
QG checks (Release 24.12) #1082

Open · 35 of 44 tasks
SujitMBRDI opened this issue Oct 17, 2024 · 2 comments
Labels: documentation (Improvements or additions to documentation)

SujitMBRDI (Contributor) commented Oct 17, 2024

QG checks

Please open and fill in this issue in your product repository to document compliance with the Tractus-X Release Guidelines (TRGs).

Show compliance with TRGs by referencing a tagged link in the respective repository where possible, for example: TRG 1.01 (see github.com/eclipse-tractusx/example-repo/tree/1.0.0/README.md)

Close this issue once compliance with the TRGs has been documented.

Committer(s): @nicoprow, @SujitMBRDI
Helm Chart Version: 5.2.0
App Version: 6.2.0

Release Management Reference Issue:

Check of Tractus-X Release Guidelines

TRG 1 Documentation

TRG 2 Git

TRG 3 Kubernetes

  • TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

TRG 4 Container

  • TRG 4.01 semantic versioning and tagging
  • TRG 4.02 base image is agreed
  • TRG 4.03 image has USER command and Non Root Container
  • TRG 4.05 released image must be placed in DockerHub, remove GHCR references
  • TRG 4.06 separate notice file for DockerHub has all necessary information
  • TRG 4.07 root file system is set to read access by default, but can be overwritten by the user

TRG 5 Helm

  • TRG 5.01 Helm chart requirements
  • TRG 5.02 Helm chart location in /charts directory and correct structure
  • TRG 5.03 proper version strategy
  • TRG 5.04 CPU / MEM resource requests and limits are properly set
  • TRG 5.06 Application must be configurable through the Helm chart
  • TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
  • TRG 5.08 Product has a single deployable helm chart that contains all components
  • TRG 5.09 Helm Test running properly
  • TRG 5.10 Products need to support 3 versions at a time
  • TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

TRG 7 Open Source Governance

  • TRG 7.01 Legal Documentation
  • TRG 7.02 License and copyright header
  • TRG 7.03 IP checks for project content
  • TRG 7.04 IP checks for 3rd party content
  • TRG 7.05 Legal information for distributions
  • TRG 7.06 Legal information for end user content
  • TRG 7.07 Legal notice for documentation (non-code)
  • TRG 7.08 Legal notice for KIT documentation

TRG 8 Security

  • TRG 8.01 Mitigate high and above findings in CodeQL
  • TRG 8.02 Mitigate high and above findings in KICS
  • TRG 8.04 Mitigate high and above findings in Trivy
  • TRG 8.03 No secret findings by GitGuardian or TruffleHog

TRG 9 UX/UI Styleguide

  • TRG 9.01 UI consistency/styleguide for UI

Hints

Information Sharing

SujitMBRDI added the documentation label Oct 17, 2024

nicoprow (Contributor) commented Oct 17, 2024

Conditions Met:

TRG 3.02: BPDM does not use own persistence but relies on greenlit bitnami postgres dependency
TRG 4.02: All BPDM docker images use base image of 21-jre-alpine
TRG 4.03: USER command in place with user IDs and name that can be changed by build arguments (all non-root)
TRG 4.05: workflow deploys docker images to dockerhub (for example https://hub.docker.com/r/tractusx/bpdm-pool)
TRG 4.07: default bpdm chart values set the root file system to read only but can be overwritten
TRG 5.01: Helm chart general requirements are met
TRG 5.02: Helm charts in correct directory
TRG 5.03: Semantic versioning for helm chart version and app version in place
TRG 5.04: Default values set proper memory and cpu limits that are enough for setting up the Charts
TRG 5.06: Chart values provide application and secret config yaml properties to override the application configuration
TRG 5.07: Chart dependencies are configured to work out of the box when installing BPDM and the Postgres version matches the aligned release guideline version
TRG 5.08: BPDM comes with one BPDM helm chart in which all BPDM applications are deployed
TRG 5.09: In BPDM, charts are tested separately in a linting test workflow and a chart install and upgrade workflow, covering all aspects of this TRG
TRG 5.11: TRG 5.11 provides an upgradability test which fulfills this TRG
TRG 7.01: Legal Documentation exists in the repo root:

TRG 7.03: All source code content has been reviewed and approved by repository maintainers
TRG 7.07: Notice section is added to all documentation files, for example here
TRG 8.01: Currently no high findings by CodeQL
TRG 8.02: Currently no findings by KICS
TRG 8.03: No secrets findings
TRG 9.01: No UI in BPDM

Conditions Not Met:

TRG 4.01: Semantic versioning in place and guaranteed by workflow. I hold off checking the check mark though until after we have released to provide it in dockerhub
TRG 5.10: The chart install and upgrade workflow comes with the configuration to test in different kubernetes versions. This has not been done yet and the workflow needs to be upgraded
TRG 6.01: Chart not released yet
TRG 7.02: copyright and license header are set in the source files but files that are governed by CC-BY-4.0 seem to be missing the suggested copyright header? @SujitMBRDI
TRG 7.04: DEPENDENCIES are not up-to-date
TRG 7.05: Currently, we distribute 4 different applications. Not in every application do we distribute all the legal documents:

  • Pool
  • Gate
  • Orchestrator does not include legal documents
  • Cleaning Service Dummy does not include legal documents

TRG 7.06: I believe this is not met by the swagger open-api documentations
TRG 8.04: Need to wait until release to scan the released version
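The comment above asserts three manifest-level properties for the BPDM charts: the containers run non-root (TRG 4.03), the root filesystem is read-only by default but overridable (TRG 4.07), and CPU/memory requests and limits are set (TRG 5.04). The check below is an added example, not BPDM project code or part of this thread: it walks already-parsed Kubernetes workload manifests (what you would get from `yaml.safe_load_all()` over `helm template` output, which is assumed here) and reports every container that misses one of those settings. The two sample Deployments, their names `hardened-app` and `lax-app`, and the image tag are constructed for the example; the `securityContext` and `resources` fields are the standard Kubernetes API fields.

```python
"""Reviewer check for TRG 4.03 / 4.07 / 5.04 over rendered workload manifests.

Added example, not BPDM code. Input: a list of manifest dicts, e.g.
    list(yaml.safe_load_all(subprocess.check_output(["helm", "template", ...])))
(assumed usage; PyYAML is not imported so the sample below runs offline).
"""

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def _pod_spec(manifest):
    """Locate the PodSpec inside a workload manifest (CronJob nests one level deeper)."""
    if manifest.get("kind") == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return manifest["spec"]["template"]["spec"]


def check_container(pod_spec, container):
    """Return the list of findings for one container; an empty list means compliant."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    sc = container.get("securityContext", {})

    # TRG 4.03: must not run as root. runAsNonRoot/runAsUser may be set at pod
    # or container level; the container-level value takes precedence.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runAsNonRoot is not true (TRG 4.03)")
    if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
        findings.append("runAsUser is 0 (TRG 4.03)")

    # TRG 4.07: read-only root filesystem. This field exists only at container
    # level. A chart default of true that a user overrides to false will show
    # up here as a finding on the rendered output, which is the intended signal.
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true (TRG 4.07)")

    # TRG 5.04: both requests and limits for cpu and memory must be present.
    resources = container.get("resources", {})
    for section in ("requests", "limits"):
        for res in ("cpu", "memory"):
            if res not in resources.get(section, {}):
                findings.append(f"resources.{section}.{res} missing (TRG 5.04)")
    return findings


def check_manifests(manifests):
    """Map 'kind/name/container' to its findings for every workload container."""
    report = {}
    for m in manifests:
        if m.get("kind") not in WORKLOAD_KINDS:
            continue  # Services, ConfigMaps etc. carry no container spec
        spec = _pod_spec(m)
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            key = f"{m['kind']}/{m['metadata']['name']}/{c['name']}"
            report[key] = check_container(spec, c)
    return report


# Constructed sample input: one compliant and one non-compliant Deployment,
# plus a Service that the checker must skip.
SAMPLE_MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "hardened-app"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
         "containers": [{
             "name": "app", "image": "example/app:1.0.0",
             "securityContext": {"readOnlyRootFilesystem": True,
                                 "allowPrivilegeEscalation": False},
             "resources": {"requests": {"cpu": "250m", "memory": "512Mi"},
                           "limits": {"cpu": "1", "memory": "1Gi"}}}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "lax-app"},
     "spec": {"template": {"spec": {
         "containers": [{
             "name": "app", "image": "example/app:1.0.0",
             "securityContext": {"runAsUser": 0},
             "resources": {"limits": {"memory": "1Gi"}}}]}}}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "svc"}, "spec": {}},
]

if __name__ == "__main__":
    for key, findings in check_manifests(SAMPLE_MANIFESTS).items():
        print(key, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Running it on real chart output is a matter of replacing `SAMPLE_MANIFESTS` with the parsed `helm template` documents; because the check runs on rendered output rather than on `values.yaml`, it also catches a deployment where a user has overridden the chart's read-only default, which is exactly the case TRG 4.07 allows but a reviewer should see.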

nicoprow (Contributor) commented:

@stephanbcbauer regarding TRG 7.02 we noticed that we do not have CC-BY-4.0 copyright headers on our documentation files. However, we adhered to TRG 7.07 and added the necessary notices in those files (for example here).

The TRGs read like you need both the notice section and the copyright headers but that feels excessive. Also it seems tractusx repos are quite split on the matter. Do you have an insight regarding this?
