Merge remote-tracking branch 'refs/remotes/ng/catena-x-environments' …

…into catena-x-environments

# Conflicts:
#	.github/workflows/release.yaml

.config/.trivyignore

@@ -2,4 +2,7 @@
 CVE-2022-42003
 
 # HttpInvokerServiceExporter is not loaded as a bean in the IRS.
-CVE-2016-1000027
+CVE-2016-1000027
+
+# Vulnerability method not in IRS codebase (Files.createTempDir from guava). https://github.com/google/guava/issues/2575
+CVE-2023-2976

.config/irs.header

@@ -11,7 +11,8 @@
  *
  * This program and the accompanying materials are made available under the
  * terms of the Apache License, Version 2.0 which is available at
- * https://www.apache.org/licenses/LICENSE-2.0. *
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

.config/owasp-suppressions.xml

@@ -2,140 +2,30 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
         <notes><![CDATA[
-        Transitive dependency of OkHttp. CVE is only relevant for Gradle builds, not relevant for IRS.
+        Vulnerability is a false positive.
         ]]></notes>
-        <gav regex="true">org\.jetbrains\.kotlin:.*</gav>
-        <vulnerabilityName>CVE-2022-24329</vulnerabilityName>
+        <gav regex="true">com\.fasterxml\.jackson\.core:jackson\-databind.*</gav>
+        <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
     </suppress>
     <suppress>
         <notes><![CDATA[
-        OkHttp vulnerability only relevant for Android platform.
+        Pulled in by EDC client - needs to be accepted for now.
         ]]></notes>
-        <gav regex="true">com\.squareup\.okhttp3:okhttp.*</gav>
-        <vulnerabilityName>CVE-2021-0341</vulnerabilityName>
+        <gav regex="true">org\.eclipse\.edc:jetty\-core.*</gav>
+        <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
     <suppress>
         <notes><![CDATA[
-        IRS does not expose any HttpInvoker endpoints, CVE not relevant.
+        Pulled in by EDC client - needs to be accepted for now.
         ]]></notes>
-        <gav regex="true">org\.springframework:spring-web.*</gav>
-        <vulnerabilityName>CVE-2016-1000027</vulnerabilityName>
+        <gav regex="true">org\.eclipse\.jetty\.toolchain:jetty\-jakarta\-websocket\-api.*</gav>
+        <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
     <suppress>
         <notes><![CDATA[
-        False positive, version in use is not affected.
+        This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code. This is not exploitable in IRS.
         ]]></notes>
-        <gav regex="true">org\.springframework\.security:spring-security-crypto.*</gav>
-        <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Not relevant for IRS, only regards example application which we don't provide.
-        ]]></notes>
-        <gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-.*</gav>
-        <vulnerabilityName>CVE-2022-34305</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        False positive, only affects a patched AWS version of log4j.
-        ]]></notes>
-        <gav regex="true">org\.apache\.logging\.log4j:log4j.*</gav>
-        <vulnerabilityName>CVE-2022-33915</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes>Irrelevant for IRS, see discussion here: https://github.com/github/securitylab/issues/669</notes>
-        <vulnerabilityName>CVE-2022-31514</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Data Faker ships with a vulnerable version of snakeyaml, but is only used in tests.
-        ]]></notes>
-        <filePath regex="true">.*\bdatafaker.*</filePath>
-        <vulnerabilityName>CVE-2022-25857</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Data Faker ships with a vulnerable version of snakeyaml, but is only used in tests.
-        ]]></notes>
-        <filePath regex="true">.*\bdatafaker.*</filePath>
-        <vulnerabilityName>CVE-2022-38751</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Data Faker ships with a vulnerable version of snakeyaml, but is only used in tests.
-        ]]></notes>
-        <filePath regex="true">.*\bdatafaker.*</filePath>
-        <vulnerabilityName>CVE-2022-41854</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        False positive, version in use (> 1.31) is not affected anymore.
-        ]]></notes>
-        <gav regex="true">org\.yaml:snakeyaml.*</gav>
-        <vulnerabilityName>CVE-2022-38752</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        False positive, version in use (> 1.31) is not affected anymore.
-        ]]></notes>
-        <gav regex="true">org\.yaml:snakeyaml.*</gav>
-        <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        IRS is not parsing user YAML input, thus this CVE is irrelevant.
-        ]]></notes>
-        <gav regex="true">org\.yaml:snakeyaml.*</gav>
-        <vulnerabilityName>CVE-2021-4235</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        IRS is not parsing user YAML input, thus this CVE is irrelevant.
-        ]]></notes>
-        <gav regex="true">org\.yaml:snakeyaml.*</gav>
-        <vulnerabilityName>CVE-2022-3064</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Only relevant if UNWRAP_SINGLE_VALUE_ARRAYS is activated, which is not the case here.
-        ]]></notes>
-        <gav regex="true">com\.fasterxml\.jackson\.core:jackson-databind.*</gav>
-        <vulnerabilityName>CVE-2022-42003</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Accepted - potentially vulnerable library is only used in metric actuator, which is not reachable from outside.
-        ]]></notes>
-        <gav regex="true">org\.latencyutils.*</gav>
-        <vulnerabilityName>CVE-2021-4277</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Accepted - potentially vulnerable library is not in irs code.
-        ]]></notes>
-        <gav regex="true">jakarta\.activation:jakarta.activation-api.*</gav>
-        <vulnerabilityName>CVE-2010-4647</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Accepted - potentially vulnerable library is not in irs code.
-        ]]></notes>
-        <gav regex="true">jakarta\.activation:jakarta.activation-api.*</gav>
-        <vulnerabilityName>CVE-2008-7271</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        False positive - suppress various improper matches to the CPE that belongs only to pkg:maven/org.json/json
-        ]]></notes>
-        <packageUrl regex="true">^(?!pkg:maven/org\.json/json@).+$</packageUrl>
-        <cpe>cpe:/a:json-java_project:json-java</cpe>
-        <vulnerabilityName>CVE-2022-45688</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Vulnerability method not in IRS codebase (Files.createTempDir from guava).
-        ]]></notes>
-        <gav regex="true">com\.google\.guava:guava.*</gav>
-        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
+        <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-22006</vulnerabilityName>
     </suppress>
 </suppressions>

.config/pmd-rules.xml

@@ -33,6 +33,8 @@
         <exclude name="LoosePackageCoupling"/>
         <!-- There are too many false positives especially with streams -->
         <exclude name="LawOfDemeter"/>
+        <!-- Detects false positives -->
+        <exclude name="DataClass"/>
     </rule>
     <rule ref="category/java/design.xml/UseUtilityClass">
         <properties>
@@ -56,7 +58,7 @@
 
     <rule ref="category/java/documentation.xml/CommentSize">
         <properties>
-            <property name="maxLines" value="22"/>
+            <property name="maxLines" value="23"/>
             <property name="maxLineLength" value="100"/>
         </properties>
     </rule>
@@ -67,4 +69,6 @@
             <property name="protectedMethodCommentRequirement" value="Ignored"/>
         </properties>
     </rule>
+
+
 </ruleset>

.config/spotbugs-excludes.xml

@@ -60,9 +60,22 @@
         <Class name="org.eclipse.tractusx.irs.configuration.RestTemplateConfig"/>
         <Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON"/>
     </Match>
+    <Match>
+        <Class name="org.eclipse.tractusx.irs.registryclient.central.DigitalTwinRegistryClientImpl"/>
+        <Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON"/>
+    </Match>
+    <Match>
+        <Class name="org.eclipse.tractusx.irs.registryclient.decentral.DecentralDigitalTwinRegistryClient"/>
+        <Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON"/>
+    </Match>
     <Match>
         <!-- The folder path is not provided by a user, the file name is normalized heavily, and we use a recent JRE -->
         <Class name="org.eclipse.tractusx.irs.semanticshub.SemanticsHubClientImpl"/>
         <Bug pattern="PATH_TRAVERSAL_IN,WEAK_FILENAMEUTILS"/>
     </Match>
+    <Match>
+        <!-- The application is intended to access all files -->
+        <Class name="org.eclipse.tractusx.irs.testing.dataintegrity.TestdataTransformer"/>
+        <Bug pattern="PATH_TRAVERSAL_IN"/>
+    </Match>
 </FindBugsFilter>

.github/ISSUE_TEMPLATE/irs-bug.md

@@ -0,0 +1,25 @@
+---
+name: Report a Bug
+about: report bugs or unexpected behavior.
+---
+
+<!-- 
+Thanks for your contribution! Please fill out this template as good as possible. 
+Important: Contributing Guidelines can be found here: https://eclipse-tractusx.github.io/docs/oss/how-to-contribute
+Checkout the repository README for process description. 
+-->
+
+## Description
+<!-- A clear and concise description of what the bug is. Give as much hints as possible
+- On which Environment did the bug occur
+-->
+## Current behaviour
+
+## Expected behavior
+<!-- A clear and concise description of what you expected to happen. -->
+
+## Steps to reproduce the Bug
+<!-- Please provide a clear procedure how to reproduce the bug. 
+Important technical details: 
+user information, screenshots, browser, app-version, environment, device, etc.
+-->

.github/ISSUE_TEMPLATE/irs-story.md

@@ -0,0 +1,32 @@
+---
+name: Propose a Story
+about: propose a new story, new task
+labels: Story
+---
+<!-- 
+A clear and concise description of what the desired story will look like. 
+-->
+**As** ... ,
+**I want** ... ,
+**so that** ... .
+
+## Hints / Details
+<!--
+Provide as much information regarding this request as possible
+-->
+- ...
+
+## Outcome / Acceptance Criteria
+<!--
+Describe the Outcome & acceptance criterias the result of the story
+-->
+### Outcome
+- ...
+### Acceptance Criteria
+- ...
+
+## Out of Scope
+<!--
+Describe the topics which are out of scope
+-->
+- ...

.github/actions/import-gpg-key/action.yaml

@@ -0,0 +1,46 @@
+#
+#  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#  Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+---
+name: "Import GPG Key"
+description: "Imports a GPG key given in the input"
+inputs:
+  gpg-private-key:
+    required: true
+    description: "The GPG Private Key in plain text. Can be a sub-key."
+runs:
+  using: "composite"
+  steps:
+    # this is necessary because it creates gpg.conf, etc.
+    - name: List Keys
+      shell: bash
+      run: |
+        gpg -K --keyid-format=long
+
+    - name: Import GPG Private Key
+      shell: bash
+      run: |
+        echo "use-agent" >> ~/.gnupg/gpg.conf
+        echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
+        echo -e "${{ inputs.gpg-private-key }}" | gpg --import --batch
+        for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u);
+        do
+          echo -e "5\\ny\\n" |  gpg --batch --command-fd 0 --expert --edit-key $fpr trust;
+        done

.github/configs/codeql-config.yml

@@ -0,0 +1,9 @@
+name: "IRS CodeQL config"
+
+query-filters:
+  # Exclude "Unused classes and interfaces"
+  - exclude:
+      id: java/unused-reference-type
+  # Exclude "Log Injection". This is a false positive, since IRS uses a log configuration which encodes all log messages in "irs-api/src/main/resources/log4j2.xml"
+  - exclude:
+      id: java/log-injection

.github/configs/cr-config.yml

@@ -0,0 +1 @@
+release-notes-file: CHANGELOG-temp.md

.github/workflows/BETA-xray-cucumber-integration.yaml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up JDK 17
         uses: actions/setup-java@v3
@@ -38,7 +38,7 @@ jobs:
       - name: Build with Maven
         if: ${{ steps.download.outputs.http_response == '200' }}
         env:
-          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_OAUTH2_CLIENT_SECRET_BETA }}
+          OAUTH2_CLIENT_SECRET: ${{ secrets.OAUTH2_CLIENT_SECRET_BETA }}
         run: |
           unzip -o features.zip -d irs-cucumber-tests/src/test/resources/features
           mvn --batch-mode clean install -pl irs-cucumber-tests,irs-models -D"cucumber.filter.tags"="not @Ignore and @INTEGRATION_TEST"