R24.03 Digital Product Pass DPP BatteryPass - Release Checks

[kelaja]

Release Info

Please provide information on what you want to be included in the Eclipse Tractus-X release.
If you are not owner of this issue, please provide the information as comment to the issue.

Version to be included in Eclipse Tractus-X release:
App Version: v2.1.3
Chart Version: 2.1.4

Leading product repository: https://github.com/eclipse-tractusx/digital-product-pass

QG4 Review Date: 21.02.2024

Compliance Verifications

This issue tracks all compliance related checks, that need to be performed for a product release in Eclipse Tractus-X.

• Gaia-X compliance confirmed
• GDPR compliance confirmed (personal data, data protection + privacy DPP)
• Interoperability checks performed
• Data Sovereignty checks performed
• Compliant with relevant published CX Standards (see the Catena-X standard library)

Documentation

• Arc24 documentation up-to-date
• Administrators Guide up-to-date
• End-User manual up-to-date
• Interface documentation up-to-date

Security Checks

• Thread Modelling Analysis passed
• Static Application Security Testing (SAST) scans passed
• Dynamic Application Security Testing (DAST) tests passed
• Secret Scans passed
• Software Composition Analysis (SCA) passed
• Container Scans passed
• Infrastructure as Code (IaC) scans passed

General Checks

• Tractus-X Release Guidelines fulfilled
  - R24.03 Digital Product Pass Tractus-X Release Guideline Check sig-infra#440
  - QG 4 checks Release 24.03 digital-product-pass#180
• Compliant with the Style Guide

Test Results

• E2E Integration Test passed
• User Journey approved

Helpful Links

• Eclipse Tractus-X openAPI specs on SwaggerHub
• Catena-X standard library

[matbmoser]

We have a release candidate: https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/v2.1.1

The TRGs were check for compliance in the following ticket: eclipse-tractusx/digital-product-pass#180

The Security Scans are all passed including Veracode (SCA and Code Scan). I have requested today the review from the Security Team.

• Also requested the Documentation review from our repository.
• Interoperability is also requested for approval.
• Requested UX Review

I will inform here of the status of the reviews and findings

[matbmoser]

Little remark here: eclipse-tractusx/digital-product-pass#224

There was a frontend import missing, so the basic E2E test of scanning a QR code was not working. We added it to the release candidate v2.1.1 in order for the E2E tests to be passed.

The security scans have been done again and since nothing has changed they are passed.

Today I had a meeting with @szymonkowalczykzf to talk about the Threat Modelling and this was informed there. He will add the security thread modelling in our repo in docs/security

[BANANAS1337]

SCA and SAST and SecretScan approved

[szymonkowalczykzf]

Security Assessment Process (Threat Modeling Analysis) approved.

Re-assessment was done on Wednesday 7th Feb 2024. All finding are properly addressed and mitigated.
Documentation of the assessment will be uploaded soon to the Docs part of the Product Repo.

[matbmoser]

Thank you @BANANAS1337 and @szymonkowalczykzf! @RoKrish14 can you do the review to the IaC, Container Scan and DAST?

[jjeroch]

@matbmoser - updates needed

Findings:

• please update the radio button used for the policy selection. The shared component is not used till now - https://eclipse-tractusx.github.io/portal-shared-components/?path=/story/form--radio;additionally to the radio button itself, the text value color is wrong

• wrong button design used - please use the buttons as per the shared component shared - https://dpp.int.demo.catena-x.net/passport/CX:M4GP456:IMR18650V1

• shared component overlay design not used - update needed. Shared component: https://eclipse-tractusx.github.io/portal-shared-components/?path=/docs/modal--docs

Functional Findings:

• the policy rule is not human readable; can you please setup a real policy rule; the one I can see there seems to be a fake rule. I can not find the actual ODRL details
• Even after "Confirming" the negotiation; the application ask for re-negotiation all the time again whenever I refresh - please check.
• System Help missing - where can I find the system documentation/enduser help?

Heads-up: the battery pass will not pass the 24.05. tests with the current implementation. Please review the Data Sovereignty Guidelines for 24.05. carefully to be able to pass 24.05.

[matbmoser]

It was missing to move this ticket to Expert Review. I adjusted it to the current status of the ticket.
it was mentioned to us that for asking review it needed to be in "Expert Review" Status

[matbmoser]

We needed to re-release the tag because there was a mistake in the header licenses:
https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/v2.1.3

The issue was raised here: eclipse-tractusx/digital-product-pass#231

There was no code changes, just comments in the files. We just request the security team @RoKrish14 to see the diff and re-approve the Security Aspects: eclipse-tractusx/digital-product-pass@v2.1.2...v2.1.3

In this release is also included the comments in the .trivyignore that were required to get the security approval before.

We needed to fix the mistake in the header license. And it was done and now is good to go :)

At the end in the release just the "Tractus-X" part was added.

[RoKrish14]

[v2.1.3]

SAST: Approved
SCA: Approved
Secret Scanning: Approved
DAST: Approved
Container Scanning: Approved
IAC: Approved

[thorstendikmann]

Confirming "Compliant with relevant published CX Standards".
The application follows Catena-X standards, most relevant:

• CX-0001 EDC Discovery API
• CX-0002 Digital Twins in Catena - X
• CX-0003 SAMM Semantic Aspect Meta Model
• CX-0006 Registration and initial onboarding
• CX-0008 Relevant standards for conformity assessments
• CX-0013 Identity of Member Companies
• CX-0014 Employees and Technical Users
• CX-0015 IAM & Access Control Paradigm
• CX-0016 Company Attribute Verification
• CX-0017 Company Role by the Connector
• CX-0018 Eclipse Data Space Connector (EDC)
• CX-0049 DID Document
• CX-0050 Framework Agreement Credential
• CX-0051 Summary Credential

plus additionally

• CX-0005 Item Relationship Service API

and for the data model:

• CX-0034 Data Model Battery Pass
• CX-0095 Data Model Transmission Pass
• CX-0103 Aspect Model Digital Product Passport

Furthere details are listed in the CX-0096 Triangle For Digital Product Pass.

[thorstendikmann]

Confirming // Internal documentation

• Gaia-X compliance confirmed [CMP-1081]
• GDPR compliance confirmed (personal data, data protection + privacy DPP) [CMP-1082]
• User Journey approved (by BO) [CMP-1092] and [TEST-1754]
• E2E Integration Test passed [CMP-1091] and [TEST-1754]

[thorstendikmann]

Confirming

• Compliant with the Style Guide // feedback of @jjeroch (feel free to comment :) )
• Data Sovereignty checks performed // see [CMP-1089], while continuing to follow the R3.2 DS guardrails, even improving on visual components and BPN Auth

[szymonkowalczykzf]

Security Assessment Process (Threat Modeling Analysis) approved.

Re-assessment was done on Wednesday 7th Feb 2024. All finding are properly addressed and mitigated.
Documentation of the assessment was updated in the Confluence - Security Assessment - Product Passport Application - Catena-X - IT Security - Confluence

It will be uploaded later to the Docs part of the Product Pass Repo.

[MonaBschaden]

As discussed earlier: since everything is the same as before approval it is approved

[DirkBTSI]

INT test not performed/not documented.
E2E test performed/documented.
No high defect.
TM - approval open

Updated 24-02-21
INT test performed/documented.
TM approved
@kelaja : please approve for "E2E Integration Test passed"

[hzierer]

System team check concluded successfully eclipse-tractusx/digital-product-pass#180

Small issue with documentation in github needs clarification, but this should not affect the release

[matbmoser]

System team check concluded successfully eclipse-tractusx/digital-product-pass#180

Small issue with documentation in github needs clarification, but this should not affect the release

Since the issue need further clarification and not affects the release I created a ticket to discuss that later: eclipse-tractusx/digital-product-pass#236

Therefore I will mark the TRGs as approved.

[matbmoser]

INT test not performed/not documented. E2E test performed/documented. No high defect. TM - approval open

Updated 24-02-21 INT test performed/documented. TM approved @kelaja : please approve for "E2E Integration Test passed"

I will include that as approved too

[vialkoje]

Documentation existing and content is looking reasonable. Also no specific sovereignty requirement for 24.03.Expert Approval granted.

Please consider the Q-Gate criteria for 24.05. have a good PI !

[matbmoser]

Thank you @vialkoje!!

Marking Documentation as Approved then! Thank you very much everyone for the review!

[matbmoser]

@kelaja are we ready to close this ticket? I am removing myself and all the other reviewers from the assignment.

[RolaH1t]

all pre-conditions fulfilled;
QG approval granted!
Congrats!