Merge remote-tracking branch 'origin/main' into release

eclipse-tractusx · Jul 10, 2024 · 4df4ceb · 4df4ceb
2 parents b20dd03 + f7a52d0
commit 4df4ceb
Show file tree

Hide file tree

Showing 10 changed files with 457 additions and 90 deletions.
diff --git a/.github/workflows/publish-image-semantic-hub.yml b/.github/workflows/publish-image-semantic-hub.yml
@@ -59,19 +59,6 @@ jobs:
       - name: install dependencies
         working-directory: ./.github/actions/generate-dependencies-notice
         run: npm install
-      - name: baselayer-licenses
-        uses: philips-labs/[email protected]
-        with:
-          image: eclipse-temurin:17-jre-alpine
-          format: json
-          output: ./base-image-layers.json
-      - name: dependency-licenses
-        uses: ./.github/actions/generate-dependencies-notice
-        with:
-          version: ${{ github.ref_name }}
-          base-path: ${{ github.workspace }}
-          maven-deps-path: ./backend/maven.deps
-          base-image-layers-path: ./base-image-layers.json
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v4

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -18,8 +18,16 @@
 name: Trivy
 
 on:
+  push:
+    branches: [main, master]
+  # pull_request:
+  # The branches below must be a subset of the branches above
+  #   branches: [main, master]
+  #   paths-ignore:
+  #     - "**/*.md"
+  #     - "**/*.txt"
   schedule:
-    - cron: 0 0 * * *
+    - cron: "0 0 * * *"
   workflow_dispatch:
 
 jobs:
@@ -35,17 +43,20 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.14.0
+        uses: aquasecurity/trivy-action@0.18.0
         with:
           scan-type: "config"
-          # ignore-unfixed: true
-          hide-progress: false
           format: "sarif"
           output: "trivy-results1.sarif"
+          severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
+          # ignore-unfixed: true
+          hide-progress: false
           vuln-type: "os,library"
+          exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
+          limit-severities-for-sarif: true
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: "trivy-results1.sarif"
@@ -69,17 +80,20 @@ jobs:
         run: mvn clean package -DskipTests
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.14.0
+        uses: aquasecurity/trivy-action@0.18.0
         with:
           image-ref: "tractusx/sldt-semantic-hub:latest"
-          # ignore-unfixed: true
-          hide-progress: false
           format: "sarif"
           output: "trivy-results-semantic-hub.sarif"
+          severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
+          # ignore-unfixed: true
+          hide-progress: false
+          exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
           vuln-type: "os,library"
+          limit-severities-for-sarif: true
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: "trivy-results-semantic-hub.sarif"
diff --git a/.github/workflows/veracode.yaml b/.github/workflows/veracode.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.4.0
+### Added
+
+## fixed
+- Implemented mandatory changes in licensing and legal documentation
+
 ## 0.3.2
 ### Added
 - Update Springboot to version 3.2.4

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -8,24 +8,40 @@ The companies involved want to increase the automotive industry's
 competitiveness, improve efficiency through industry-specific cooperation and
 accelerate company processes through standardization and access to information
 and data. A special focus is also on SMEs, whose active participation is of
-central importance for the networkâ€™s success. That is why Catena-X has been
+central importance for the network's success. That is why Catena-X has been
 conceived from the outset as an open network with solutions ready for SMEs,
 where these companies will be able to participate quickly and with little IT
 infrastructure investment. Tractus-X is meant to be the PoC project of the
 Catena-X alliance focusing on parts traceability.
 
 * https://projects.eclipse.org/projects/automotive.tractusx
 
+## Project licenses
+
+The Tractus-X project uses the following licenses:
+
+* Apache-2.0 for code
+* CC-BY-4.0 for non-code
+
+## Terms of Use
+
+This repository is subject to the Terms of Use of the Eclipse Foundation
+
+* https://www.eclipse.org/legal/termsofuse.php
+
 ## Developer resources
 
 Information regarding source code management, builds, coding standards, and
 more.
 
 * https://projects.eclipse.org/projects/automotive.tractusx/developer
 
+Getting started:
+
+* https://eclipse-tractusx.github.io/docs/developer
+
 The project maintains the following source code repositories
 
-* https://github.com/eclipse/tractusx
 * https://github.com/eclipse-tractusx/sldt-semantic-hub
 * https://github.com/eclipse-tractusx/sldt-digital-twin-registry
 * https://github.com/eclipse-tractusx/portal-frontend