[R24.5] SAST / DAST PCWM conformity : TRG 8.01 & TRG 2-6 #499

Closed
4 tasks done
mkanal opened this issue Mar 21, 2024 · 5 comments

mkanal commented Mar 21, 2024

As product
I want to migrate from the deprecated S/DAST to the newly proposed S/DAST tooling
so that we are compliant with the TRGs for R24.5

Hints / Details

Please migrate to the new tools, which means using Static Application Security Testing with CodeQL (https://eclipse-tractusx.github.io/docs/release/trg-0/trg-8-01/) for software security testing and Software Composition Analysis (https://eclipse-tractusx.github.io/docs/release/trg-2/trg-2-6/) for analyzing software components. It is also important to change/delete the related GitHub actions.

Acceptance Criteria

  • TRG 8.1 Veracode is descoped from documentation, CI/CD pipeline, code, KIT docu etc.
  • TRG 8.1 CodeQL is used for SAST including extension documentation, CI/CD pipeline, code, KIT docu etc.
  • TRG 2.1 Dependabot is used for SCA including extension documentation, CI/CD pipeline, code, KIT docu etc.
  • TRG 2.1 Veracode is descoped from documentation, CI/CD pipeline, code, KIT docu etc.

Out of Scope

  • ...
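The migration the hints describe, as an added example that is not the project's own workflow: a CodeQL analysis workflow that replaces the Veracode action for TRG 8.01, and a Dependabot version-update config for TRG 2-6. It assumes a Maven-built Java 17 service with a default branch named main; adjust these to the repository.

```yaml
# .github/workflows/codeql.yml  (added example; assumes a Maven-built Java service)
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "0 3 * * 1"   # weekly run so newly added queries also cover unchanged code

permissions:
  contents: read
  security-events: write  # needed to upload SARIF results to the repository's Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"    # assumption: match the project's JDK

      - uses: github/codeql-action/init@v3
        with:
          languages: java
          queries: security-extended  # broader security query suite than the default

      # CodeQL for Java observes the build, so compile explicitly instead of relying on autobuild
      - run: mvn -B -DskipTests package

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java"
---
# .github/dependabot.yml  (added example; keeps dependencies and the actions above current)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Note that dependabot.yml only drives version-update pull requests; the Dependabot alerts discussed later in this thread are enabled in the repository or organization security settings, not in this file.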
@mkanal mkanal added this to IRS Mar 21, 2024
@github-project-automation github-project-automation bot moved this to inbox in IRS Mar 21, 2024
@mkanal mkanal changed the title TRG 8.01 & TRG 2-6 SAST / DAST PCWM conformity : TRG 8.01 & TRG 2-6 Mar 21, 2024
@mkanal mkanal added the R24.5 label Mar 21, 2024
@mkanal mkanal changed the title SAST / DAST PCWM conformity : TRG 8.01 & TRG 2-6 [R24.5] SAST / DAST PCWM conformity : TRG 8.01 & TRG 2-6 Mar 21, 2024
@ds-jhartmann

See #421

@jzbmw jzbmw moved this from inbox to next in IRS Apr 2, 2024
@ds-ext-kmassalski ds-ext-kmassalski moved this from next to wip in IRS Apr 4, 2024
@ds-ext-kmassalski ds-ext-kmassalski moved this from wip to test in IRS Apr 9, 2024
@ds-ext-kmassalski

  • DONE - TRG 8.1 Veracode is descoped from documentation, CI/CD pipeline, code, KIT docu etc.
  • DONE - TRG 8.1 CodeQL is used for SAST including extension documentation, CI/CD pipeline, code, KIT docu etc.
  • DONE - TRG 2.1 Dependabot is used for SCA including extension documentation, CI/CD pipeline, code, KIT docu etc.
  • DONE - TRG 2.1 Veracode is descoped from documentation, CI/CD pipeline, code, KIT docu etc.


mkanal commented Apr 9, 2024

Outcome:

There is only one rule available
[image]

@dsmf dsmf mentioned this issue Apr 10, 2024
@ds-ext-kmassalski

@ds-ext-kmassalski as there are no alerts I wonder if this is configured correctly https://github.com/eclipse-tractusx/item-relationship-service/security/dependabot

I compared it with other teams config files from 'eclipse-tractusx', and it seems fine to me.

@ds-jhartmann

We did not change any Dependabot rules, so the Organization default is used. From what I can see, everything works as expected.
Alerts are enabled:
[image]

@jzbmw jzbmw moved this from test to done in IRS Apr 15, 2024
@jzbmw jzbmw closed this as completed Apr 15, 2024
ds-jhartmann pushed a commit that referenced this issue Apr 15, 2024
ds-jhartmann added a commit to ds-jhartmann/item-relationship-service that referenced this issue Jun 13, 2024
…ge-readme-adding-new-github-action

Update README.md
Status: done
4 participants