eclipse-tractusx · paullatzelsperger · Apr 5, 2024 · Feb 12, 2024 · Feb 12, 2024 · Feb 12, 2024
diff --git a/.github/actions/run-deployment-test/action.yml b/.github/actions/run-deployment-test/action.yml
@@ -40,10 +40,6 @@ inputs:
     required: true
     description: "The directory that contains the docker file, e.g. edc-controlplane/edc-runtime-memory"
 
-  values_file:
-    required: true
-    description: "A yaml file that contains the values for the test installation. will be modified!"
-
 runs:
   using: "composite"
   steps:
@@ -76,11 +72,6 @@ runs:
     ###################################################
     # Install the test infrastructure
     ###################################################
-    - name: "Generate test credentials"
-      shell: bash
-      run: |-
-        sh -c "edc-tests/deployment/src/main/resources/prepare-test.sh \
-               ${{ inputs.values_file }}"
 
     - name: Install Runtime
       shell: bash

diff --git a/.github/actions/setup-java/action.yml b/.github/actions/setup-java/action.yml
@@ -26,7 +26,7 @@ runs:
   using: "composite"
   steps:
     - name: Setup JDK 17
-      uses: actions/setup-java@v3.13.0
+      uses: actions/setup-java@v4.1.0
       with:
         java-version: '17'
         distribution: 'temurin'

diff --git a/.github/actions/setup-memory-runtime/action.yml b/.github/actions/setup-memory-runtime/action.yml
@@ -0,0 +1,73 @@
+#################################################################################
+#  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0.
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+
+---
+name: "Setup TractusX EDC in memory runtime"
+description: "Setup TractusX EDC in memory runtime"
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v4
+    - uses: ./.github/actions/setup-java
+
+    - uses: actions/checkout@v4
+
+    - name: Dockerize TractusX EDC in memory distribution
+      shell: bash
+      run: |
+        ./gradlew :edc-controlplane:edc-runtime-memory:dockerize
+
+    - name: Starting MIW, Keycloak and Postgres Servers
+      shell: bash
+      run: |
+        cd edc-tests/miw-tests/src/test/resources/docker-environment
+        docker compose up -d --wait
+
+    - uses: nick-fields/retry@v3
+      name: Wait for MIW
+      with:
+        timeout_minutes: 5
+        max_attempts: 3
+        command: |
+          code=$(curl -IL -sw "%{http_code}" http://localhost:8000/api/actuator/health -o /dev/null)
+          if [ "$code" -ne "401" ]; then
+            echo "MIW not ready yet, status = $code"
+            exit 1;
+          fi   
+
+    - name: Starting in memory TractusX EDC
+      shell: bash
+      run: |
+        cd dast
+        docker compose up -d 
+
+
+    - uses: nick-fields/retry@v3
+      name: Wait for TractusX EDC
+      with:
+        timeout_minutes: 5
+        max_attempts: 3
+        command: |
+          code=$(curl -IL -sw "%{http_code}" http://localhost:8181/api/check/health -o /dev/null)
+          if [ "$code" -ne "401" ]; then
+            echo "TractusX EDC not ready yet, status = $code"
+            docker logs dast-edc-runtime-1
+            exit 1;
+          fi
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -0,0 +1,84 @@
+#################################################################################
+#  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0.
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+    paths-ignore:
+      - "**/*.md"
+      - "**/*.txt"
+  pull_request:
+    branches: [ "main" ]
+    paths-ignore:
+      - "**/*.md"
+      - "**/*.txt"
+  schedule:
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ "java" ] # Define languages here
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file
+          # By default, queries listed here will override any specified in a config file
+          # Prefix the list here with "+" to use these queries and those in the config file
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # Use +security-extended,security-and-quality for wider security and better code quality
+          queries: +security-extended,security-and-quality
+
+
+      # build only production code, no test sources
+      - uses: ./.github/actions/setup-java
+      - name: Build Production Code
+        run: |
+          ./gradlew compileJava --no-daemon
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+          fail-on: error
diff --git a/.github/workflows/dast-scan.yaml b/.github/workflows/dast-scan.yaml
@@ -0,0 +1,123 @@
+#################################################################################
+#  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0.
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+name: ZAP_ALL
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: OWASP ZAP API Scan
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-memory-runtime
+
+      - name: Fetch MIW VP token
+        run: ./dast/fetch-token.sh
+
+      - name: API Catalog Request Test
+        id: catalog_request
+        run: |
+          dsp_response=$(curl -w "%{http_code}" --request POST \
+            --url http://localhost:8282/api/v1/dsp/catalog/request \
+            --header "Authorization: $VP_TOKEN" \
+            --header 'Content-Type: application/json' \
+              --data '{
+              "@type": "dspace:CatalogRequestMessage",
+              "dspace:filter": {
+                "@type": "QuerySpec",
+                "limit": 50,
+                "offset": 0,
+                "sortOrder": "ASC",
+                "filterExpression": []
+              },
+              "@context": {
+                "@vocab": "https://w3id.org/edc/v0.0.1/ns/",
+                "edc": "https://w3id.org/edc/v0.0.1/ns/",
+                "tx": "https://w3id.org/tractusx/v0.0.1/ns/",
+                "dcat": "http://www.w3.org/ns/dcat#",
+                "dct": "https://purl.org/dc/terms/",
+                "odrl": "http://www.w3.org/ns/odrl/2/",
+                "dspace": "https://w3id.org/dspace/v0.8/"
+              }
+            }')
+
+          echo "Response: $dsp_response"
+
+      - name: Generating report skeletons
+        if: success() || failure()
+        run: |
+          touch API_report.html
+          chmod a+w API_report.html
+          ls -lrt
+
+      - name: Run ZAP API scan
+        run: |
+          set +e
+
+          echo "Pulling ZAP image..."
+          docker pull ghcr.io/zaproxy/zaproxy:stable -q
+          echo "Starting ZAP Docker container..."
+          docker run --network miw-net -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t http://edc-runtime:8282/api/v1/dsp -f openapi -r API_report.html -T 1
+
+          echo "... done."
+
+      - name: Upload HTML report
+        if: success() || failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ZAP_API scan report
+          path: ./API_report.html
+
+  zap_scan2:
+    runs-on: ubuntu-latest
+    name: OWASP ZAP FULL Scan
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-memory-runtime
+
+      - name: Generating report skeletons
+        if: success() || failure()
+        run: |
+          touch fullscan_report.html
+          chmod a+w fullscan_report.html
+          ls -lrt
+
+      - name: Perform ZAP FULL scan
+        run: |
+          set +e
+
+          echo "Pulling ZAP image..."
+          docker pull ghcr.io/zaproxy/zaproxy:stable -q
+          echo "Starting ZAP Docker container..."
+          docker run --network miw-net -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t http://edc-runtime:8282/api/v1/dsp -r fullscan_report.html -T 1
+
+          echo "... done."
+
+      - name: Upload HTML report
+        if: success() || failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ZAP_FULL scan report
+          path: ./fullscan_report.html
diff --git a/.github/workflows/deployment-test.yaml b/.github/workflows/deployment-test.yaml
@@ -63,11 +63,9 @@ jobs:
         with:
           imagename: edc-runtime-memory
           rootDir: edc-controlplane/edc-runtime-memory
-          values_file: edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml
           helm_command: |-
             helm install tx-inmem charts/tractusx-connector-memory \
             -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml \
-            --set vault.secrets="client-secret:$(cat client.secret)" \
             --wait-for-jobs --timeout=120s --dependency-update
 
             # wait for the pod to become ready
@@ -87,7 +85,6 @@ jobs:
         with:
           imagename: "edc-controlplane-postgresql-hashicorp-vault edc-dataplane-hashicorp-vault"
           rootDir: "."
-          values_file: edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml
           helm_command: |-
             helm install tx-prod charts/tractusx-connector \
             -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml \
@@ -121,7 +118,6 @@ jobs:
         with:
           imagename: "edc-controlplane-postgresql-azure-vault edc-dataplane-azure-vault"
           rootDir: "."
-          values_file: edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml
           helm_command: |-
             az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name aes-keys --value "$(cat aes.key)" > /dev/null
             az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name client-secret --value "$(cat client.secret)" > /dev/null

diff --git a/.github/workflows/draft-new-release.yaml b/.github/workflows/draft-new-release.yaml
@@ -54,7 +54,7 @@ jobs:
           GITHUB_PACKAGE_USERNAME: ${{ github.actor }}
           GITHUB_PACKAGE_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
       - name: Bump version in /charts
-        uses: mikefarah/yq@v4.40.5
+        uses: mikefarah/yq@v4.43.1
         with:
           cmd: |-
             find charts -name Chart.yaml -maxdepth 3 | xargs -n1 yq -i '.appVersion = "${{ github.event.inputs.version }}" | .version = "${{ github.event.inputs.version }}"'

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -58,11 +58,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.12.0
+        uses: aquasecurity/trivy-action@0.19.0
         with:
           scan-type: "config"
           # ignore-unfixed: true
-          exit-code: "1"
+          exit-code: "0"
           hide-progress: false
           format: "sarif"
           output: "trivy-results-config.sarif"
@@ -102,12 +102,12 @@ jobs:
         ## the next two steps will only execute if the image exists check was successful
       - name: Run Trivy vulnerability scanner
         if: success() && steps.imageCheck.outcome != 'failure'
-        uses: aquasecurity/trivy-action@0.12.0
+        uses: aquasecurity/trivy-action@0.19.0
         with:
           image-ref: "tractusx/${{ matrix.image }}:sha-${{ needs.git-sha7.outputs.value }}"
           format: "sarif"
           output: "trivy-results-${{ matrix.image }}.sarif"
-          exit-code: "1"
+          exit-code: "0"
           severity: "CRITICAL,HIGH"
           timeout: "10m0s"
       - name: Upload Trivy scan results to GitHub Security tab