Merge pull request #58 from catenax-ng/hot_fix_3.2_22

fix: _security issue hot fix_

.github/workflows/build.yaml

@@ -1,23 +1,22 @@
-#*******************************************************************************
-#* Copyright (c) 2022, 2023 T-Systems International GmbH
-#* Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
-#*
-#* See the NOTICE file(s) distributed with this work for additional
-#* information regarding copyright ownership.
-#*
-#* This program and the accompanying materials are made available under the
-#* terms of the Apache License, Version 2.0 which is available at
-#* https://www.apache.org/licenses/LICENSE-2.0.
-#*
-#* Unless required by applicable law or agreed to in writing, software
-#* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#* License for the specific language governing permissions and limitations
-#* under the License.
-#*
-#* SPDX-License-Identifier: Apache-2.0
-#********************************************************************************
-
+#################################################################################
+# Copyright (c) 2022,2023 T-Systems International GmbH
+# Copyright (c) 2022,2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+################################################################################
 
 name: build
 
@@ -37,11 +36,10 @@ on:
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
+
 env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: catenax-ng/tx-managed-service-orchestrator/autosetup
-  # Allows you to run this workflow manually from the Actions tab
-
+  IMAGE_NAMESPACE: "tractusx"
+  IMAGE_NAME: "managed-service-orchestrator"
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -63,7 +61,9 @@ jobs:
         uses: docker/metadata-action@v4
         with:
           images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+            ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
+          # Automatically prepare image tags; See action docs for more examples. 
+          # semver patter will generate tags like these for example :1 :1.2 :1.2.3
           tags: |
             type=ref,event=branch
             type=ref,event=pr
@@ -73,18 +73,31 @@ jobs:
           flavor: |
               latest=true
 
-      - name: Log into registry ${{ env.REGISTRY }}
+      - name: DockerHub login
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v2
         with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          # Use existing DockerHub credentials present as secrets
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
       - name: Build and push
         uses: docker/build-push-action@v3
         with:
           context: .
+          # Build image for verification purposes on every trigger event. Only push if event is not a PR
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      # https://github.com/peter-evans/dockerhub-description
+      # Important step to push image description to DockerHub 
+      - name: Update Docker Hub description
+        if: github.event_name != 'pull_request'
+        uses: peter-evans/dockerhub-description@v3
+        with:
+        # readme-filepath defaults to toplevel README.md, Only necessary if you have a dedicated file with your 'Notice for docker images'   
+        # readme-filepath: path/to/dedicated/notice-for-docker-image.md 
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+          repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}

.github/workflows/trivy.yml

@@ -74,7 +74,7 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           # Path to Docker image
-          image-ref: "ghcr.io/catenax-ng/tx-managed-service-orchestrator/autosetup:latest"
+          image-ref: "tractusx/managed-service-orchestrator:latest"
           format: "sarif"
           output: "trivy-results.sarif"
           exit-code: "1"

CHANGELOG.md

@@ -6,6 +6,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
  - NA
+
+## [1.4.2] - 2023-08-22
+
+### Changed
+ - Image creation on docker hub
+ - Image update for Trivy workflow
+ - Updated the deployment to take the image from tractusx
+ - Name change for the image
+
+### Fixed
+ - Security issue fix
 
 ## [1.4.1] - 2023-08-21
 

DEPENDENCIES

@@ -121,7 +121,7 @@ maven/mavencentral/org.springframework.data/spring-data-commons/3.1.0, Apache-2.
 maven/mavencentral/org.springframework.data/spring-data-jpa/3.1.0, Apache-2.0, approved, #9120
 maven/mavencentral/org.springframework.retry/spring-retry/2.0.1, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.springframework.security/spring-security-config/6.1.2, Apache-2.0, approved, #9736
-maven/mavencentral/org.springframework.security/spring-security-core/6.0.3, Apache-2.0, approved, #7325
+maven/mavencentral/org.springframework.security/spring-security-core/6.1.2, Apache-2.0, approved, #9801
 maven/mavencentral/org.springframework.security/spring-security-crypto/6.1.0, Apache-2.0 AND ISC, approved, #9735
 maven/mavencentral/org.springframework.security/spring-security-oauth2-client/6.1.0, Apache-2.0, approved, #9740
 maven/mavencentral/org.springframework.security/spring-security-oauth2-core/6.1.0, Apache-2.0, approved, #9741

README.md

@@ -2,7 +2,7 @@
 
 ## Description
 
-This repository is part of the overarching eclipse-tractusx project. It contains the Backend for the autoset up service.
+This repository is part of the overarching eclipse-tractusx project. It contains the Backend for the autosetup service.
 
 It is a standalone service which can be self-hosted. 
 It is prototype implementation for Service provider.
@@ -12,23 +12,37 @@ This service will help service provider to set up DFT/SDE with EDC and EDC as se
 ### Software Version
 
 ```shell
-Application version: 1.4.1
-Helm release version: 1.4.1
+Application version: 1.4.2
+Helm release version: 1.4.2
 ```
 
-### Container images
+# Container images
 
 This application provides container images for demonstration purposes. The base image used, to build this demo application image is eclipse-temurin:17-jdk-alpine
 
-Docker Hub:
+## Notice for Docker image
 
- - eclipse-temurin(https://hub.docker.com/_/eclipse-temurin)
- - 17.0.6_10-jdk(https://hub.docker.com/layers/library/eclipse-temurin/17.0.6_10-jdk/images/sha256-ec8d3b91c6e30208bf69ecbbc3abdbc0f9aeaa2b955162e46c089fd6e07f4fb0?context=explore)
+DockerHub: [https://hub.docker.com/r/tractusx/managed-service-orchestrator](https://hub.docker.com/r/tractusx/managed-service-orchestrator)  <br />
+Eclipse Tractus-X product(s) installed within the image:
 
-Source:
+__Autosetup__
 
- - temurin-build(https://github.com/adoptium/temurin-build)
- - temurin docker repo info(https://github.com/docker-library/repo-info/tree/master/repos/eclipse-temurin)
+- GitHub: https://github.com/eclipse-tractusx/managed-service-orchestrator
+- Project home: https://projects.eclipse.org/projects/automotive.tractusx
+- Dockerfile: https://github.com/eclipse-tractusx/managed-service-orchestrator/blob/main/Dockerfile
+- Project license: [Apache License, Version 2.0](https://github.com/eclipse-tractusx/managed-service-orchestrator/blob/main/LICENSE)
+
+**Used base image**
+
+- 17-jdk-alpine(https://hub.docker.com/layers/library/eclipse-temurin/17.0.6_10-jdk-alpine/images/sha256-c093675e143dc8023fb218c144e06491154491a7965d0664a93f99ada5259ec7?context=explore)
+- Official Eclipse Temurin DockerHub page: https://hub.docker.com/_/eclipse-temurin
+- Eclipse Temurin Project: https://projects.eclipse.org/projects/adoptium.temurin
+- Additional information about the Eclipse Temurin images: https://github.com/docker-library/repo-info/tree/master/repos/eclipse-temurin
+
+As with all Docker images, these likely also contain other software which may be under other licenses 
+(such as Bash, etc. from the base distribution, along with any direct or indirect dependencies of the primary software being contained).
+
+As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
 
 ### For installation guide:
 

charts/orchestrator/Chart.yaml

@@ -38,13 +38,13 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.4.1
+version: 1.4.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.4.1"
+appVersion: "1.4.2"
 
 dependencies:
   - condition: postgresql.enabled

charts/orchestrator/README.md

@@ -1,6 +1,6 @@
 # autosetup
 
-![Version: 1.4.1](https://img.shields.io/badge/Version-1.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.1](https://img.shields.io/badge/AppVersion-1.4.1-informational?style=flat-square)
+![Version: 1.4.2](https://img.shields.io/badge/Version-1.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.2](https://img.shields.io/badge/AppVersion-1.4.2-informational?style=flat-square)
 
 This service will help service provider to set up DFT/SDE with EDC and EDC as service in service provider environment.
 

charts/orchestrator/values.yaml

@@ -23,7 +23,7 @@ replicaCount: 1
 
 image:
     # -- Image to use for deploying an application
-  repository: ghcr.io/catenax-ng/tx-managed-service-orchestrator/autosetup
+  repository: tractusx/managed-service-orchestrator
     # -- Set the Image Pull Policy
   pullPolicy: Always
     # -- Image tage is defined in chart appVersion

pom.xml

@@ -32,7 +32,7 @@
 	</parent>
 	<groupId>org.eclipse.tractusx</groupId>
 	<artifactId>auto-setup</artifactId>
-	<version>1.4.1</version>
+	<version>1.4.2</version>
 	<name>auto-setup</name>
 	<description>auto-setup</description>
 	<properties>
@@ -279,11 +279,17 @@
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-config</artifactId>
 			<version>6.1.2</version>
+			<exclusions>
+				<exclusion>
+					<groupId>org.springframework.security</groupId>
+					<artifactId>spring-security-core</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-core</artifactId>
-			<version>6.0.3</version>
+			<version>6.1.2</version>
 		</dependency>
 		<dependency>
 			<groupId>com.h2database</groupId>