Fix QG4 findings #53

Merged
Nov 27, 2023
1 change: 0 additions & 1 deletion .github/workflows/build.yml
@@ -5,7 +5,6 @@ on:
branches:
- "main"
- "dev"
- "fix/*"
tags:
- "v*.*.*"
- "v*.*.*-*"
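Review bot: dropping `- "fix/*"` from the push `branches` filter means a push to a fix branch no longer runs this build; if the build also publishes an image, narrowing what gets published from unreviewed branches is reasonable, but confirm that fix branches are still exercised through a `pull_request` trigger so the build is verified before merge.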
3 changes: 2 additions & 1 deletion .github/workflows/helm-chart-test.yaml
Contributor

Please have a close look at the TRG 5.09. It's not only about manually triggering, but also about doing the helm test (with ct install) and the upgrade step. Therefore the workflow_dispatch needs to define some inputs.

Contributor Author

Yes, please, I will make the remaining changes in another PR right away.

@@ -10,7 +10,8 @@ on:
pull_request:
paths:
- 'charts/country-risk/**'

workflow_dispatch:
# Trigger manually
jobs:
lint-test:
runs-on: ubuntu-latest
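Review bot: the new `workflow_dispatch:` trigger declares no `inputs`, so a manual run can only repeat the same `lint-test` job that `pull_request` already runs; as the TRG 5.09 comment above points out, the upgrade step needs to know which released chart version to upgrade from, so give the trigger an `inputs:` block (for example a chart-version input, name to be chosen) that the job reads through `github.event.inputs`. The `# Trigger manually` comment also sits on the line after the key; placing it above `workflow_dispatch:` reads more naturally.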
18 changes: 5 additions & 13 deletions .github/workflows/trivy.yml
@@ -1,4 +1,4 @@
name: "Trivy"
name: "Trivy Stable"

on:
push:
@@ -9,12 +9,6 @@ on:
- 'src/**'
- 'package.json'
- 'Dockerfile'
# pull_request:
# The branches below must be a subset of the branches above
# branches: [ main ]
# paths-ignore:
# - "**/*.md"
# - "**/*.txt"
schedule:
# Once a day
- cron: "0 0 * * *"
@@ -34,15 +28,13 @@ jobs:
uses: actions/checkout@v3

- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.14.0
with:
scan-type: "config"
# ignore-unfixed: true
exit-code: "1"
hide-progress: false
format: "sarif"
output: "trivy-results1.sarif"
severity: "CRITICAL,HIGH"
vuln-type: "os,library"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
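Review bot: moving `aquasecurity/trivy-action` from `@master` to `@0.14.0` replaces a moving branch with a release tag, which is the right direction, but a tag can still be re-pointed by the action's maintainers; pin to the full commit SHA of that release and keep the version in a trailing comment (`uses: aquasecurity/trivy-action@<commit-sha> # 0.14.0`, SHA to be looked up) so the job runs exactly the code that was reviewed. Separately, with `exit-code: "1"` and `severity: "CRITICAL,HIGH"` the scan step fails the job on findings, and the following `upload-sarif` step shows no `if: always()` in the visible lines; without it (as the image scan step further down uses) the SARIF never reaches the Security tab in exactly the runs that have something to report.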
@@ -68,10 +60,10 @@ jobs:
# For public images, no ENV vars must be set.
- name: Run Trivy vulnerability scanner
if: always()
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.14.0
with:
# Path to Docker image
image-ref: "ghcr.io/catenax-ng/tx-vas-country-risk-frontend:main"
image-ref: "tractusx/vas-country-risk:latest"
format: "sarif"
output: "trivy-results2.sarif"
exit-code: "1"
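Review bot: `image-ref` now points at `tractusx/vas-country-risk:latest`, a moving tag; since this workflow is also triggered by pushes touching `src/**`, `package.json` and `Dockerfile`, that run scans the previously published image rather than the code that triggered it. Consider scanning the image built from the pushed ref (or the one produced in this workflow) for push events and keeping the `:latest` scan for the daily schedule, where a scan of the currently published image is what you want.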
2 changes: 2 additions & 0 deletions Dockerfile
@@ -31,6 +31,8 @@ COPY public ./public
COPY --chown=node:node .env .
COPY src ./src

COPY LICENSE NOTICE.md DEPENDENCIES SECURITY.md /app/dist/

# Set permissions
RUN chown -R node:node /app && \
chmod -R u+rwx,g+rx,o-rwx /app
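Review bot: the new `COPY LICENSE NOTICE.md DEPENDENCIES SECURITY.md /app/dist/` places the files in `/app/dist/`; if that directory is the static root the frontend serves, `DEPENDENCIES` and `SECURITY.md` become publicly downloadable, which is fine for license and notice files but worth confirming is intended rather than copying them to `/app/` alongside the build. The `COPY` correctly precedes the `chown -R node:node /app` step, so ownership and the `o-rwx` permissions apply to them too.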
17 changes: 15 additions & 2 deletions SECURITY.md
@@ -2,5 +2,18 @@

## Reporting a Vulnerability

Please report a found vulnerability here:
[https://www.eclipse.org/security/](https://www.eclipse.org/security/)
Please do **not** report security vulnerabilities through public GitHub issues.

Please report vulnerabilities to this repository via **GitHub security advisories** instead.

How? Inside affected repository → security tab

for contributor:
→ Report a vulnerability

for committer:
→ advisories → New draft security advisory

In severe cases, you can also report a found vulnerability via mail or eclipse issue here: https://www.eclipse.org/security/

See [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/projects/handbook/#vulnerability)
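Review bot: the new reporting instructions are written as loose fragments (`How? Inside affected repository → security tab`, `for contributor:`, `for committer:`) and would read better as a short numbered list with consistent capitalisation (`Eclipse`, not `eclipse`). The mail channel is mentioned without an address; since the linked https://www.eclipse.org/security/ page is where the address lives, say so explicitly so a reporter under time pressure is not left searching.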
8 changes: 4 additions & 4 deletions charts/country-risk/Chart.yaml
@@ -20,8 +20,8 @@
apiVersion: v2
name: country-risk
type: application
version: 1.1.1
Contributor

Why is there such a huge jump in the umbrella Chart?
This will make it very confusing for users of your Chart. Could you at least explain this in the CHANGELOG.md?

Contributor Author

I increased the chart version to 3.0.3 to be consistent with the subCharts. I think I have been failing to upgrade the version of this whenever there is a change in the charts, and now I have set it to align with them. I can put this explanation in the changelog if it makes it more explanatory.

Contributor

Yes, please do that. Jumping major versions and even skipping one seems odd at first sight.

appVersion: "1.2.0"
version: 3.0.3
appVersion: "1.2.1"
description: A Helm chart for deploying the Country Risk service
home: https://github.com/eclipse-tractusx/vas-country-risk-frontend
sources:
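Review bot: the umbrella `version` jumps from `1.1.1` to `3.0.3` and the thread above agrees to explain that in the CHANGELOG, but no `CHANGELOG.md` is among the files changed in this PR; add the entry here (or link the follow-up PR) so the explanation ships with the version that needs it.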
@@ -38,6 +38,6 @@ dependencies:
repository: https://helm.runix.net
version: 1.x.x
- name: country-risk-backend
version: 3.0.2
version: 3.0.3
- name: country-risk-frontend
version: 3.0.2
version: 3.0.3
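Review bot: the dependency from `repository: https://helm.runix.net` is left at `version: 1.x.x` while the in-repo sub-charts are pinned exactly to `3.0.3`; a floating range means `helm dependency update` can pull a new upstream chart release without any change in this repository. Pin it to an exact version and bump it deliberately, so the chart's dependency set is reproducible.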
156 changes: 78 additions & 78 deletions charts/country-risk/README.md
4 changes: 2 additions & 2 deletions charts/country-risk/charts/country-risk-backend/Chart.yaml
@@ -36,13 +36,13 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 3.0.2
version: 3.0.3

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.2.0"
appVersion: "1.2.1"

dependencies:
- name: postgresql
2 changes: 1 addition & 1 deletion charts/country-risk/charts/country-risk-backend/README.md
@@ -148,7 +148,7 @@ vas:

### country-risk-backend

![Version: 2.0.6](https://img.shields.io/badge/Version-2.0.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
![Version: 3.0.3](https://img.shields.io/badge/Version-3.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square)

A Helm chart for deploying the Country Risk service

4 changes: 2 additions & 2 deletions charts/country-risk/charts/country-risk-backend/values.yaml
@@ -25,9 +25,9 @@
replicaCount: 1

image:
registry: "ghcr.io"
registry: "tractusx"
# -- Name of the docker image
name: "catenax-ng/tx-vas-country-risk-backend"
name: "vas-country-risk-backend"
pullPolicy: Always
# -- Overrides the image tag whose default is the chart appVersion.
tag: ""
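Review bot: `registry: "tractusx"` is a Docker Hub namespace rather than a registry host, so the pull works only because Docker Hub is the implicit default; if the template concatenates `registry/name`, document that this value is the Docker Hub organisation, or move the namespace into `name`. With `pullPolicy: Always` and `tag: ""` (defaulting to `appVersion`), every pod start re-resolves a mutable tag from a public registry; consider supporting a digest in `tag` so deployments can be pinned to exactly the scanned image.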
4 changes: 2 additions & 2 deletions charts/country-risk/charts/country-risk-frontend/Chart.yaml
@@ -34,10 +34,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 3.0.2
version: 3.0.3

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.2.0"
appVersion: "1.2.1"
90 changes: 45 additions & 45 deletions charts/country-risk/charts/country-risk-frontend/README.md
@@ -88,57 +88,57 @@ This way you are able to overwrite any configuration property of the `.env` file

# country-risk-frontend

![Version: 2.0.7](https://img.shields.io/badge/Version-2.0.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
![Version: 3.0.3](https://img.shields.io/badge/Version-3.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square)

A Helm chart for deploying the Country Risk service

## Values

| Key | Type | Default | Description |
|-----|------|--------------------------------------------------------------|-------------|
| Key | Type | Default | Description |
|-----|------|-------------------------------------------------------|-------------|
| affinity..podAffinityTerm.labelSelector.matchExpressions[0] | object | `{"key":"app.kubernetes.io/name","operator":"DoesNotExist"}` | Match Pod rules |
| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` | Key that is used to determine the topology of the cluster |
| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `100` | |
| appName | string | `"vas-country-risk-frontend"` | Name of the backend service |
| applicationSecret | object | `{"enabled":false}` | Defines the client secret and client ID |
| autoscaling | object | `{"enabled":false}` | Specifies whether autoscaling should be enabled for the pod |
| certificate.host | string | `"localhost"` | Hostname for the certificate |
| configmap.create | bool | `true` | |
| elastic.enabled | bool | `false` | Should elastic be enabled or not |
| elastic.security.tls | object | `{"restEncryption":false}` | Information about the transport layer security (TLS) |
| elastic.security.tls.restEncryption | bool | `false` | Encryption for the REST requests made to the Elastic cluster |
| image.name | string | `"catenax-ng/tx-vas-country-risk-frontend"` | Name of the docker image |
| image.pullPolicy | string | `"Always"` | |
| image.registry | string | `"ghcr.io"` | |
| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| imagePullSecrets | list | `[]` | List of secrets to be used |
| ingress.annotations."nginx.ingress.kubernetes.io/force-ssl-redirect" | string | `"true"` | HTTP traffic should be redirected to HTTPS |
| ingress.annotations."nginx.ingress.kubernetes.io/ssl-passthrough" | string | `"true"` | Ingress controller should pass SSL traffic directly to the backend pods |
| ingress.className | string | `"nginx"` | Class name |
| ingress.enabled | bool | `false` | Ingress enabled or not |
| livenessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,...}` | Determines if a pod is still alive or not |
| livenessProbe.initialDelaySeconds | int | `10` | Number of seconds to wait before performing the first liveness probe |
| livenessProbe.periodSeconds | int | `1000` | Number of seconds to wait between consecutive probes |
| livenessProbe.successThreshold | int | `1` | Number of consecutive successful probes before a pod is considered healthy |
| livenessProbe.timeoutSeconds | int | `1000` | Number of seconds after which a liveness probe times out |
| nodeSelector | object | `{}` | Node placement constraints |
| podAnnotations | object | `{}` | Annotations to be added to the running pod |
| podSecurityContext | object | `{"fsGroup":2000}` | Configuration for security-related options of the running pod |
| podSecurityContext.fsGroup | int | `2000` | Set the file system group ID for all containers in the pod |
| readinessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,...}` | Determine when a pod is ready to start accepting requests |
| replicaCount | int | `1` | Number of replicas of a Kubernetes deployment |
| resources.limits | object | `{"cpu":"800m","memory":"2Gi"}` | Maximum amount of resources that the deployment should be able to consume |
| resources.requests | object | `{"cpu":"300m","memory":"1Gi"}` | Minimum amount of resources that the deployment should be guaranteed to receive |
| securityContext.allowPrivilegeEscalation | bool | `false` | Specifies if processes running inside the container can gain more privileges than its initial user |
| securityContext.capabilities | object | `{"drop":["ALL"]}` | Capabilities that the process inside the container should have |
| securityContext.runAsGroup | int | `3000` | Specifies the group ID that the process inside the container should run |
| securityContext.runAsNonRoot | bool | `true` | Specifies whether the process inside the container should run as a non-root user |
| securityContext.runAsUser | int | `10001` | Specifies the user ID that the process inside the container should run |
| service | object | `{"port":8080,"type":"ClusterIP"}` | Service that should be created for the pod |
| service.port | int | `8080` | Service port |
| service.type | string | `"ClusterIP"` | Type of service to be used |
| springProfiles[0] | string | `"dev"` | |
| tolerations | list | `[]` | Pod toleration constraints |
| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` | Key that is used to determine the topology of the cluster |
| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `100` | |
| appName | string | `"vas-country-risk-frontend"` | Name of the backend service |
| applicationSecret | object | `{"enabled":false}` | Defines the client secret and client ID |
| autoscaling | object | `{"enabled":false}` | Specifies whether autoscaling should be enabled for the pod |
| certificate.host | string | `"localhost"` | Hostname for the certificate |
| configmap.create | bool | `true` | |
| elastic.enabled | bool | `false` | Should elastic be enabled or not |
| elastic.security.tls | object | `{"restEncryption":false}` | Information about the transport layer security (TLS) |
| elastic.security.tls.restEncryption | bool | `false` | Encryption for the REST requests made to the Elastic cluster |
| image.name | string | `"vas-country-risk"` | Name of the docker image |
| image.pullPolicy | string | `"Always"` | |
| image.registry | string | `"tractusx"` | |
| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| imagePullSecrets | list | `[]` | List of secrets to be used |
| ingress.annotations."nginx.ingress.kubernetes.io/force-ssl-redirect" | string | `"true"` | HTTP traffic should be redirected to HTTPS |
| ingress.annotations."nginx.ingress.kubernetes.io/ssl-passthrough" | string | `"true"` | Ingress controller should pass SSL traffic directly to the backend pods |
| ingress.className | string | `"nginx"` | Class name |
| ingress.enabled | bool | `false` | Ingress enabled or not |
| livenessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,...}` | Determines if a pod is still alive or not |
| livenessProbe.initialDelaySeconds | int | `10` | Number of seconds to wait before performing the first liveness probe |
| livenessProbe.periodSeconds | int | `1000` | Number of seconds to wait between consecutive probes |
| livenessProbe.successThreshold | int | `1` | Number of consecutive successful probes before a pod is considered healthy |
| livenessProbe.timeoutSeconds | int | `1000` | Number of seconds after which a liveness probe times out |
| nodeSelector | object | `{}` | Node placement constraints |
| podAnnotations | object | `{}` | Annotations to be added to the running pod |
| podSecurityContext | object | `{"fsGroup":2000}` | Configuration for security-related options of the running pod |
| podSecurityContext.fsGroup | int | `2000` | Set the file system group ID for all containers in the pod |
| readinessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,...}` | Determine when a pod is ready to start accepting requests |
| replicaCount | int | `1` | Number of replicas of a Kubernetes deployment |
| resources.limits | object | `{"cpu":"800m","memory":"2Gi"}` | Maximum amount of resources that the deployment should be able to consume |
| resources.requests | object | `{"cpu":"300m","memory":"1Gi"}` | Minimum amount of resources that the deployment should be guaranteed to receive |
| securityContext.allowPrivilegeEscalation | bool | `false` | Specifies if processes running inside the container can gain more privileges than its initial user |
| securityContext.capabilities | object | `{"drop":["ALL"]}` | Capabilities that the process inside the container should have |
| securityContext.runAsGroup | int | `3000` | Specifies the group ID that the process inside the container should run |
| securityContext.runAsNonRoot | bool | `true` | Specifies whether the process inside the container should run as a non-root user |
| securityContext.runAsUser | int | `10001` | Specifies the user ID that the process inside the container should run |
| service | object | `{"port":8080,"type":"ClusterIP"}` | Service that should be created for the pod |
| service.port | int | `8080` | Service port |
| service.type | string | `"ClusterIP"` | Type of service to be used |
| springProfiles[0] | string | `"dev"` | |
| tolerations | list | `[]` | Pod toleration constraints |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
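Review bot: the regenerated table exposes `livenessProbe.periodSeconds` and `livenessProbe.timeoutSeconds` both at `1000`, so the kubelet probes roughly every seventeen minutes with an equally long timeout; a hung frontend pod keeps receiving traffic for a long time before it is restarted, and the unchanged `values.yaml` defaults deserve a second look. Two smaller points in the same table: `affinity..podAffinityTerm.labelSelector.matchExpressions[0]` has a doubled dot, which usually means a `# --` comment in `values.yaml` sits on the wrong line for helm-docs, and `appName` is described as "Name of the backend service" in the frontend chart.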
4 changes: 2 additions & 2 deletions charts/country-risk/charts/country-risk-frontend/values.yaml
@@ -25,9 +25,9 @@
replicaCount: 1

image:
registry: "ghcr.io"
registry: "tractusx"
# -- Name of the docker image
name: "catenax-ng/tx-vas-country-risk-frontend"
name: "vas-country-risk"
pullPolicy: Always
# -- Overrides the image tag whose default is the chart appVersion.
tag: ""
8 changes: 4 additions & 4 deletions charts/country-risk/values.yaml
@@ -23,9 +23,9 @@ country-risk-frontend:
replicaCount: 1

image:
registry: "ghcr.io"
registry: "tractusx"
# -- Name of the docker image
name: "catenax-ng/tx-vas-country-risk-frontend"
name: "vas-country-risk"
pullPolicy: Always
# -- Overrides the image tag whose default is the chart appVersion.
tag: ""
@@ -155,9 +155,9 @@ country-risk-backend:

replicaCount: 1
image:
registry: "ghcr.io"
registry: "tractusx"
# -- Name of the docker image
name: "catenax-ng/tx-vas-country-risk-backend"
name: "vas-country-risk-backend"
pullPolicy: Always
# -- Overrides the image tag whose default is the chart appVersion.
tag: ""
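Review bot: the `image.registry` / `image.name` pair is changed identically in four places in this PR (each sub-chart's `values.yaml` and both blocks of the umbrella `values.yaml`); because the umbrella copies override the sub-chart defaults, a future registry move that misses one file silently keeps pulling the old image. Either drop the duplicated keys from the umbrella values so the sub-chart defaults apply, or add a chart test that renders both and asserts they resolve to the same repository.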