false + severity: "CRITICAL,HIGH" + + - name: Upload Trivy scan results to GitHub Security tab + if: always() + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-irs.sarif" \ No newline at end of file From be54deb08e04d3590026ee64faae6590d9261436 Mon Sep 17 00:00:00 2001 
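Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a mutable branch, so every scheduled run fetches whatever `master` holds at that moment and an upstream breakage or compromise lands directly in a job that holds `security-events: write`; the same reference survives the rewrite of this file in the second patch of the series. The other actions in this step list are at least tag-pinned (`actions/checkout@v3`, `github/codeql-action/upload-sarif@v2`), so the scanner is the odd one out. Pin it to a release tag or, better, a full commit SHA with the tag recorded in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>` (placeholder values). The `exit-code: "1"` plus `if: always()` on the upload is the right pairing here: findings fail the job but the SARIF still reaches the Security tab.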
From: "Krzysztof Massalski (Extern)" Date: Wed, 23 Aug 2023 08:34:58 +0200 Subject: [PATCH 2/7] feat(impl):[TRI-1569] commit suggestions --- .github/workflows/trivy-docker-hub-scan.yml | 58 ++++----------------- 1 file changed, 10 insertions(+), 48 deletions(-) diff --git a/.github/workflows/trivy-docker-hub-scan.yml b/.github/workflows/trivy-docker-hub-scan.yml index 2b302ade3d..d5d662480a 100644 --- a/.github/workflows/trivy-docker-hub-scan.yml +++ b/.github/workflows/trivy-docker-hub-scan.yml @@ -1,23 +1,12 @@ name: "Trivy vulnerability scanner for Docker Hub Image" on: + workflow_dispatch: # Trigger manually push: - branches: [ "main" ] + pull_request: schedule: - cron: "0 0 * * *" - workflow_dispatch: - inputs: - branch: - description: "Branch to use" - required: true - default: "main" - type: string - -env: - IMAGE_NAMESPACE: 'tractusx' - IMAGE_NAME: "irs-api" - jobs: image-scan: runs-on: ubuntu-latest 
@@ -27,46 +16,19 @@ jobs: security-events: write steps: - - name: Checkout repository + - name: Checkout code uses: actions/checkout@v3 - - name: Set up JDK 17 - uses: actions/setup-java@v3 - with: - java-version: '17' - distribution: 'temurin' - - - name: Cache maven packages - uses: actions/cache@v3 - with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: ${{ runner.os }}-m2 - - - name: Build with Maven - run: | - mvn -B clean install - - # Build action for docker hub registry - - name: Build image from Dockerfile - Docker Hub - if: ${{ github.repository == 'eclipse-tractusx/item-relationship-service' }} - run: | - docker build -t ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:latest . - - # Build action for docker hub registry - - name: Run Trivy vulnerability scanner - Docker Hub - if: ${{ github.repository == 'eclipse-tractusx/item-relationship-service' }} + - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: "${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}" - format: "sarif" - output: "trivy-results-irs.sarif" - exit-code: "1" - hide-progress: false - severity: "CRITICAL,HIGH" + image-ref: 'tractusx/irs-api:latest' + format: 'sarif' + output: 'trivy-results.sarif' + + - run: cat trivy-results.sarif - name: Upload Trivy scan results to GitHub Security tab - if: always() uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: "trivy-results-irs.sarif" \ No newline at end of file + sarif_file: 'trivy-results.sarif' \ No newline at end of file From 5f266d9395713cbda9a8be9e547f3a73d7f64ec7 Mon Sep 17 00:00:00 2001 
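Review bot: `image-ref: 'tractusx/irs-api:latest'` scans a mutable tag and nothing in the job records which digest was actually pulled, so a finding in the Security tab cannot be tied to a specific published build, and the nightly schedule and the post-build call added later in this series may silently scan different images. Log the resolved digest before the scan (or let the caller pass the exact reference in) so the result is attributable. Dropping `exit-code: "1"` and `severity:` turns the scan into a report-only step with the action's default severity set; that is a reasonable choice for a scheduled scan, but it should be deliberate and visible, e.g. a comment on the step such as `# report-only: findings are surfaced in the Security tab and do not fail the job`. The unnamed `- run: cat trivy-results.sarif` dumps the entire SARIF into the job log; if it is a debugging aid, name it as such or remove it before merge.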
From: ds-ext-kmassalski <100765908+ds-ext-kmassalski@users.noreply.github.com> Date: Thu, 24 Aug 2023 10:07:22 +0200 Subject: [PATCH 3/7] Update .github/workflows/trivy-docker-hub-scan.yml Co-authored-by: Jaro Hartmann <57985712+ds-jhartmann@users.noreply.github.com> --- .github/workflows/trivy-docker-hub-scan.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/trivy-docker-hub-scan.yml b/.github/workflows/trivy-docker-hub-scan.yml index d5d662480a..1cf40378c2 100644 --- a/.github/workflows/trivy-docker-hub-scan.yml +++ b/.github/workflows/trivy-docker-hub-scan.yml @@ -2,8 +2,7 @@ name: "Trivy vulnerability scanner for Docker Hub Image" on: workflow_dispatch: # Trigger manually - push: - pull_request: + workflow_call: # Trigger by another workflow schedule: - cron: "0 0 * * *" From cb010bc198b9e0538504ee40507375c042bfcb11 Mon Sep 17 00:00:00 2001 From: "Krzysztof Massalski (Extern)" Date: Thu, 24 Aug 2023 10:13:36 +0200 Subject: [PATCH 4/7] feat(impl):[TRI-1569] update irs build --- .github/workflows/irs-build.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/irs-build.yml b/.github/workflows/irs-build.yml index f013d63385..0918fae1a3 100644 --- a/.github/workflows/irs-build.yml +++ b/.github/workflows/irs-build.yml @@ -173,3 +173,10 @@ jobs: username: ${{ secrets.DOCKER_HUB_USER }} password: ${{ secrets.DOCKER_HUB_TOKEN }} repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }} + + trigger-trivy-image-scan: + if: >- + github.event_name != 'pull_request' + needs: + - build_images + uses: ./.github/workflows/trivy-docker-hub-scan.yml From 8982c4717bdec704bb07b9e75a317dd93631be30 Mon Sep 17 00:00:00 2001 From: Jaro Hartmann Date: Thu, 24 Aug 2023 10:43:47 +0200 Subject: [PATCH 5/7] chore(charts): Add helmignore for values?*.yaml --- charts/irs-helm/.helmignore | 4 ++++ 1 file changed, 4 insertions(+) 
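Review bot: `workflow_call:` declares no `inputs`, so a calling workflow cannot tell this scan which image reference to check; the `image-ref` in the Trivy step (outside this hunk, hard-coded to `tractusx/irs-api:latest` in the previous patch) is the only thing that will ever be scanned, regardless of what the caller just pushed. Declaring an optional input with the current value as its default keeps the scheduled and manual runs unchanged while letting the build pipeline hand over the tag or digest it produced; the Trivy step would then read `image-ref: ${{ inputs.image-ref || 'tractusx/irs-api:latest' }}`, the fallback covering `schedule` runs where the input is empty.
```yaml
  workflow_dispatch: # Trigger manually
  workflow_call: # Trigger by another workflow
    inputs:
      image-ref:
        description: "Image reference (tag or digest) to scan"
        type: string
        required: false
        default: "tractusx/irs-api:latest"
  # … unchanged: schedule …
```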
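Review bot: The new `trigger-trivy-image-scan` job sets no `permissions:`, and a reusable workflow can only use the permissions its caller grants, so the `security-events: write` declared inside trivy-docker-hub-scan.yml is capped by whatever irs-build.yml's default is (not visible in this hunk); if that default is restricted, the SARIF upload will fail on every post-build scan. Give the job an explicit block mirroring the called workflow, as below. `if: >-` wrapping a single-line condition in a folded block is unusual; `if: github.event_name != 'pull_request'` reads the same. Note that `needs: build_images` only guarantees the push finished, not that the `:latest` tag the scan resolves is the one this run produced.
```yaml
  trigger-trivy-image-scan:
    if: github.event_name != 'pull_request'
    # … unchanged: needs …
    permissions:
      actions: read
      contents: read
      security-events: write
    uses: ./.github/workflows/trivy-docker-hub-scan.yml
```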
diff --git a/charts/irs-helm/.helmignore b/charts/irs-helm/.helmignore index c2701969e3..e3a0e85695 100644 --- a/charts/irs-helm/.helmignore +++ b/charts/irs-helm/.helmignore @@ -42,3 +42,7 @@ .idea/ *.tmproj .vscode/ + +# Accept only values.yaml +values?*.yaml +values?*.yml \ No newline at end of file From 7c9940b149ab3042739baca6a5584060ea856696 Mon Sep 17 00:00:00 2001 From: Jaro Hartmann Date: Thu, 24 Aug 2023 10:45:38 +0200 Subject: [PATCH 6/7] chore(changelog): prepare release 3.3.4 --- CHANGELOG.md | 7 ++++++- charts/irs-helm/CHANGELOG.md | 7 +++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 172793e337..3b38f914ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [3.3.4] - 2023-08-24 +### Fixed +- Added missing license information to documentation and docker image + ## [3.3.3] - 2023-08-11 ### Changed - IRS now calls the entire dataplane URL retrieved from the registry href instead of building it from the URL of the EDC token and the path @@ -307,7 +311,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Unresolved - **Select Aspects you need** You are able to select the needed aspects for which you want to collect the correct endpoint information. -[Unreleased]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.3...HEAD +[Unreleased]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.4...HEAD +[3.3.4]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.3...3.3.4 [3.3.3]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.2...3.3.3 [3.3.2]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.1...3.3.2 [3.3.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.0...3.3.1 
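Review bot: The comment `# Accept only values.yaml` overstates what the two patterns do: `values?*.yaml` and `values?*.yml` match only file names with at least one character between `values` and the extension (for example `values-dev.yaml`, `values.prod.yaml`), so `values.yaml` is kept while any other YAML file without that prefix is untouched. If the intent is to keep environment-specific override files, which often carry credentials, out of the packaged chart, say so, e.g. `# Exclude environment-specific overrides (values-*.yaml, values.*.yaml) from the packaged chart; only values.yaml is shipped`. Whether these patterns also apply inside subdirectories of the chart depends on Helm's ignore matching and is worth confirming with a `helm package --debug` run.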
diff --git a/charts/irs-helm/CHANGELOG.md b/charts/irs-helm/CHANGELOG.md index 259a38fff4..16a99c0a6e 100644 --- a/charts/irs-helm/CHANGELOG.md +++ b/charts/irs-helm/CHANGELOG.md @@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [6.4.2] - 2023-08-11 +### Added +- Added entry to .helmignore to only accept values.yaml + +### Changed +- Update IRS version to 3.3.4 + ## [6.4.1] - 2023-08-11 ### Changed - Update IRS version to 3.3.3 From fa6cd7cc7e3ee9eb89da5d1f2b0f8d0ea0b31556 Mon Sep 17 00:00:00 2001 From: ds-jhartmann Date: Thu, 24 Aug 2023 09:00:46 +0000 Subject: [PATCH 7/7] chore(release): Prepare release for Helm version 6.4.2 --- charts/irs-helm/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/irs-helm/Chart.yaml b/charts/irs-helm/Chart.yaml index 65ed6cdb26..1975c76a8c 100644 --- a/charts/irs-helm/Chart.yaml +++ b/charts/irs-helm/Chart.yaml @@ -35,12 +35,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 6.4.1 +version: 6.4.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "3.3.3" +appVersion: "3.3.4" dependencies: - name: common repository: https://charts.bitnami.com/bitnami