From de0c9b0af85f395ea22776e405bf4ce7ea987219 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Mon, 22 Jan 2024 14:09:54 +0100 Subject: [PATCH 01/12] chore(deps):[#xxx] update logback.version to 1.4.14 because of CVE-2023-6378(7.5) --- irs-parent-spring-boot/pom.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/irs-parent-spring-boot/pom.xml b/irs-parent-spring-boot/pom.xml index 879e62f3b6..fcadfd2285 100644 --- a/irs-parent-spring-boot/pom.xml +++ b/irs-parent-spring-boot/pom.xml @@ -15,6 +15,10 @@ IRS Spring Boot Parent Parent module for Spring Boot modules. + + 1.4.14 + + @@ -24,6 +28,18 @@ pom import + + ch.qos.logback + logback-classic + ${logback.version} + test + + + ch.qos.logback + logback-core + ${logback.version} + test + From a5ea055c5a1bc90b3f0a089bf700b1b684fe7773 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Mon, 22 Jan 2024 17:40:57 +0100 Subject: [PATCH 02/12] chore(deps):[#xxx] correct scope for logback dependency --- irs-parent-spring-boot/pom.xml | 2 -- 1 file changed, 2 deletions(-) diff --git a/irs-parent-spring-boot/pom.xml b/irs-parent-spring-boot/pom.xml index fcadfd2285..0948d0bb0c 100644 --- a/irs-parent-spring-boot/pom.xml +++ b/irs-parent-spring-boot/pom.xml @@ -32,13 +32,11 @@ ch.qos.logback logback-classic ${logback.version} - test ch.qos.logback logback-core ${logback.version} - test From c07d38aa28df115cf7b994c8912ad014b338057c Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Mon, 22 Jan 2024 18:10:26 +0100 Subject: [PATCH 03/12] chore(deps):[#xxx] remove unused maven property graal-sdk.version graal-sdk comes via transitive dependency from jsonschemafriend but newest version of this still uses 21.2.0. The property with the newer version isn't used anywhere anymore. --- pom.xml | 1 - 1 file changed, 1 deletion(-) diff --git a/pom.xml b/pom.xml index 0201230116..db96b8efd0 100644 --- a/pom.xml +++ b/pom.xml @@ -95,7 +95,6 @@ 3.5.0 1.76 3.2.0 - 23.1.0 1.16.1 0.12.0 2.14.0 
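Review bot: the `<scope>test</scope>` on both logback entries in the patch 01 dependencyManagement hunk (irs-parent-spring-boot/pom.xml, @@ -24,6 +28,18) is a functional bug, not just a style slip: Maven applies a managed scope to transitive dependencies too, so every module pulling logback-classic/logback-core through spring-boot-starter-logging would see them demoted to the test classpath and lose Logback at runtime. Patch 02 (@@ -32,13 +32,11) removes exactly those two lines, so squash 02 into 01 rather than leaving a broken intermediate commit in history. Because the new entries sit after the `pom`/`import` BOM entry in the same dependencyManagement block, also confirm with `mvn dependency:tree -Dincludes=ch.qos.logback` that 1.4.14 is what actually resolves; Spring Boot's own documentation recommends declaring version overrides ahead of the spring-boot-dependencies import when the BOM is imported instead of used as parent. The `[#xxx]` in every subject line of the series is still a placeholder and needs the real issue number before merge.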
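Review bot: the patch 03 hunk (pom.xml, @@ -95,7 +95,6) removes the `23.1.0` graal-sdk property purely on the message's claim that nothing references it; back that up with a grep for `graal-sdk.version` across all module POMs and `mvn dependency:tree -Dincludes=org.graalvm.sdk`, which should show 21.2.0 as the effective version, since that is the version the CVE suppressions in this series (the existing CVE-2023-22006 entry and the new CVE-2024-20932 one) are written against. If jsonschemafriend tolerates a newer graal-sdk, a dependencyManagement pin like the one patch 01 adds for logback would remove the need for suppressions altogether; if it does not, record that in the commit message so the next person does not repeat the experiment.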
From d88a890455e3a59cbb8d7525a038afa1296c78d8 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Mon, 22 Jan 2024 18:11:37 +0100 Subject: [PATCH 04/12] chore(deps):[#xxx] add owasp suppression for CVE-2024-20932 reason: https://nvd.nist.gov/vuln/detail/CVE-2024-20932 "... This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator)..." --- .config/owasp-suppressions.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.config/owasp-suppressions.xml b/.config/owasp-suppressions.xml index d77ddac247..325b8ae21a 100644 --- a/.config/owasp-suppressions.xml +++ b/.config/owasp-suppressions.xml @@ -28,4 +28,11 @@ ^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$ CVE-2023-22006 + + + ^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$ + CVE-2024-20932 + \ No newline at end of file From 03b903baad24b154c163238a097160af9ee983d1 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Mon, 22 Jan 2024 19:07:30 +0100 Subject: [PATCH 05/12] chore(deps):[#xxx] Update CHANGELOG.md --- CHANGELOG.md | 369 ++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 294 insertions(+), 75 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e09e7bc65f..1950166290 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ # Changelog + All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 
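Review bot: the new suppression in .config/owasp-suppressions.xml (@@ -28,4 +28,11) uses `^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$`, which matches every graal-sdk version for CVE-2024-20932 and will therefore also silence the finding if the artifact is later bumped to a version that is still affected; anchor the regex to the version actually present (21.2.0) or give the `<suppress>` an `until="..."` date so the decision is re-evaluated. The rationale quoted from NVD in the commit message (the deployment runs only trusted code) is the real justification and should also go into the suppression's `<notes>` element, where whoever reads the next scan report will see it. The file is left without a trailing newline (`\ No newline at end of file`); please restore it.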
@@ -9,51 +10,76 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed - Updated license header to "Copyright (c) 2021,2024 Contributors to the Eclipse Foundation" +- Suppressed CVE-2024-20932 from graal-sdk-21.2.0.jar because this is not applicable for IRS. + +### Fixed + +- Fixed CVE-2023-6378 by custom dependency management entry for logback (1.4.14). ## [4.4.0] - 2024-01-15 + ### Added + - Added EDR token cache to reuse token after contract negotiation - Added cache mechanism in DiscoveryFinderClientImpl for findDiscoveryEndpoints ### Changed -- Authentication was redesigned to use API keys, instead of OAuth2 protocol. The api key has to be sent as a X-API-KEY request header. IRS is supporting two types of API keys - one for admin and one for regular/view usage. Use new ``apiKeyAdmin`` and ``apiKeyRegular`` config entries to set up API keys. + +- Authentication was redesigned to use API keys, instead of OAuth2 protocol. The api key has to be sent as a X-API-KEY + request header. IRS is supporting two types of API keys - one for admin and one for regular/view usage. Use + new ``apiKeyAdmin`` and ``apiKeyRegular`` config entries to set up API keys. ### Removed + - Removed ``oauth.resourceClaim``, ``oauth.irsNamespace``,``oauth.roles``,``oauth2.jwkSetUri`` config entries ## [4.3.0] - 2023-12-08 + ### Added + - Added support for `hasAlternatives` property in SingleLevelBomAsBuilt aspect ### Changed + - Updated edc dependencies to 0.2.1 - Update deprecated field `providerUrl` to `counterPartyAddress` in EDC catalog request - Update ESS EDC notification creation asset endpoint to v3 ## [4.2.0] - 2023-11-28 + ### Changed -- Changed default behaviour of IRS - when aspects list is not provided or empty in request body, IRS will not collect any submodel now (previously default aspects were collected). 
+ +- Changed default behaviour of IRS - when aspects list is not provided or empty in request body, IRS will not collect + any submodel now (previously default aspects were collected). - ESS - - Added 'hops' parameter to SupplyChainImpacted Aspect model - contains relative distance in the supply chain - - Added `impactedSuppliersOnFirstTier` parameter to Supply SupplyChainImpacted Aspect model - contains information of first level supply chain impacted + - Added 'hops' parameter to SupplyChainImpacted Aspect model - contains relative distance in the supply chain + - Added `impactedSuppliersOnFirstTier` parameter to Supply SupplyChainImpacted Aspect model - contains information + of first level supply chain impacted - Exported health endpoints to prometheus (see HealthMetricsExportConfiguration, DependenciesHealthMetricsExportConfiguration) and added [system health dashboard](charts/irs-helm/dashboards/system-health-dashboard.json) in order to visualize health metrics of IRS and its dependencies ### Fixed + - Fixed incorrect passing of incidentBPNS for ESS Orders ### Known knowns + - [#253] Cancelation of order jobs is not working stable ## [4.1.0] - 2023-11-15 + ### Added -- IRS can now check the readiness of external services. Use the new ``management.health.dependencies.enabled`` config entry to determine if external dependencies health checks should be checked (false by default). - - The map of external services healthcheck endpoints can be configured with ``management.health.dependencies.urls`` property, eg. ``service_name: http://service_name_host/health`` + +- IRS can now check the readiness of external services. Use the new ``management.health.dependencies.enabled`` config + entry to determine if external dependencies health checks should be checked (false by default). + - The map of external services healthcheck endpoints can be configured with ``management.health.dependencies.urls`` + property, eg. 
``service_name: http://service_name_host/health`` - Added cache mechanism for ConnectorEndpointService for fetchConnectorEndpoints method cache ### Changed + - Changed name of spring's OAuth2 client registration from 'keycloak' to 'common' like below: ``` spring: @@ -87,37 +113,52 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Update IRS API Swagger documentation to match AAS 3.0.0 ### Fixed + - IRS will return 206 Http status from GET /jobs/{id} endpoint if Job is still running ## [4.0.2] - 2023-11-20 + ### Changed + - Remove `apk upgrade --no-cache libssl3 libcrypto3` in Docker base image to be TRG compliant ## [4.0.1] - 2023-11-10 + ### Changed + - Added state `STARTED` as acceptable state to complete the EDC transfer process to be compatible with EDC 0.5.1 ## [4.0.0] - 2023-10-27 + ### Added + - Introduced new API endpoint to register ESS Jobs in Batch - POST {{IRS_HOST}}/irs/ess/orders - Added role "admin_irs" again ### Changed + - Deprecated query parameter 'jobStates' was removed from GET {{IRS_HOST}}/irs/jobs endpoint -- Moved OAuth2 JWT token claim to configuration. The fields can be configured with `oauth.resourceClaim`, `oauth.irsNamespace`, `oauth.roles`. +- Moved OAuth2 JWT token claim to configuration. The fields can be configured + with `oauth.resourceClaim`, `oauth.irsNamespace`, `oauth.roles`. - ESS - - Added Tombstone to ESS investigation in case required aspect models "PartAsPlanned" or "PartSiteInformationAsPlanned" are missing + - Added Tombstone to ESS investigation in case required aspect models "PartAsPlanned" or " + PartSiteInformationAsPlanned" are missing - Update dependencies to mitigate third party vulnerabilities ## [3.5.4] - 2023-10-25 + ### Changed + - removed role "admin_irs" ## [3.5.3] - 2023-10-09 + ### Fixed + - Fixed default policy creation. ### Changed + - Changed configuration for default policies from: ``` irs-edc-client: 
@@ -141,275 +182,378 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ``` ## [3.5.2] - 2023-10-06 + ### Changed + - Updated dependencies ## [3.5.1] - 2023-10-05 + ### Fixed + - Fix json schema validation ## [3.5.0] - 2023-09-27 + ### Changed -- IRS now makes use of the value `dspEndpoint` in `subprotocolBody` of the Asset Administration Shell to request submodel data directly. + +- IRS now makes use of the value `dspEndpoint` in `subprotocolBody` of the Asset Administration Shell to request + submodel data directly. - Policy Store API is extended to handle: - - multi permissions per each allowed Policy in POST call to create Policy - - multi constraint per each permission in POST call to create Permission - - logical AndConstraint and OrConstraint to give possibility to create complex restriction + - multi permissions per each allowed Policy in POST call to create Policy + - multi constraint per each permission in POST call to create Permission + - logical AndConstraint and OrConstraint to give possibility to create complex restriction ### Fixed + - Fixed a case where IRS submodel requests did not reuqest all EDC endpoints discovered by Discovery Finder - ESS - - Updated investigation request body field `incidentBPNs` to `incidentBPNSs`. - - Streamlined EDC notification flow and adjusted it to existing EDC client methods - - Changed investigation from BPNL to BPNS (`catenaXSiteId` of `PartSiteInformationAsPlanned`) - - Additional validation for `validityPeriod` of `PartAsPlanned` + - Updated investigation request body field `incidentBPNs` to `incidentBPNSs`. + - Streamlined EDC notification flow and adjusted it to existing EDC client methods + - Changed investigation from BPNL to BPNS (`catenaXSiteId` of `PartSiteInformationAsPlanned`) + - Additional validation for `validityPeriod` of `PartAsPlanned` ## [3.4.1] - 2023-09-22 + ### Changed + - Updated SingleLevelUsageAsBuilt schema to 2.0.0 version. 
### Fixed + - Fixed missing access control for Batch and ESS API. ## [3.4.0] - 2023-09-01 + ### Added + - Added fetchCatalog to EDCCatalogFacade - Introduced new API endpoint to update 'validUntil' property of Policy - PUT {{IRS_HOST}}/irs/policies/{policyId} - Introduced new IRS role `admin_irs` which has unrestricted access to every API endpoint ### Changed -- Adjusted API access control. Users with role `view_irs` can only access jobs they created themselves. PolicyStore API access is restricted to role `admin_irs`. + +- Adjusted API access control. Users with role `view_irs` can only access jobs they created themselves. PolicyStore API + access is restricted to role `admin_irs`. ### Fixed + - Fixed bug where BPN's were delivered without 'manufacturerName' property filled ## [3.3.5] - 2023-08-30 + ### Changed + - Updated IRS Digital Twin Registry Client to support latest version 0.3.14-M1 ## [3.3.4] - 2023-08-24 + ### Fixed + - Added missing license information to documentation and docker image ## [3.3.3] - 2023-08-11 + ### Changed -- IRS now calls the entire dataplane URL retrieved from the registry href instead of building it from the URL of the EDC token and the path + +- IRS now calls the entire dataplane URL retrieved from the registry href instead of building it from the URL of the EDC + token and the path ### Fixed + - Switched to POST for DTR lookup request -- Added Base64 encoding to identifier for DTR shell-descriptor request +- Added Base64 encoding to identifier for DTR shell-descriptor request - Fixed an issue where IRS did not pass the BPN correctly for the ESS use-case ## [3.3.2] - 2023-07-31 + ### Fixed + - BPN is now passed on correctly when traversing the item graph - EDC Policies now get validated regardless of the type of constraint. - EDC Policies of type FrameworkAgreement are now validated correctly. 
- Fixed error in BPN handling for IRS Batch requests ## [3.3.1] - 2023-07-24 + ### Fixed + - Added missing field `businessPartner` for relationship aspect SingleLevelUsageAsBuilt ## [3.3.0] - 2023-07-20 + ### Changed + - BPN is now taken from the submodel data while traversing the item graph - Tombstone is created if no BPN is available for a child item ## [3.2.1] - 2023-07-19 + ### Fixed + - EDC Policies now get validated regardless of the type of constraint. - EDC Policies of type `FrameworkAgreement` are now validated correctly. - Fixed error in BPN handling for IRS Batch requests ## [3.2.0] - 2023-07-14 + ### Changed -- The client code for accessing the Digital Twin Registry (central and decentral) is now available as a spring boot maven library. See the README in the irs-registry-client module for more information. + +- The client code for accessing the Digital Twin Registry (central and decentral) is now available as a spring boot + maven library. See the README in the irs-registry-client module for more information. - Update EDC dependencies to 0.1.3 - Add Transformer to support new EDC constraint operator format -- IRS now supports the AAS API 3.0 and its updated models. **Note**: this also reflects in the Job response shells, please check the new schema. +- IRS now supports the AAS API 3.0 and its updated models. **Note**: this also reflects in the Job response shells, + please check the new schema. ### Known knowns -- [TRI-1460] ESS Notifications endpoints are not working in the decentral Digital Twin Registry scenario because endpoints does not provide bpn as a parameter. + +- [TRI-1460] ESS Notifications endpoints are not working in the decentral Digital Twin Registry scenario because + endpoints does not provide bpn as a parameter. 
- [TRI-1096] No limiting of requests in parallel - IRS allows sending API requests unlimited -- [TRI-1100] Potential denial-of-service (DoS) attack - IRS allows to enter a large number of characters, which are reflected in the response of the server -- [TRI-1098] Software related information disclosure - IRS returns redundant information about the type and version of used software -- [TRI-793] Misconfigured Access-Control-Allow- Origin Header - by intercepting network traffic it could be possible to read and modify any messages that are exchanged with server -- [TRI-1095] HTTP security headers configuration could be improved and allow for additional protection against some web application attacks -- [TRI-1441] Synchronous communication with shared C-X services without circuit breaker pattern - potentially could affect IRS resilience when other services becomes non-responsive. -- [TRI-1441] Cascading effects of failure when Digital Twin Registry becomes non-responsive - potentially bulkhead pattern could improve IRS resilience -- [TRI-1477] Retry mechanism used inside IRS could potentially affect IRS resilience - DDOS other services on which IRS is dependent, exhaustion of resources and available threads, etc. 
+- [TRI-1100] Potential denial-of-service (DoS) attack - IRS allows to enter a large number of characters, which are + reflected in the response of the server +- [TRI-1098] Software related information disclosure - IRS returns redundant information about the type and version of + used software +- [TRI-793] Misconfigured Access-Control-Allow- Origin Header - by intercepting network traffic it could be possible to + read and modify any messages that are exchanged with server +- [TRI-1095] HTTP security headers configuration could be improved and allow for additional protection against some web + application attacks +- [TRI-1441] Synchronous communication with shared C-X services without circuit breaker pattern - potentially could + affect IRS resilience when other services becomes non-responsive. +- [TRI-1441] Cascading effects of failure when Digital Twin Registry becomes non-responsive - potentially bulkhead + pattern could improve IRS resilience +- [TRI-1477] Retry mechanism used inside IRS could potentially affect IRS resilience - DDOS other services on which IRS + is dependent, exhaustion of resources and available threads, etc. - [TRI-1478] Lack of resources management - thread pooling, heap limitation etc. 
- [TRI-1024] IRS does not support scale out on multiple instances ## [3.1.0] - 2023-07-07 + ### Changed + - Removed catalog cache - Changed EDC catalog retrieval from pagination to filter -- Item graphs with asBuilt lifecycle & downward direction are now built with usage of SingleLevelBomAsBuilt aspect, instead of AssemblyPartRelationship aspect +- Item graphs with asBuilt lifecycle & downward direction are now built with usage of SingleLevelBomAsBuilt aspect, + instead of AssemblyPartRelationship aspect - Changed retrieval of BPN value from AAS Shell to SingleLevelBomAsBuilt - Renamed SerialPartTypization to SerialPart aspect - ESS - - Update ESS notification asset creation to new EDC DSP protocol - - Include DiscoveryFinder into ESS flow + - Update ESS notification asset creation to new EDC DSP protocol + - Include DiscoveryFinder into ESS flow ## [3.0.1] - 2023-06-28 + ### Fixed + - Added missing participantId to contract negotiation for decentral DTR contract negotiation - Fixed default value for contract negotiation and transfer process state-suffix ## [3.0.0] - 2023-06-26 + ### Added + - Handling of Decentral Digital Twin Registry as a way of request AAS for identifier - - Extend Register Job with key field that contain BPN and globalAssetId - - Requesting BPN endpoint catalog over Discrovery Finder - - Requesting EDC endpoint addresses for BPN over EDC Discovery Finder - - Add filter for catalog item search in EDC - - Authorize Digital Twin client with EDC Endpoint Reference + - Extend Register Job with key field that contain BPN and globalAssetId + - Requesting BPN endpoint catalog over Discrovery Finder + - Requesting EDC endpoint addresses for BPN over EDC Discovery Finder + - Add filter for catalog item search in EDC + - Authorize Digital Twin client with EDC Endpoint Reference - Added new Policy Store API to manage acceptable EDC policies - - `GET /irs/policies` - - `POST /irs/policies` - - `DELETE /irs/policies/{policyId}` + - `GET /irs/policies` + - 
`POST /irs/policies` + - `DELETE /irs/policies/{policyId}` ### Changed + - Updated EDC Client to use version 0.4.1 - - Adjusted Protocol from IDS to DSP - - Paths for catalog, contract negotiation and transfer process are now configurable via properties - - `edc.controlplane.endpoint.catalog` - - `edc.controlplane.endpoint.contract-negotiation` - - `edc.controlplane.endpoint.transfer-process` + - Adjusted Protocol from IDS to DSP + - Paths for catalog, contract negotiation and transfer process are now configurable via properties + - `edc.controlplane.endpoint.catalog` + - `edc.controlplane.endpoint.contract-negotiation` + - `edc.controlplane.endpoint.transfer-process` - EDR Callback is now configurable via property `edc.callback-url` ## [2.6.1] - 2023-05-15 + ### Added + - Validation if bpnEndpoint is set in properties before starting a job with lookupBPNs set to true - Automate release workflow - Validate if callback url starts with http or https before register a job ## [2.6.0] - 2023-05-05 + ### Added -- IRS now checks the EDC policies and only negotiates contracts if the policy matches the ones defined in the configuration at `edc.catalog.policies.allowedNames` (comma separated string) + +- IRS now checks the EDC policies and only negotiates contracts if the policy matches the ones defined in the + configuration at `edc.catalog.policies.allowedNames` (comma separated string) ### Changed + - Restructured the repository to make it more comprehensive -- Improved API descriptions regarding errors +- Improved API descriptions regarding errors ## [2.5.1] - 2023-04-28 + ### Changed + - Replaced Discovery Service mock with real implementation ## [2.5.0] - 2023-04-17 + ### Added -- Introduced Batch processing API endpoints. Batch Order is registered and executed for a bunch of globalAssetIds in one call. 
- - API Endpoint POST Register Batch Order {{IRS_HOST}}/irs/orders - - API Endpoint GET Batch Order {{IRS_HOST}}/irs/orders/:orderId - - API Endpoint GET Batch {{IRS_HOST}}/irs/orders/:orderId/batches/:batchId -- Introduced Environmental- and Social Standards processing API endpoints. - - API Endpoint POST Register job to start an investigation if a given bpn is contained in a part chain {{IRS_HOST}}/ess/bpn/investigations - - API Endpoint GET BPN Investigation {{IRS_HOST}}/ess/bpn/investigations/:id - - API Endpoint POST EDC Notification receive {{IRS_HOST}}/ess/notification/receive +- Introduced Batch processing API endpoints. Batch Order is registered and executed for a bunch of globalAssetIds in one + call. + - API Endpoint POST Register Batch Order {{IRS_HOST}}/irs/orders + - API Endpoint GET Batch Order {{IRS_HOST}}/irs/orders/:orderId + - API Endpoint GET Batch {{IRS_HOST}}/irs/orders/:orderId/batches/:batchId +- Introduced Environmental- and Social Standards processing API endpoints. + - API Endpoint POST Register job to start an investigation if a given bpn is contained in a part chain + {{IRS_HOST}}/ess/bpn/investigations + - API Endpoint GET BPN Investigation {{IRS_HOST}}/ess/bpn/investigations/:id + - API Endpoint POST EDC Notification receive {{IRS_HOST}}/ess/notification/receive ## [2.4.1] - 2023-04-21 + ### Fixed + - Updated spring-boot version to 3.0.6 to fix security issue - change GID in Dockerfile to fix https://github.com/eclipse-tractusx/item-relationship-service/issues/101 - ## [2.4.0] - 2023-03-30 + ### Added -- IRS is now able to cache the EDC catalog. Caching can be disabled via application config. Maximum amount of cached items and item time-to-live can be configured as well. + +- IRS is now able to cache the EDC catalog. Caching can be disabled via application config. Maximum amount of cached + items and item time-to-live can be configured as well. 
- EDC policies retrieved from contract offer are now added to the contract negotiation ### Changed -- API endpoints have now additional layer of security and require BPN claim in token. Allowed BPN that can access API can be configured with (*env:API_ALLOWED_BPN*) variable. + +- API endpoints have now additional layer of security and require BPN claim in token. Allowed BPN that can access API + can be configured with (*env:API_ALLOWED_BPN*) variable. - Updated Spring Boot dependency to 3.0.5 ### Fixed -- Fixed issue in paging when calling SemanticsHub with some page size configurations +- Fixed issue in paging when calling SemanticsHub with some page size configurations ## [2.3.2] - 2023-03-20 + ### Changed + - Replace pandoc with downdoc for conversion asciidoc to markdown ### Fixed + - In AssemblyPartRelationship the ``measurementUnit`` can be both parsed from both string and object versions - Decode URLs for ``assetId`` to prevent bug that encoded ``assetId`` cannot be found in the catalog ## [2.3.1] - 2023-03-07 + ### Changed + - Updated Spring Boot dependency to 3.0.3 ## [2.3.0] - 2023-02-21 + ### Added -- Introduced new endpoint ``/irs/aspectmodels`` which will list all available aspect models (from semantic hub or locally provided files if present) + +- Introduced new endpoint ``/irs/aspectmodels`` which will list all available aspect models (from semantic hub or + locally provided files if present) ### Fixed + - If Grafana is enabled - dashboards will be automatically imported on startup ### Changed + - Job creation validates ``aspects`` by using models available in semantic hub or locally provided. ## [2.2.1] - 2023-03-15 + ### Fixed -- Property "measurementUnit" of AssemblyPartRelationship can now be a String or a Map. According to the latest model, it is supposed to be a String, but due to varying test data, IRS supports both variants. + +- Property "measurementUnit" of AssemblyPartRelationship can now be a String or a Map. 
According to the latest model, it + is supposed to be a String, but due to varying test data, IRS supports both variants. - EDC Catalog IDs are now being URL decoded before usage ## [2.2.0] - 2023-01-20 + ### Added + - Added new job parameter flag "lookupBPNs" which toggles lookup of BPN numbers using the configured BPN URL -- Added new summary item "bpnLookups" which tracks completed and failed BPN requests. Excluded these metrics from "asyncFetchedItems" +- Added new summary item "bpnLookups" which tracks completed and failed BPN requests. Excluded these metrics from " + asyncFetchedItems" - Model schema JSON files can now be provided locally as a backup to the Semantic Hub. Use the new ``semanticsHub.localModelDirectory`` config entry to provide a folder with the models. - Added pagination to EDC catalog retrieval. ### Fixed + - BPNs array is now filled correctly when requesting a running job with parameter "returnUncompletedJob=true" ## [2.1.0] - 2023-01-11 + ### Changed + - Change 'jobParameter' to 'parameter' in GET calls in IRS API - Change 'jobStates' to 'states' request parameter in GET call for jobs by states, 'jobStates' is now deprecated - REST clients for DTR, SemHub and BPDM now use their own RestTemplates and configuration - application.yaml received some documentation ## [2.0.0] - 2022-12-09 + ### Added + - Added pagination to GET /irs/jobs endpoint (eg. {{IRS_HOST}}/irs/jobs?page=0&size=10&sort=completedOn,asc) ### Changed + - IRS API now requires 'view_irs' resource access inside Keycloak JWT token. - New 2.0.0 version of IRS API. 
Main goal was to remove 'job' prefix from attribute names - - change 'jobId' to 'id' in GET and POST calls - - change 'jobState' to 'state' in GET calls - - change 'jobCompleted' to 'completedOn' in GET calls - - change 'jobId' to 'id' and 'jobState' to 'state' in callback URI variables + - change 'jobId' to 'id' in GET and POST calls + - change 'jobState' to 'state' in GET calls + - change 'jobCompleted' to 'completedOn' in GET calls + - change 'jobId' to 'id' and 'jobState' to 'state' in callback URI variables ## [1.6.0] - 2022-11-25 + ### Added + - EDC client implementation (for negotiation and data exchange) - New callback endpoint for EDC (path: /internal/endpoint-data-reference) - Optional trusted port to make internal interfaces only available via that (config: server.trustedPort) ### Removed + - Removed the need for the API wrapper by directly communicating with the EDC control and data plane. ## [1.5.0] - 2022-11-11 + ### Added + - Added new parameters 'startedOn' and 'jobCompleted' to Job status response ### Changed + - Updated Spring Boot to 2.7.5 and Spring Security (Web and OAuth2 Client) dependencies to 5.7.5 due to CVEs - Renamed parameter from 'status' to 'jobState' in Job status response - Time to live for finished jobs is now configurable ## [1.4.0] - 2022-10-28 + ### Added -- Added new 'asPlanned' value for bomLifecycle request parameter - now BomAsPlanned can be traversed by the IRS to build relationships + +- Added new 'asPlanned' value for bomLifecycle request parameter - now BomAsPlanned can be traversed by the IRS to build + relationships ## [1.3.0] - 2022-10-18 + ### Added + - BPDM URL (*env:BPDM_URL*) is now configurable - SemanticsHub URL (*env:SEMANTICSHUB_URL*) and default URNs (*env:SEMANTICSHUB_DEFAULT_URNS*) are now configurable - Added an administration guide covering installation and configuration topics (TRI-593) 
@@ -417,38 +561,49 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added new optional parameter 'callbackUrl' to Job registration request ### Known knowns -- discovered lack of circuit breaker for communication with submodel server which is not responding (low risk) - will be addressed in future release + +- discovered lack of circuit breaker for communication with submodel server which is not responding (low risk) - will be + addressed in future release ## [1.2.0] - 2022-09-30 + ### Added + - Automatic eclipse dash IP-ticket creation - Automatic cucumber execution based on Tests in Jira ### Fixed + - Update HSTS header configuration (TRI-659) - Encode log output to avoid log forging (TRI-653) - Add missing X-Frame-Options header (TRI-661) - Switching to a distroless Docker base image to avoid vulnerable library (TRI-729) ### Changed + - Update EDC components to version 0.1.1 - Update testdata set to 1.3.2 - Create Tombstone for faulty/null/none BPN ManufactureId - Update aaswrapper to 0.0.7 ## [1.1.0] - 2022-09-12 + ### Added -- **Aspect Model validation** IRS now validates the aspect model responses requested via EDC. JSON schema files are requested on demand using Semantic Hub API. + +- **Aspect Model validation** IRS now validates the aspect model responses requested via EDC. JSON schema files are + requested on demand using Semantic Hub API. - **BPN mapping** IRS job result includes BPNs and the corresponding names. - **Enabled collecting of "Batch" submodels** IRS supports aspect model "Batch" ### Fixed + - **Malformed date-time in IRS job result** (TRI-627) - **Job cleanup process** Jobs are completely deleted after retention period exceeded. (TRI-631) - **IRS job processing** IRS jobs no longer stay stuck in state RUNNING due to malformed URLs. (TRI-675) - **Security fixes** Fixed various security findings. ### Changed + - **IRS monitoring** Added more metrics and improved Grafana dashboards. 
- **Submodel payload in IRS job response** Submodels are stored as object instead of string. - **CORS** Enabled CORS configuration 
@@ -458,85 +613,149 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **IRS stability and code quality** - **API docs** - **Test data and upload script** -- **Helm charts** Improved security and performance configurations. Created a All-in-One Helm Chart for IRS which includes all IRS dependencies. Helm Chart is released separately. +- **Helm charts** Improved security and performance configurations. Created a All-in-One Helm Chart for IRS which + includes all IRS dependencies. Helm Chart is released separately. - **Refactor relationship result object of IRS** - **FOSS initial GitHub & code preparation** Change package structure to `org.eclipse.tractusx`. ## [1.0.0] - 2022-07-25 + ### Changed + * **Improved Minio Helmchart** Latest Minio version is used now * **Submodel Information** If requested, the IRS collects submodel information now and adds it to the job result * **Improved job response** The job response object contains all the required fields now with correct values ## [0.9.1] - 2022-06-14 + ### Removed + - **Remove AAS Proxy** The IRS works without the AASProxy component ## [0.9.0] - 2022-04-27 + ### Added -- **Build traceability BoM as built tree** You can now use the IRS to retrieve a BoM tree with lifecycle stage "as built" for serialized components, which are distributed across the Catena-X network. In this release, the tree is being built on the aspects "SerialPartTypization" and "AssemblyPartRelationship". Focus is a tree built in the direction top-down/parent-child. + +- **Build traceability BoM as built tree** You can now use the IRS to retrieve a BoM tree with lifecycle stage "as + built" for serialized components, which are distributed across the Catena-X network. In this release, the tree is + being built on the aspects "SerialPartTypization" and "AssemblyPartRelationship". Focus is a tree built in the + direction top-down/parent-child. - *IRS API v1.0.0* First release of the IRS API. 
### Fixed -- **Cloud Agnostic Solution** You have the ability now to deploy the solution on different cloud vendor solutions. We decoupled the application from its former Azure Stack. + +- **Cloud Agnostic Solution** You have the ability now to deploy the solution on different cloud vendor solutions. We + decoupled the application from its former Azure Stack. - **Security fixes** Various security fixes. ### Changed -- **Asynchronous Job Management** Since we cannot rely on a synchronous answer of each request within the network, we provide a job management for this process. + +- **Asynchronous Job Management** Since we cannot rely on a synchronous answer of each request within the network, we + provide a job management for this process. - **AAS Proxy** Requests to Digital Twin Registry are executed via the AAS Proxy. -- **Quality Gate for Release 1** The quality measures were implemented in accordance with the requirements for Release 1. +- **Quality Gate for Release 1** The quality measures were implemented in accordance with the requirements for Release + 1. - **Hotel Budapest catenax-ng** C-X-NG ready using the provided catenax-ng infrastructure. - **SCA Composition Analysis** Enablement of SCA Composition Analysis using Veracode and CodeQl. - **Github Integrations** VeraCode/Dependabot/SonarCloud/CodeQl ### Unresolved -- **Select Aspects you need** You are able to select the needed aspects for which you want to collect the correct endpoint information. + +- **Select Aspects you need** You are able to select the needed aspects for which you want to collect the correct + endpoint information. 
[Unreleased]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.4.0...HEAD + [4.4.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.3.0...4.4.0 + [4.3.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.2.0...4.3.0 + [4.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.1.0...4.2.0 + [4.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.0.2...4.1.0 + [4.0.2]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.0.1...4.0.2 + [4.0.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.0.0...4.0.1 + [4.0.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.4...4.0.0 + [3.5.4]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.3...3.5.4 + [3.5.3]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.2...3.5.3 + [3.5.2]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.1...3.5.2 + [3.5.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.0...3.5.1 + [3.5.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.4.1...3.5.0 + [3.4.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.4.0...3.4.1 + [3.4.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.5...3.4.0 + [3.3.5]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.4...3.3.5 + [3.3.4]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.3...3.3.4 + [3.3.3]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.2...3.3.3 + [3.3.2]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.1...3.3.2 + [3.3.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.0...3.3.1 + [3.3.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.2.1...3.3.0 + 
[3.2.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.2.0...3.2.1 + [3.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.1.0...3.2.0 + [3.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.0.1...3.1.0 + [3.0.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.0.0...3.0.1 + [3.0.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.6.1...3.0.0 + [2.6.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.6.0...2.6.1 + [2.6.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.5.1...2.6.0 + [2.5.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.5.0...2.5.1 + [2.5.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.4.0...2.5.0 + [2.4.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.4.0...2.4.1 + [2.4.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.3.2...2.4.0 + [2.3.2]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.3.1...2.3.2 + [2.3.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.3.0...2.3.1 + [2.3.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.2.0...2.3.0 + [2.2.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.2.0...2.2.1 + [2.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.1.0...2.2.0 + [2.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.0.0...2.1.0 + [2.0.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.6.0...2.0.0 + [1.6.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.5.0...1.6.0 + [1.5.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.4.0...1.5.0 + [1.4.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.3.0...1.4.0 + 
[1.3.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.2.0...1.3.0 + [1.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/v1.1.0...1.2.0 + [1.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/v1.0.0...v1.1.0 + [1.0.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/v0.9.1...v1.0.0 + [0.9.1]: https://github.com/eclipse-tractusx/item-relationship-service/commits/v0.9.1 + [0.9.0]: https://github.com/eclipse-tractusx/item-relationship-service/commits/v0.9.0 From d290dbe06526f4afe103a452d9eae2c93268272f Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Tue, 23 Jan 2024 19:50:28 +0100 Subject: [PATCH 06/12] chore(deps):[#xxx] Undo unintended autoformatting in CHANGELOG.md --- CHANGELOG.md | 365 +++++++++++---------------------------------------- 1 file changed, 75 insertions(+), 290 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3f366a39d0..f8d4b9234c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,4 @@ # Changelog - All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), @@ -8,7 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Changed - - Updated license header to "Copyright (c) 2021,2024 Contributors to the Eclipse Foundation" - Suppressed CVE-2024-20932 from graal-sdk-21.2.0.jar because this is not applicable for IRS. 
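Review bot: The new Unreleased entry in the @@ -8,7 +7,6 hunk, "Suppressed CVE-2024-20932 from graal-sdk-21.2.0.jar because this is not applicable for IRS.", records the decision but not the reason, so a later reader cannot tell under which assumption the suppression still holds. Add the one-line justification (which deployment property makes the advisory inapplicable to IRS) or a pointer to the suppression entry that carries it, so the suppression can be re-evaluated when the deployment model or the graal-sdk version changes.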
@@ -17,70 +15,50 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Fixed CVE-2023-6378 by custom dependency management entry for logback (1.4.14). ## [4.4.0] - 2024-01-15 - ### Added - - Added EDR token cache to reuse token after contract negotiation - Added cache mechanism in DiscoveryFinderClientImpl for findDiscoveryEndpoints - Add concept docs/#322-Provisioning-of-contractAgreementId-for-assets.md ### Changed - -- Authentication was redesigned to use API keys, instead of OAuth2 protocol. The api key has to be sent as a X-API-KEY - request header. IRS is supporting two types of API keys - one for admin and one for regular/view usage. Use - new ``apiKeyAdmin`` and ``apiKeyRegular`` config entries to set up API keys. +- Authentication was redesigned to use API keys, instead of OAuth2 protocol. The api key has to be sent as a X-API-KEY request header. IRS is supporting two types of API keys - one for admin and one for regular/view usage. Use new ``apiKeyAdmin`` and ``apiKeyRegular`` config entries to set up API keys. ### Removed - - Removed ``oauth.resourceClaim``, ``oauth.irsNamespace``,``oauth.roles``,``oauth2.jwkSetUri`` config entries ## [4.3.0] - 2023-12-08 - ### Added - - Added support for `hasAlternatives` property in SingleLevelBomAsBuilt aspect ### Changed - - Updated edc dependencies to 0.2.1 - Update deprecated field `providerUrl` to `counterPartyAddress` in EDC catalog request - Update ESS EDC notification creation asset endpoint to v3 ## [4.2.0] - 2023-11-28 - ### Changed - -- Changed default behaviour of IRS - when aspects list is not provided or empty in request body, IRS will not collect - any submodel now (previously default aspects were collected). +- Changed default behaviour of IRS - when aspects list is not provided or empty in request body, IRS will not collect any submodel now (previously default aspects were collected). 
- ESS - - Added 'hops' parameter to SupplyChainImpacted Aspect model - contains relative distance in the supply chain - - Added `impactedSuppliersOnFirstTier` parameter to Supply SupplyChainImpacted Aspect model - contains information - of first level supply chain impacted + - Added 'hops' parameter to SupplyChainImpacted Aspect model - contains relative distance in the supply chain + - Added `impactedSuppliersOnFirstTier` parameter to Supply SupplyChainImpacted Aspect model - contains information of first level supply chain impacted - Exported health endpoints to prometheus (see HealthMetricsExportConfiguration, DependenciesHealthMetricsExportConfiguration) and added [system health dashboard](charts/irs-helm/dashboards/system-health-dashboard.json) in order to visualize health metrics of IRS and its dependencies ### Fixed - - Fixed incorrect passing of incidentBPNS for ESS Orders ### Known knowns - - [#253] Cancelation of order jobs is not working stable ## [4.1.0] - 2023-11-15 - ### Added - -- IRS can now check the readiness of external services. Use the new ``management.health.dependencies.enabled`` config - entry to determine if external dependencies health checks should be checked (false by default). - - The map of external services healthcheck endpoints can be configured with ``management.health.dependencies.urls`` - property, eg. ``service_name: http://service_name_host/health`` +- IRS can now check the readiness of external services. Use the new ``management.health.dependencies.enabled`` config entry to determine if external dependencies health checks should be checked (false by default). + - The map of external services healthcheck endpoints can be configured with ``management.health.dependencies.urls`` property, eg. 
``service_name: http://service_name_host/health`` - Added cache mechanism for ConnectorEndpointService for fetchConnectorEndpoints method cache ### Changed - - Changed name of spring's OAuth2 client registration from 'keycloak' to 'common' like below: ``` spring: @@ -114,52 +92,37 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Update IRS API Swagger documentation to match AAS 3.0.0 ### Fixed - - IRS will return 206 Http status from GET /jobs/{id} endpoint if Job is still running ## [4.0.2] - 2023-11-20 - ### Changed - - Remove `apk upgrade --no-cache libssl3 libcrypto3` in Docker base image to be TRG compliant ## [4.0.1] - 2023-11-10 - ### Changed - - Added state `STARTED` as acceptable state to complete the EDC transfer process to be compatible with EDC 0.5.1 ## [4.0.0] - 2023-10-27 - ### Added - - Introduced new API endpoint to register ESS Jobs in Batch - POST {{IRS_HOST}}/irs/ess/orders - Added role "admin_irs" again ### Changed - - Deprecated query parameter 'jobStates' was removed from GET {{IRS_HOST}}/irs/jobs endpoint -- Moved OAuth2 JWT token claim to configuration. The fields can be configured - with `oauth.resourceClaim`, `oauth.irsNamespace`, `oauth.roles`. +- Moved OAuth2 JWT token claim to configuration. The fields can be configured with `oauth.resourceClaim`, `oauth.irsNamespace`, `oauth.roles`. - ESS - - Added Tombstone to ESS investigation in case required aspect models "PartAsPlanned" or " - PartSiteInformationAsPlanned" are missing + - Added Tombstone to ESS investigation in case required aspect models "PartAsPlanned" or "PartSiteInformationAsPlanned" are missing - Update dependencies to mitigate third party vulnerabilities ## [3.5.4] - 2023-10-25 - ### Changed - - removed role "admin_irs" ## [3.5.3] - 2023-10-09 - ### Fixed - - Fixed default policy creation. ### Changed - - Changed configuration for default policies from: ``` irs-edc-client: 
@@ -183,378 +146,275 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ``` ## [3.5.2] - 2023-10-06 - ### Changed - - Updated dependencies ## [3.5.1] - 2023-10-05 - ### Fixed - - Fix json schema validation ## [3.5.0] - 2023-09-27 - ### Changed - -- IRS now makes use of the value `dspEndpoint` in `subprotocolBody` of the Asset Administration Shell to request - submodel data directly. +- IRS now makes use of the value `dspEndpoint` in `subprotocolBody` of the Asset Administration Shell to request submodel data directly. - Policy Store API is extended to handle: - - multi permissions per each allowed Policy in POST call to create Policy - - multi constraint per each permission in POST call to create Permission - - logical AndConstraint and OrConstraint to give possibility to create complex restriction + - multi permissions per each allowed Policy in POST call to create Policy + - multi constraint per each permission in POST call to create Permission + - logical AndConstraint and OrConstraint to give possibility to create complex restriction ### Fixed - - Fixed a case where IRS submodel requests did not reuqest all EDC endpoints discovered by Discovery Finder - ESS - - Updated investigation request body field `incidentBPNs` to `incidentBPNSs`. - - Streamlined EDC notification flow and adjusted it to existing EDC client methods - - Changed investigation from BPNL to BPNS (`catenaXSiteId` of `PartSiteInformationAsPlanned`) - - Additional validation for `validityPeriod` of `PartAsPlanned` + - Updated investigation request body field `incidentBPNs` to `incidentBPNSs`. + - Streamlined EDC notification flow and adjusted it to existing EDC client methods + - Changed investigation from BPNL to BPNS (`catenaXSiteId` of `PartSiteInformationAsPlanned`) + - Additional validation for `validityPeriod` of `PartAsPlanned` ## [3.4.1] - 2023-09-22 - ### Changed - - Updated SingleLevelUsageAsBuilt schema to 2.0.0 version. 
### Fixed - - Fixed missing access control for Batch and ESS API. ## [3.4.0] - 2023-09-01 - ### Added - - Added fetchCatalog to EDCCatalogFacade - Introduced new API endpoint to update 'validUntil' property of Policy - PUT {{IRS_HOST}}/irs/policies/{policyId} - Introduced new IRS role `admin_irs` which has unrestricted access to every API endpoint ### Changed - -- Adjusted API access control. Users with role `view_irs` can only access jobs they created themselves. PolicyStore API - access is restricted to role `admin_irs`. +- Adjusted API access control. Users with role `view_irs` can only access jobs they created themselves. PolicyStore API access is restricted to role `admin_irs`. ### Fixed - - Fixed bug where BPN's were delivered without 'manufacturerName' property filled ## [3.3.5] - 2023-08-30 - ### Changed - - Updated IRS Digital Twin Registry Client to support latest version 0.3.14-M1 ## [3.3.4] - 2023-08-24 - ### Fixed - - Added missing license information to documentation and docker image ## [3.3.3] - 2023-08-11 - ### Changed - -- IRS now calls the entire dataplane URL retrieved from the registry href instead of building it from the URL of the EDC - token and the path +- IRS now calls the entire dataplane URL retrieved from the registry href instead of building it from the URL of the EDC token and the path ### Fixed - - Switched to POST for DTR lookup request -- Added Base64 encoding to identifier for DTR shell-descriptor request +- Added Base64 encoding to identifier for DTR shell-descriptor request - Fixed an issue where IRS did not pass the BPN correctly for the ESS use-case ## [3.3.2] - 2023-07-31 - ### Fixed - - BPN is now passed on correctly when traversing the item graph - EDC Policies now get validated regardless of the type of constraint. - EDC Policies of type FrameworkAgreement are now validated correctly. 
- Fixed error in BPN handling for IRS Batch requests ## [3.3.1] - 2023-07-24 - ### Fixed - - Added missing field `businessPartner` for relationship aspect SingleLevelUsageAsBuilt ## [3.3.0] - 2023-07-20 - ### Changed - - BPN is now taken from the submodel data while traversing the item graph - Tombstone is created if no BPN is available for a child item ## [3.2.1] - 2023-07-19 - ### Fixed - - EDC Policies now get validated regardless of the type of constraint. - EDC Policies of type `FrameworkAgreement` are now validated correctly. - Fixed error in BPN handling for IRS Batch requests ## [3.2.0] - 2023-07-14 - ### Changed - -- The client code for accessing the Digital Twin Registry (central and decentral) is now available as a spring boot - maven library. See the README in the irs-registry-client module for more information. +- The client code for accessing the Digital Twin Registry (central and decentral) is now available as a spring boot maven library. See the README in the irs-registry-client module for more information. - Update EDC dependencies to 0.1.3 - Add Transformer to support new EDC constraint operator format -- IRS now supports the AAS API 3.0 and its updated models. **Note**: this also reflects in the Job response shells, - please check the new schema. +- IRS now supports the AAS API 3.0 and its updated models. **Note**: this also reflects in the Job response shells, please check the new schema. ### Known knowns - -- [TRI-1460] ESS Notifications endpoints are not working in the decentral Digital Twin Registry scenario because - endpoints does not provide bpn as a parameter. +- [TRI-1460] ESS Notifications endpoints are not working in the decentral Digital Twin Registry scenario because endpoints does not provide bpn as a parameter. 
- [TRI-1096] No limiting of requests in parallel - IRS allows sending API requests unlimited -- [TRI-1100] Potential denial-of-service (DoS) attack - IRS allows to enter a large number of characters, which are - reflected in the response of the server -- [TRI-1098] Software related information disclosure - IRS returns redundant information about the type and version of - used software -- [TRI-793] Misconfigured Access-Control-Allow- Origin Header - by intercepting network traffic it could be possible to - read and modify any messages that are exchanged with server -- [TRI-1095] HTTP security headers configuration could be improved and allow for additional protection against some web - application attacks -- [TRI-1441] Synchronous communication with shared C-X services without circuit breaker pattern - potentially could - affect IRS resilience when other services becomes non-responsive. -- [TRI-1441] Cascading effects of failure when Digital Twin Registry becomes non-responsive - potentially bulkhead - pattern could improve IRS resilience -- [TRI-1477] Retry mechanism used inside IRS could potentially affect IRS resilience - DDOS other services on which IRS - is dependent, exhaustion of resources and available threads, etc. 
+- [TRI-1100] Potential denial-of-service (DoS) attack - IRS allows to enter a large number of characters, which are reflected in the response of the server +- [TRI-1098] Software related information disclosure - IRS returns redundant information about the type and version of used software +- [TRI-793] Misconfigured Access-Control-Allow- Origin Header - by intercepting network traffic it could be possible to read and modify any messages that are exchanged with server +- [TRI-1095] HTTP security headers configuration could be improved and allow for additional protection against some web application attacks +- [TRI-1441] Synchronous communication with shared C-X services without circuit breaker pattern - potentially could affect IRS resilience when other services becomes non-responsive. +- [TRI-1441] Cascading effects of failure when Digital Twin Registry becomes non-responsive - potentially bulkhead pattern could improve IRS resilience +- [TRI-1477] Retry mechanism used inside IRS could potentially affect IRS resilience - DDOS other services on which IRS is dependent, exhaustion of resources and available threads, etc. - [TRI-1478] Lack of resources management - thread pooling, heap limitation etc. 
- [TRI-1024] IRS does not support scale out on multiple instances ## [3.1.0] - 2023-07-07 - ### Changed - - Removed catalog cache - Changed EDC catalog retrieval from pagination to filter -- Item graphs with asBuilt lifecycle & downward direction are now built with usage of SingleLevelBomAsBuilt aspect, - instead of AssemblyPartRelationship aspect +- Item graphs with asBuilt lifecycle & downward direction are now built with usage of SingleLevelBomAsBuilt aspect, instead of AssemblyPartRelationship aspect - Changed retrieval of BPN value from AAS Shell to SingleLevelBomAsBuilt - Renamed SerialPartTypization to SerialPart aspect - ESS - - Update ESS notification asset creation to new EDC DSP protocol - - Include DiscoveryFinder into ESS flow + - Update ESS notification asset creation to new EDC DSP protocol + - Include DiscoveryFinder into ESS flow ## [3.0.1] - 2023-06-28 - ### Fixed - - Added missing participantId to contract negotiation for decentral DTR contract negotiation - Fixed default value for contract negotiation and transfer process state-suffix ## [3.0.0] - 2023-06-26 - ### Added - - Handling of Decentral Digital Twin Registry as a way of request AAS for identifier - - Extend Register Job with key field that contain BPN and globalAssetId - - Requesting BPN endpoint catalog over Discrovery Finder - - Requesting EDC endpoint addresses for BPN over EDC Discovery Finder - - Add filter for catalog item search in EDC - - Authorize Digital Twin client with EDC Endpoint Reference + - Extend Register Job with key field that contain BPN and globalAssetId + - Requesting BPN endpoint catalog over Discrovery Finder + - Requesting EDC endpoint addresses for BPN over EDC Discovery Finder + - Add filter for catalog item search in EDC + - Authorize Digital Twin client with EDC Endpoint Reference - Added new Policy Store API to manage acceptable EDC policies - - `GET /irs/policies` - - `POST /irs/policies` - - `DELETE /irs/policies/{policyId}` + - `GET /irs/policies` + - 
`POST /irs/policies` + - `DELETE /irs/policies/{policyId}` ### Changed - - Updated EDC Client to use version 0.4.1 - - Adjusted Protocol from IDS to DSP - - Paths for catalog, contract negotiation and transfer process are now configurable via properties - - `edc.controlplane.endpoint.catalog` - - `edc.controlplane.endpoint.contract-negotiation` - - `edc.controlplane.endpoint.transfer-process` + - Adjusted Protocol from IDS to DSP + - Paths for catalog, contract negotiation and transfer process are now configurable via properties + - `edc.controlplane.endpoint.catalog` + - `edc.controlplane.endpoint.contract-negotiation` + - `edc.controlplane.endpoint.transfer-process` - EDR Callback is now configurable via property `edc.callback-url` ## [2.6.1] - 2023-05-15 - ### Added - - Validation if bpnEndpoint is set in properties before starting a job with lookupBPNs set to true - Automate release workflow - Validate if callback url starts with http or https before register a job ## [2.6.0] - 2023-05-05 - ### Added - -- IRS now checks the EDC policies and only negotiates contracts if the policy matches the ones defined in the - configuration at `edc.catalog.policies.allowedNames` (comma separated string) +- IRS now checks the EDC policies and only negotiates contracts if the policy matches the ones defined in the configuration at `edc.catalog.policies.allowedNames` (comma separated string) ### Changed - - Restructured the repository to make it more comprehensive -- Improved API descriptions regarding errors +- Improved API descriptions regarding errors ## [2.5.1] - 2023-04-28 - ### Changed - - Replaced Discovery Service mock with real implementation ## [2.5.0] - 2023-04-17 - ### Added +- Introduced Batch processing API endpoints. Batch Order is registered and executed for a bunch of globalAssetIds in one call. 
+ - API Endpoint POST Register Batch Order {{IRS_HOST}}/irs/orders + - API Endpoint GET Batch Order {{IRS_HOST}}/irs/orders/:orderId + - API Endpoint GET Batch {{IRS_HOST}}/irs/orders/:orderId/batches/:batchId +- Introduced Environmental- and Social Standards processing API endpoints. + - API Endpoint POST Register job to start an investigation if a given bpn is contained in a part chain {{IRS_HOST}}/ess/bpn/investigations + - API Endpoint GET BPN Investigation {{IRS_HOST}}/ess/bpn/investigations/:id + - API Endpoint POST EDC Notification receive {{IRS_HOST}}/ess/notification/receive -- Introduced Batch processing API endpoints. Batch Order is registered and executed for a bunch of globalAssetIds in one - call. - - API Endpoint POST Register Batch Order {{IRS_HOST}}/irs/orders - - API Endpoint GET Batch Order {{IRS_HOST}}/irs/orders/:orderId - - API Endpoint GET Batch {{IRS_HOST}}/irs/orders/:orderId/batches/:batchId -- Introduced Environmental- and Social Standards processing API endpoints. - - API Endpoint POST Register job to start an investigation if a given bpn is contained in a part chain - {{IRS_HOST}}/ess/bpn/investigations - - API Endpoint GET BPN Investigation {{IRS_HOST}}/ess/bpn/investigations/:id - - API Endpoint POST EDC Notification receive {{IRS_HOST}}/ess/notification/receive ## [2.4.1] - 2023-04-21 - ### Fixed - - Updated spring-boot version to 3.0.6 to fix security issue - change GID in Dockerfile to fix https://github.com/eclipse-tractusx/item-relationship-service/issues/101 -## [2.4.0] - 2023-03-30 +## [2.4.0] - 2023-03-30 ### Added - -- IRS is now able to cache the EDC catalog. Caching can be disabled via application config. Maximum amount of cached - items and item time-to-live can be configured as well. +- IRS is now able to cache the EDC catalog. Caching can be disabled via application config. Maximum amount of cached items and item time-to-live can be configured as well. 
- EDC policies retrieved from contract offer are now added to the contract negotiation ### Changed - -- API endpoints have now additional layer of security and require BPN claim in token. Allowed BPN that can access API - can be configured with (*env:API_ALLOWED_BPN*) variable. +- API endpoints have now additional layer of security and require BPN claim in token. Allowed BPN that can access API can be configured with (*env:API_ALLOWED_BPN*) variable. - Updated Spring Boot dependency to 3.0.5 ### Fixed +- Fixed issue in paging when calling SemanticsHub with some page size configurations -- Fixed issue in paging when calling SemanticsHub with some page size configurations ## [2.3.2] - 2023-03-20 - ### Changed - - Replace pandoc with downdoc for conversion asciidoc to markdown ### Fixed - - In AssemblyPartRelationship the ``measurementUnit`` can be both parsed from both string and object versions - Decode URLs for ``assetId`` to prevent bug that encoded ``assetId`` cannot be found in the catalog ## [2.3.1] - 2023-03-07 - ### Changed - - Updated Spring Boot dependency to 3.0.3 ## [2.3.0] - 2023-02-21 - ### Added - -- Introduced new endpoint ``/irs/aspectmodels`` which will list all available aspect models (from semantic hub or - locally provided files if present) +- Introduced new endpoint ``/irs/aspectmodels`` which will list all available aspect models (from semantic hub or locally provided files if present) ### Fixed - - If Grafana is enabled - dashboards will be automatically imported on startup ### Changed - - Job creation validates ``aspects`` by using models available in semantic hub or locally provided. ## [2.2.1] - 2023-03-15 - ### Fixed - -- Property "measurementUnit" of AssemblyPartRelationship can now be a String or a Map. According to the latest model, it - is supposed to be a String, but due to varying test data, IRS supports both variants. +- Property "measurementUnit" of AssemblyPartRelationship can now be a String or a Map. 
According to the latest model, it is supposed to be a String, but due to varying test data, IRS supports both variants. - EDC Catalog IDs are now being URL decoded before usage ## [2.2.0] - 2023-01-20 - ### Added - - Added new job parameter flag "lookupBPNs" which toggles lookup of BPN numbers using the configured BPN URL -- Added new summary item "bpnLookups" which tracks completed and failed BPN requests. Excluded these metrics from " - asyncFetchedItems" +- Added new summary item "bpnLookups" which tracks completed and failed BPN requests. Excluded these metrics from "asyncFetchedItems" - Model schema JSON files can now be provided locally as a backup to the Semantic Hub. Use the new ``semanticsHub.localModelDirectory`` config entry to provide a folder with the models. - Added pagination to EDC catalog retrieval. ### Fixed - - BPNs array is now filled correctly when requesting a running job with parameter "returnUncompletedJob=true" ## [2.1.0] - 2023-01-11 - ### Changed - - Change 'jobParameter' to 'parameter' in GET calls in IRS API - Change 'jobStates' to 'states' request parameter in GET call for jobs by states, 'jobStates' is now deprecated - REST clients for DTR, SemHub and BPDM now use their own RestTemplates and configuration - application.yaml received some documentation ## [2.0.0] - 2022-12-09 - ### Added - - Added pagination to GET /irs/jobs endpoint (eg. {{IRS_HOST}}/irs/jobs?page=0&size=10&sort=completedOn,asc) ### Changed - - IRS API now requires 'view_irs' resource access inside Keycloak JWT token. - New 2.0.0 version of IRS API. 
Main goal was to remove 'job' prefix from attribute names - - change 'jobId' to 'id' in GET and POST calls - - change 'jobState' to 'state' in GET calls - - change 'jobCompleted' to 'completedOn' in GET calls - - change 'jobId' to 'id' and 'jobState' to 'state' in callback URI variables + - change 'jobId' to 'id' in GET and POST calls + - change 'jobState' to 'state' in GET calls + - change 'jobCompleted' to 'completedOn' in GET calls + - change 'jobId' to 'id' and 'jobState' to 'state' in callback URI variables ## [1.6.0] - 2022-11-25 - ### Added - - EDC client implementation (for negotiation and data exchange) - New callback endpoint for EDC (path: /internal/endpoint-data-reference) - Optional trusted port to make internal interfaces only available via that (config: server.trustedPort) ### Removed - - Removed the need for the API wrapper by directly communicating with the EDC control and data plane. ## [1.5.0] - 2022-11-11 - ### Added - - Added new parameters 'startedOn' and 'jobCompleted' to Job status response ### Changed - - Updated Spring Boot to 2.7.5 and Spring Security (Web and OAuth2 Client) dependencies to 5.7.5 due to CVEs - Renamed parameter from 'status' to 'jobState' in Job status response - Time to live for finished jobs is now configurable ## [1.4.0] - 2022-10-28 - ### Added - -- Added new 'asPlanned' value for bomLifecycle request parameter - now BomAsPlanned can be traversed by the IRS to build - relationships +- Added new 'asPlanned' value for bomLifecycle request parameter - now BomAsPlanned can be traversed by the IRS to build relationships ## [1.3.0] - 2022-10-18 - ### Added - - BPDM URL (*env:BPDM_URL*) is now configurable - SemanticsHub URL (*env:SEMANTICSHUB_URL*) and default URNs (*env:SEMANTICSHUB_DEFAULT_URNS*) are now configurable - Added an administration guide covering installation and configuration topics (TRI-593) 
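Review bot: Several pairs in the @@ -183,378 +146,275 hunk remove and re-add a line with no visible difference, for example `- Added Base64 encoding to identifier for DTR shell-descriptor request`, `- Improved API descriptions regarding errors` and the `## [2.4.0] - 2023-03-30` heading, which means the only change is trailing whitespace. Run `git diff --check` on the commit and confirm these pairs restore the pre-autoformat lines rather than re-introduce trailing spaces; if the whitespace is not part of the original, drop those pairs. The re-flowed lines in this hunk also carry over existing typos ("Access-Control-Allow- Origin", "Discrovery Finder", "reuqest"); since this commit is meant to be a pure undo of the autoformatting, fix those in a separate commit rather than here.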
@@ -562,49 +422,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added new optional parameter 'callbackUrl' to Job registration request ### Known knowns - -- discovered lack of circuit breaker for communication with submodel server which is not responding (low risk) - will be - addressed in future release +- discovered lack of circuit breaker for communication with submodel server which is not responding (low risk) - will be addressed in future release ## [1.2.0] - 2022-09-30 - ### Added - - Automatic eclipse dash IP-ticket creation - Automatic cucumber execution based on Tests in Jira ### Fixed - - Update HSTS header configuration (TRI-659) - Encode log output to avoid log forging (TRI-653) - Add missing X-Frame-Options header (TRI-661) - Switching to a distroless Docker base image to avoid vulnerable library (TRI-729) ### Changed - - Update EDC components to version 0.1.1 - Update testdata set to 1.3.2 - Create Tombstone for faulty/null/none BPN ManufactureId - Update aaswrapper to 0.0.7 ## [1.1.0] - 2022-09-12 - ### Added - -- **Aspect Model validation** IRS now validates the aspect model responses requested via EDC. JSON schema files are - requested on demand using Semantic Hub API. +- **Aspect Model validation** IRS now validates the aspect model responses requested via EDC. JSON schema files are requested on demand using Semantic Hub API. - **BPN mapping** IRS job result includes BPNs and the corresponding names. - **Enabled collecting of "Batch" submodels** IRS supports aspect model "Batch" ### Fixed - - **Malformed date-time in IRS job result** (TRI-627) - **Job cleanup process** Jobs are completely deleted after retention period exceeded. (TRI-631) - **IRS job processing** IRS jobs no longer stay stuck in state RUNNING due to malformed URLs. (TRI-675) - **Security fixes** Fixed various security findings. ### Changed - - **IRS monitoring** Added more metrics and improved Grafana dashboards. 
- **Submodel payload in IRS job response** Submodels are stored as object instead of string. - **CORS** Enabled CORS configuration 
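Review bot: this hunk, like the one before it, is pure re-wrapping: it joins hard-wrapped list items into single lines and deletes the blank line under each `### Added` / `### Fixed` / `### Changed` heading, and that cosmetic churn is what makes this commit a 294/75-line change inside a CVE remediation series. That buries the one CHANGELOG edit a reviewer actually needs to verify; move the Keep-a-Changelog reformatting into its own commit and make sure the dependency bumps of this series (logback 1.4.14, Spring Boot 3.1.8, CVE-2023-6378, CVE-2024-22233) get their own entry under `## [Unreleased]`, which this excerpt does not show.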
@@ -614,149 +463,85 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **IRS stability and code quality** - **API docs** - **Test data and upload script** -- **Helm charts** Improved security and performance configurations. Created a All-in-One Helm Chart for IRS which - includes all IRS dependencies. Helm Chart is released separately. +- **Helm charts** Improved security and performance configurations. Created a All-in-One Helm Chart for IRS which includes all IRS dependencies. Helm Chart is released separately. - **Refactor relationship result object of IRS** - **FOSS initial GitHub & code preparation** Change package structure to `org.eclipse.tractusx`. ## [1.0.0] - 2022-07-25 - ### Changed - * **Improved Minio Helmchart** Latest Minio version is used now * **Submodel Information** If requested, the IRS collects submodel information now and adds it to the job result * **Improved job response** The job response object contains all the required fields now with correct values ## [0.9.1] - 2022-06-14 - ### Removed - - **Remove AAS Proxy** The IRS works without the AASProxy component ## [0.9.0] - 2022-04-27 - ### Added - -- **Build traceability BoM as built tree** You can now use the IRS to retrieve a BoM tree with lifecycle stage "as - built" for serialized components, which are distributed across the Catena-X network. In this release, the tree is - being built on the aspects "SerialPartTypization" and "AssemblyPartRelationship". Focus is a tree built in the - direction top-down/parent-child. +- **Build traceability BoM as built tree** You can now use the IRS to retrieve a BoM tree with lifecycle stage "as built" for serialized components, which are distributed across the Catena-X network. In this release, the tree is being built on the aspects "SerialPartTypization" and "AssemblyPartRelationship". Focus is a tree built in the direction top-down/parent-child. - *IRS API v1.0.0* First release of the IRS API. 
### Fixed - -- **Cloud Agnostic Solution** You have the ability now to deploy the solution on different cloud vendor solutions. We - decoupled the application from its former Azure Stack. +- **Cloud Agnostic Solution** You have the ability now to deploy the solution on different cloud vendor solutions. We decoupled the application from its former Azure Stack. - **Security fixes** Various security fixes. ### Changed - -- **Asynchronous Job Management** Since we cannot rely on a synchronous answer of each request within the network, we - provide a job management for this process. +- **Asynchronous Job Management** Since we cannot rely on a synchronous answer of each request within the network, we provide a job management for this process. - **AAS Proxy** Requests to Digital Twin Registry are executed via the AAS Proxy. -- **Quality Gate for Release 1** The quality measures were implemented in accordance with the requirements for Release - 1. +- **Quality Gate for Release 1** The quality measures were implemented in accordance with the requirements for Release 1. - **Hotel Budapest catenax-ng** C-X-NG ready using the provided catenax-ng infrastructure. - **SCA Composition Analysis** Enablement of SCA Composition Analysis using Veracode and CodeQl. - **Github Integrations** VeraCode/Dependabot/SonarCloud/CodeQl ### Unresolved - -- **Select Aspects you need** You are able to select the needed aspects for which you want to collect the correct - endpoint information. +- **Select Aspects you need** You are able to select the needed aspects for which you want to collect the correct endpoint information. 
[Unreleased]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.4.0...HEAD - [4.4.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.3.0...4.4.0 - [4.3.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.2.0...4.3.0 - [4.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.1.0...4.2.0 - [4.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.0.2...4.1.0 - [4.0.2]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.0.1...4.0.2 - [4.0.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.0.0...4.0.1 - [4.0.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.4...4.0.0 - [3.5.4]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.3...3.5.4 - [3.5.3]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.2...3.5.3 - [3.5.2]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.1...3.5.2 - [3.5.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.5.0...3.5.1 - [3.5.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.4.1...3.5.0 - [3.4.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.4.0...3.4.1 - [3.4.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.5...3.4.0 - [3.3.5]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.4...3.3.5 - [3.3.4]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.3...3.3.4 - [3.3.3]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.2...3.3.3 - [3.3.2]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.1...3.3.2 - [3.3.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.3.0...3.3.1 - [3.3.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.2.1...3.3.0 - 
[3.2.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.2.0...3.2.1 - [3.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.1.0...3.2.0 - [3.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.0.1...3.1.0 - [3.0.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.0.0...3.0.1 - [3.0.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.6.1...3.0.0 - [2.6.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.6.0...2.6.1 - [2.6.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.5.1...2.6.0 - [2.5.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.5.0...2.5.1 - [2.5.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.4.0...2.5.0 - [2.4.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.4.0...2.4.1 - [2.4.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.3.2...2.4.0 - [2.3.2]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.3.1...2.3.2 - [2.3.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.3.0...2.3.1 - [2.3.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.2.0...2.3.0 - [2.2.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.2.0...2.2.1 - [2.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.1.0...2.2.0 - [2.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/2.0.0...2.1.0 - [2.0.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.6.0...2.0.0 - [1.6.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.5.0...1.6.0 - [1.5.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.4.0...1.5.0 - [1.4.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.3.0...1.4.0 - 
[1.3.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/1.2.0...1.3.0 - [1.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/v1.1.0...1.2.0 - [1.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/v1.0.0...v1.1.0 - [1.0.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/v0.9.1...v1.0.0 - [0.9.1]: https://github.com/eclipse-tractusx/item-relationship-service/commits/v0.9.1 - [0.9.0]: https://github.com/eclipse-tractusx/item-relationship-service/commits/v0.9.0 From 54411092d683a3082f7a7398c8df2ce8e741ed7f Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Tue, 23 Jan 2024 20:23:36 +0100 Subject: [PATCH 07/12] chore(deps):[#xxx] Update DEPENDENCIES file --- DEPENDENCIES | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/DEPENDENCIES b/DEPENDENCIES index 1d6bd77288..9197d6e308 100644 --- a/DEPENDENCIES +++ b/DEPENDENCIES @@ -1,5 +1,5 @@ -maven/mavencentral/ch.qos.logback/logback-classic/1.4.11, EPL-1.0 OR LGPL-2.1-only, approved, #3435 -maven/mavencentral/ch.qos.logback/logback-core/1.4.11, EPL-1.0 OR LGPL-2.1-only, approved, #3373 +maven/mavencentral/ch.qos.logback/logback-classic/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3435 +maven/mavencentral/ch.qos.logback/logback-core/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3373 maven/mavencentral/com.aayushatharva.brotli4j/brotli4j/1.11.0, Apache-2.0, approved, clearlydefined maven/mavencentral/com.aayushatharva.brotli4j/native-linux-aarch64/1.11.0, Apache-2.0, approved, clearlydefined maven/mavencentral/com.aayushatharva.brotli4j/native-linux-x86_64/1.11.0, Apache-2.0, approved, clearlydefined From b8a96fcc0c0428ce8edb553270ef2e280e26fc18 Mon Sep 17 00:00:00 2001 
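Review bot: the compare links for `[2.5.0]` and `[2.3.0]` in the trailing link-reference block skip the intermediate patch releases: `[2.5.0]` compares `2.4.0...2.5.0` although `[2.4.1]` is listed directly below it, and `[2.3.0]` compares `2.2.0...2.3.0` although `[2.2.1]` exists. They are untouched context lines, but since this hunk already rewrites the whole block (it removes the blank line after every entry), it is the cheap moment to correct them to `2.4.1...2.5.0` and `2.2.1...2.3.0`.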
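Review bot: in the `@@ -1,5 +1,5 @@` hunk of DEPENDENCIES the logback-classic and logback-core rows are bumped to 1.4.14 while the trailing review references (`#3435`, `#3373`) are carried over unchanged from 1.4.11. If this file was edited by hand rather than regenerated with the Eclipse Dash license tool, the `approved` column may not actually reflect 1.4.14; regenerate it, or confirm those IDs cover the new version. Also note the series jumps from PATCH 05/12 to 07/12 here; check whether 06/12 was dropped intentionally.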
From: Matthias Fischer Date: Thu, 25 Jan 2024 13:39:16 +0100 Subject: [PATCH 08/12] chore(deps):[#xxx] add suppression for CVE-2023-51074 because only used in tests --- .config/owasp-suppressions.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.config/owasp-suppressions.xml b/.config/owasp-suppressions.xml index 325b8ae21a..50fc202188 100644 --- a/.config/owasp-suppressions.xml +++ b/.config/owasp-suppressions.xml @@ -30,9 +30,9 @@ - ^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$ - CVE-2024-20932 + ^pkg:maven/com\.jayway\.jsonpath@.*$ + CVE-2023-51074 \ No newline at end of file From 4dceefbc0bc1fc7386a09b6437fde9c74ad91812 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Fri, 26 Jan 2024 02:13:37 +0100 Subject: [PATCH 09/12] chore(deps):[#xxx] fix suppression for CVE-2023-51074 because only used in tests --- .config/owasp-suppressions.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.config/owasp-suppressions.xml b/.config/owasp-suppressions.xml index 50fc202188..051a11d32b 100644 --- a/.config/owasp-suppressions.xml +++ b/.config/owasp-suppressions.xml @@ -32,7 +32,7 @@ - ^pkg:maven/com\.jayway\.jsonpath@.*$ + ^pkg:maven/com.jayway.jsonpath/json-path@2.8.0$ CVE-2023-51074 \ No newline at end of file From 2b375d99d295091c82507b352ab2318266a2c219 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Fri, 26 Jan 2024 02:29:35 +0100 Subject: [PATCH 10/12] chore(deps):[#xxx] fix spring-core-6.0.14.jar: CVE-2024-22233(7.5) by updating spring boot to 3.1.8 also fixes CVE-2023-6378 logback serialization vulnerability therefore undo of manual dependency management for logback --- irs-parent-spring-boot/pom.xml | 14 -------------- pom.xml | 2 +- 2 files changed, 1 insertion(+), 15 deletions(-) diff --git a/irs-parent-spring-boot/pom.xml b/irs-parent-spring-boot/pom.xml index 0948d0bb0c..879e62f3b6 100644 --- a/irs-parent-spring-boot/pom.xml +++ b/irs-parent-spring-boot/pom.xml 
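Review bot: in the PATCH 08/12 hunk the new `packageUrl` regex `^pkg:maven/com\.jayway\.jsonpath@.*$` cannot match the artifact it is meant to cover: a Maven purl has the form `pkg:maven/<groupId>/<artifactId>@<version>`, so the real coordinate is `pkg:maven/com.jayway.jsonpath/json-path@2.8.0` and the expression lacks the `/json-path` segment (PATCH 09/12 corrects this). Second, the hunk is 3 insertions / 3 deletions: it replaces the CVE-2024-20932 graal-sdk suppression added in PATCH 04/12 instead of adding a second suppression entry, which contradicts the subject line "add suppression" and silently re-opens the graal-sdk finding that PATCH 03/12 says is still pulled in transitively at 21.2.0. Unless dropping that suppression is intended, keep it alongside the new one.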
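Review bot: in the PATCH 09/12 hunk the corrected pattern `^pkg:maven/com.jayway.jsonpath/json-path@2.8.0$` leaves the dots unescaped, unlike the other entries in this file (`org\.graalvm\.sdk`); harmless, since `.` also matches a literal dot, but inconsistent, so prefer `com\.jayway\.jsonpath/json-path@2\.8\.0`. Pinning the exact version is the right call for a "test scope only" justification, because the suppression goes inert as soon as json-path is upgraded; record that justification in the entry's notes so the next reader knows why the finding is muted, and consider an expiry via dependency-check's `until` attribute so it gets revisited.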
@@ -15,10 +15,6 @@ IRS Spring Boot Parent Parent module for Spring Boot modules. - - 1.4.14 - - @@ -28,16 +24,6 @@ pom import - - ch.qos.logback - logback-classic - ${logback.version} - - - ch.qos.logback - logback-core - ${logback.version} - diff --git a/pom.xml b/pom.xml index 97ad8c7a40..2e47b76a2d 100644 --- a/pom.xml +++ b/pom.xml @@ -76,7 +76,7 @@ 1.5.1-SNAPSHOT - 3.1.6 + 3.1.8 2.2.0 1.11.4 1.9.0 From 8bada1716d53cc165167658eeb2a02a1523f7aa0 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Fri, 26 Jan 2024 03:00:01 +0100 Subject: [PATCH 11/12] chore(deps):[#xxx] update DEPENDENCIES file --- DEPENDENCIES | 197 +++++++++++++++++++++++++++------------------------ 1 file changed, 105 insertions(+), 92 deletions(-) diff --git a/DEPENDENCIES b/DEPENDENCIES index 9197d6e308..cc0f92a3fe 100644 --- a/DEPENDENCIES +++ b/DEPENDENCIES 
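Review bot: the `pom.xml` hunk bumps `spring-boot` 3.1.6 -> 3.1.8, and the two `irs-parent-spring-boot/pom.xml` hunks delete the `logback.version` property and the explicit logback-classic/logback-core management from PATCH 01/12 and 02/12, so from here on the logback version is whatever the Spring Boot 3.1.8 BOM manages. The commit message asserts this still fixes CVE-2023-6378, but nothing in the diff pins or checks it; verify with `mvn dependency:tree -Dincludes=ch.qos.logback` that the resolved version is 1.4.14 or later (the version PATCH 01 chose for this CVE), confirm the dependency-check run is green without a suppression, and make sure the logback rows in DEPENDENCIES (bumped in PATCH 07/12) still match what is actually resolved.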
@@ -124,33 +124,33 @@ maven/mavencentral/io.github.resilience4j/resilience4j-retry/2.1.0, Apache-2.0, maven/mavencentral/io.github.resilience4j/resilience4j-spring-boot3/2.1.0, Apache-2.0, approved, #10913 maven/mavencentral/io.github.resilience4j/resilience4j-spring6/2.1.0, Apache-2.0, approved, #10915 maven/mavencentral/io.github.resilience4j/resilience4j-timelimiter/2.1.0, Apache-2.0, approved, #10166 -maven/mavencentral/io.micrometer/micrometer-commons/1.11.6, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #9243 -maven/mavencentral/io.micrometer/micrometer-core/1.11.6, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #9238 -maven/mavencentral/io.micrometer/micrometer-observation/1.11.6, Apache-2.0, approved, #9242 +maven/mavencentral/io.micrometer/micrometer-commons/1.11.8, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #9243 +maven/mavencentral/io.micrometer/micrometer-core/1.11.8, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #9238 +maven/mavencentral/io.micrometer/micrometer-observation/1.11.8, Apache-2.0, approved, #9242 maven/mavencentral/io.micrometer/micrometer-registry-prometheus/1.11.4, Apache-2.0, approved, #9805 maven/mavencentral/io.minio/minio/8.5.6, Apache-2.0, approved, #9097 maven/mavencentral/io.netty.incubator/netty-incubator-transport-classes-io_uring/0.0.21.Final, Apache-2.0, approved, #9622 maven/mavencentral/io.netty.incubator/netty-incubator-transport-native-io_uring/0.0.21.Final, GPL-2.0-only WITH Linux-syscall-note OR MIT AND Apache-2.0 AND MIT, approved, #9649 -maven/mavencentral/io.netty/netty-buffer/4.1.101.Final, Apache-2.0, approved, CQ21842 -maven/mavencentral/io.netty/netty-codec-dns/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 -maven/mavencentral/io.netty/netty-codec-http/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 -maven/mavencentral/io.netty/netty-codec-http2/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 
-maven/mavencentral/io.netty/netty-codec-mqtt/4.1.101.Final, Apache-2.0 OR LicenseRef-Public-Domain OR BSD-2-Clause OR MIT, approved, CQ15280 -maven/mavencentral/io.netty/netty-codec-socks/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 -maven/mavencentral/io.netty/netty-codec/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 -maven/mavencentral/io.netty/netty-common/4.1.101.Final, Apache-2.0 AND MIT AND CC0-1.0, approved, CQ21843 -maven/mavencentral/io.netty/netty-handler-proxy/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 -maven/mavencentral/io.netty/netty-handler/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 -maven/mavencentral/io.netty/netty-resolver-dns-classes-macos/4.1.101.Final, Apache-2.0, approved, #6367 -maven/mavencentral/io.netty/netty-resolver-dns-native-macos/4.1.101.Final, Apache-2.0, approved, #7004 -maven/mavencentral/io.netty/netty-resolver-dns/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 -maven/mavencentral/io.netty/netty-resolver/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-buffer/4.1.105.Final, Apache-2.0, approved, CQ21842 +maven/mavencentral/io.netty/netty-codec-dns/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-codec-http/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-codec-http2/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-codec-mqtt/4.1.105.Final, Apache-2.0 OR LicenseRef-Public-Domain OR BSD-2-Clause OR MIT, approved, CQ15280 +maven/mavencentral/io.netty/netty-codec-socks/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-codec/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 
+maven/mavencentral/io.netty/netty-common/4.1.105.Final, Apache-2.0 AND MIT AND CC0-1.0, approved, CQ21843 +maven/mavencentral/io.netty/netty-handler-proxy/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-handler/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-resolver-dns-classes-macos/4.1.105.Final, Apache-2.0, approved, #6367 +maven/mavencentral/io.netty/netty-resolver-dns-native-macos/4.1.105.Final, Apache-2.0, approved, #7004 +maven/mavencentral/io.netty/netty-resolver-dns/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-resolver/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 maven/mavencentral/io.netty/netty-tcnative-boringssl-static/2.0.61.Final, Apache-2.0 OR LicenseRef-Public-Domain OR BSD-2-Clause OR MIT, approved, CQ15280 maven/mavencentral/io.netty/netty-tcnative-classes/2.0.61.Final, Apache-2.0, approved, clearlydefined -maven/mavencentral/io.netty/netty-transport-classes-epoll/4.1.101.Final, Apache-2.0, approved, #6366 -maven/mavencentral/io.netty/netty-transport-native-epoll/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 -maven/mavencentral/io.netty/netty-transport-native-unix-common/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 -maven/mavencentral/io.netty/netty-transport/4.1.101.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-transport-classes-epoll/4.1.105.Final, Apache-2.0, approved, #6366 +maven/mavencentral/io.netty/netty-transport-native-epoll/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-transport-native-unix-common/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 +maven/mavencentral/io.netty/netty-transport/4.1.105.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926 
maven/mavencentral/io.opentelemetry/opentelemetry-api/1.25.0, Apache-2.0, approved, clearlydefined maven/mavencentral/io.opentelemetry/opentelemetry-api/1.29.0, Apache-2.0, approved, #10088 maven/mavencentral/io.opentelemetry/opentelemetry-context/1.25.0, Apache-2.0, approved, clearlydefined @@ -186,10 +186,10 @@ maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.1, BSD-3-Clause, ap maven/mavencentral/javax.jms/javax.jms-api/2.0.1, CDDL-1.1 OR GPL-2.0 WITH Classpath-exception-2.0, approved, #1516 maven/mavencentral/joda-time/joda-time/2.10.2, Apache-2.0, approved, clearlydefined maven/mavencentral/junit/junit/4.13.2, EPL-2.0, approved, CQ23636 -maven/mavencentral/net.bytebuddy/byte-buddy-agent/1.14.10, Apache-2.0, approved, #7164 +maven/mavencentral/net.bytebuddy/byte-buddy-agent/1.14.11, Apache-2.0, approved, #7164 maven/mavencentral/net.bytebuddy/byte-buddy-agent/1.14.4, Apache-2.0, approved, #7164 maven/mavencentral/net.bytebuddy/byte-buddy/1.12.21, Apache-2.0 AND BSD-3-Clause, approved, #1811 -maven/mavencentral/net.bytebuddy/byte-buddy/1.14.10, Apache-2.0 AND BSD-3-Clause, approved, #7163 +maven/mavencentral/net.bytebuddy/byte-buddy/1.14.11, Apache-2.0 AND BSD-3-Clause, approved, #7163 maven/mavencentral/net.datafaker/datafaker/1.9.0, Apache-2.0, approved, #8797 maven/mavencentral/net.debasishg/redisclient_2.13/3.42, Apache-2.0, approved, clearlydefined maven/mavencentral/net.java.dev.jna/jna/5.12.1, Apache-2.0 OR LGPL-2.1-or-later, approved, #3217 
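Review bot: in the `@@ -124,33 +124,33 @@` hunk `micrometer-commons`, `micrometer-core` and `micrometer-observation` move to 1.11.8 but the context line `maven/mavencentral/io.micrometer/micrometer-registry-prometheus/1.11.4` stays behind, so the build now mixes two Micrometer releases; that usually means the prometheus registry is pinned explicitly in a pom instead of taking the version the Spring Boot BOM manages. Align it (drop the explicit version or set it to the managed one) and regenerate this file. The same pattern shows in the `@@ -186` hunk right after: `byte-buddy` 1.14.11 is added while 1.14.4 and 1.12.21 remain listed.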
@@ -209,9 +209,9 @@ maven/mavencentral/org.apache.commons/commons-compress/1.23.0, Apache-2.0 AND BS maven/mavencentral/org.apache.commons/commons-compress/1.24.0, Apache-2.0 AND BSD-3-Clause AND bzip2-1.0.6 AND LicenseRef-Public-Domain, approved, #10368 maven/mavencentral/org.apache.commons/commons-lang3/3.12.0, Apache-2.0, approved, clearlydefined maven/mavencentral/org.apache.commons/commons-pool2/2.11.1, Apache-2.0, approved, CQ23795 -maven/mavencentral/org.apache.groovy/groovy-json/4.0.15, Apache-2.0, approved, #7411 -maven/mavencentral/org.apache.groovy/groovy-xml/4.0.15, Apache-2.0, approved, #10179 -maven/mavencentral/org.apache.groovy/groovy/4.0.15, Apache-2.0 AND BSD-3-Clause AND MIT, approved, #1742 +maven/mavencentral/org.apache.groovy/groovy-json/4.0.17, Apache-2.0, approved, #7411 +maven/mavencentral/org.apache.groovy/groovy-xml/4.0.17, Apache-2.0, approved, #10179 +maven/mavencentral/org.apache.groovy/groovy/4.0.17, Apache-2.0 AND BSD-3-Clause AND MIT, approved, #1742 maven/mavencentral/org.apache.httpcomponents/httpclient/4.5.13, Apache-2.0 AND LicenseRef-Public-Domain, approved, CQ23527 maven/mavencentral/org.apache.httpcomponents/httpcore/4.4.16, Apache-2.0, approved, CQ23528 maven/mavencentral/org.apache.httpcomponents/httpmime/4.5.13, Apache-2.0, approved, CQ11718 
@@ -220,11 +220,11 @@ maven/mavencentral/org.apache.logging.log4j/log4j-core/2.20.0, Apache-2.0 AND (A maven/mavencentral/org.apache.logging.log4j/log4j-jul/2.20.0, Apache-2.0, approved, clearlydefined maven/mavencentral/org.apache.logging.log4j/log4j-slf4j2-impl/2.20.0, Apache-2.0, approved, #8801 maven/mavencentral/org.apache.logging.log4j/log4j-to-slf4j/2.20.0, Apache-2.0, approved, #8799 -maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-core/10.1.16, Apache-2.0 AND (EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND (CDDL-1.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND W3C AND CC0-1.0, approved, #5949 -maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-el/10.1.16, Apache-2.0, approved, #6997 -maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.16, Apache-2.0, approved, #7920 +maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-core/10.1.18, Apache-2.0 AND (EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND (CDDL-1.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND W3C AND CC0-1.0, approved, #5949 +maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-el/10.1.18, Apache-2.0, approved, #6997 +maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.18, Apache-2.0, approved, #7920 maven/mavencentral/org.apiguardian/apiguardian-api/1.1.2, Apache-2.0, approved, clearlydefined -maven/mavencentral/org.aspectj/aspectjweaver/1.9.20.1, Apache-2.0 AND BSD-3-Clause AND EPL-1.0 AND BSD-3-Clause AND Apache-1.1, approved, #7695 +maven/mavencentral/org.aspectj/aspectjweaver/1.9.21, Apache-2.0 AND BSD-3-Clause AND EPL-1.0 AND BSD-3-Clause AND Apache-1.1, approved, #7695 maven/mavencentral/org.assertj/assertj-core/3.24.2, Apache-2.0, approved, #6161 maven/mavencentral/org.awaitility/awaitility/4.2.0, Apache-2.0, approved, clearlydefined maven/mavencentral/org.bouncycastle/bcpkix-jdk18on/1.76, MIT, approved, #9825 
@@ -284,45 +284,45 @@ maven/mavencentral/org.eclipse.edc/web-spi/0.2.1, Apache-2.0, approved, technolo maven/mavencentral/org.eclipse.jetty.toolchain/jetty-jakarta-servlet-api/5.0.2, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api/2.0.0, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-client/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-client/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-client/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-common/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-common/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-common/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-server/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-server/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty.websocket/websocket-core-server/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-client/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-client/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-client/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-common/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty 
-maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-common/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-common/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-server/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-server/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty.websocket/websocket-jakarta-server/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty.websocket/websocket-servlet/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty.websocket/websocket-servlet/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty.websocket/websocket-servlet/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-alpn-client/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-alpn-client/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-alpn-client/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-annotations/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-annotations/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-annotations/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-client/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-client/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-client/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-http/11.0.17, EPL-2.0 OR Apache-2.0, 
approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-http/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-http/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-io/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-io/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-io/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-jndi/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-jndi/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-jndi/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-plus/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-plus/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-plus/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-security/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-security/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-security/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-server/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-server/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-server/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.19, EPL-2.0 
OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-util/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-util/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-util/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.jetty/jetty-xml/11.0.17, EPL-2.0 OR Apache-2.0, approved, rt.jetty -maven/mavencentral/org.eclipse.jetty/jetty-xml/11.0.18, EPL-2.0 OR Apache-2.0, approved, rt.jetty +maven/mavencentral/org.eclipse.jetty/jetty-xml/11.0.19, EPL-2.0 OR Apache-2.0, approved, rt.jetty maven/mavencentral/org.eclipse.tractusx.irs/irs-api/0.0.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx maven/mavencentral/org.eclipse.tractusx.irs/irs-common/0.0.2-SNAPSHOT, Apache-2.0, approved, automotive.tractusx maven/mavencentral/org.eclipse.tractusx.irs/irs-edc-client/1.5.1-SNAPSHOT, Apache-2.0, approved, automotive.tractusx 
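Review bot: every Jetty row in the `@@ -284,45 +284,45 @@` hunk is bumped 11.0.18 -> 11.0.19, but each one's 11.0.17 twin stays as a context line (e.g. `jetty-server/11.0.17` directly above `jetty-server/11.0.19`), so two Jetty 11 releases are still resolved by different modules and whichever module drags in 11.0.17 gets none of the fixes in the newer line. Find it with `mvn dependency:tree -Dincludes=org.eclipse.jetty` and manage the Jetty version centrally so a single release is resolved everywhere.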
@@ -331,19 +331,32 @@ maven/mavencentral/org.eclipse.tractusx.irs/irs-policy-store/0.0.2-SNAPSHOT, Apa maven/mavencentral/org.eclipse.tractusx.irs/irs-registry-client/1.5.1-SNAPSHOT, Apache-2.0, approved, automotive.tractusx maven/mavencentral/org.eclipse.tractusx.irs/irs-testing/1.5.1-SNAPSHOT, Apache-2.0, approved, automotive.tractusx maven/mavencentral/org.glassfish.hk2.external/aopalliance-repackaged/3.0.4, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish +maven/mavencentral/org.glassfish.hk2.external/aopalliance-repackaged/3.0.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish maven/mavencentral/org.glassfish.hk2/hk2-api/3.0.4, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish +maven/mavencentral/org.glassfish.hk2/hk2-api/3.0.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish maven/mavencentral/org.glassfish.hk2/hk2-locator/3.0.4, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish +maven/mavencentral/org.glassfish.hk2/hk2-locator/3.0.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish maven/mavencentral/org.glassfish.hk2/hk2-utils/3.0.4, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish +maven/mavencentral/org.glassfish.hk2/hk2-utils/3.0.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.glassfish maven/mavencentral/org.glassfish.hk2/osgi-resource-locator/1.0.3, CDDL-1.0, approved, CQ10889 maven/mavencentral/org.glassfish.jersey.containers/jersey-container-servlet-core/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey +maven/mavencentral/org.glassfish.jersey.containers/jersey-container-servlet-core/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey maven/mavencentral/org.glassfish.jersey.containers/jersey-container-servlet/3.1.3, EPL-2.0 OR GPL-2.0-only with 
Classpath-exception-2.0, approved, ee4j.jersey +maven/mavencentral/org.glassfish.jersey.containers/jersey-container-servlet/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey maven/mavencentral/org.glassfish.jersey.core/jersey-client/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey +maven/mavencentral/org.glassfish.jersey.core/jersey-client/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey maven/mavencentral/org.glassfish.jersey.core/jersey-common/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey +maven/mavencentral/org.glassfish.jersey.core/jersey-common/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey maven/mavencentral/org.glassfish.jersey.core/jersey-server/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey +maven/mavencentral/org.glassfish.jersey.core/jersey-server/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey maven/mavencentral/org.glassfish.jersey.ext/jersey-entity-filtering/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey +maven/mavencentral/org.glassfish.jersey.ext/jersey-entity-filtering/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey maven/mavencentral/org.glassfish.jersey.inject/jersey-hk2/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey +maven/mavencentral/org.glassfish.jersey.inject/jersey-hk2/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey maven/mavencentral/org.glassfish.jersey.media/jersey-media-json-jackson/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey +maven/mavencentral/org.glassfish.jersey.media/jersey-media-json-jackson/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey 
maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.3, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey +maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey maven/mavencentral/org.glassfish/jakarta.json/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jsonp maven/mavencentral/org.graalvm.js/js/21.2.0, UPL-1.0 AND (MPL-2.0 AND LicenseRef-MIT-style) AND (BSD-3-Clause AND UPL-1.0) AND (GPL-2.0-only WITH Classpath-exception-2.0 AND UPL-1.0) AND (UPL-1.0 AND LicenseRef-Permission-Notice), approved, #10176 maven/mavencentral/org.graalvm.regex/regex/21.2.0, UPL-1.0 AND (Unicode-TOU AND UPL-1.0), approved, #10181 
@@ -408,51 +421,51 @@ maven/mavencentral/org.scala-lang/scala-reflect/2.13.10, Apache-2.0, approved, # maven/mavencentral/org.simpleflatmapper/lightning-csv/8.2.3, MIT, approved, clearlydefined maven/mavencentral/org.simpleflatmapper/sfm-util/8.2.3, MIT, approved, clearlydefined maven/mavencentral/org.skyscreamer/jsonassert/1.5.1, Apache-2.0, approved, clearlydefined -maven/mavencentral/org.slf4j/jul-to-slf4j/2.0.9, MIT, approved, #7698 -maven/mavencentral/org.slf4j/slf4j-api/2.0.9, MIT, approved, #5915 +maven/mavencentral/org.slf4j/jul-to-slf4j/2.0.11, MIT, approved, #7698 +maven/mavencentral/org.slf4j/slf4j-api/2.0.11, MIT, approved, #5915 maven/mavencentral/org.springdoc/springdoc-openapi-starter-common/2.2.0, Apache-2.0, approved, clearlydefined maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-api/2.2.0, Apache-2.0, approved, clearlydefined maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-ui/2.2.0, Apache-2.0, approved, clearlydefined -maven/mavencentral/org.springframework.boot/spring-boot-actuator-autoconfigure/3.1.6, Apache-2.0, approved, #9348 -maven/mavencentral/org.springframework.boot/spring-boot-actuator/3.1.6, Apache-2.0, approved, #9342 -maven/mavencentral/org.springframework.boot/spring-boot-autoconfigure/3.1.6, Apache-2.0, approved, #9341 -maven/mavencentral/org.springframework.boot/spring-boot-configuration-metadata/3.1.6, Apache-2.0, approved, #11032 -maven/mavencentral/org.springframework.boot/spring-boot-properties-migrator/3.1.6, Apache-2.0, approved, #10675 -maven/mavencentral/org.springframework.boot/spring-boot-starter-actuator/3.1.6, Apache-2.0, approved, #9344 -maven/mavencentral/org.springframework.boot/spring-boot-starter-aop/3.1.6, Apache-2.0, approved, #9338 -maven/mavencentral/org.springframework.boot/spring-boot-starter-json/3.1.6, Apache-2.0, approved, #9336 -maven/mavencentral/org.springframework.boot/spring-boot-starter-log4j2/3.1.6, Apache-2.0, approved, #8800 
-maven/mavencentral/org.springframework.boot/spring-boot-starter-logging/3.1.6, Apache-2.0, approved, #9343 -maven/mavencentral/org.springframework.boot/spring-boot-starter-oauth2-client/3.1.6, Apache-2.0, approved, #8806 -maven/mavencentral/org.springframework.boot/spring-boot-starter-oauth2-resource-server/3.1.6, Apache-2.0, approved, #8804 -maven/mavencentral/org.springframework.boot/spring-boot-starter-security/3.1.6, Apache-2.0, approved, #9337 -maven/mavencentral/org.springframework.boot/spring-boot-starter-test/3.1.6, Apache-2.0, approved, #9353 -maven/mavencentral/org.springframework.boot/spring-boot-starter-tomcat/3.1.6, Apache-2.0, approved, #9351 -maven/mavencentral/org.springframework.boot/spring-boot-starter-validation/3.1.6, Apache-2.0, approved, #9335 -maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.1.6, Apache-2.0, approved, #9347 -maven/mavencentral/org.springframework.boot/spring-boot-starter/3.1.6, Apache-2.0, approved, #9349 -maven/mavencentral/org.springframework.boot/spring-boot-test-autoconfigure/3.1.6, Apache-2.0, approved, #9339 -maven/mavencentral/org.springframework.boot/spring-boot-test/3.1.6, Apache-2.0, approved, #9346 -maven/mavencentral/org.springframework.boot/spring-boot/3.1.6, Apache-2.0, approved, #9352 -maven/mavencentral/org.springframework.data/spring-data-commons/3.1.6, Apache-2.0, approved, #8805 -maven/mavencentral/org.springframework.security/spring-security-config/6.1.5, Apache-2.0, approved, #9736 -maven/mavencentral/org.springframework.security/spring-security-core/6.1.5, Apache-2.0, approved, #9801 -maven/mavencentral/org.springframework.security/spring-security-crypto/6.1.5, Apache-2.0 AND ISC, approved, #9735 -maven/mavencentral/org.springframework.security/spring-security-oauth2-client/6.1.5, Apache-2.0, approved, #9740 -maven/mavencentral/org.springframework.security/spring-security-oauth2-core/6.1.5, Apache-2.0, approved, #9741 
-maven/mavencentral/org.springframework.security/spring-security-oauth2-jose/6.1.5, Apache-2.0, approved, #9345 -maven/mavencentral/org.springframework.security/spring-security-oauth2-resource-server/6.1.5, Apache-2.0, approved, #8798 -maven/mavencentral/org.springframework.security/spring-security-test/6.1.5, Apache-2.0, approved, #10674 -maven/mavencentral/org.springframework.security/spring-security-web/6.1.5, Apache-2.0, approved, #9800 -maven/mavencentral/org.springframework/spring-aop/6.0.14, Apache-2.0, approved, #5940 -maven/mavencentral/org.springframework/spring-beans/6.0.14, Apache-2.0, approved, #5937 -maven/mavencentral/org.springframework/spring-context/6.0.14, Apache-2.0, approved, #5936 -maven/mavencentral/org.springframework/spring-core/6.0.14, Apache-2.0 AND BSD-3-Clause, approved, #5948 -maven/mavencentral/org.springframework/spring-expression/6.0.14, Apache-2.0, approved, #3284 -maven/mavencentral/org.springframework/spring-jcl/6.0.14, Apache-2.0, approved, #3283 -maven/mavencentral/org.springframework/spring-test/6.0.14, Apache-2.0, approved, #7003 -maven/mavencentral/org.springframework/spring-web/6.0.14, Apache-2.0, approved, #5942 -maven/mavencentral/org.springframework/spring-webmvc/6.0.14, Apache-2.0, approved, #5944 +maven/mavencentral/org.springframework.boot/spring-boot-actuator-autoconfigure/3.1.8, Apache-2.0, approved, #9348 +maven/mavencentral/org.springframework.boot/spring-boot-actuator/3.1.8, Apache-2.0, approved, #9342 +maven/mavencentral/org.springframework.boot/spring-boot-autoconfigure/3.1.8, Apache-2.0, approved, #9341 +maven/mavencentral/org.springframework.boot/spring-boot-configuration-metadata/3.1.8, Apache-2.0, approved, #11032 +maven/mavencentral/org.springframework.boot/spring-boot-properties-migrator/3.1.8, Apache-2.0, approved, #10675 +maven/mavencentral/org.springframework.boot/spring-boot-starter-actuator/3.1.8, Apache-2.0, approved, #9344 +maven/mavencentral/org.springframework.boot/spring-boot-starter-aop/3.1.8, 
Apache-2.0, approved, #9338 +maven/mavencentral/org.springframework.boot/spring-boot-starter-json/3.1.8, Apache-2.0, approved, #9336 +maven/mavencentral/org.springframework.boot/spring-boot-starter-log4j2/3.1.8, Apache-2.0, approved, #8800 +maven/mavencentral/org.springframework.boot/spring-boot-starter-logging/3.1.8, Apache-2.0, approved, #9343 +maven/mavencentral/org.springframework.boot/spring-boot-starter-oauth2-client/3.1.8, Apache-2.0, approved, #8806 +maven/mavencentral/org.springframework.boot/spring-boot-starter-oauth2-resource-server/3.1.8, Apache-2.0, approved, #8804 +maven/mavencentral/org.springframework.boot/spring-boot-starter-security/3.1.8, Apache-2.0, approved, #9337 +maven/mavencentral/org.springframework.boot/spring-boot-starter-test/3.1.8, Apache-2.0, approved, #9353 +maven/mavencentral/org.springframework.boot/spring-boot-starter-tomcat/3.1.8, Apache-2.0, approved, #9351 +maven/mavencentral/org.springframework.boot/spring-boot-starter-validation/3.1.8, Apache-2.0, approved, #9335 +maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.1.8, Apache-2.0, approved, #9347 +maven/mavencentral/org.springframework.boot/spring-boot-starter/3.1.8, Apache-2.0, approved, #9349 +maven/mavencentral/org.springframework.boot/spring-boot-test-autoconfigure/3.1.8, Apache-2.0, approved, #9339 +maven/mavencentral/org.springframework.boot/spring-boot-test/3.1.8, Apache-2.0, approved, #9346 +maven/mavencentral/org.springframework.boot/spring-boot/3.1.8, Apache-2.0, approved, #9352 +maven/mavencentral/org.springframework.data/spring-data-commons/3.1.8, Apache-2.0, approved, #8805 +maven/mavencentral/org.springframework.security/spring-security-config/6.1.6, Apache-2.0, approved, #9736 +maven/mavencentral/org.springframework.security/spring-security-core/6.1.6, Apache-2.0, approved, #9801 +maven/mavencentral/org.springframework.security/spring-security-crypto/6.1.6, Apache-2.0 AND ISC, approved, #9735 
+maven/mavencentral/org.springframework.security/spring-security-oauth2-client/6.1.6, Apache-2.0, approved, #9740 +maven/mavencentral/org.springframework.security/spring-security-oauth2-core/6.1.6, Apache-2.0, approved, #9741 +maven/mavencentral/org.springframework.security/spring-security-oauth2-jose/6.1.6, Apache-2.0, approved, #9345 +maven/mavencentral/org.springframework.security/spring-security-oauth2-resource-server/6.1.6, Apache-2.0, approved, #8798 +maven/mavencentral/org.springframework.security/spring-security-test/6.1.6, Apache-2.0, approved, #10674 +maven/mavencentral/org.springframework.security/spring-security-web/6.1.6, Apache-2.0, approved, #9800 +maven/mavencentral/org.springframework/spring-aop/6.0.16, Apache-2.0, approved, #5940 +maven/mavencentral/org.springframework/spring-beans/6.0.16, Apache-2.0, approved, #5937 +maven/mavencentral/org.springframework/spring-context/6.0.16, Apache-2.0, approved, #5936 +maven/mavencentral/org.springframework/spring-core/6.0.16, Apache-2.0 AND BSD-3-Clause, approved, #5948 +maven/mavencentral/org.springframework/spring-expression/6.0.16, Apache-2.0, approved, #3284 +maven/mavencentral/org.springframework/spring-jcl/6.0.16, Apache-2.0, approved, #3283 +maven/mavencentral/org.springframework/spring-test/6.0.16, Apache-2.0, approved, #7003 +maven/mavencentral/org.springframework/spring-web/6.0.16, Apache-2.0, approved, #5942 +maven/mavencentral/org.springframework/spring-webmvc/6.0.16, Apache-2.0, approved, #5944 maven/mavencentral/org.testcontainers/junit-jupiter/1.18.3, MIT, approved, #7941 maven/mavencentral/org.testcontainers/junit-jupiter/1.19.1, MIT, approved, #10344 maven/mavencentral/org.testcontainers/testcontainers/1.18.3, MIT, approved, #7938 From 2042dd34dcf57ff40560b8d5ad5bb16e0ea7f735 Mon Sep 17 00:00:00 2001 
From: Matthias Fischer Date: Fri, 26 Jan 2024 03:22:34 +0100 Subject: [PATCH 12/12] chore(deps):[#xxx] correct CHANGELOG.md --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12be290d34..458cdcad76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Suppressed CVE-2024-20932 from graal-sdk-21.2.0.jar because this is not applicable for IRS. ### Fixed -- Fixed CVE-2023-6378 by custom dependency management entry for logback (1.4.14). +- Update to Spring Boot 3.1.8. This fixes the following CVEs: + - CVE-2023-6378 serialization vulnerability in logback + - CVE-2023-51074 json-path v2.8.0 stack overflow + - CVE-2024-22233 Spring Framework server Web DoS Vulnerability ## [4.4.0] - 2024-01-15 ### Added
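Review bot: in the first DEPENDENCIES hunk (jetty-util, jetty-webapp, jetty-xml) only the 11.0.18 lines are replaced by 11.0.19, while the 11.0.17 entries stay as unchanged context, so at least one module still resolves Jetty 11.0.17 after this bump. Please check which module brings in 11.0.17 and whether it should be aligned to 11.0.19 as well; otherwise the older artifact keeps showing up in scans even though the project "updated Jetty".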
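Review bot: in the `@@ -331,19 +331,32 @@` hunk the hk2 3.0.5 and jersey 3.1.5 lines are added without removing the corresponding 3.0.4 and 3.1.3 lines, e.g. `+maven/mavencentral/org.glassfish.hk2/hk2-api/3.0.5` directly below the retained `hk2-api/3.0.4`. Since this file mirrors the resolved tree, that means both versions are now on the classpath of some module; please confirm this is intended (different modules pinning different versions) rather than a stale entry, because the older artifacts will still be reported by dependency scanning.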
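Review bot: the `@@ -408,51 +421,51 @@` hunk bumps slf4j to 2.0.11, Spring Boot to 3.1.8, Spring Security to 6.1.6 and Spring Framework to 6.0.16 consistently, but the trailing context still lists `org.testcontainers/junit-jupiter` and `org.testcontainers/testcontainers` at both 1.18.3 and 1.19.1. Consider aligning testcontainers in the same dependency-update round so the generated file does not carry two versions of the same artifact.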
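Review bot: in the CHANGELOG `@@ -15,7 +15,10 @@` hunk the removed line documented a custom dependency management entry for logback 1.4.14, and the new entry credits the Spring Boot 3.1.8 update with fixing CVE-2023-6378 instead; the changelog should say whether that explicit logback override was dropped, since a pinned property that outlives the Boot bump would silently shadow future Boot-managed logback versions. Also, the new line `- Update to Spring Boot 3.1.8. This fixes the following CVEs:` breaks the past-tense style of the neighbouring entries ("Suppressed ...", "Fixed ..."); `- Updated to Spring Boot 3.1.8, which fixes the following CVEs:` would match.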