Merge pull request #83 from catenax-ng/securityfix

fix: fixed security issues

.github/workflows/kics.yml

@@ -18,7 +18,6 @@
 #* SPDX-License-Identifier: Apache-2.0
 #********************************************************************************
 
-
 name: "KICS"
 
 on:

.github/workflows/trivy.yml

@@ -1,23 +1,22 @@
-#*******************************************************************************
-#* Copyright (c) 2022, 2023 T-Systems International GmbH
-#* Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
-#*
-#* See the NOTICE file(s) distributed with this work for additional
-#* information regarding copyright ownership.
-#*
-#* This program and the accompanying materials are made available under the
-#* terms of the Apache License, Version 2.0 which is available at
-#* https://www.apache.org/licenses/LICENSE-2.0.
-#*
-#* Unless required by applicable law or agreed to in writing, software
-#* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#* License for the specific language governing permissions and limitations
-#* under the License.
-#*
-#* SPDX-License-Identifier: Apache-2.0
-#********************************************************************************
----
+#################################################################################
+# Copyright (c) 2022,2023 T-Systems International GmbH
+# Copyright (c) 2022,2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+################################################################################
 
 name: "Trivy"
 on:
@@ -39,50 +38,17 @@ jobs:
       security-events: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: "config"
-          exit-code: "1"
-          hide-progress: false
-          format: "sarif"
-          output: "trivy-results1.sarif"
-          severity: "CRITICAL,HIGH"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        if: always()
-        with:
-          sarif_file: "trivy-results1.sarif"
-
-  analyze-product-autosetup-backend:
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
+
       - name: Run Trivy vulnerability scanner
-        if: always()
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.12.0
         with:
           # Path to Docker image
           image-ref: "tractusx/managed-service-orchestrator:latest"
           format: "sarif"
           output: "trivy-results.sarif"
-          exit-code: "1"
-          severity: "CRITICAL,HIGH"
+          vuln-type: "os,library"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        if: always()
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: "trivy-results.sarif"
-

CHANGELOG.md

@@ -5,11 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
- - The customer already gets an email from Portal and the third-Party-provider after the successful deployment that the SDE-Service is ready to use. If the connector End2End test is unsuccessful (this might be based on the cloud communication issue), the customer will be informed about the failing connectivity. This behavior might need to be clarified for the customer. We will change this behavior in the next release.
+
 
-## [1.5.1] - 2023-10-16
+## [1.5.1] - 2023-11-16
 ### Changed
  - Update DT asset creation for oauth secret information
+ - Updated trivy workflow
+ - Changed the base image for security issue
 
 ## [1.5.0] - 2023-09-04
 

Dockerfile

@@ -33,7 +33,7 @@ COPY ./src ./src
 # build for release
 RUN mvn clean install -Dmaven.test.skip=true 
 
-FROM eclipse-temurin:17-jdk-alpine
+FROM eclipse-temurin:17.0.8.1_1-jdk
 
 ENV USER=autosetupuser
 ENV UID=1000

charts/orchestrator/README.md

@@ -1,6 +1,6 @@
 # managed-service-orchestrator
 
-![Version: 1.5.0](https://img.shields.io/badge/Version-1.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square)
+![Version: 1.5.1](https://img.shields.io/badge/Version-1.5.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square)
 
 This service will help service provider to set up DFT/SDE with EDC and EDC as service in service provider environment.
 
@@ -27,10 +27,10 @@ This service will help service provider to set up DFT/SDE with EDC and EDC as se
 | image.repository | string | `"tractusx/managed-service-orchestrator"` | Image to use for deploying an application |
 | image.tag | string | `""` | Image tage is defined in chart appVersion |
 | imagePullSecrets | list | `[]` |  |
-| ingress.annotations | object | `{"cert-manager.io/cluster-issuer":"letsencrypt-prod","nginx.ingress.kubernetes.io/affinity":"cookie","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/session-cookie-max-age":"172800"}` | Annotations to add to the ingress |
+| ingress.annotations | object | `{}` | Annotations to add to the ingress |
 | ingress.className | string | `"nginx"` | a reference to an Ingress Class resource that contains additional configuration including the name of the controller that should implement the class |
 | ingress.enabled | bool | `false` | If you want to enable or disable the ingress |
-| ingress.host | string | `""` |  |
+| ingress.host | string | `""` | Host of the application on which application runs |
 | livenessProbe.failureThreshold | int | `3` |  |
 | livenessProbe.initialDelaySeconds | int | `60` |  |
 | livenessProbe.periodSeconds | int | `10` |  |
@@ -40,11 +40,11 @@ This service will help service provider to set up DFT/SDE with EDC and EDC as se
 | podAnnotations | object | `{}` |  |
 | podSecurityContext.fsGroup | int | `2000` |  |
 | portContainer | int | `9999` |  |
-| postgresql.auth.database | string | `"orchdb"` |  |
-| postgresql.auth.existingSecret | string | `"managed-service-orchestrator-int-secret"` |  |
-| postgresql.auth.secretKeys.adminPasswordKey | string | `"postgres-password"` |  |
-| postgresql.auth.secretKeys.userPasswordKey | string | `"password"` |  |
-| postgresql.auth.username | string | `"orchdbuser"` |  |
+| postgresql.auth.database | string | `""` |  |
+| postgresql.auth.existingSecret | string | `""` |  |
+| postgresql.auth.secretKeys.adminPasswordKey | string | `""` |  |
+| postgresql.auth.secretKeys.userPasswordKey | string | `""` |  |
+| postgresql.auth.username | string | `""` |  |
 | postgresql.enabled | bool | `true` | Enable the dependency postgres database |
 | postgresql.metrics.containerSecurityContext.enabled | bool | `false` |  |
 | probe.endpoint | string | `"/api/healthz"` |  |
@@ -58,7 +58,7 @@ This service will help service provider to set up DFT/SDE with EDC and EDC as se
 | resources.limits.memory | string | `"2Gi"` | set a maximum amount of allows memory utilization by specifying a limit on the container. |
 | resources.requests.cpu | string | `"400m"` | sets the minimum amount of CPU required for the container |
 | resources.requests.memory | string | `"2Gi"` | set a minimum amount of allows memory utilization by specifying a limit on the container. |
-| secretRef | string | `"managed-service-orchestrator-int-secret"` |  |
+| secretRef | string | `""` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` | Controls whether a process can gain more privilege |
 | securityContext.runAsNonRoot | bool | `true` |  |
 | securityContext.runAsUser | int | `1000` |  |
@@ -71,4 +71,4 @@ This service will help service provider to set up DFT/SDE with EDC and EDC as se
 | tolerations | list | `[]` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)