[TRACE-X] QG 4 checks (Release 24.08)

[mkanal]

---

name: Quality Gate Checklist
about: 'product check for a upcoming Release'
title: 'QG X checks (Release 24.8)'
labels: documentation
assignees: @mkanal

---

QG checks

Please open and fill in this issue in your product repository to document the compliance with our Tractus-X Release Guideline (TRGs)

Show compliance with TRGs by referencing to a tagged link in the respective repository where possible, example: TRG 1.01 (see github.com/eclipse-tractusx/example-repo/tree/1.0.0/README.md)

Close this issue once the compliance with the TRGs has been documented

Committer(s): https://github.com/eclipse-tractusx/traceability-foss/blob/main/AUTHORS.md
Helm Chart Version: https://github.com/eclipse-tractusx/traceability-foss/releases/tag/helm-charts-1.3.43
App Version: https://github.com/eclipse-tractusx/traceability-foss/releases/tag/13.0.1

Release Management Reference Issue:

Check of Tractus-X Release Guidelines

• Currently implemented automatic checks can be found under your product on our Release Guidelines Checks Board
• This QG Check is depending on the mandatory information from our current Release Guidelines

TRG 1 Documentation

• TRG 1.01 appropriate README.md
• TRG 1.02 appropriate install instructions either INSTALL.md or in README.md
• TRG 1.03 appropriate CHANGELOG.md
• TRG 1.04 editable static files

TRG 2 Git

• TRG 2.01 default branch is named main
• TRG 2.03 repository structure
• TRG 2.04 leading product repository
• TRG 2.05 .tractusx metafile in a proper format
• TRG 2.06 Dependabot

TRG 3 Kubernetes

• TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

TRG 4 Container

• TRG 4.01 semantic versioning and tagging
• TRG 4.02 base image is agreed
• TRG 4.03 image has USER command and Non Root Container
• TRG 4.05 released image must be placed in DockerHub, remove GHCR references
• TRG 4.06 separate notice file for DockerHub has all necessary information
• TRG 4.07 root file system is set to read access by default, but can be overwritten by the user

TRG 5 Helm

• TRG 5.01 Helm chart requirements
• TRG 5.02 Helm chart location in /charts directory and correct structure
• TRG 5.03 proper version strategy
• TRG 5.04 CPU / MEM resource requests and limits and are properly set
• TRG 5.06 Application must be configurable through the Helm chart
• TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
• TRG 5.08 Product has a single deployable helm chart that contains all components
• TRG 5.09 Helm Test running properly
• TRG 5.10 Products need to support 3 versions at a time
• TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

• TRG 6.01 Released Helm Chart

TRG 7 Open Source Governance

• TRG 7.01 Legal Documentation
• TRG 7.02 License and copyright header
• TRG 7.03 IP checks for project content
• TRG 7.04 IP checks for 3rd party content
• TRG 7.05 Legal information for distributions
• TRG 7.06 Legal information for end user content
• TRG 7.07 Legal notice for documentation
• TRG 7.08 Legal notice for KIT documentation

TRG 8 Security

• TRG 8.01 Mitigate high and above findings in CodeQL
• TRG 8.02 Mitigate high and above findings in KICS
• TRG 8.04 Mitigate high and above findings in Trivy #1273
• TRG 8.03 No secret findings by GitGuardian or TruffleHog

Hints

Information Sharing

[mkanal]

Hi @ds-jhartmann would you please proceed the TRG checks for Trace-X. Thank you very much.

[mkanal]

appropriate CHANGELOG.md

• latest released version should be on top
• each released version should have a separate block entry and each version should be linked to the corresponding tag
• use the "unreleased section" to track updates to features or functions of upcoming releases
• same kinds of changes should be grouped (e.g. changed, fixed, removed, etc.) and each change should be linked to the corresponding issue or pull request

[mkanal]

TRG 1.04 editable static files

• Chore/#1070 release checks 24.8 chore(png):[#1070] add changelog entry #1250
• chore(png):[#1070] Convert png to svg #1249

[mkanal]

TRG 2.03 repository structure

• /docs
• /charts
• CODE_OF_CONDUCT.md
• CONTRIBUTING.md
• DEPENDENCIES
• LICENSE
• NOTICE.md
• README.md
• SECURITY.md
• AUTHORS.md
• INSTALL.md

[mkanal]

https://github.com/eclipse-tractusx/traceability-foss/blob/main/.tractusx LGFM

[mkanal]

TRG 1.02 appropriate install instructions either INSTALL.md or in README.md

• @ds-jhartmann description is required to have a proper and working install instruction this will be resolved with [PRIO 2] Local development setup #511

[mkanal]

TRG 2.06 Dependabot

• Checked https://github.com/eclipse-tractusx/traceability-foss/blob/main/.github/dependabot.yml

[mkanal]

TRG 4.01 semantic versioning and tagging

• https://github.com/eclipse-tractusx/traceability-foss/releases/tag/13.0.0

[mkanal]

TRG 7.01 Legal Documentation

• LICENSE
• LICENSE_non-code
• NOTICE.md
• DEPENDENCIES
• SECURITY.md
• CONTRIBUTING.md
• CODE_OF_CONDUCT.md
• Apache-2.0 for code
• CC-BY-4.0 for non-code

[mkanal]

[mkanal]

TRG 7.05 Legal information for distributions

• LICENSE
• NOTICE.md
• DEPENDENCIES file(s)
• SECURITY

[mkanal]

TRG 7.06 Legal information for end user content

• Copyright statements https://github.com/eclipse-tractusx/traceability-foss/blob/49bbbed1da45a4f46b85602ad333c19c8a0e78aa/NOTICE.md
• License https://github.com/eclipse-tractusx/traceability-foss/blob/49bbbed1da45a4f46b85602ad333c19c8a0e78aa/NOTICE.md
• Trademarks owned by the Eclipse Foundation on behalf of the project >> NOTICE.md
• The source code repositories
• Used 3rd party libraries
• When applicable a cryptography notice https://github.com/eclipse-tractusx/traceability-foss/blob/49bbbed1da45a4f46b85602ad333c19c8a0e78aa/NOTICE.md

deploy: 49bbbed

[mkanal]

[mkanal]

@ds-lcapellino
KICS is outdated:

[mkanal]

KICS no findings

[mkanal]

PO acceptance in behalf of @jzbmw