Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: upgrade to Ontop 5.1.0 and resolve important trivy and veracode issues #64

Merged
merged 13 commits into from
Nov 22, 2023
Merged

fix: upgrade to Ontop 5.1.0 and resolve important trivy and veracode issues #64

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
3fe344c
fix(provisioning-agent): use the correct docker user and group ids as…
drcgjung Oct 18, 2023
f9c7ea3
chore: upgrade version and remove redundant cyclone SBOMs
drcgjung Oct 18, 2023
82f2421
chore: update DEPENDENCIES
drcgjung Oct 18, 2023
baec622
Merge remote-tracking branch 'eclipse/main' into fix/provider-agent-d…
drcgjung Oct 20, 2023
a3e076c
chore: upgrade version script and pin github actions
drcgjung Nov 15, 2023
97fa9ee
docs: cyclone link is obsolete
drcgjung Nov 15, 2023
d3a06bb
chore: update DEPENDENCIES
drcgjung Nov 15, 2023
e64d772
fix: upgrade to Ontop 5.1.0 and resolve important trivy and veracode …
drcgjung Nov 15, 2023
fd6f868
fix(workflow): wrong comment identiation in trivy workflow.
drcgjung Nov 16, 2023
a8b2423
fix: align to TRG guidelines and define as aggregate project.
drcgjung Nov 16, 2023
77e501d
fix(docker): minimize the use of apk/apt to stay with base images.
drcgjung Nov 20, 2023
02ddcd2
Merge branch 'fix/provider-agent-docker-user' into fix/upgrade-ontop-510
drcgjung Nov 20, 2023
146c3c5
chore(deps): update DEPENDENCIES
SebastianBezold Nov 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 14 additions & 14 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,17 +87,17 @@

# Get the Code
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive

# Setup build environment
- uses: ./.github/actions/setup-java

Check warning on line 95 in .github/workflows/build.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

# Enable deployment access (on demand or main branch and version tags only)
- name: Login to GitHub Container Registry
if: ${{ ( github.event.inputs.deploy_docker == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
uses: docker/login-action@v2
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ steps.set-docker-repo.outputs.REGISTRY }}
# Use existing DockerHub credentials present as secrets
Expand Down Expand Up @@ -125,7 +125,7 @@
# Create SemVer or ref tags dependent of trigger event
- name: Docker Meta Conforming
id: meta-conf
uses: docker/metadata-action@v4
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
with:
images: |
${{ steps.set-docker-repo.outputs.REPO }}/conforming-agent
Expand All @@ -137,12 +137,12 @@
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=1.10.2-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=1.10.15-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}

# build in any case, but push only main and version tag settings
- name: Conforming Container Build and Push
uses: docker/build-push-action@v3
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: conforming/.
file: conforming/src/main/docker/Dockerfile
Expand All @@ -154,7 +154,7 @@
# Important step to push image description to DockerHub - since this is version independent, we always take it from main
- name: Update Docker Hub description for Conforming Agent
if: ${{ steps.set-docker-repo.outputs.REPO == 'docker.io' && github.ref == 'refs/heads/main' }}
uses: peter-evans/dockerhub-description@v3
uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864 # v3.4.2
with:
readme-filepath: conforming/README.md
username: ${{ secrets.DOCKER_HUB_USER || github.actor }}
Expand All @@ -164,7 +164,7 @@
# Create SemVer or ref tags dependent of trigger event
- name: Docker Meta Remoting
id: meta-remote
uses: docker/metadata-action@v4
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
with:
images: |
${{ steps.set-docker-repo.outputs.REPO }}/remoting-agent
Expand All @@ -176,12 +176,12 @@
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=1.10.2-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=1.10.15-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}

# build in any case, but push only main and version tag settings
- name: Remoting Container Build and Push
uses: docker/build-push-action@v3
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: remoting/.
file: remoting/src/main/docker/Dockerfile
Expand All @@ -193,7 +193,7 @@
# Important step to push image description to DockerHub - since this is version independent, we always take it from main
- name: Update Docker Hub description for Remoting Agent
if: ${{ steps.set-docker-repo.outputs.REPO == 'docker.io' && github.ref == 'refs/heads/main' }}
uses: peter-evans/dockerhub-description@v3
uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864 # v3.4.2
with:
readme-filepath: remoting/README.md
username: ${{ secrets.DOCKER_HUB_USER || github.actor }}
Expand All @@ -203,7 +203,7 @@
# Create SemVer or ref tags dependent of trigger event
- name: Docker Meta Provisioning
id: meta-prov
uses: docker/metadata-action@v4
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
with:
images: |
${{ steps.set-docker-repo.outputs.REPO }}/provisioning-agent
Expand All @@ -215,12 +215,12 @@
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=1.10.2-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=1.10.15-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}

# build in any case, but push only main and version tag settings
- name: Provisioning Container Build and Push
uses: docker/build-push-action@v3
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: provisioning/.
file: provisioning/src/main/docker/Dockerfile
Expand All @@ -232,7 +232,7 @@
# Important step to push image description to DockerHub - since this is version independent, we always take it from main
- name: Update Docker Hub description for Provisioning Agent
if: ${{ steps.set-docker-repo.outputs.REPO == 'docker.io' && github.ref == 'refs/heads/main' }}
uses: peter-evans/dockerhub-description@v3
uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864 # v3.4.2
with:
readme-filepath: provisioning/README.md
username: ${{ secrets.DOCKER_HUB_USER || github.actor }}
Expand Down
19 changes: 9 additions & 10 deletions .github/workflows/helm-chart-lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,13 +42,12 @@
inputs:
node_image:
description: 'kindest/node image for k8s kind cluster'
# k8s version from 3.1 release as default
default: 'kindest/node:v1.24.6'
# k8s version from 3.3 release as default
default: 'kindest/node:v1.27.3'
required: false
type: string
upgrade_from:
description: 'chart version to upgrade from'
# chart version from 3.2 release as default
default: 'x.x.x'
required: false
type: string
Expand All @@ -58,23 +57,23 @@
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0

- name: Set up Helm
uses: azure/setup-helm@v3
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: v3.10.3

- uses: ./.github/actions/setup-java

Check warning on line 69 in .github/workflows/helm-chart-lint.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

- uses: actions/setup-python@v4
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: 3.9

- name: Set up chart-testing
uses: helm/chart-testing-action@v2.3.1
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1

- name: Run chart-testing (lint)
run: ct lint --target-branch ${{ github.base_ref || github.ref_name }} --config charts/config/chart-testing-config.yaml
Expand All @@ -89,12 +88,12 @@

# Preparing a kind cluster to install and test charts on
- name: Create kind cluster
uses: container-tools/kind-action@v1
uses: container-tools/kind-action@61f1afd4807b0dac84f3232ec99e45c63701d220 # v2.0.1
with:
# upgrade version, default (v0.17.0) uses node image v1.21.1 and doesn't work with more recent node image versions
version: v0.19.0
version: v0.20.0
# default value for event_name != workflow_dispatch
node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.24.6' }}
node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
if: github.event_name != 'pull_request' || env.CHART_CHANGED == 'true'

- name: Build Java/Docker via Maven
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/helm-chart-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0

Expand All @@ -51,11 +51,11 @@ jobs:
git config user.email "[email protected]"

- name: Install Helm
uses: azure/setup-helm@v3
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
token: ${{ secrets.GITHUB_TOKEN }}

- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.4.1
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
7 changes: 4 additions & 3 deletions .github/workflows/kics.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,8 @@ jobs:
security-events: write

steps:
- uses: actions/[email protected]
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1


#
# Take out
Expand All @@ -58,7 +59,7 @@ jobs:
# - the "Administrative Boundaries" Info (e84eaf4d-2f45-47b2-abe8-e581b06deb66) would not be visible
#
- name: KICS scan
uses: checkmarx/[email protected]
uses: checkmarx/kics-github-action@8a44970e3d2eca668be41abe9d4e06709c3b3609 # v1.7.0
with:
path: "."
fail_on: high
Expand All @@ -69,6 +70,6 @@ jobs:

- name: Upload SARIF file for GitHub Advanced Security Dashboard
if: always()
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@689fdc5193eeb735ecb2e52e819e3382876f93f4 # v2.22.6
with:
sarif_file: kicsResults/results.sarif
21 changes: 11 additions & 10 deletions .github/workflows/trivy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,19 +53,19 @@ jobs:
contents: read
security-events: write
steps:
- uses: actions/checkout@v3.5.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
with:
scan-type: "config"
# ignore-unfixed: true
exit-code: "1"
exit-code: "0"
hide-progress: false
format: "sarif"
output: "trivy-results-config.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@689fdc5193eeb735ecb2e52e819e3382876f93f4 # v2.22.6
if: always()
with:
sarif_file: "trivy-results-config.sarif"
Expand Down Expand Up @@ -100,12 +100,12 @@ jobs:
fi
exit 0

- uses: actions/checkout@v3.5.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# Enable repository access (on main branch and version tags only)
- name: Login to GitHub Container Registry
if: ${{ ( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
uses: docker/login-action@v2
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ steps.set-docker-repo.outputs.REGISTRY }}
# Use existing DockerHub credentials present as secrets
Expand All @@ -119,19 +119,20 @@ jobs:
docker manifest inspect ${{ steps.set-docker-repo.outputs.REPO }}/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }}
continue-on-error: true

## the next two steps will only execute if the image exists check was successful
# the next two steps will only execute if the image exists check was successful
- name: Run Trivy vulnerability scanner
if: success() && steps.imageCheck.outcome != 'failure'
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
with:
image-ref: "${{ steps.set-docker-repo.outputs.REPO }}/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }}"
format: "sarif"
output: "trivy-results-${{ matrix.image }}.sarif"
exit-code: "1"
exit-code: "0"
severity: "CRITICAL,HIGH"
timeout: "10m0s"

- name: Upload Trivy scan results to GitHub Security tab
if: success() && steps.imageCheck.outcome != 'failure'
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@689fdc5193eeb735ecb2e52e819e3382876f93f4 # v2.22.6
with:
sarif_file: "trivy-results-${{ matrix.image }}.sarif"
8 changes: 4 additions & 4 deletions .github/workflows/veracode.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@
- uses: actions/[email protected]
with:
fetch-depth: 0
- uses: ./.github/actions/setup-java

Check warning on line 48 in .github/workflows/veracode.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
- name: Verify proper formatting
run: ./mvnw spotless:check

Expand All @@ -64,8 +64,8 @@
{dir: conforming, name: conforming-agent}]
steps:
# Set-Up
- uses: actions/checkout@v3.5.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./.github/actions/setup-java

Check warning on line 68 in .github/workflows/veracode.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
# Build
- name: Build ${{ matrix.variant.name }}
run: |-
Expand All @@ -77,7 +77,7 @@
run: |-
tar -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
- name: Veracode Upload And Scan
uses: veracode/[email protected]
uses: veracode/veracode-uploadandscan-action@c3c0b78bddb42d5f6b10d70562f692215a410d7b #v1.0
if: |
needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY
continue-on-error: true
Expand Down Expand Up @@ -107,8 +107,8 @@
variant: [{dir: provisioning, name: provisioning-agent}]
steps:
# Set-Up
- uses: actions/checkout@v3.5.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./.github/actions/setup-java

Check warning on line 111 in .github/workflows/veracode.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
# Build
- name: Build ${{ matrix.variant.name }}
run: |-
Expand All @@ -120,7 +120,7 @@
run: |-
tar --exclude='spring-web-5.3.28.jar' -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/lib/*.jar ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
- name: Veracode Upload And Scan
uses: veracode/[email protected]
uses: veracode/veracode-uploadandscan-action@c3c0b78bddb42d5f6b10d70562f692215a410d7b #v1.0
if: |
needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY
continue-on-error: true
Expand Down
13 changes: 11 additions & 2 deletions .tractusx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,15 @@
# SPDX-License-Identifier: Apache-2.0
###############################################################

product: "Tractus-X Knowledge Agents Reference Implementations (KA-RI)"
product: "knowledge-agents"
leadingRepository: "https://github.com/eclipse-tractusx/knowledge-agents"
repositories: []
repositories:
- name: "knowledge-agents"
usage: "Tractus-X Reference Implementations of Knowledge Agents (KA-RI)"
url: "https://github.com/eclipse-tractusx/knowledge-agents"
- name: "knowledge-agents-edc"
usage: "Tractus-X Knowledge Agents EDC Extensions (KA-EDC)"
url: "https://github.com/eclipse-tractusx/knowledge-agents-edc"
- name: "knowledge-agents-aas-bridge"
usage: "Tractus-X Knowledge Agents AAS Bridges (KA-AAS)"
url: "https://github.com/eclipse-tractusx/knowledge-agents-aas-bridge"
Loading