From e8e4ef3410f6ee07cc178bd19ee9adb095d57105 Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Fri, 22 Mar 2024 17:14:18 +0100 Subject: [PATCH 01/10] feat: added codeql workflow --- .github/workflows/codeql.yaml | 98 +++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 .github/workflows/codeql.yaml diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml new file mode 100644 index 000000000..847fba014 --- /dev/null +++ b/.github/workflows/codeql.yaml 
@@ -0,0 +1,98 @@ +################################################################################# +# Tractus-X - Digital Product Passport Application +# +# Copyright (c) 2022, 2024 BASF SE, BMW AG, Henkel AG & Co. KGaA +# Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, +# either express or implied. See the +# License for the specific language govern in permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +name: "CodeQL" + +on: + push: + branches: ["main"] + paths-ignore: + - "**/*.md" + - "**/*.txt" + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + paths-ignore: + - "**/*.md" + - "**/*.txt" + schedule: + - cron: "0 0 * * 0" + workflow_dispatch: + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + timeout-minutes: 360 + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["java"] # Define languages here + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v4 
+ + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file + # By default, queries listed here will override any specified in a config file + # Prefix the list here with "+" to use these queries and those in the config file + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # Use +security-extended,security-and-quality for wider security and better code quality + queries: +security-extended,security-and-quality + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift) + # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + run: cd dpp-backend + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + fail-on: error From 656832c511e279dd01d47bcf61ba0b10939d5a36 Mon Sep 17 00:00:00 2001 
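Review bot: The CodeQL steps mix major versions — `github/codeql-action/init@v2` and `autobuild@v2` are paired with `github/codeql-action/analyze@v3` — and init and analyze must come from the same release line, so the analyze step should be `uses: github/codeql-action/analyze@v2` (or all three moved to v3 together). For a job that holds `security-events: write`, the actions should also be pinned to full commit SHAs rather than floating tags (`uses: github/codeql-action/init@<full-sha> # v3.x.y`) so that a moved tag cannot run arbitrary code with that scope. The `Autobuild` step declares both `uses:` and `run:`, which the workflow parser rejects for a single step. I also cannot find `fail-on: error` among the documented inputs of `analyze`; if it is an unknown input it is ignored with a warning instead of gating the run, so verify it against the action's `action.yml` before relying on it.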
From: Muhammad Saud Khan Date: Tue, 2 Apr 2024 16:24:51 +0200 Subject: [PATCH 02/10] chore(fix): fixed codeql workflow --- .github/workflows/codeql.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 847fba014..6df004392 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -25,7 +25,7 @@ name: "CodeQL" on: push: - branches: ["main"] + branches: ["main", "feature/cmp-1135/security-requirements"] paths-ignore: - "**/*.md" - "**/*.txt" @@ -80,7 +80,8 @@ jobs: # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v2 - run: cd dpp-backend + with: + context: dpp-backend # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun From 1bdf16119094f735dd3f9672baf442879edef061 Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Tue, 2 Apr 2024 16:50:13 +0200 Subject: [PATCH 03/10] chore(fix): replace Autobuild step with manual build to codeql workflow --- .github/workflows/codeql.yaml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 25f748ed8..33d4c25fa 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml 
@@ -78,11 +78,14 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift) # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - with: - working-directory: dpp-backend/digitalproductpass - + - name: Setup Java + uses: ./.github/actions/setup-java + + - name: Build dpp-backend + #uses: github/codeql-action/autobuild@v2 + run: | + cd dpp-backend/digitalproductpass + mvn -B clean install # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun From 84ac2364d031cf43aa85c384201a7314b52f9f6e Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Tue, 2 Apr 2024 17:31:30 +0200 Subject: [PATCH 04/10] chore(fix): fixed CodeQL issues --- .github/workflows/codeql.yaml | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 33d4c25fa..b27a6cfda 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -21,11 +21,11 @@ # SPDX-License-Identifier: Apache-2.0 ################################################################################# -name: "CodeQL" +name: "CodeQL Code Analysis" on: push: - branches: ["main", "feature/cmp-1135/security-requirements"] + branches: ["main"] paths-ignore: - "**/*.md" - "**/*.txt" @@ -62,6 +62,9 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + - name: Setup JDK 21 + uses: ./.github/actions/setup-java + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v2 
@@ -78,25 +81,20 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift) # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup # If this step fails, then you should remove it and run the build manually (see below) - - name: Setup Java - uses: ./.github/actions/setup-java - - name: Build dpp-backend + # - name: Autobuild #uses: github/codeql-action/autobuild@v2 - run: | - cd dpp-backend/digitalproductpass - mvn -B clean install + # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun # If the Autobuild fails above, remove it and uncomment the following three lines modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + - name: Build Package + run: | + cd dpp-backend/digitalproductpass + mvn -B clean install --batch-mode -DskipTests - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" - fail-on: error + From 89a2fa7944ff2fa21e6d73d3dd6406cd201300ab Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Mon, 8 Apr 2024 15:03:38 +0200 Subject: [PATCH 05/10] chore(fix): fixed springboot vulnerability in pom file --- dpp-backend/digitalproductpass/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dpp-backend/digitalproductpass/pom.xml b/dpp-backend/digitalproductpass/pom.xml index 0b71dc1b4..462ec92d5 100644 --- a/dpp-backend/digitalproductpass/pom.xml +++ b/dpp-backend/digitalproductpass/pom.xml @@ -29,7 +29,7 @@ org.springframework.boot spring-boot-starter-parent - 3.2.2 + 3.2.4 org.eclipse.tractusx From 16b377ee917f7c25a9e38fca2c9453c68f0a37b0 Mon Sep 17 00:00:00 2001 
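Review bot: Dropping `category: "/language:${{matrix.language}}"` from the analyze step removes the only thing that keeps SARIF uploads distinct per matrix entry; `strategy.matrix.language` from the first commit is still in place, so adding a second language later would overwrite results under the same code-scanning category — I would keep `category: "/language:${{ matrix.language }}"` under `with:`. In the `Build Package` step `-B` and `--batch-mode` are the same flag, and `install` also copies artifacts into the runner's local repository, which CodeQL's build tracing does not need; `mvn -B clean package -DskipTests` (or `compile`) is sufficient and cheaper. The `init@v2` / `analyze@v3` major-version split visible in the context lines is still present after this change; both actions must come from the same major release for the database handoff to work.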
From: Muhammad Saud Khan Date: Mon, 22 Apr 2024 13:20:48 +0200 Subject: [PATCH 06/10] chore(ip-checks): executed ip checks to scan backend dependencies --- DEPENDENCIES_BACKEND | 142 +++++++++++++++++++++---------------------- 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/DEPENDENCIES_BACKEND b/DEPENDENCIES_BACKEND index 2d807d652..6e9c69829 100644 --- a/DEPENDENCIES_BACKEND +++ b/DEPENDENCIES_BACKEND 
@@ -1,12 +1,12 @@
 maven/mavencentral/ch.qos.logback/logback-classic/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3435
 maven/mavencentral/ch.qos.logback/logback-core/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3373
-maven/mavencentral/com.fasterxml.jackson.core/jackson-annotations/2.15.3, Apache-2.0, approved, #7947
-maven/mavencentral/com.fasterxml.jackson.core/jackson-core/2.15.3, MIT AND Apache-2.0, approved, #7932
-maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.15.3, Apache-2.0, approved, #7934
-maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.3, Apache-2.0, approved, #8802
-maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jdk8/2.15.3, Apache-2.0, approved, #8808
-maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.15.3, Apache-2.0, approved, #7930
-maven/mavencentral/com.fasterxml.jackson.module/jackson-module-parameter-names/2.15.3, Apache-2.0, approved, #8803
+maven/mavencentral/com.fasterxml.jackson.core/jackson-annotations/2.15.4, Apache-2.0, approved, #7947
+maven/mavencentral/com.fasterxml.jackson.core/jackson-core/2.15.4, MIT AND Apache-2.0, approved, #7932
+maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.15.4, Apache-2.0, approved, #7934
+maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.4, Apache-2.0, approved, #8802
+maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jdk8/2.15.4, Apache-2.0, approved, #8808
+maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.15.4, Apache-2.0, approved, #7930
+maven/mavencentral/com.fasterxml.jackson.module/jackson-module-parameter-names/2.15.4, Apache-2.0, approved, #8803
 maven/mavencentral/com.github.stephenc.jcip/jcip-annotations/1.0-1, Apache-2.0, approved, CQ21949
 maven/mavencentral/com.google.code.findbugs/jsr305/3.0.2, Apache-2.0, approved, #20
 maven/mavencentral/com.google.code.gson/gson/2.10, Apache-2.0, approved, #6159
@@ -15,7 +15,7 @@ maven/mavencentral/com.google.guava/failureaccess/1.0.1, Apache-2.0, approved, C
 maven/mavencentral/com.google.guava/guava/32.0.0-jre, Apache-2.0 AND CC0-1.0 AND CC-PDDC, approved, #8772
 maven/mavencentral/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava, Apache-2.0, approved, CQ22657
 maven/mavencentral/com.google.j2objc/j2objc-annotations/2.8, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.jayway.jsonpath/json-path/2.8.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/com.jayway.jsonpath/json-path/2.9.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/content-type/2.2, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/lang-tag/1.7, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.24.4, Apache-2.0, approved, clearlydefined
@@ -27,36 +27,36 @@ maven/mavencentral/commons-lang/commons-lang/2.6, Apache-2.0, approved, CQ6183
 maven/mavencentral/commons-logging/commons-logging/1.2, Apache-2.0, approved, CQ10162
 maven/mavencentral/commons-net/commons-net/3.9.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/io.github.classgraph/classgraph/4.8.149, MIT, approved, CQ22530
-maven/mavencentral/io.micrometer/micrometer-commons/1.12.2, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #11679
-maven/mavencentral/io.micrometer/micrometer-observation/1.12.2, Apache-2.0, approved, #11680
-maven/mavencentral/io.netty/netty-buffer/4.1.105.Final, Apache-2.0, approved, CQ21842
-maven/mavencentral/io.netty/netty-codec-dns/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-codec-http/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-codec-http2/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-codec-socks/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-codec/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-common/4.1.105.Final, Apache-2.0 AND MIT AND CC0-1.0, approved, CQ21843
-maven/mavencentral/io.netty/netty-handler-proxy/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-handler/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-resolver-dns-classes-macos/4.1.105.Final, Apache-2.0, approved, #6367
-maven/mavencentral/io.netty/netty-resolver-dns-native-macos/4.1.105.Final, Apache-2.0, approved, #7004
-maven/mavencentral/io.netty/netty-resolver-dns/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-resolver/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-transport-classes-epoll/4.1.105.Final, Apache-2.0, approved, #6366
-maven/mavencentral/io.netty/netty-transport-native-epoll/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-transport-native-unix-common/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-transport/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.projectreactor.netty/reactor-netty-core/1.1.15, Apache-2.0, approved, #5946
-maven/mavencentral/io.projectreactor.netty/reactor-netty-http/1.1.15, Apache-2.0, approved, #6999
-maven/mavencentral/io.projectreactor/reactor-core/3.6.2, Apache-2.0, approved, #13392
+maven/mavencentral/io.micrometer/micrometer-commons/1.12.4, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #11679
+maven/mavencentral/io.micrometer/micrometer-observation/1.12.4, Apache-2.0, approved, #11680
+maven/mavencentral/io.netty/netty-buffer/4.1.107.Final, Apache-2.0, approved, CQ21842
+maven/mavencentral/io.netty/netty-codec-dns/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-codec-http/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-codec-http2/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-codec-socks/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-codec/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-common/4.1.107.Final, Apache-2.0 AND MIT AND CC0-1.0, approved, CQ21843
+maven/mavencentral/io.netty/netty-handler-proxy/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-handler/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-resolver-dns-classes-macos/4.1.107.Final, Apache-2.0, approved, #6367
+maven/mavencentral/io.netty/netty-resolver-dns-native-macos/4.1.107.Final, Apache-2.0, approved, #7004
+maven/mavencentral/io.netty/netty-resolver-dns/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-resolver/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-transport-classes-epoll/4.1.107.Final, Apache-2.0, approved, #6366
+maven/mavencentral/io.netty/netty-transport-native-epoll/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-transport-native-unix-common/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-transport/4.1.107.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.projectreactor.netty/reactor-netty-core/1.1.17, Apache-2.0, approved, #5946
+maven/mavencentral/io.projectreactor.netty/reactor-netty-http/1.1.17, Apache-2.0, approved, #6999
+maven/mavencentral/io.projectreactor/reactor-core/3.6.4, Apache-2.0, approved, #13392
 maven/mavencentral/io.swagger.core.v3/swagger-annotations-jakarta/2.2.7, Apache-2.0, approved, #5947
 maven/mavencentral/io.swagger.core.v3/swagger-core-jakarta/2.2.7, Apache-2.0, approved, #5929
 maven/mavencentral/io.swagger.core.v3/swagger-models-jakarta/2.2.7, Apache-2.0, approved, #5919
-maven/mavencentral/jakarta.activation/jakarta.activation-api/2.1.2, EPL-2.0 OR BSD-3-Clause OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jaf
+maven/mavencentral/jakarta.activation/jakarta.activation-api/2.1.3, EPL-2.0 OR BSD-3-Clause OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jaf
 maven/mavencentral/jakarta.annotation/jakarta.annotation-api/2.1.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.ca
 maven/mavencentral/jakarta.servlet/jakarta.servlet-api/6.0.0, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.servlet
 maven/mavencentral/jakarta.validation/jakarta.validation-api/3.0.2, Apache-2.0, approved, ee4j.validation
-maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.1, BSD-3-Clause, approved, ee4j.jaxb
+maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.2, BSD-3-Clause, approved, ee4j.jaxb
 maven/mavencentral/net.minidev/accessors-smart/2.5.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/net.minidev/json-smart/2.5.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.apache.commons/commons-collections4/4.4, Apache-2.0, approved, clearlydefined
@@ -65,9 +65,9 @@ maven/mavencentral/org.apache.commons/commons-text/1.10.0, Apache-2.0, approved,
 maven/mavencentral/org.apache.logging.log4j/log4j-api/2.21.1, Apache-2.0 AND (Apache-2.0 AND LGPL-2.0-or-later), approved, #11079
 maven/mavencentral/org.apache.logging.log4j/log4j-core/2.21.1, Apache-2.0 AND (Apache-2.0 AND LGPL-2.0-or-later), approved, #12592
 maven/mavencentral/org.apache.logging.log4j/log4j-to-slf4j/2.21.1, Apache-2.0, approved, #11919
-maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-core/10.1.18, Apache-2.0 AND (EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND (CDDL-1.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND W3C AND CC0-1.0, approved, #5949
-maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-el/10.1.18, Apache-2.0, approved, #6997
-maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.18, Apache-2.0, approved, #7920
+maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-core/10.1.19, Apache-2.0 AND (EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND (CDDL-1.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND W3C AND CC0-1.0, approved, #5949
+maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-el/10.1.19, Apache-2.0, approved, #6997
+maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.19, Apache-2.0, approved, #7920
 maven/mavencentral/org.atteo/evo-inflector/1.3, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.bouncycastle/bcpkix-jdk15on/1.69, MIT, approved, clearlydefined
 maven/mavencentral/org.bouncycastle/bcprov-jdk15on/1.69, MIT, approved, clearlydefined
@@ -76,8 +76,8 @@ maven/mavencentral/org.checkerframework/checker-qual/3.33.0, MIT, approved, clea
 maven/mavencentral/org.codehaus.plexus/plexus-utils/3.2.1, , approved, CQ20774
 maven/mavencentral/org.ow2.asm/asm/9.3, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.reactivestreams/reactive-streams/1.0.4, CC0-1.0, approved, CQ16332
-maven/mavencentral/org.slf4j/jul-to-slf4j/2.0.11, MIT, approved, #7698
-maven/mavencentral/org.slf4j/slf4j-api/2.0.11, MIT, approved, #5915
+maven/mavencentral/org.slf4j/jul-to-slf4j/2.0.12, MIT, approved, #7698
+maven/mavencentral/org.slf4j/slf4j-api/2.0.12, MIT, approved, #5915
 maven/mavencentral/org.sonarsource.scanner.api/sonar-scanner-api/2.16.2.588, LGPL-3.0-or-later, approved, #6945
 maven/mavencentral/org.sonarsource.scanner.maven/sonar-maven-plugin/3.9.1.2184, LGPL-3.0-or-later, approved, #6944
 maven/mavencentral/org.sonatype.plexus/plexus-cipher/1.4, Apache-2.0, approved, CQ4600
@@ -85,48 +85,48 @@ maven/mavencentral/org.sonatype.plexus/plexus-sec-dispatcher/1.4, Apache-2.0, ap
 maven/mavencentral/org.springdoc/springdoc-openapi-starter-common/2.0.2, Apache-2.0, approved, #5920
 maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-api/2.0.2, Apache-2.0, approved, #5950
 maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-ui/2.0.2, Apache-2.0, approved, #5923
-maven/mavencentral/org.springframework.boot/spring-boot-autoconfigure/3.2.2, Apache-2.0, approved, #11751
-maven/mavencentral/org.springframework.boot/spring-boot-starter-data-rest/3.2.2, Apache-2.0, approved, #12594
-maven/mavencentral/org.springframework.boot/spring-boot-starter-json/3.2.2, Apache-2.0, approved, #11894
-maven/mavencentral/org.springframework.boot/spring-boot-starter-logging/3.2.2, Apache-2.0, approved, #11890
-maven/mavencentral/org.springframework.boot/spring-boot-starter-oauth2-client/3.2.2, Apache-2.0, approved, #12587
-maven/mavencentral/org.springframework.boot/spring-boot-starter-reactor-netty/3.2.2, Apache-2.0, approved, #12590
+maven/mavencentral/org.springframework.boot/spring-boot-autoconfigure/3.2.4, Apache-2.0, approved, #11751
+maven/mavencentral/org.springframework.boot/spring-boot-starter-data-rest/3.2.4, Apache-2.0, approved, #12594
+maven/mavencentral/org.springframework.boot/spring-boot-starter-json/3.2.4, Apache-2.0, approved, #11894
+maven/mavencentral/org.springframework.boot/spring-boot-starter-logging/3.2.4, Apache-2.0, approved, #11890
+maven/mavencentral/org.springframework.boot/spring-boot-starter-oauth2-client/3.2.4, Apache-2.0, approved, #12587
+maven/mavencentral/org.springframework.boot/spring-boot-starter-reactor-netty/3.2.4, Apache-2.0, approved, #12590
 maven/mavencentral/org.springframework.boot/spring-boot-starter-security/3.0.2, Apache-2.0, approved, #7329
-maven/mavencentral/org.springframework.boot/spring-boot-starter-tomcat/3.2.2, Apache-2.0, approved, #11923
+maven/mavencentral/org.springframework.boot/spring-boot-starter-tomcat/3.2.4, Apache-2.0, approved, #11923
 maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.0.2, Apache-2.0, approved, #5945
-maven/mavencentral/org.springframework.boot/spring-boot-starter-webflux/3.2.2, Apache-2.0, approved, #12589
-maven/mavencentral/org.springframework.boot/spring-boot-starter/3.2.2, Apache-2.0, approved, #11935
-maven/mavencentral/org.springframework.boot/spring-boot/3.2.2, Apache-2.0, approved, #11752
+maven/mavencentral/org.springframework.boot/spring-boot-starter-webflux/3.2.4, Apache-2.0, approved, #12589
+maven/mavencentral/org.springframework.boot/spring-boot-starter/3.2.4, Apache-2.0, approved, #11935
+maven/mavencentral/org.springframework.boot/spring-boot/3.2.4, Apache-2.0, approved, #11752
 maven/mavencentral/org.springframework.cloud/spring-cloud-commons/3.1.5, Apache-2.0, approved, #4726
 maven/mavencentral/org.springframework.cloud/spring-cloud-context/3.1.5, Apache-2.0, approved, #4722
 maven/mavencentral/org.springframework.cloud/spring-cloud-starter-bootstrap/3.1.5, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.springframework.cloud/spring-cloud-starter/3.1.5, Apache-2.0, approved, #4723
-maven/mavencentral/org.springframework.data/spring-data-commons/3.2.2, Apache-2.0, approved, #11917
-maven/mavencentral/org.springframework.data/spring-data-rest-core/4.2.2, Apache-2.0, approved, #12591
-maven/mavencentral/org.springframework.data/spring-data-rest-webmvc/4.2.2, Apache-2.0, approved, #12595
-maven/mavencentral/org.springframework.hateoas/spring-hateoas/2.2.0, Apache-2.0, approved, #11883
+maven/mavencentral/org.springframework.data/spring-data-commons/3.2.4, Apache-2.0, approved, #11917
+maven/mavencentral/org.springframework.data/spring-data-rest-core/4.2.4, Apache-2.0, approved, #12591
+maven/mavencentral/org.springframework.data/spring-data-rest-webmvc/4.2.4, Apache-2.0, approved, #12595
+maven/mavencentral/org.springframework.hateoas/spring-hateoas/2.2.1, Apache-2.0, approved, #11883
 maven/mavencentral/org.springframework.plugin/spring-plugin-core/3.0.0, Apache-2.0, approved, #7104
-maven/mavencentral/org.springframework.security/spring-security-config/6.2.1, Apache-2.0, approved, #11896
-maven/mavencentral/org.springframework.security/spring-security-core/6.2.1, Apache-2.0, approved, #11904
-maven/mavencentral/org.springframework.security/spring-security-crypto/6.2.1, Apache-2.0 AND ISC, approved, #11908
-maven/mavencentral/org.springframework.security/spring-security-oauth2-client/6.2.1, Apache-2.0, approved, #12586
-maven/mavencentral/org.springframework.security/spring-security-oauth2-core/6.2.1, Apache-2.0, approved, #11925
-maven/mavencentral/org.springframework.security/spring-security-oauth2-jose/6.2.1, Apache-2.0, approved, #11893
+maven/mavencentral/org.springframework.security/spring-security-config/6.2.3, Apache-2.0, approved, #11896
+maven/mavencentral/org.springframework.security/spring-security-core/6.2.3, Apache-2.0, approved, #11904
+maven/mavencentral/org.springframework.security/spring-security-crypto/6.2.3, Apache-2.0 AND ISC, approved, #11908
+maven/mavencentral/org.springframework.security/spring-security-oauth2-client/6.2.3, Apache-2.0, approved, #12586
+maven/mavencentral/org.springframework.security/spring-security-oauth2-core/6.2.3, Apache-2.0, approved, #11925
+maven/mavencentral/org.springframework.security/spring-security-oauth2-jose/6.2.3, Apache-2.0, approved, #11893
 maven/mavencentral/org.springframework.security/spring-security-rsa/1.0.11.RELEASE, Apache-2.0, approved, CQ20647
-maven/mavencentral/org.springframework.security/spring-security-web/6.2.1, Apache-2.0, approved, #11911
-maven/mavencentral/org.springframework.session/spring-session-core/3.2.1, Apache-2.0, approved, #12588
-maven/mavencentral/org.springframework.session/spring-session-jdbc/3.2.1, Apache-2.0, approved, #12596
-maven/mavencentral/org.springframework/spring-aop/6.1.3, Apache-2.0, approved, #11755
-maven/mavencentral/org.springframework/spring-beans/6.1.3, Apache-2.0, approved, #11754
-maven/mavencentral/org.springframework/spring-context/6.1.3, Apache-2.0, approved, #11753
-maven/mavencentral/org.springframework/spring-core/6.1.3, Apache-2.0 AND BSD-3-Clause, approved, #11750
-maven/mavencentral/org.springframework/spring-expression/6.1.3, Apache-2.0, approved, #11747
-maven/mavencentral/org.springframework/spring-jcl/6.1.3, Apache-2.0, approved, #11749
-maven/mavencentral/org.springframework/spring-jdbc/6.1.3, Apache-2.0, approved, #11897
-maven/mavencentral/org.springframework/spring-tx/6.1.3, Apache-2.0, approved, #11901
-maven/mavencentral/org.springframework/spring-web/6.1.3, Apache-2.0, approved, #11748
-maven/mavencentral/org.springframework/spring-webflux/6.1.3, Apache-2.0, approved, #12593
-maven/mavencentral/org.springframework/spring-webmvc/6.1.3, Apache-2.0, approved, #11879
+maven/mavencentral/org.springframework.security/spring-security-web/6.2.3, Apache-2.0, approved, #11911
+maven/mavencentral/org.springframework.session/spring-session-core/3.2.2, Apache-2.0, approved, #12588
+maven/mavencentral/org.springframework.session/spring-session-jdbc/3.2.2, Apache-2.0, approved, #12596
+maven/mavencentral/org.springframework/spring-aop/6.1.5, Apache-2.0, approved, #11755
+maven/mavencentral/org.springframework/spring-beans/6.1.5, Apache-2.0, approved, #11754
+maven/mavencentral/org.springframework/spring-context/6.1.5, Apache-2.0, approved, #11753
+maven/mavencentral/org.springframework/spring-core/6.1.5, Apache-2.0 AND BSD-3-Clause, approved, #11750
+maven/mavencentral/org.springframework/spring-expression/6.1.5, Apache-2.0, approved, #11747
+maven/mavencentral/org.springframework/spring-jcl/6.1.5, Apache-2.0, approved, #11749
+maven/mavencentral/org.springframework/spring-jdbc/6.1.5, Apache-2.0, approved, #11897
+maven/mavencentral/org.springframework/spring-tx/6.1.5, Apache-2.0, approved, #11901 +maven/mavencentral/org.springframework/spring-web/6.1.5, Apache-2.0, approved, #11748 +maven/mavencentral/org.springframework/spring-webflux/6.1.5, Apache-2.0, approved, #12593 +maven/mavencentral/org.springframework/spring-webmvc/6.1.5, Apache-2.0, approved, #11879 maven/mavencentral/org.webjars/swagger-ui/4.15.5, Apache-2.0 AND MIT, approved, #5921 maven/mavencentral/org.webjars/webjars-locator-core/0.55, MIT, approved, clearlydefined maven/mavencentral/org.yaml/snakeyaml/2.0, Apache-2.0 AND (Apache-2.0 OR BSD-3-Clause OR EPL-1.0 OR GPL-2.0-or-later OR LGPL-2.1-or-later), approved, #7275 From c9a769260f4bdc30d29d7b8d3be7d1e653fc728f Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Mon, 22 Apr 2024 15:31:26 +0200 Subject: [PATCH 07/10] chore(fix): fixed eslint workflow --- .github/workflows/eslint.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/eslint.yml b/.github/workflows/eslint.yml index 373fb1cfe..e9f08b564 100644 --- a/.github/workflows/eslint.yml +++ b/.github/workflows/eslint.yml @@ -53,5 +53,7 @@ jobs: npm install @microsoft/eslint-formatter-sarif@2.1.7 --legacy-peer-deps - name: Run ESLint - run: npx eslint . + run: | + cd dpp-frontend + npx eslint . continue-on-error: false From b11c7a2cc4ed249f670705431c5ac3efd1a6f630 Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Mon, 22 Apr 2024 16:01:59 +0200 Subject: [PATCH 08/10] chore(ci): removed veracode workflows from git actions --- .github/workflows/veracode-pipeline.yml | 106 ------------------------ .github/workflows/veracode-upload.yml | 73 ---------------- 2 files changed, 179 deletions(-) delete mode 100644 .github/workflows/veracode-pipeline.yml delete mode 100644 .github/workflows/veracode-upload.yml diff --git a/.github/workflows/veracode-pipeline.yml b/.github/workflows/veracode-pipeline.yml deleted file mode 100644 index 242a41076..000000000 
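Review bot: The new run line `npx eslint .` never uses the `@microsoft/eslint-formatter-sarif` that the preceding step installs, so no SARIF output is produced for code scanning unless an upload step outside this hunk expects one; if the formatter is meant to feed `upload-sarif`, the command should be `npx eslint . --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif`. The install step runs wherever the earlier steps leave the working directory (not visible here, presumably the repository root), while this step does `cd dpp-frontend` before invoking eslint, so the formatter and the project's eslint configuration may not resolve from there — set `working-directory: dpp-frontend` on both steps or confirm the install already happens inside that directory. `continue-on-error: false` is the default and can be dropped.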
--- a/.github/workflows/veracode-pipeline.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -################################################################################# -# Tractus-X - Digital Product Passport Application -# -# Copyright (c) 2022, 2024 BASF SE, BMW AG, Henkel AG & Co. KGaA -# Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, -# either express or implied. See the -# License for the specific language govern in permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -################################################################################# - -name: Veracode Static Analysis Pipeline Scan - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main", "develop"] - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -permissions: - contents: read - -env: - VID: '${{ secrets.VERACODE_API_ID || secrets.ORG_VERACODE_API_ID }}' - VKEY: '${{ secrets.VERACODE_API_KEY || secrets.ORG_VERACODE_API_KEY }}' - - -jobs: - check-secrets: - runs-on: ubuntu-latest - outputs: - secrets-available: ${{ steps.secrets-exists.outputs.available }} - steps: - - name: Check for Secrets availability - id: secrets-exists - shell: bash - ## Check if the secrets are available in the environment - ## Check if the secrets are available in the environment - run: | - if [ "${{ env.VID }}" != '' ] && [ "${{ env.VKEY }}" != '' ]; then - echo "available=true" >> $GITHUB_OUTPUT; - echo "Secrets are 
available at this environment!" - else - echo "available=false" >> $GITHUB_OUTPUT; - echo "No secrets are available at this environment!" - fi - - # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter - build-and-pipeline-scan: - needs: [ check-secrets ] - if: needs.check-secrets.outputs.secrets-available == 'true' ## Require that the secrets are available - permissions: - contents: read - security-events: write - runs-on: ubuntu-latest - steps: - - - uses: actions/checkout@v3 - with: - repository: '' - - - uses: actions/setup-java@v3 - with: - java-version: 19 - distribution: 'adopt' - - - name: build - run: | - cd dpp-backend/digitalproductpass - mvn dependency:purge-local-repository clean verify - - - run: zip -r veracode-scan-target.zip ./ - - # download the Veracode Static Analysis Pipeline scan jar - - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - - run: unzip -o pipeline-scan-LATEST.zip - - - uses: actions/setup-java@v3 - with: - java-version: 8 - distribution: 'temurin' - - run: java -Dpipeline.debug=true -jar pipeline-scan.jar -p "Product-Passport-Consumer-App" --veracode_api_id "${{ env.VID }}" --veracode_api_key "${{ env.VKEY }}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip - continue-on-error: true - - name: Convert pipeline scan output to SARIF format - id: convert - uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be - with: - pipeline-results-json: results.json - - uses: github/codeql-action/upload-sarif@v2 - with: - # Path to SARIF file relative to the root of the repository - sarif_file: veracode-results.sarif diff --git a/.github/workflows/veracode-upload.yml b/.github/workflows/veracode-upload.yml deleted file mode 100644 index 54464d566..000000000 
--- a/.github/workflows/veracode-upload.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -################################################################################# -# Tractus-X - Digital Product Passport Application -# -# Copyright (c) 2022, 2024 BASF SE, BMW AG, Henkel AG & Co. KGaA -# Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, -# either express or implied. See the -# License for the specific language govern in permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -################################################################################# - -name: "Veracode upload and scan" - -on: - push: - branches: [ "main" ] - workflow_dispatch: - inputs: - branch: - description: "Branch to use" - required: true - default: 'main' - type: string - - schedule: - # Once a day - - cron: "0 0 * * *" -jobs: - analyze: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - with: - repository: '' - - - uses: actions/setup-java@v3 - with: - java-version: 19 - distribution: 'adopt' - - - name: build - run: | - cd dpp-backend/digitalproductpass - mvn dependency:purge-local-repository clean verify - - - run: zip -r veracode-scan-target.zip ./ - - - name: Run Veracode Upload And Scan - uses: veracode/veracode-uploadandscan-action@0.2.1 - with: - appname: "Battery-Passport-Consumer-App" - createprofile: false - filepath: "./veracode-scan-target.zip" - vid: '${{ secrets.VERACODE_API_ID 
|| secrets.ORG_VERACODE_API_ID }}' - vkey: '${{ secrets.VERACODE_API_KEY || secrets.ORG_VERACODE_API_KEY }}' From b950b6ddfcc409aa010f55f65f353ba5268bbc8a Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Tue, 23 Apr 2024 10:09:20 +0200 Subject: [PATCH 09/10] chore(fix): fixed full length commit SHA in codeql --- .github/workflows/codeql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index b27a6cfda..8dd00288e 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -96,5 +96,5 @@ jobs: mvn -B clean install --batch-mode -DskipTests - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@4355270 From 11230a8002e83e881385a8c61ce7768a205749aa Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Wed, 24 Apr 2024 11:35:47 +0200 Subject: [PATCH 10/10] chore(fix): resolved full length commit SHA in .github/actions/setup-java --- .github/actions/setup-java/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/setup-java/action.yaml b/.github/actions/setup-java/action.yaml index c0b316a4b..a4f042e34 100644 --- a/.github/actions/setup-java/action.yaml +++ b/.github/actions/setup-java/action.yaml @@ -28,7 +28,7 @@ runs: using: "composite" steps: - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: java-version: '21' distribution: 'temurin'
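Review bot: `github/codeql-action/analyze@4355270` is a 7-character abbreviated SHA, not the full-length commit SHA the commit title promises; a short prefix is not an immutable pin (prefix collisions can be manufactured) and Dependabot and pin-checking tools expect the 40-character form, so replace it with the full SHA that the `v3` tag resolves to and record the version next to it, e.g. `uses: github/codeql-action/analyze@<full-40-char-sha> # v3.x.y`, matching the `# v4.2.1` comment style used for setup-java in the following patch. The `init` and `autobuild` steps of the same workflow should be pinned to the identical commit so the codeql-action steps stay in lockstep; those steps and the rest of the `analyze` job are outside this hunk.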