Merge branch 'main' into feature/639-policy-store-api-paging

.github/workflows/trivy-image-scan.yml

@@ -58,9 +58,11 @@ jobs:
           image-ref: "localhost:5000/irs-api:testing"
           format: "sarif"
           output: "trivy-results2.sarif"
-          exit-code: "1"
+          exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
           severity: "CRITICAL,HIGH"
           trivyignores: .config/.trivyignore
+          limit-severities-for-sarif: true
+
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: always()

CHANGELOG.md

@@ -12,6 +12,7 @@ _**For better traceability add the corresponding GitHub issue number in each cha
 
 - Fixed ESS Investigation job processing not starting #579
 - Policy store API returns 'rightOperand' without 'odrl:' prefix now (see traceability-foss/issues/970).
+- Fixed trivy workflow to fail only on CRITICAL, HIGH (according to https://github.com/eclipse-tractusx/eclipse-tractusx.github.io/pull/949/files).
 
 ### Changed
 

DEPENDENCIES

@@ -305,12 +305,12 @@ maven/mavencentral/org.eclipse.tractusx.edc/core-spi/0.6.0, Apache-2.0, approved
 maven/mavencentral/org.eclipse.tractusx.edc/edr-api/0.6.0, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.eclipse.tractusx.edc/edr-spi/0.6.0, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.eclipse.tractusx.irs/irs-api/0.0.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
-maven/mavencentral/org.eclipse.tractusx.irs/irs-common/2.1.0, Apache-2.0, approved, automotive.tractusx
-maven/mavencentral/org.eclipse.tractusx.irs/irs-edc-client/2.1.0, Apache-2.0, approved, automotive.tractusx
-maven/mavencentral/org.eclipse.tractusx.irs/irs-models/2.1.0, Apache-2.0, approved, automotive.tractusx
+maven/mavencentral/org.eclipse.tractusx.irs/irs-common/2.1.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
+maven/mavencentral/org.eclipse.tractusx.irs/irs-edc-client/2.1.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
+maven/mavencentral/org.eclipse.tractusx.irs/irs-models/2.1.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.eclipse.tractusx.irs/irs-policy-store/0.0.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
-maven/mavencentral/org.eclipse.tractusx.irs/irs-registry-client/2.1.0, Apache-2.0, approved, automotive.tractusx
-maven/mavencentral/org.eclipse.tractusx.irs/irs-testing/2.1.0, Apache-2.0, approved, automotive.tractusx
+maven/mavencentral/org.eclipse.tractusx.irs/irs-registry-client/2.1.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
+maven/mavencentral/org.eclipse.tractusx.irs/irs-testing/2.1.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.glassfish/jakarta.json/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jsonp
 maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined

irs-api/src/test/java/org/eclipse/tractusx/irs/aaswrapper/job/delegate/RelationshipDelegateTest.java

@@ -391,7 +391,7 @@ void shouldCatchUsagePolicyExceptionAndPutTombstone() throws EdcClientException
 
         // when
         when(submodelFacade.getSubmodelPayload(any(), any(), any(), any())).thenThrow(
-                new UsagePolicyPermissionException("itemId", null, businessPartnerNumber));
+                new UsagePolicyPermissionException(List.of(), null, businessPartnerNumber));
         when(connectorEndpointsService.fetchConnectorEndpoints(any())).thenReturn(List.of("connector.endpoint.nl"));
         final ItemContainer result = relationshipDelegate.process(itemContainerWithShell, jobParameter(),
                 new AASTransferProcess(), createKey());

irs-api/src/test/java/org/eclipse/tractusx/irs/aaswrapper/job/delegate/SubmodelDelegateTest.java

@@ -153,7 +153,7 @@ void shouldCatchUsagePolicyExceptionAndPutTombstone() throws EdcClientException
 
         // when
         when(submodelFacade.getSubmodelPayload(any(), any(), any(), any())).thenThrow(
-                new UsagePolicyPermissionException("itemId", null, businessPartnerNumber));
+                new UsagePolicyPermissionException(List.of(), null, businessPartnerNumber));
         when(connectorEndpointsService.fetchConnectorEndpoints(any())).thenReturn(List.of("connector.endpoint.nl"));
         final ItemContainer result = submodelDelegate.process(itemContainerShellWithTwoSubmodels,
                 jobParameterCollectAspects(), new AASTransferProcess(), createKey());

irs-edc-client/src/main/java/org/eclipse/tractusx/irs/edc/client/ContractNegotiationService.java

@@ -127,13 +127,13 @@ private CompletableFuture<NegotiationResponse> startNewNegotiation(final String
 
         if (!policyCheckerService.isValid(catalogItem.getPolicy(), bpn)) {
             log.warn("Policy was not allowed, canceling negotiation.");
-            throw new UsagePolicyPermissionException(catalogItem.getItemId(), catalogItem.getPolicy(),
+            throw new UsagePolicyPermissionException(policyCheckerService.getValidStoredPolicies(catalogItem.getConnectorId()), catalogItem.getPolicy(),
                     catalogItem.getConnectorId());
         }
 
         if (policyCheckerService.isExpired(catalogItem.getPolicy(), bpn)) {
             log.warn("Policy is expired, canceling negotiation.");
-            throw new UsagePolicyExpiredException(catalogItem.getItemId(), catalogItem.getPolicy(),
+            throw new UsagePolicyExpiredException(catalogItem.getPolicy(),
                     catalogItem.getConnectorId());
         }
 

irs-edc-client/src/main/java/org/eclipse/tractusx/irs/edc/client/exceptions/UsagePolicyExpiredException.java

@@ -31,10 +31,10 @@ public class UsagePolicyExpiredException extends EdcClientException {
     private final transient Policy policy;
     private final String businessPartnerNumber;
 
-    public UsagePolicyExpiredException(final String itemId, final Policy policy, final String businessPartnerNumber) {
-        super("Consumption of asset '" + itemId
-                + "' is not permitted as the required catalog offer policies are expired.");
+    public UsagePolicyExpiredException(final Policy policy, final String businessPartnerNumber) {
+        super("Policy  from " + businessPartnerNumber + " has expired.");
         this.policy = policy;
         this.businessPartnerNumber = businessPartnerNumber;
     }
+
 }

irs-edc-client/src/main/java/org/eclipse/tractusx/irs/edc/client/exceptions/UsagePolicyPermissionException.java

@@ -23,8 +23,11 @@
  ********************************************************************************/
 package org.eclipse.tractusx.irs.edc.client.exceptions;
 
+import java.util.List;
+
 import lombok.Getter;
 import org.eclipse.edc.policy.model.Policy;
+import org.eclipse.tractusx.irs.edc.client.policy.AcceptedPolicy;
 
 /**
  * Usage Policy Permission Exception errors in the contract negotiation.
@@ -35,11 +38,15 @@ public class UsagePolicyPermissionException extends EdcClientException {
     private final transient Policy policy;
     private final String businessPartnerNumber;
 
-    public UsagePolicyPermissionException(final String itemId, final Policy policy,
-            final String businessPartnerNumber) {
-        super("Consumption of asset '" + itemId
-                + "' is not permitted as the required catalog offer policies do not comply with defined policies.");
-        this.policy = policy;
+    public UsagePolicyPermissionException(final List<AcceptedPolicy> acceptedPolicies,
+            final Policy providedCatalogItemPolicy, final String businessPartnerNumber) {
+        super("Policies "
+                + acceptedPolicies.stream().map(policy -> policy.policy().getPolicyId()).toList()
+                + " did not match with policy from " + businessPartnerNumber + ".");
+
+        this.policy = providedCatalogItemPolicy;
         this.businessPartnerNumber = businessPartnerNumber;
+
     }
+
 }

irs-edc-client/src/main/java/org/eclipse/tractusx/irs/edc/client/policy/PolicyCheckerService.java

@@ -70,7 +70,7 @@ private boolean hasExpiredConstraint(final Permission permission, final List<Acc
                                           acceptedPolicy -> acceptedPolicy.validUntil().isBefore(OffsetDateTime.now()));
     }
 
-    private List<AcceptedPolicy> getValidStoredPolicies(final String bpn) {
+    public List<AcceptedPolicy> getValidStoredPolicies(final String bpn) {
         return policyStore.getAcceptedPolicies(bpn).stream().toList();
     }
 

irs-edc-client/src/test/java/org/eclipse/tractusx/irs/edc/client/SubmodelFacadeWiremockTest.java

@@ -37,6 +37,7 @@
 import static org.eclipse.tractusx.irs.testing.wiremock.SubmodelFacadeWiremockSupport.TRACEABILITY_1_0;
 import static org.eclipse.tractusx.irs.testing.wiremock.WireMockConfig.responseWithStatus;
 import static org.eclipse.tractusx.irs.testing.wiremock.WireMockConfig.restTemplateProxy;
+import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -235,13 +236,13 @@ void shouldThrowExceptionWhenPoliciesAreNotAccepted() {
         final AcceptedPolicy acceptedPolicy = new AcceptedPolicy(policy("IRS Policy", List.of(permission)),
                 OffsetDateTime.now().plusYears(1));
 
-        when(acceptedPoliciesProvider.getAcceptedPolicies("bpn")).thenReturn(List.of(acceptedPolicy));
+        when(acceptedPoliciesProvider.getAcceptedPolicies(anyString())).thenReturn(List.of(acceptedPolicy));
 
         prepareNegotiation();
         givenThat(get(urlPathEqualTo(SUBMODEL_DATAPLANE_PATH)).willReturn(responseWithStatus(200).withBody("test")));
 
         // Act & Assert
-        final String errorMessage = "Consumption of asset '5a7ab616-989f-46ae-bdf2-32027b9f6ee6-31b614f5-ec14-4ed2-a509-e7b7780083e7' is not permitted as the required catalog offer policies do not comply with defined policies.";
+        final String errorMessage = "Policies [IRS Policy] did not match with policy from BPNL00000000TEST.";
         assertThatExceptionOfType(UsagePolicyPermissionException.class).isThrownBy(
                 () -> edcSubmodelClient.getSubmodelPayload(CONNECTOR_ENDPOINT_URL, SUBMODEL_DATAPLANE_URL, ASSET_ID, "bpn")
                                        .get()).withMessageEndingWith(errorMessage);

pom.xml

@@ -75,7 +75,7 @@
         </sonar.coverage.jacoco.xmlReportPaths>
 
         <!-- IRS Registry Client Library -->
-        <irs-registry-client.version>2.1.0</irs-registry-client.version>
+        <irs-registry-client.version>2.1.2-SNAPSHOT</irs-registry-client.version>
 
         <!-- Dependencies -->
         <springboot.version>3.1.11</springboot.version>