Merge pull request #592 from catenax-ng/main

Security related adjustments

.github/workflows/.trivyignore

@@ -1,2 +1,5 @@
 # ref https://github.com/catenax-ng/product-traceability-foss-backend/security/code-scanning/1419
 CVE-2022-25857
+# ref https://github.com/catenax-ng/tx-traceability-foss/security/code-scanning/6879
+# this is acceptable due to custom environment variable injection script which is executed upon FE container startup
+AVD-KSV-0014

.github/workflows/helm-chart-release.yaml

@@ -81,6 +81,8 @@ jobs:
 
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@v1.6.0
+        with:
+          mark_as_latest: false
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "${{ env.RELEASE_VERSION }}"

CHANGELOG.md

@@ -8,8 +8,15 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [UNRELEASED - DD.MM.YYYY]
 
 ### Added
-
+- Added AVD-KSV-0014 to trivy ignore
+- Added tooltips on functionalities that are unauthorized or unavailable
+-
 ### Changed
+- Updated Irs Library from 1.4.1-SNAPSHOT to 1.5.1-SNAPSHOT
+- Changed some java implementations according to security findings ( business logic unchanged )
+- Adjusted sync logic to create jobs only for related BomLifecycles
+- Spring core updated from 6.0.14 to 6.0.16
+- Springboot updated from 3.1.6 to 3.1.7
 
 ### Removed
 
@@ -33,6 +40,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - Added GET /policies endpoint to retrieve accepted policies
 - Added POST assets/publish endpoint to publish transient assets
 
+
 ### Changed
 - Fixed security findings
 - Rework GET alerts and investigations endpoint to POST to send a request body

DEPENDENCIES_FRONTEND

@@ -577,7 +577,7 @@ npm/npmjs/-/json-stable-stringify-without-jsonify/1.0.1, MIT, approved, clearlyd
 npm/npmjs/-/json-stringify-safe/5.0.1, ISC, approved, clearlydefined
 npm/npmjs/-/json5/1.0.2, MIT, approved, CQ22351
 npm/npmjs/-/json5/2.2.3, MIT, approved, #2126
-npm/npmjs/-/jsonc-parser/3.2.0, MIT, approved, clearlydefined
+npm/npmjs/-/jsonc-parser/3.2.0, MIT, approved, #12891
 npm/npmjs/-/jsonfile/4.0.0, MIT, approved, clearlydefined
 npm/npmjs/-/jsonfile/6.1.0, MIT, approved, clearlydefined
 npm/npmjs/-/jsonparse/1.3.1, MIT, approved, clearlydefined

docs/RELEASE.md

@@ -11,24 +11,23 @@ Make sure eclipse / catena git repositories are in sync
 2) Create and Checkout release branch on catena /release/1.0.0
 4) Edit changelog: Align the new version (1.0.0) with the changes and add new UNRELEASED section
 5) Edit /charts/traceability-foss/CHANGELOG.md
-- Add an Entry for an incremented (patch) version (1.0.0 -> 1.0.1)
-5) Push onto /release/1.0.0 catena and eclipse
-6) Open Release App Page Catena: https://github.com/catenax-ng/tx-traceability-foss/releases
-7) Draft a new release
-8) On dropdown choose a tag - use the version 1.0.0 (Create new tag will appear - select it)
-9) On dropdown target use your /release/1.0.0
-10) Title = Version of app -> 1.0.0
-11) Description = Changelog Content of app
-12) Checkbox set as latest release
-- Verify that github action release generation has been triggered
-- Verify that an automatic pull request has been opened (Prepare Helm release for next version)
-- Validate that the versions within that pull requests are correct
-- Merge pull request
-- Open the github action for helm release generation: https://github.com/catenax-ng/tx-traceability-foss/actions/workflows/helm-chart-release.yaml
-- Execute it from main branch
-- Validate that the helm charts release has been generated within the release page
-- Edit the app release and set checkbox to latest release
-13) Repeat step 7 to 12 for tractus-x: [GitHub Releases page](https://github.com/eclipse-tractusx/traceability-foss/releases)
-14) Merge release branch into catena main branch
-15) Sync catena and eclipse main branch
+6) Add an Entry for an incremented (patch) version (1.0.0 -> 1.0.1)
+7) Push onto /release/1.0.0 catena and eclipse
+8) Open Release App Page Catena: https://github.com/catenax-ng/tx-traceability-foss/releases
+9) Draft a new release
+10) On dropdown choose a tag - use the version 1.0.0 (Create new tag will appear - select it)
+11) On dropdown target use your /release/1.0.0
+12) Title = Version of app -> 1.0.0
+13) Description = Changelog Content of app
+14) Checkbox set as latest release
+15) Verify that github action [Release](https://github.com/catenax-ng/tx-traceability-foss/actions/workflows/release.yaml) generation has been triggered
+16) Verify that an automatic pull request has been opened (Prepare Helm release for next version)
+17) Validate that the versions within that pull requests are correct
+18) Merge pull request (Prepare Helm release for next version)
+19) Merge release branch into main
+20) Open the github action for helm release generation: https://github.com/catenax-ng/tx-traceability-foss/actions/workflows/helm-chart-release.yaml
+21) Execute it from main branch
+22) Validate that the helm charts release has been generated within the release page
+23) Repeat step 8 to 23 for tractus-x: [GitHub Releases page](https://github.com/eclipse-tractusx/traceability-foss/releases)
+24) Sync catena and eclipse main branch
 

docs/src/docs/administration/configuration.adoc

@@ -2,8 +2,8 @@
 = Configuration
 
 :toc:
-
 include::frontend-configuration.adoc[leveloffset=+1]
 include::backend-configuration.adoc[leveloffset=+1]
+include::portal-configuration.adoc[leveloffset=+1]
 
 

docs/src/docs/administration/portal-configuration.adoc

@@ -0,0 +1,46 @@
+[#_portal_configuration]
+= Portal Configuration
+//:allow-uri-read:
+:icons: font
+:icon-set: fas
+
+The following process is required to successfully connect to the portal:
+
+== Company Registration
+https://portal.int.demo.catena-x.net/documentation[How To]
+
+=== Additional info
+Each instance of trace-x reflects an own company, which is associated with one BPN.
+
+== User Registration
+https://portal.int.demo.catena-x.net/documentation/[How To]
+
+=== Additional info
+The user registration is a self service. Each user can have one or multiple trace-x roles assigned.
+
+== Connector Registration
+https://portal.int.demo.catena-x.net/documentation/[How To]
+
+=== Additional info
+A connector in the context of trace-x is a Eclipse-Dataspace-Connector. This connector needs to be configured by the public controlplane url.
+
+== App Registration
+https://portal.int.demo.catena-x.net/documentation/[How To]
+
+=== Additional info
+A connector in the context of trace-x is a Eclipse-Dataspace-Connector. This connector needs to be configured by the public controlplane url.
+
+== Create App Subscription
+https://portal.int.demo.catena-x.net/documentation/[How To]
+
+=== Additional info
+An app subscription is necessary to be able to setup a frontend url which will be authorized through keycloak and accessible with the portal.
+
+== Activate App Subscription
+https://portal.int.demo.catena-x.net/documentation/[How To]
+
+=== Additional info
+The app subscription needs to be activated from all instances which want to participate in the trace-x use case.
+
+== Retrieve Wallet Configuration
+https://portal.int.demo.catena-x.net/documentation/[How To]

docs/src/docs/concepts/#534-policies/policy-handling-tracex.puml

@@ -0,0 +1,65 @@
+@startuml
+skinparam monochrome true
+skinparam shadowing false
+skinparam defaultFontName "Architects daughter"
+title Sequence Diagram: TraceX Interaction with IRS on startup
+participant "TraceXConfig" as Config
+participant "TraceX" as TraceX
+participant "IRS " as IRS
+
+Config -> TraceX : ID 3.0 Trace
+TraceX -> IRS : Get Policies
+IRS -> TraceX: Return policies (Default Policies from IRS (C1: Membership, C2: Framework, C3: ID3.0)
+TraceX -> IRS : Create(not exists) or update(exists)
+
+@enduml
+
+
+@startuml
+skinparam monochrome true
+skinparam shadowing false
+skinparam defaultFontName "Architects daughter"
+
+title Sequence Diagram: TraceX Interaction with EDC on startup (As is)
+participant "TraceXConfig" as Config
+participant "TraceX" as TraceX
+participant "EDC " as EDC
+Config -> TraceX : ID 3.0 Trace
+TraceX -> EDC : Create notification asset, policy, definition
+@enduml
+
+@startuml
+skinparam monochrome true
+skinparam shadowing false
+skinparam defaultFontName "Architects daughter"
+
+title Sequence Diagram: TraceX Interaction with EDC on startup (To be)
+participant "IRS" as IRS
+participant "TraceX" as TraceX
+participant "EDC " as EDC
+TraceX -> IRS: Get Policies
+IRS -> TraceX : return policy(c1,c2,c3,c4)
+TraceX -> EDC : Create notification asset, policy, definition
+@enduml
+
+@startuml
+skinparam monochrome true
+skinparam shadowing false
+skinparam defaultFontName "Architects daughter"
+
+title Sequence Diagram: Sending notifications
+participant "TraceX" as TraceX
+participant "TraceXIRSLib" as TraceXIRSLib
+participant "IRS " as IRS
+participant "EDC " as EDC
+
+TraceX -> TraceX: ...
+TraceX -> EDC: Get catalog
+EDC -> TraceX: -> Return catalog
+TraceX -> TraceX: Filter for notification type (alert / investigation) / method(update, receive)
+TraceX -> TraceXIRSLib: Validate if catalog policy matches the configured policies in IRS Lib (3 Default Policies)
+TraceXIRSLib -> TraceX: Valid
+TraceX -> EDC: Send out notification
+@enduml
+
+

frontend/src/app/modules/page/other-parts/presentation/customer-parts/customer-parts.component.html

@@ -38,6 +38,7 @@
       [tableHeader]='"page.asBuiltParts" | i18n'
       (filterActivated)="filterActivated(true, $event )"
       [tableType]="TableType.AS_BUILT_CUSTOMER"
+      [mainAspectType]="bomLifecycle"
     ></app-parts-table>
   </ng-template>
 </div>
@@ -64,6 +65,7 @@
       [multiSortList]="tableCustomerAsPlannedSortList"
       (filterActivated)="filterActivated(false, $event )"
       [tableType]="TableType.AS_PLANNED_CUSTOMER"
+      [mainAspectType]="bomLifecycle"
     ></app-parts-table>
   </ng-template>
 </div>

frontend/src/app/modules/page/other-parts/presentation/other-parts.component.html

@@ -87,10 +87,18 @@
             [bomLifecycle]="MainAspectType.AS_PLANNED"
           ></app-supplier-parts>
         </mat-tab>
-
-        <mat-tab>
+        <mat-tab disabled>
           <ng-template mat-tab-label>
+            <div class="table--header--select--button"
+                 matTooltip="{{'routing.noCustomerAsPlannedParts' | i18n}}"
+                 matTooltipClass="table--header--tooltip"
+                 matTooltipPosition="above"
+                 [class.mdc-tooltip--multiline]="true"
+                 [matTooltipShowDelay]="1000"
+                 [style.cursor]="'not-allowed'"
+            >
             <span [id]="customerTabLabelId">{{ 'pageOtherParts.tab.customer' | i18n }} </span>
+            </div>
           </ng-template>
           <app-customer-parts
             [bomLifecycle]="MainAspectType.AS_PLANNED"

frontend/src/app/modules/page/other-parts/presentation/supplier-parts/supplier-parts.component.html

@@ -45,6 +45,7 @@
                      [multiSortList]="tableSupplierAsBuiltSortList"
                      (filterActivated)="filterActivated(true, $event )"
                      [tableType]="TableType.AS_BUILT_SUPPLIER"
+                     [mainAspectType]="bomLifecycle"
     ></app-parts-table>
   </ng-template>
 </div>
@@ -75,6 +76,7 @@
                      [multiSortList]="tableSupplierAsPlannedSortList"
                      (filterActivated)="filterActivated(false, $event )"
                      [tableType]="TableType.AS_PLANNED_SUPPLIER"
+                     [mainAspectType]="bomLifecycle"
     ></app-parts-table>
   </ng-template>
 </div>

frontend/src/app/modules/page/parts/presentation/parts.component.html

@@ -54,7 +54,7 @@
               (click)="isPublisherOpen$.next(true)"
               [variant]="'raised'"
               [color]="'accent'"
-              [isDisabled]="!roleService.hasAccess(['wip'])"
+              [isDisabled]="!roleService.hasAccess(['admin'])"
       >
         <div class="flex justify-between items-center text-dark p-0.5">
           <mat-icon class="mr-2">published_with_changes</mat-icon>
@@ -89,6 +89,7 @@
                              [multiSortList]="tableAsBuiltSortList"
                              [tableHeader]='"page.asBuiltParts" | i18n'
                              [tableType]="TableType.AS_BUILT_OWN"
+                             [mainAspectType]="MainAspectType.AS_BUILT"
             ></app-parts-table>
           </ng-template>
         </div>
@@ -115,6 +116,7 @@
                              [multiSortList]="tableAsPlannedSortList"
                              [tableHeader]='"page.asPlannedParts" | i18n'
                              [tableType]="TableType.AS_PLANNED_OWN"
+                             [mainAspectType]="MainAspectType.AS_PLANNED"
             ></app-parts-table>
 
           </ng-template>

frontend/src/app/modules/shared/components/parts-table/parts-table.component.html

@@ -29,19 +29,19 @@
       <p
         class="regular-text table&#45;&#45;selected&#45;&#45;label">{{ selectedPartsInfoLabel | i18n : {count: selection?.selected?.length || 0} }}</p>
       <div class="table--header--select--button"
-           matTooltip="{{'routing.unauthorized' | i18n}}"
+           matTooltip="{{mainAspectType === MainAspectType.AS_PLANNED ? 'routing.notAllowedForAsPlanned' : 'routing.unauthorized' | i18n}}"
            matTooltipClass="table--header--tooltip"
            matTooltipPosition="above"
            [class.mdc-tooltip--multiline]="true"
            [matTooltipShowDelay]="1000"
-           [matTooltipDisabled]="roleService.hasAccess(['user','supervisor'])"
+           [matTooltipDisabled]="roleService.hasAccess(['user','supervisor']) && mainAspectType === MainAspectType.AS_BUILT"
       >
         <app-button
-          *ngIf="selection?.selected?.length && (tableType !== TableType.AS_PLANNED_CUSTOMER && tableType !== TableType.AS_BUILT_CUSTOMER)"
+          *ngIf="selection?.selected?.length"
           (click)="clickSelectAction.emit()"
           [variant]="'raised'"
           [color]="'accent'"
-          [isDisabled]="!roleService.hasAccess(['user','supervisor'])"
+          [isDisabled]="!roleService.hasAccess(['user','supervisor']) || mainAspectType === MainAspectType.AS_PLANNED"
         >
           <div class="flex justify-between items-center text-dark p-0.5">
             <mat-icon class="mr-2">announcement</mat-icon>