From faec5ec874aa6ed774b41c6a0e1fb17e0984c789 Mon Sep 17 00:00:00 2001 From: Carlos Diez Date: Fri, 14 Feb 2025 16:50:44 +0100 Subject: [PATCH 1/7] feat: Add License Header workflow --- .github/workflows/verify.yml | 81 ++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 .github/workflows/verify.yml diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml new file mode 100644 index 00000000..b0e30cb9 --- /dev/null +++ b/.github/workflows/verify.yml 
@@ -0,0 +1,81 @@ +############################################################### +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### + +name: "Verify" + +# source: https://github.com/eclipse-tractusx/ssi-dim-wallet-stub/blob/main/.github/workflows/verify.yaml + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + workflow_dispatch: + +jobs: + verify-license-headers: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Verify License Headers + run: |- + # List of allowed licenses + allowed_licenses=( + "Apache-1.0" "Apache-1.1" "Apache-2.0" "Artistic-2.0" "BSD-2-Clause" "BSD-3-Clause" + "BSD-4-Clause" "0BSD" "BSL-1.0" "CDDL-1.0" "CDDL-1.1" "CPL-1.0" "CC-BY-3.0" + "CC-BY-4.0" "CC-BY-2.5" "CC-BY-SA-3.0" "CC-BY-SA-4.0" "CC0-1.0" "EPL-1.0" + "EPL-2.0" "FTL" "GFDL-1.3-only" "IPL-1.0" "ISC" "MIT" "MIT-0" "MPL-1.1" + "MPL-2.0" "NTP" "OpenSSL" "PHP-3.01" "PostgreSQL" "OFL-1.1" "Unlicense" + "Unicode-DFS-2015" "Unicode-DFS-2016" "Unicode-TOU" "UPL-1.0" "W3C-20150513" + "W3C-19980720" "W3C" "WTFPL" "X11" "Zlib" "ZPL-2.1" "AGPL-3.0" + ) + + # Join the list into a pattern for grep + 
pattern=$(IFS=\|; echo "${allowed_licenses[*]}") + + # Check for files missing the license header + cmd="grep -riL \"SPDX-License-Identifier: \\($pattern\\)\" --include=\\*.{py,yaml,yml,sql} --exclude-dir={.gradle,**/openapi} ." + violations=$(eval $cmd | wc -l) + + if [[ $violations -ne 0 ]] ; then + echo "$violations files without valid license headers were found:"; + eval $cmd; + exit 1; + fi + + Review-Allowed-Licenses: + runs-on: ubuntu-latest + continue-on-error: false + if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: 'Check Allowed Licenses' + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 + with: + fail-on-severity: critical + # Representation of this list: https://www.eclipse.org/legal/licenses.php# + # Expressed with the help of the following IDs: https://spdx.org/licenses/ + allow-licenses: >- + Adobe-Glyph, Apache-1.0, Apache-1.1, Apache-2.0, Artistic-2.0, BSD-2-Clause, BSD-3-Clause, + BSD-4-Clause, 0BSD, BSL-1.0, CDDL-1.0, CDDL-1.1, CPL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-2.5, + CC-BY-SA-3.0, CC-BY-SA-4.0, CC0-1.0, EPL-1.0, EPL-2.0, FTL, GFDL-1.3-only, IPL-1.0, ISC, + MIT, MIT-0, MPL-1.1, MPL-2.0, NTP, OpenSSL, PHP-3.01, PostgreSQL, OFL-1.1, Unlicense, + Unicode-DFS-2015, Unicode-DFS-2016, Unicode-TOU, UPL-1.0, W3C-20150513, W3C-19980720, W3C, + WTFPL, X11, Zlib, ZPL-2.1, AGPL-3.0 \ No newline at end of file From 47faeb9ae1fa0a5cdf574e0d27106c695721c9de Mon Sep 17 00:00:00 2001 From: Carlos Diez Date: Fri, 14 Feb 2025 16:55:21 +0100 Subject: [PATCH 2/7] fix: The License problem --- .github/workflows/verify.yml | 24 ++++-------------------- 1 file changed, 4 insertions(+), 20 deletions(-) diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index b0e30cb9..b12f7d47 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml 
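Review bot: The new workflow declares no `permissions:` at workflow or job level, so `verify-license-headers` and `Review-Allowed-Licenses` run with whatever default GITHUB_TOKEN scope the repository grants, while nothing in this hunk needs more than read access (the grep step only reads the checkout, and dependency-review-action presumably only needs the dependency diff). Add a top-level block under `name: "Verify"`: `permissions:` / `  contents: read` so the token is read-only unless a job opts up. The `if:` on `Review-Allowed-Licenses` also tests `github.event_name == 'pull_request_target'`, which is not one of the configured triggers, so that half of the condition is dead. Note too that `fail-on-severity: critical` lets high-severity advisories in a PR's newly added dependencies pass silently; if that is not deliberate, `fail-on-severity: high` is the more common setting.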
@@ -36,28 +36,12 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Verify License Headers run: |- - # List of allowed licenses - allowed_licenses=( - "Apache-1.0" "Apache-1.1" "Apache-2.0" "Artistic-2.0" "BSD-2-Clause" "BSD-3-Clause" - "BSD-4-Clause" "0BSD" "BSL-1.0" "CDDL-1.0" "CDDL-1.1" "CPL-1.0" "CC-BY-3.0" - "CC-BY-4.0" "CC-BY-2.5" "CC-BY-SA-3.0" "CC-BY-SA-4.0" "CC0-1.0" "EPL-1.0" - "EPL-2.0" "FTL" "GFDL-1.3-only" "IPL-1.0" "ISC" "MIT" "MIT-0" "MPL-1.1" - "MPL-2.0" "NTP" "OpenSSL" "PHP-3.01" "PostgreSQL" "OFL-1.1" "Unlicense" - "Unicode-DFS-2015" "Unicode-DFS-2016" "Unicode-TOU" "UPL-1.0" "W3C-20150513" - "W3C-19980720" "W3C" "WTFPL" "X11" "Zlib" "ZPL-2.1" "AGPL-3.0" - ) - - # Join the list into a pattern for grep - pattern=$(IFS=\|; echo "${allowed_licenses[*]}") - - # Check for files missing the license header - cmd="grep -riL \"SPDX-License-Identifier: \\($pattern\\)\" --include=\\*.{py,yaml,yml,sql} --exclude-dir={.gradle,**/openapi} ." + cmd="grep -riL \"SPDX-License-Identifier: Apache-2.0\" --include=\*.{py,yaml,yml,sql} --exclude-dir={\*\openapi} ." violations=$(eval $cmd | wc -l) - if [[ $violations -ne 0 ]] ; then - echo "$violations files without valid license headers were found:"; - eval $cmd; - exit 1; + echo "$violations files without license headers were found:"; + eval $cmd; + exit 1; fi Review-Allowed-Licenses: From 90de93cf1d6bb78d2e8929dfbe02730433d597fe Mon Sep 17 00:00:00 2001 From: Carlos Diez Date: Fri, 14 Feb 2025 16:58:15 +0100 Subject: [PATCH 3/7] fix: License file --- .github/dependabot.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 32215228..aa574aa9 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
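Review bot: The replacement `--exclude-dir={\*\openapi}` on the new `cmd=` line no longer excludes anything useful: bash leaves a single-element brace expression (no comma) unexpanded, and once `eval` re-parses the string and removes the backslashes grep receives the glob `{*openapi}`, which only matches a directory whose base name literally starts with `{`. grep matches `--exclude-dir` against the directory base name, so `--exclude-dir=openapi` expresses what the previous `**/openapi` was also trying to say. The same fragment is copied into the `verify-md-license` job added in PATCH 4/7 and carried through the PATCH 5/7 and PATCH 7/7 hunks. Building the command as a string only to `eval` it is also what forces the `\"`/`\*` escaping; passing the globs as separate `--include='*.py' --include='*.yaml'` options would let the step call grep directly.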
@@ -1,3 +1,22 @@ +############################################################### +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### + version: 2 registries: github-central-pipelines: From 688c0fed300cf6568d832d55dce1de13f577a14e Mon Sep 17 00:00:00 2001 From: Carlos Diez <137300347+CDiezRodriguez@users.noreply.github.com> Date: Mon, 17 Feb 2025 10:17:07 +0100 Subject: [PATCH 4/7] feat: Add the change proposed by @matbmoser --- .github/workflows/verify.yml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index b12f7d47..10e8b3bf 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml 
@@ -44,6 +44,20 @@ jobs: exit 1; fi + verify-md-license: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Verify License Headers + run: |- + cmd="grep -riL \"SPDX-License-Identifier: CC-BY-4.0\" --include=\*.{md} --exclude-dir={\*\openapi} ." + violations=$(eval $cmd | wc -l) + if [[ $violations -ne 0 ]] ; then + echo "$violations files without license headers were found:"; + eval $cmd; + exit 1; + fi + Review-Allowed-Licenses: runs-on: ubuntu-latest continue-on-error: false @@ -62,4 +76,4 @@ jobs: CC-BY-SA-3.0, CC-BY-SA-4.0, CC0-1.0, EPL-1.0, EPL-2.0, FTL, GFDL-1.3-only, IPL-1.0, ISC, MIT, MIT-0, MPL-1.1, MPL-2.0, NTP, OpenSSL, PHP-3.01, PostgreSQL, OFL-1.1, Unlicense, Unicode-DFS-2015, Unicode-DFS-2016, Unicode-TOU, UPL-1.0, W3C-20150513, W3C-19980720, W3C, - WTFPL, X11, Zlib, ZPL-2.1, AGPL-3.0 \ No newline at end of file + WTFPL, X11, Zlib, ZPL-2.1, AGPL-3.0 From b105c6b1bea187426c81444df4f0eb7d5f41dc37 Mon Sep 17 00:00:00 2001 From: Carlos Diez <137300347+CDiezRodriguez@users.noreply.github.com> Date: Mon, 17 Feb 2025 10:21:47 +0100 Subject: [PATCH 5/7] fix: Name of the jobs and the folder --- .github/workflows/verify.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 10e8b3bf..fea60aa7 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -48,9 +48,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Verify License Headers + - name: Verify the MD footer run: |- - cmd="grep -riL \"SPDX-License-Identifier: CC-BY-4.0\" --include=\*.{md} --exclude-dir={\*\openapi} ." + cmd="grep -riL \"SPDX-License-Identifier: CC-BY-4.0\" --include=\*.md --exclude-dir={\*\openapi} ." violations=$(eval $cmd | wc -l) if [[ $violations -ne 0 ]] ; then echo "$violations files without license headers were found:"; 
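Review bot: In the new `verify-md-license` job, `violations=$(eval $cmd | wc -l)` only observes the exit status of `wc`, so a grep usage error or an include glob that matches no file both count as zero violations and the job passes green. This hunk shows the failure mode: `--include=\*.{md}` is not brace-expanded by bash (a single element without a comma), grep is handed `*.{md}`, scans nothing and the step succeeds, which is presumably why PATCH 5/7 changes it to `\*.md`. The same silent-pass shape exists in `verify-license-headers`, whose body starts above this hunk. Capture grep's output and status separately, treat status 2 as a step failure, and derive the count from the captured list; that also removes the `eval`.
```yaml
      - name: Verify License Headers
        run: |-
          # grep -L exits 0/1 depending on whether any file matched and 2 on a usage error,
          # so only status 2 is an error here; the listing itself decides pass/fail.
          violations=$(grep -riL "SPDX-License-Identifier: CC-BY-4.0" \
            --include='*.md' --exclude-dir=openapi .) && rc=0 || rc=$?
          if [[ $rc -ge 2 ]]; then
            echo "grep failed with status $rc"
            exit "$rc"
          fi
          if [[ -n "$violations" ]]; then
            echo "$(printf '%s\n' "$violations" | wc -l) files without license headers were found:"
            printf '%s\n' "$violations"
            exit 1
          fi
```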
From 1e08055322fcb025e8a798e15401d76a0a33422b Mon Sep 17 00:00:00 2001 From: mgarciaLKS Date: Mon, 17 Feb 2025 09:17:56 +0100 Subject: [PATCH 6/7] trivy after tractus-sdk creation --- .github/workflows/trivy.yml | 70 ------------------------------------- 1 file changed, 70 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 825849c9..d829ea8f 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -67,73 +67,3 @@ jobs: if: always() with: sarif_file: "trivy-results-ichub-backend.sarif" - - analyze-dataspace-sdk: - name: Analyze Dataspace SDK - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Build dataspace-sdk Docker image - id: build-docker-dataspace-sdk - run: | - cd tractusx_sdk/dataspace - docker build -t ${{ env.IMAGE_NAMESPACE }}/${{ env.DATASPACE_SDK_IMAGE_NAME }}:latest . - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 - with: - image-ref: "${{ env.IMAGE_NAMESPACE }}/${{ env.DATASPACE_SDK_IMAGE_NAME }}:latest" # Pull image from Docker Hub and run Trivy vulnerability scanner - format: "sarif" - output: "trivy-results-dataspace-sdk.sarif" - severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). - hide-progress: false - exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail. - limit-severities-for-sarif: true - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 - if: always() - with: - sarif_file: "trivy-results-dataspace-sdk.sarif" - - analyze-industry-sdk: - name: Analyze Industry SDK - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Build industry-sdk Docker image - id: build-docker-industry-sdk - run: | - cd tractusx_sdk/industry - docker build -t ${{ env.IMAGE_NAMESPACE }}/${{ env.INDUSTRY_SDK_IMAGE_NAME }}:latest . 
- - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 - with: - image-ref: "${{ env.IMAGE_NAMESPACE }}/${{ env.INDUSTRY_SDK_IMAGE_NAME }}:latest" # Pull image from Docker Hub and run Trivy vulnerability scanner - format: "sarif" - output: "trivy-results-industry-sdk.sarif" - severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). - hide-progress: false - exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail. - limit-severities-for-sarif: true - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 - if: always() - with: - sarif_file: "trivy-results-industry-sdk.sarif" From 0fd10dd267d8a415c6c1aea7bcfb125288020976 Mon Sep 17 00:00:00 2001 From: Carlos Diez Date: Mon, 17 Feb 2025 11:23:20 +0100 Subject: [PATCH 7/7] fix: Check MD in subdirectories --- .github/workflows/verify.yml | 2 +- charts/industry-core-hub/README.md | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index fea60aa7..d50c5799 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -50,7 +50,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Verify the MD footer run: |- - cmd="grep -riL \"SPDX-License-Identifier: CC-BY-4.0\" --include=\*.md --exclude-dir={\*\openapi} ." + cmd="grep -riL \"SPDX-License-Identifier: CC-BY-4.0\" --include=\*.md --exclude-dir={\*\openapi} $(find . -mindepth 2 -type f)" violations=$(eval $cmd | wc -l) if [[ $violations -ne 0 ]] ; then echo "$violations files without license headers were found:"; 
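Review bot: The new `$(find . -mindepth 2 -type f)` is expanded into the `cmd` string at assignment time and then re-split by `eval`, so any path containing whitespace is broken into separate grep arguments, and the list also carries every file under `.git/` and every non-markdown file, which grep must filter again through `--include`. `-mindepth 2` additionally means a top-level `README.md` is never checked; the subject line suggests that is intended, but a comment on the line would save the next reader the guess. If only subdirectories are meant, let find do the selection and hand the files to grep directly: `find . -mindepth 2 -type f -name '*.md' -not -path '*/openapi/*' -exec grep -iL "SPDX-License-Identifier: CC-BY-4.0" {} +`. The `if`/`echo` that consume `$violations` continue past the end of this hunk.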
diff --git a/charts/industry-core-hub/README.md b/charts/industry-core-hub/README.md index 99c28ddd..7cabf6b0 100644 --- a/charts/industry-core-hub/README.md +++ b/charts/industry-core-hub/README.md @@ -78,4 +78,12 @@ helm install industry-core-hub tractusx/industry-core-hub | updateStrategy.rollingUpdate.maxUnavailable | int | `0` | | | updateStrategy.type | string | `"RollingUpdate"` | Update strategy type, rolling update configuration parameters, [reference](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies). | -Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) \ No newline at end of file +Autogenerated with [helm docs](https://github.com/norwoodj/helm-docs) + +## NOTICE + +This work is licensed under the [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/legalcode). + +- SPDX-License-Identifier: CC-BY-4.0 +- SPDX-FileCopyrightText: 2025 Contributors to the Eclipse Foundation +- Source URL: https://github.com/eclipse-tractusx/industry-core-hub