Merge pull request #153 from eclipse-tractusx/feat/merge-both-repos

Merge Both Apps Frontend and Backend on the same repo

.dockerignore

@@ -1 +1,2 @@
-node_modules
+node_modules
+frontend/node_modules

.github/dependabot.yml

@@ -1,22 +1,17 @@
 version: 2
+
 updates:
-    # Maintain dependencies for Maven
-  - package-ecosystem: "npm"
-    directory: "/"
+  - package-ecosystem: "maven"
+    directory: "/backend/"
     schedule:
       interval: "daily"
-    # open-pull-requests-limit: 5
 
-    # Maintain dependencies for GitHub Actions
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: "npm"
+    directory: "/frontend/"
     schedule:
       interval: "daily"
-    # open-pull-requests-limit: 5
 
-    # Maintain dependencies for Docker
-  - package-ecosystem: "docker"
+  - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
-    # open-pull-requests-limit: 5
+      interval: "daily"

.github/workflows/build.yml → .github/workflows/build-frontend.yml

@@ -1,4 +1,4 @@
-name: Build Pipeline
+name: Build Frontend Pipeline
 
 on:
   push:

.github/workflows/codeql.yml

@@ -14,8 +14,11 @@ name: "CodeQL"
 on:
   push:
     branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
   schedule:
-    - cron: "0 0 * * *"
+    - cron: "36 1 * * 0"
   workflow_dispatch:
 
 jobs:
@@ -36,19 +39,19 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["javascript"]
+        language: ["java", "javascript"]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
         # Use only 'java' to analyze code written in Java, Kotlin or both
         # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,15 +60,25 @@ jobs:
 
           # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
           queries: +security-extended,security-and-quality
-
+
+      - name: Setup java for backend
+        # Ensures that the workflow only runs for 'java'
+        if: ${{ matrix.language == 'java' }}
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
+        with:
+          java-version: 17
+          distribution: temurin
+          java-package: jdk
+          cache: maven
+
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup.
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
 
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+      # Command-line programs to run using the OS shell.
+      # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
       #   If the Autobuild fails above, remove it and uncomment the following three lines.
       #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
@@ -75,6 +88,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
         with:
-          category: "/language:${{matrix.language}}"
+          category: "/language:${{matrix.language}}"

.github/workflows/docker-hub-build-backend.yml

@@ -0,0 +1,77 @@
+# Reference from https://github.com/eclipse-tractusx/app-dashboard/blob/main/.github/workflows/build-image.yaml
+# You might want to check the source for recent updates
+name: Build Backend - Docker image (SemVer)
+
+on:
+  push:
+    branches:
+      - main
+    # trigger events for SemVer like tags
+    tags:
+      - 'v*.*.*'
+      - 'v*.*.*-*'
+  pull_request:
+    branches:
+      - main
+
+env:
+  IMAGE_NAMESPACE: "tractusx"
+  IMAGE_NAME: "vas-country-risk-backend"
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # Create SemVer or ref tags dependent of trigger event
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
+          # Automatically prepare image tags; See action docs for more examples. 
+          # semver patter will generate tags like these for example :1 :1.2 :1.2.3
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: DockerHub login
+        if: github.event_name != 'pull_request'
+        uses: docker/[email protected]
+        with:
+          # Use existing DockerHub credentials present as secrets
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/[email protected]
+        with:
+          context: .
+          file: ./backend/Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: |
+            ${{ steps.meta.outputs.tags }},
+            ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:latest
+          labels: ${{ steps.meta.outputs.labels }}
+
+
+      # https://github.com/peter-evans/dockerhub-description
+      # Important step to push image description to DockerHub 
+      - name: Update Docker Hub description
+        if: github.event_name != 'pull_request'
+        uses: peter-evans/dockerhub-description@v4
+        with:
+          # readme-filepath defaults to toplevel README.md, Only necessary if you have a dedicated file with your 'Notice for docker images'
+          readme-filepath: ./backend/DOCKER_NOTICE.md
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+          repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}

.github/workflows/docker-hub-build.yml → .github/workflows/docker-hub-build-frontend.yml

@@ -1,6 +1,6 @@
 # Reference from https://github.com/eclipse-tractusx/app-dashboard/blob/main/.github/workflows/build-image.yaml
 # You might want to check the source for recent updates
-name: Build - Docker image (SemVer)
+name: Build Frontend - Docker image (SemVer)
 
 on:
   push:
@@ -35,6 +35,7 @@ jobs:
 
       - name: Add content to Legal Notice
         run: npm run build:legal-notice
+        working-directory: frontend
 
       # Create SemVer or ref tags dependent of trigger event
       - name: Docker meta
@@ -64,6 +65,7 @@ jobs:
         uses: docker/build-push-action@v3
         with:
           context: .
+          file: ./frontend/Dockerfile
           push: ${{ github.event_name != 'pull_request' }}
           tags: |
             ${{ steps.meta.outputs.tags }},
@@ -78,7 +80,7 @@ jobs:
         uses: peter-evans/dockerhub-description@v3
         with:
           # readme-filepath defaults to toplevel README.md, Only necessary if you have a dedicated file with your 'Notice for docker images'
-          readme-filepath: DOCKER_NOTICE.md
+          readme-filepath: ./frontend/DOCKER_NOTICE.md
           username: ${{ secrets.DOCKER_HUB_USER }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
           repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}

.github/workflows/trivy-test-images.yml

@@ -2,16 +2,14 @@ name: Trivy Docker Image Analysis
 
 on:
   push:
-    branches:
-      - main
   # Trigger manually
   workflow_dispatch:
 
 permissions:
   security-events: write # To upload sarif files
 
 jobs:
-  build-and-scan:
+  build-and-scan-frontend:
     runs-on: ubuntu-latest
 
     steps:
@@ -39,7 +37,7 @@ jobs:
         uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
         with:
           context: .
-          file: ./Dockerfile
+          file: ./frontend/Dockerfile
           push: false
           tags: frontend:latest
           load: true  # Load the image into Docker's local image store
@@ -53,3 +51,45 @@ jobs:
           severity: 'MEDIUM,HIGH,CRITICAL'
           format: 'table'
 
+  build-and-scan-backend:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: '3.6.3'
+
+      - name: Set up python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.7'
+
+      # Workaround: https://github.com/docker/build-push-action/issues/461
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0
+        with:
+          context: .
+          file: ./backend/Dockerfile
+          push: false
+          tags: backend:latest
+          load: true  # Load the image into Docker's local image store
+
+
+      - name: Run Trivy Table
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          image-ref: 'backend:latest'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          format: 'table'
+

.github/workflows/trivy.yml

@@ -1,22 +1,12 @@
 name: "Trivy Stable"
 
 on:
-  push:
-    branches:
-      - main
-      - dev
-    paths:
-      - 'src/**'
-      - 'package.json'
-      - 'Dockerfile'
-  schedule:
-    # Once a day
-    - cron: "0 0 * * *"
   workflow_dispatch:
   # Trigger manually
 
 jobs:
-  analyze-config:
+  analyze-frontend:
+    name: Analyze frontend
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -25,52 +15,41 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.19.0
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
         with:
-          scan-type: "config"
-          hide-progress: false
+          image-ref: "tractusx/vas-country-risk:latest"
           format: "sarif"
-          output: "trivy-results1.sarif"
+          output: "trivy-results-1.sarif"
           vuln-type: "os,library"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
         if: always()
         with:
-          sarif_file: "trivy-results1.sarif"
+          sarif_file: "trivy-results-1.sarif"
 
-  analyze-product-vas-country-risk-frontend:
+  analyze-backend:
+    name: Analyze backend
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
       security-events: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      # It's also possible to scan your private registry with Trivy's built-in image scan.
-      # All you have to do is set ENV vars.
-      # Docker Hub needs TRIVY_USERNAME and TRIVY_PASSWORD.
-      # You don't need to set ENV vars when downloading from a public repository.
-      # For public images, no ENV vars must be set.
+      # Pull image from Docker Hub and run Trivy vulnerability scanner
       - name: Run Trivy vulnerability scanner
-        if: always()
-        uses: aquasecurity/[email protected]
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
         with:
-          # Path to Docker image
-          image-ref: "tractusx/vas-country-risk:latest"
+          image-ref: "tractusx/vas-country-risk-backend:latest"
           format: "sarif"
-          output: "trivy-results2.sarif"
-          exit-code: "1"
-          severity: "CRITICAL,HIGH"
+          output: "trivy-results-2.sarif"
+          vuln-type: "os,library"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        if: always()
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
         with:
-          sarif_file: "trivy-results2.sarif"
+          sarif_file: "trivy-results-2.sarif"