Merge pull request #138 from catenax-ng/release/v1.2.0-dpp-frontend

[1º] - Hotfix/v1.2.1-vulnerability-fix: Fixed Library Vulnerabilities
eclipse-tractusx · Oct 31, 2023 · c19d232 · c19d232
2 parents 06809e8 + c842390
commit c19d232
Show file tree

Hide file tree

Showing 11 changed files with 342 additions and 4,443 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,6 +24,20 @@
 
 The changelog format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [released]
+## [1.2.1] - 31-10-2023
+
+## Deleted
+- Removed cypress from `package.json` dependencies
+- Removed unused devDependencies of `@babel`
+
+## Security Issues 
+- Fixed vulnerabilities related to `crypto-js`, `semver`, `netty-codec`.
+  - Updated `Spring Boot` to version `v3.1.5`
+  - Updated `crypto-js` to version `v4.2.0`
+  - Overrided `semver` to versions over `^v7.5.3`
+
+
 ## [released]
 ## [1.2.0] - 30-10-2023
 
@@ -39,7 +53,7 @@ The changelog format is based on [Keep a Changelog](https://keepachangelog.com/e
 - Added a second check for "transfer-completed" in history when passport status is checked in the frontend
 
 ### Updated
-- The Submodels are search by their SemanticId instead of idShort parameter
+- The Aspect Submodels are searching in the Digital Twin by their `semanticId` instead of `idShort` parameter
 - Updated DTR search as type instead of ID
 - Updated the Apis that communicate with the backend
 - Updated DTR configuration to support the new DTR API `v1.0`
@@ -57,7 +71,6 @@ The changelog format is based on [Keep a Changelog](https://keepachangelog.com/e
 - Fixed a bug related to the discovery service when more than one search endpoint would be available
 - Fixed bug related to the passport search and the transfer data not being available sometimes
 
-
 ## [released]
 ## [1.1.0] - 19-10-2023
 

diff --git a/DEPENDENCIES_BACKEND b/DEPENDENCIES_BACKEND
diff --git a/DEPENDENCIES_FRONTEND b/DEPENDENCIES_FRONTEND
diff --git a/README.md b/README.md
@@ -35,9 +35,9 @@ In particular, the appliction is used to access the battery passport data provid
 
 ### Software Version
 #### Helm Chart Version
-<pre id="helm-version"><a href="https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/digital-product-pass-1.2.0">1.2.0</a></pre>
+<pre id="helm-version"><a href="https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/digital-product-pass-1.2.1">1.2.1</a></pre>
 #### Application Version
-<pre id="app-version"><a href="https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/v1.2.0">v1.2.0</a></pre>
+<pre id="app-version"><a href="https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/v1.2.1">v1.2.1</a></pre>
 
 
 ## Application Preview

diff --git a/charts/digital-product-pass/Chart.yaml b/charts/digital-product-pass/Chart.yaml
@@ -40,11 +40,10 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.2.0
-
+version: 1.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.2.0"
+appVersion: "1.2.1"
diff --git a/charts/digital-product-pass/README.md b/charts/digital-product-pass/README.md
diff --git a/charts/digital-product-pass/values.yaml b/charts/digital-product-pass/values.yaml
@@ -66,7 +66,6 @@ frontend:
       realm: ""
       onLoad: "login-required"
 
-
 # -- Backend configuration
 backend:
   name: "dpp-backend"
@@ -196,7 +195,7 @@ backend:
             # -- directory to store the passport when is not linked to a process
             dir: "data/transfer"
           # -- passport versions and aspects allowed
-          aspects: 
+          aspects:
             - "urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport"
             - "urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass"
       # -- configuration of the spring boot server

diff --git a/consumer-backend/productpass/pom.xml b/consumer-backend/productpass/pom.xml
@@ -28,12 +28,12 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.1.2</version>
+        <version>3.1.5</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
     <groupId>org.eclipse.tractusx</groupId>
     <artifactId>productpass</artifactId>
-    <version>1.2.0</version>
+    <version>1.2.1</version>
     <packaging>jar</packaging>
     <name>Catena-X Digital Product Passport Backend</name>
     <description>Product Passport Consumer Backend System for Product Passport Consumer Frontend Application

diff --git a/docs/RELEASE_USER.md b/docs/RELEASE_USER.md
@@ -23,6 +23,17 @@
 # Release Notes Digital Product Pass Application
 User friendly relase notes without especific technical details.
 
+**October 31 2023 (Version 1.2.1)**
+*31.10.2023*
+
+### Security Issues
+#### Fix the security issues related to 3 library dependencies
+The spring boot version was updated to `3.1.5` to fix the vulnerabilities with the `netty-codec-http2` library.
+In addition two frontend libraries were updated, the `semver` library was overrided for the latest version and the cypress reference was removed from the dependency list
+because of problems with the IP checks: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11346, which required IP Team Review.
+The `crypto-js` library was also updated to the latest available version.
+
+
 
 **October 30 2023 (Version 1.2.0)**
 *30.10.2023*