eclipse-tractusx · ds-jhartmann · Jul 19, 2023 · Jul 6, 2023 · Jul 10, 2023 · Jul 10, 2023
diff --git a/.config/.trivyignore b/.config/.trivyignore
@@ -2,4 +2,7 @@
 CVE-2022-42003
 
 # HttpInvokerServiceExporter is not loaded as a bean in the IRS.
-CVE-2016-1000027
+CVE-2016-1000027
+
+# Vulnerability method not in IRS codebase (Files.createTempDir from guava). https://github.com/google/guava/issues/2575
+CVE-2023-2976
diff --git a/.github/workflows/integration-test-DEV.yaml b/.github/workflows/integration-test-DEV.yaml
@@ -0,0 +1,20 @@
+name: IRS DEV Cucumber Integration test execution
+
+on:
+  workflow_dispatch: # Trigger manually
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  trigger-integration-test:
+    uses: ./.github/workflows/xray-cucumber-integration.yaml
+    secrets:
+      keycloakTokenUrl: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_TOKEN_URI }}
+      clientId: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_ID }}
+      clientSecret: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_SECRET }}
+      jiraUser: ${{ secrets.ORG_IRS_JIRA_USERNAME }}
+      jiraPassword: ${{ secrets.ORG_IRS_JIRA_PASSWORD }}
+    with:
+      executionFilter: "not @Ignore and @INTEGRATION_TEST and @DEV"
+      exportFilter: "11349"
diff --git a/.github/workflows/integration-test-INT.yaml b/.github/workflows/integration-test-INT.yaml
@@ -0,0 +1,18 @@
+name: IRS INT Cucumber Integration test execution
+
+on:
+  workflow_dispatch: # Trigger manually
+
+jobs:
+  trigger-integration-test:
+    uses: ./.github/workflows/xray-cucumber-integration.yaml
+    secrets:
+      keycloakTokenUrl: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_TOKEN_URI }}
+      clientId: ${{ secrets.ORG_IRS_OAUTH2_CLIENT_ID_INT }}
+      clientSecret: ${{ secrets.ORG_IRS_OAUTH2_CLIENT_SECRET_INT }}
+      jiraUser: ${{ secrets.ORG_IRS_JIRA_USERNAME }}
+      jiraPassword: ${{ secrets.ORG_IRS_JIRA_PASSWORD }}
+    with:
+      executionFilter: "not @Ignore and @INTEGRATION_TEST and @INT"
+      exportFilter: "11349"
+
diff --git a/.github/workflows/irs-build.yml b/.github/workflows/irs-build.yml
@@ -173,16 +173,3 @@ jobs:
           username: ${{ secrets.DOCKER_HUB_USER }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
           repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
-
-  trigger-trivy-image-scan:
-    if: >-
-      (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) &&
-      github.actor != 'dependabot[bot]'
-    needs:
-      - build_images
-    uses: ./.github/workflows/trivy-image-scan.yml
-    with:
-      image-tag: ${{ needs.build_images.outputs.image_tag }}
-      ref: ${{ github.ref }}
-      sha: ${{ github.sha }}
-
diff --git a/.github/workflows/tavern.yml b/.github/workflows/tavern.yml
@@ -21,11 +21,21 @@ on:
         description: Global Asset ID to use for the asPlanned tests
         default: 'urn:uuid:0733946c-59c6-41ae-9570-cb43a6e4c79e'
         required: true
+      bpn-asPlanned:
+        type: string
+        description: BPN to use for the asPlanned Global Asset ID
+        default: 'BPNL00000003AYRE'
+        required: true
       global-asset-id-asBuild:
         type: string
         description: Global Asset ID to use for the asBuild tests
         default: 'urn:uuid:7940e0cc-7814-41eb-8b04-d984a325deec'
         required: true
+      bpn-asBuild:
+        type: string
+        description: BPN to use for the asBuild Global Asset ID
+        default: 'BPNL00000003AYRE'
+        required: true
       execution-ticket:
         type: string
         description: JIRA execution ticket to safe results in.
@@ -60,7 +70,9 @@ jobs:
           KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_ID }}
           KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_SECRET }}
           GLOBAL_ASSET_ID_AS_PLANNED: ${{ github.event.inputs.global-asset-id-asPlanned || 'urn:uuid:0733946c-59c6-41ae-9570-cb43a6e4c79e' }}
+          BPN_AS_PLANNED: ${{ github.event.inputs.bpn-asPlanned || 'BPNL00000003AYRE' }}
           GLOBAL_ASSET_ID_AS_BUILD: ${{ github.event.inputs.global-asset-id-asBuild || 'urn:uuid:7940e0cc-7814-41eb-8b04-d984a325deec' }}
+          BPN_AS_BUILD: ${{ github.event.inputs.bpn-asBuild || 'BPNL00000003AYRE' }}
         run: |
           python -m pytest local/testing/api-tests/irs-api-tests.tavern.yaml --junitxml=tavern-results.xml
 

diff --git a/.github/workflows/trivy-image-scan.yml b/.github/workflows/trivy-image-scan.yml
@@ -5,19 +5,19 @@ name: "Trivy vulnerability scanner for image"
 
 on:
   workflow_dispatch: # Trigger manually
-    inputs:
-      image-tag:
-        required: false
-        type: string
-  workflow_call: # Trigger by another workflow
-    inputs:
-      image-tag:
-        required: true
-        type: string
-      ref:
-        type: string
-      sha:
-        type: string
+  pull_request:
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - 'charts/**'
+      - 'docs/**'
+      - 'local/**'
+      - 'CHANGELOG.md'
+  push:
+    branches:
+      - main
+    tags:
+      - '**'
   schedule:
     - cron: '0 0 * * *' # Once a day
 
@@ -28,26 +28,22 @@ jobs:
       actions: read
       contents: read
       security-events: write
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      - name: Determine image version
-        id: version
-        run: |
-          # Strip git ref prefix from version
-          VERSION=$(echo "${{ github.head_ref || github.ref }}" | sed -e 's,.*/\(.*\),\1,')
-          # Strip "v" prefix from tag name
-          [[ "${{ github.head_ref || github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
-          # Support PR ref versions
-          [[ "${{ github.ref }}" == "refs/pull/"* ]] && VERSION=PR-$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\)/merge,\1,')
-          # Use Docker `latest` tag convention
-          [ "$VERSION" == "main" ] && VERSION=latest
-          # Use input parameter 'image-tag' if present
-          [[ "${{ github.event.inputs.image-tag }}" != '' ]] && VERSION=$(echo "${{ github.event.inputs.image-tag }}")
-          echo VERSION=$VERSION
-          echo "::set-output name=image_tag::$VERSION"
+      - name: Build image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: true
+          tags: localhost:5000/irs-api:testing
 
       # It's also possible to scan your private registry with Trivy's built-in image scan.
       # All you have to do is set ENV vars.
@@ -59,7 +55,7 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           # Path to Docker image
-          image-ref: "ghcr.io/catenax-ng/irs-api:${{ steps.version.outputs.image_tag }} "
+          image-ref: "localhost:5000/irs-api:testing"
           format: "sarif"
           output: "trivy-results2.sarif"
           exit-code: "1"

diff --git a/.github/workflows/xray-cucumber-integration.yaml b/.github/workflows/xray-cucumber-integration.yaml
@@ -1,10 +1,25 @@
 name: IRS Cucumber Integration test Xray execution
 
 on:
-  workflow_dispatch: # Trigger manually
-  push:
-    branches:
-      - 'main'
+  workflow_call: # Trigger by another workflow
+    secrets:
+      keycloakTokenUrl:
+        required: true
+      clientId:
+        required: true
+      clientSecret:
+        required: true
+      jiraUser:
+        required: true
+      jiraPassword:
+        required: true
+    inputs:
+      executionFilter:
+        required: true
+        type: string
+      exportFilter:
+        required: true
+        type: string
 
 jobs:
   build:
@@ -29,32 +44,32 @@ jobs:
       - name: Download Feature Files
         id: download
         env:
-          JIRA_USERNAME: ${{ secrets.ORG_IRS_JIRA_USERNAME }}
-          JIRA_PASSWORD: ${{ secrets.ORG_IRS_JIRA_PASSWORD }}
+          JIRA_USERNAME: ${{ secrets.jiraUser }}
+          JIRA_PASSWORD: ${{ secrets.jiraPassword }}
+          EXPORT_FILTER: ${{ inputs.exportFilter }}
           # JIRA filter 11349: project = TRI AND type = Test AND "Test Type" = Cucumber
           # Downloads all feature files of cucumber tests inside TRI project
         run: |
-          export HTTP_RESULT=$(curl -s --show-error -w "%{http_code}" -u $JIRA_USERNAME:$JIRA_PASSWORD "https://jira.catena-x.net/rest/raven/1.0/export/test?filter=11349&fz=true" -o features.zip)
+          export HTTP_RESULT=$(curl -s --show-error -w "%{http_code}" -u $JIRA_USERNAME:$JIRA_PASSWORD "https://jira.catena-x.net/rest/raven/1.0/export/test?filter=$EXPORT_FILTER&fz=true" -o features.zip)
           [[ $HTTP_RESULT == 200 || $HTTP_RESULT == 400 ]]
           echo "::set-output name=http_response::$HTTP_RESULT"
 
       - name: Build with Maven
         if: ${{ steps.download.outputs.http_response == '200' }}
         env:
-          KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_TOKEN_URI }}
-          KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_ID }}
-          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_SECRET }}
-          IRS_INT: https://irs.int.demo.catena-x.net
-          IRS_DEV: https://irs.dev.demo.catena-x.net
+          KEYCLOAK_HOST: ${{ secrets.keycloakTokenUrl }}
+          KEYCLOAK_CLIENT_ID: ${{ secrets.clientId }}
+          KEYCLOAK_CLIENT_SECRET: ${{ secrets.clientSecret }}
+          ISSUE_FILTER: ${{ inputs.executionFilter }}
         run: |
           unzip -o features.zip -d irs-cucumber-tests/src/test/resources/features
-          mvn --batch-mode clean install -pl irs-cucumber-tests,irs-models -D"cucumber.filter.tags"="not @Ignore and @INTEGRATION_TEST"
+          mvn --batch-mode clean install -pl irs-cucumber-tests,irs-models -D"cucumber.filter.tags"="$ISSUE_FILTER"
 
       - name: Submit results to Xray
         if: ${{ always() && steps.download.outputs.http_response == '200' }}
         env:
-          JIRA_USERNAME: ${{ secrets.ORG_IRS_JIRA_USERNAME }}
-          JIRA_PASSWORD: ${{ secrets.ORG_IRS_JIRA_PASSWORD }}
+          JIRA_USERNAME: ${{ secrets.jiraUser }}
+          JIRA_PASSWORD: ${{ secrets.jiraPassword }}
         run: |
           curl --request POST \
           -u $JIRA_USERNAME:$JIRA_PASSWORD \

diff --git a/.github/workflows/xray-cucumber.yaml b/.github/workflows/xray-cucumber.yaml
@@ -1,4 +1,4 @@
-name: IRS Cucumber Xray execution
+name: IRS Cucumber test execution
 
 on:
   workflow_dispatch: # Trigger manually
@@ -8,6 +8,12 @@ on:
     paths-ignore:
       - '**/*.md'
       - '**/*.txt'
+      - 'charts/**'
+      - '.config/**'
+      - 'docs/**'
+      - 'local/**'
+      - 'README.md'
+      - 'CHANGELOG.md'
   pull_request:
     branches:
       - main
@@ -22,61 +28,14 @@ on:
       - 'CHANGELOG.md'
 
 jobs:
-  build:
-    # This job does not need to run unless we can access the credentials
-    if: >-
-      (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) &&
-      github.actor != 'dependabot[bot]'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Set up JDK 17
-        uses: actions/setup-java@v3
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-
-      - name: Cache maven packages
-        uses: actions/cache@v3
-        with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2
-
-      - name: Download Feature Files
-        id: download
-        env:
-          JIRA_USERNAME: ${{ secrets.ORG_IRS_JIRA_USERNAME }}
-          JIRA_PASSWORD: ${{ secrets.ORG_IRS_JIRA_PASSWORD }}
-        # JIRA filter 11349: project = TRI AND type = Test AND "Test Type" = Cucumber
-        # Downloads all feature files of cucumber tests inside TRI project
-        run: |
-          export HTTP_RESULT=$(curl -s --show-error -w "%{http_code}" -u $JIRA_USERNAME:$JIRA_PASSWORD "https://jira.catena-x.net/rest/raven/1.0/export/test?filter=11349&fz=true" -o features.zip)
-          [[ $HTTP_RESULT == 200 || $HTTP_RESULT == 400 ]]
-          echo "::set-output name=http_response::$HTTP_RESULT"
-
-      - name: Build with Maven
-        if: ${{ steps.download.outputs.http_response == '200' }}
-        env:
-          KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_TOKEN_URI }}
-          KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_ID }}
-          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_SECRET }}
-          IRS_INT: https://irs.int.demo.catena-x.net
-          IRS_DEV: https://irs.dev.demo.catena-x.net
-        run: |
-          unzip -o features.zip -d irs-cucumber-tests/src/test/resources/features
-          mvn --batch-mode clean install -pl irs-cucumber-tests,irs-models -D"cucumber.filter.tags"="not @Ignore and not @INTEGRATION_TEST"
-
-      - name: Submit results to Xray
-        if: ${{ always() && steps.download.outputs.http_response == '200' }}
-        env:
-          JIRA_USERNAME: ${{ secrets.ORG_IRS_JIRA_USERNAME }}
-          JIRA_PASSWORD: ${{ secrets.ORG_IRS_JIRA_PASSWORD }}
-        run: |
-          curl --request POST \
-          -u $JIRA_USERNAME:$JIRA_PASSWORD \
-          --header 'Content-Type: application/json' \
-          --data-binary '@irs-cucumber-tests/report.json' \
-          "https://jira.catena-x.net/rest/raven/1.0/import/execution/cucumber"
+  trigger-integration-test:
+    uses: ./.github/workflows/xray-cucumber-integration.yaml
+    secrets:
+      keycloakTokenUrl: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_TOKEN_URI }}
+      clientId: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_ID }}
+      clientSecret: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_SECRET }}
+      jiraUser: ${{ secrets.ORG_IRS_JIRA_USERNAME }}
+      jiraPassword: ${{ secrets.ORG_IRS_JIRA_PASSWORD }}
+    with:
+      executionFilter: "not @Ignore and not @INTEGRATION_TEST"
+      exportFilter: "11349"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.2.1] - 2023-07-19
+### Fixed
+- EDC Policies now get validated regardless of the type of constraint.
+- EDC Policies of type `FrameworkAgreement` are now validated correctly.
+- Fixed error in BPN handling for IRS Batch requests
+
 ## [3.2.0] - 2023-07-14
 ### Changed
 - The client code for accessing the Digital Twin Registry (central and decentral) is now available as a spring boot maven library. See the README in the irs-registry-client module for more information.
@@ -14,9 +20,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - IRS now supports the AAS API 3.0 and its updated models. **Note**: this also reflects in the Job response shells, please check the new schema.
 
 ### Known knowns
-- PLACEHOLDER REMOVE IF EMPTY: risks that were introduced or discovered in the release and are known but not resolved
-
-## [3.1.0] - 2023-06-28
+- [TRI-1460] ESS Notifications endpoints are not working in the decentral Digital Twin Registry scenario because endpoints does not provide bpn as a parameter. 
+- [TRI-1096] No limiting of requests in parallel - IRS allows sending API requests unlimited
+- [TRI-1100] Potential denial-of-service (DoS) attack - IRS allows to enter a large number of characters, which are reflected in the response of the server
+- [TRI-1098] Software related information disclosure - IRS returns redundant information about the type and version of used software
+- [TRI-793] Misconfigured Access-Control-Allow- Origin Header - by intercepting network traffic it could be possible to read and modify any messages that are exchanged with server
+- [TRI-1095] HTTP security headers configuration could be improved and allow for additional protection against some web application attacks
+- [TRI-1441] Synchronous communication with shared C-X services without circuit breaker pattern - potentially could affect IRS resilience when other services becomes non-responsive.
+- [TRI-1441] Cascading effects of failure when Digital Twin Registry becomes non-responsive - potentially bulkhead pattern could improve IRS resilience
+- [TRI-1477] Retry mechanism used inside IRS could potentially affect IRS resilience - DDOS other services on which IRS is dependent, exhaustion of resources and available threads, etc.
+- [TRI-1478] Lack of resources management - thread pooling, heap limitation etc.
+- [TRI-1024] IRS does not support scale out on multiple instances
+
+## [3.1.0] - 2023-07-07
 ### Changed
 - Removed catalog cache
 - Changed EDC catalog retrieval from pagination to filter
@@ -266,7 +282,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Unresolved
 - **Select Aspects you need**  You are able to select the needed aspects for which you want to collect the correct endpoint information.
 
-[Unreleased]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.2.0...HEAD
+[Unreleased]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.2.1...HEAD
+[3.2.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.2.0...3.2.1
 [3.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.1.0...3.2.0
 [3.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.0.1...3.1.0
 [3.0.1]: https://github.com/eclipse-tractusx/item-relationship-service/compare/3.0.0...3.0.1