R23.04 BPDM Country Risk - Release Checks #497

Closed
20 tasks done
kelaja opened this issue Jan 30, 2024 · 28 comments
Labels
compliance RM compliance country risk Feature/Bug for BPDM Country Risk component documentation RM documentation

Comments

@kelaja
Contributor

kelaja commented Jan 30, 2024

Release Info

Please provide information on what you want to be included in the Eclipse Tractus-X release.
If you are not the owner of this issue, please provide the information as a comment to the issue.

Version to be included in Eclipse Tractus-X release: Chart Version: 3.0.9 App Version: 1.3.0

Leading product repository: vas-country-risk

Compliance Verifications

This issue tracks all compliance-related checks that need to be performed for a product release in Eclipse Tractus-X.

  • Gaia-X compliance confirmed
  • GDPR compliance confirmed (personal data, data protection + privacy DPP)
  • Interoperability checks performed
  • Data Sovereignty checks performed
  • Compliant with relevant published CX Standards (see the Catena-X standard library)

Documentation

  • Arc24 documentation up-to-date
  • Administrators Guide up-to-date
  • End-User manual up-to-date
  • Interface documentation up-to-date

Security Checks

  • Threat Modelling Analysis passed
  • Static Application Security Testing (SAST) scans passed
  • Dynamic Application Security Testing (DAST) tests passed
  • Secret Scans passed
  • Software Composition Analysis (SCA) passed
  • Container Scans passed
  • Infrastructure as Code (IaC) scans passed

General Checks

Test Results

  • E2E Integration Test passed
  • User Journey approved

Helpful Links

@kelaja kelaja added country risk Feature/Bug for BPDM Country Risk component documentation RM documentation compliance RM compliance labels Jan 30, 2024
@kelaja kelaja added this to the 24.03 milestone Jan 30, 2024
@kelaja kelaja self-assigned this Jan 30, 2024
@fabiodmota

After some emails exchanged with @jjeroch and Werner Jost, the responsible, it was concluded that our product already has its app registered in the marketplace and, being a VAS, does not require any extra action for the Gaia-X compliance confirmed point.

@BANANAS1337

SAST and SCA approved

@BANANAS1337

Secret Scanning approved

@vialkoje

vialkoje commented Feb 8, 2024

Documentation existing and looking consistent - Data sovereignty requirements unchanged for 24.03 - Expert Assessment passed.

Please consider the Data Sovereignty Criteria for 24.05 -> https://confluence.catena-x.net/x/NTeJBg

@vialkoje vialkoje removed their assignment Feb 8, 2024
@RoKrish14

Trivy: Container Scans: Approved
KICS: Infrastructure as Code (IaC): Approved

@leonschand

E2E test completed successfully. Please approve @phirabu

@jjeroch

jjeroch commented Feb 13, 2024

Findings:

High - check needed

  • I can access the country-risk app with a user which does not have any app roles assigned


Medium - not blocking

  • no info why I can only update own ratings, not company ratings
image

Medium - not blocking

  • instead of showing in page success, please use snackbar (top right) option. You can find it as a shared-component element
image

Medium - not blocking

  • same as above applies for "Save ratings" as well - please check if you used it anywhere else and fix it for all

Medium - not blocking

  • export to csv seems to not work
image

Medium - not blocking

  • table arrangement not useful - Rating has an unneeded width; same for country (where you could use Alpha2Code) - where actually fields such as company name and rating company are not displayed and even on hover the text is not getting displayed
image

@leonschand

@kelaja As there were no significant changes which relate to GDPR, we can take the declaration from R.3.1. See Jira Ticket https://jira.catena-x.net/browse/CXRM-1025

@szymonkowalczykzf

Security Assessment Process (Threat Modeling Analysis) approved.

Re-assessment was done on Wednesday 31st Jan 2024. No open critical & high findings remain.
Documentation of the assessment is available under vas_country_risk -> docs -> threat_model

@rybtim

rybtim commented Feb 14, 2024

We hereby confirm that we considered (as good as possible) all relevant CX-Standards as well as that we reviewed the content of upcoming STAN Request as good as possible @kelaja

@ThomasObermeyer

From a pure Interoperability perspective, this VAS service does not need to be interoperable, since it is a value add-on provided based on BPDM data provided by the operating company. There is no true interoperability requirement between compatible app providers at this point in time.

However, Catena-X architecture framework components (EDC and OAuth) mechanisms have been applied, so there is no objection from an Enterprise Architecture perspective.

Approved!

@alexKeppler

@kelaja: User Journey approved

@fabiodmota

Findings:

High - check needed

  • I can access the country-risk app with a user which does not have any app roles assigned

Medium - not blocking

  • no info why I can only update own ratings, not company ratings
image

Medium - not blocking

  • instead of showing in page success, please use snackbar (top right) option. You can find it as a shared-component element
image

Medium - not blocking

  • same as above applies for "Save ratings" as well - please check if you used it anywhere else and fix it for all

Medium - not blocking

  • export to csv seems to not work
image

Medium - not blocking

  • table arrangement not useful - Rating has an unneeded width; same for country (where you could use Alpha2Code) - where actually fields such as company name and rating company are not displayed and even on hover the text is not getting displayed
image

Hi @jjeroch

So I created an issue for the High Findings and one for the Medium findings.

For the High Findings a Pull Request is already created with the solution eclipse-tractusx/vas-country-risk#87. Everything can be checked on the country risk URL https://country-risk-dashboard.int.demo.catena-x.net/

@FaGru3n
Contributor

FaGru3n commented Feb 19, 2024

Version to be included in Eclipse Tractus-X release: version placeholder

Hi all,

generated eclipse-tractusx/vas-country-risk#88 for QG-Checks

which version should be checked?

@FaGru3n FaGru3n self-assigned this Feb 19, 2024
@RolaH1t

RolaH1t commented Feb 19, 2024

Interim Status for Q check on 19.Feb.2024:
OPEN
-TRGs
-StyleGuide
-E2E Tests
-DataSOV

APPROVED
-GAIA-X
-GDPR
-CX Standards
-InterOP (partially not applicable for VAS)
-ARC42
-Admin & User-Guide
-Interface Docu
-Threat Model
-SAST
-DAST
-SCA
-Secrets
-Container Scans
-IaC
-User Journey

@fabiodmota

fabiodmota commented Feb 19, 2024

Version to be included in Eclipse Tractus-X release: version placeholder

Hi all,

generated eclipse-tractusx/vas-country-risk#88 for QG-Checks

which version should be checked?

The current version of the charts is 3.0.9, but once we have the fix accepted by @jjeroch (commented above, #497 (comment)) I will release a new version.

So the latest is https://github.com/eclipse-tractusx/vas-country-risk/releases/tag/country-risk-3.0.9 , can you check this one and after we can connect if something is missing?

Should we also have a TRG issue for our backend? https://github.com/eclipse-tractusx/vas-country-risk-backend (no charts on this one)

@DirkBTSI

INT test performed/documented.
E2E test performed/documented.
No high defect.
TM approved
@kelaja : please approve for "E2E Integration Test passed"

@RolaH1t

RolaH1t commented Feb 19, 2024

CountryRisk team will provide latest code version to address high finding wrt StyleGuide.
Afterwards TRG checks will be finalized and SEC scans have to be repeated.
Gate Approval postponed until those actions are complete.

@RoKrish14

Rescan requested by @fabiodmota

SAST: Approved
SCA: Approved
DAST: Approved
Secret Scans: Approved
IAC: Approved
Container Scans: Approved

@jjeroch

jjeroch commented Feb 20, 2024

High finding was resolved; the medium findings are moved to 24.05. release for fix

@DnlZF DnlZF removed their assignment Feb 21, 2024
@FaGru3n
Contributor

FaGru3n commented Feb 26, 2024

QG-Checks done, thanks for the work @fabiodmota, and dedicated information is shared in a separate issue.

@fabiodmota

Hi @RolaH1t and @kelaja everything is completed for the QG checks

@RolaH1t

RolaH1t commented Feb 27, 2024

QG approval now complete!
Congrats!

@fabiodmota

fabiodmota commented Mar 6, 2024

After all checks on QG and after approval, a version was released containing all the fixes and pull requests done:

chart version: https://github.com/eclipse-tractusx/vas-country-risk/releases/tag/country-risk-3.0.11
app version: https://github.com/eclipse-tractusx/vas-country-risk/releases/tag/v1.3.1

@RolaH1t

RolaH1t commented Mar 6, 2024

After all checks on QG and after approval, a version was released containing all the fixes and pull requests done:

chart version: https://github.com/eclipse-tractusx/vas-country-risk/releases/tag/country-risk-3.0.11
app version: https://github.com/eclipse-tractusx/vas-country-risk/releases/tag/v1.3.1

thx for the info - and pls clarify:
this new version is more than welcome, but CANNOT be included in 24.03 package as it has not been E2E-tested. So it is good to be available in the BPDM repo and already prepared for 24.05. Let @Siegfriedk know!

@kelaja kelaja closed this as completed Mar 13, 2024
Projects
Status: USER READY
Status: Done