
fix: upgrade to Ontop 5.1.0 and resolve important trivy and veracode issues #64

Merged

Conversation


@drcgjung drcgjung commented Nov 15, 2023

WHAT

This PR updates the main dependency on ontop and patches additional dependencies to resolve important trivy and veracode issues.
It fixes the user ids used by the base image of the provisioning agent.
Introduces a version upgrade script and upgrades the version.
Pins (and upgrades) the GitHub Actions (and some kind/kubernetes-related versions) in the workflow.
Makes this repo a leading repo for all agent-related artifacts.

WHY

Ontop is the only "improper" base image (which itself lends from ubuntu jammy 22.04 LTS), so going with its latest release is mandatory.
When mounting additional filesystems and/or using the builtin H2 database (for demo purposes on stable), the actual docker user (999:999) is incompatible with the pod security user/group/fs ids. The H2 database could not start/be connected.
KICS, trivy and veracode accumulated some issues and were complaining about unpinned GitHub Actions (vulnerable to supply chain attack).
Lots of dependabot hints to new GitHub Action versions.
Tractus-X introduces new reference versions for kubernetes and kind.
Instead of having three different products in the Tractus-X dashboards and reports, all agent-related repos should be aggregated into a single product with this as the leading repo.
Finally we update our own version to prepare an upcoming release.

FURTHER NOTES

Ontop itself as well as some of its dependencies lead to "restricted" license checks (see DEPENDENCIES)

maven/mavencentral/io.github.solf/nullanno/3.0.0, NOASSERTION, restricted, clearlydefined
maven/mavencentral/it.unibz.inf.ontop/ontop-model/5.1.0, , restricted, clearlydefined
maven/mavencentral/it.unibz.inf.ontop/ontop-obda-core/5.1.0, , restricted, clearlydefined
maven/mavencentral/it.unibz.inf.ontop/ontop-rdb/5.1.0, , restricted, clearlydefined
maven/mavencentral/org.apache.tomcat/tomcat-annotations-api/9.0.81, , restricted, clearlydefined

A quick check on those libs shows that they are either EPL (nullanno) or Apache 2.0 (rest), but the license checks need to be issued at Eclipse nevertheless.
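The supply-chain point behind pinning the actions is that `uses: owner/repo@v4` follows a tag the upstream owner can move at any time, whereas a full commit SHA (or, for `docker://` steps, a sha256 image digest) cannot be silently swapped. That property can be checked mechanically. The scanner below is an added example written for this page; it is not part of the PR or of the eclipse-tractusx repositories. The workflow it scans is a constructed sample, and the SHA and digest values in it are placeholders, not real releases.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample workflow for this example; it is NOT one of the PR's workflow files.
# It mixes the weak form (mutable tag) with the hardened form (full commit SHA / image digest).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
        with:
          java-version: '17'
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.18
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Matches a step's `uses:` value; the capture stops at whitespace, a quote or an inline comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
FULL_COMMIT_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
IMAGE_DIGEST_RE = re.compile(r'@sha256:[0-9a-f]{64}$')


@dataclass
class Finding:
    line: int
    uses: str
    reason: str


def classify(uses: str) -> str:
    """Return '' when the reference is immutable, otherwise a short reason why it is not."""
    if uses.startswith('./'):
        # Local action: it ships with the repository checkout, there is nothing external to pin.
        return ''
    if uses.startswith('docker://'):
        # Image tags can be re-pushed; only a sha256 digest identifies exactly one image.
        return '' if IMAGE_DIGEST_RE.search(uses) else 'image tag is mutable; pin by sha256 digest'
    if '@' not in uses:
        return 'no ref at all; resolves to the default branch'
    ref = uses.rsplit('@', 1)[1]
    if FULL_COMMIT_SHA_RE.match(ref):
        return ''
    return f'ref {ref!r} is a mutable tag or branch; pin to the full 40-hex commit SHA'


def find_unpinned(workflow_text: str) -> List[Finding]:
    """Scan a workflow file line by line and report every `uses:` that is not pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        reason = classify(m.group(1))
        if reason:
            findings.append(Finding(lineno, m.group(1), reason))
    return findings


if __name__ == '__main__':
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {f.line}: {f.uses}: {f.reason}')
```

Run against the sample it flags `actions/checkout@v4` and `docker://alpine:3.18`; the SHA-pinned action, the digest-pinned image and the local action pass. The line-based regex deliberately avoids a YAML dependency, which is enough for the `uses:` key, but it will not see references assembled from expressions at run time; those need a review of the workflow itself.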

Files with resolved review comments: conforming/src/main/docker/Dockerfile, provisioning/src/main/docker/Dockerfile
@drcgjung

@scherersebastian this PR is to get trivy and veracode vulnerabilities to a minimum. @Martin0815bla will check the business logic consequences, but I would ask you to perform the required license checks and finally merge this PR.


@Martin0815bla Martin0815bla left a comment


version consistency checked

@drcgjung


@SebastianBezold it would be great if you could merge this PR. Be aware that we still rely on two non-base images (ontop and tomcat, which will probably change with 24.03). So we kept the update/upgrade packages there temporarily.

@SebastianBezold

Hi @drcgjung,

I'll have a look. The current DEPENDENCIES file has restricted libs listed though. This prevents us from creating a release.
I'll create the IP issues with dash. Then we have two options: wait for them to resolve before even merging the PR, or merge the PR and wait with the release creation. I usually tend to the first option, because it limits the risk of creating a release with restricted DEPENDENCIES entries. What do you think?

@drcgjung

A single one needs to be resolved manually:

https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11624

(wherever they managed to dig out the OGL reference, most likely some demo/test file of open spatial/geography provenance ...)

@drcgjung

@SebastianBezold due to the latest "surprises" with veracode in the knowledge-agents repo and the projected target date of 28th Nov from Eclipse, I would appreciate it if we could already merge this PR and do the remaining IP check/release afterwards. Thx.

@SebastianBezold


Just pushed the latest update to the DEPENDENCIES file, so we at least have the issue number and can show that it's taken care of.

@SebastianBezold SebastianBezold merged commit 62e646d into eclipse-tractusx:main Nov 22, 2023
5 checks passed
@drcgjung drcgjung deleted the fix/upgrade-ontop-510 branch April 17, 2024 09:11