QG 4 checks (Release 24.05)

[almadigabor]

QG checks

Please keep this issue open until QG is concluded and will be managed by the Issue Creator!
We will inform you about finding and proposals in separated issues, this issue here is for the Overview of the Checks!

Please keep this issue open until QG is concluded!

Product Owner: @drcgjung
Dev SPOC: @drcgjung
Helm Chart Version: 1.12.19
App Version: 1.12.19

Release Managemnet Reference Issue:

Check of Tractus-X Release Guidelines

• Currently implemented automatic checks can be found under your product on our Release Guidelines Checks Board
• This QG Check is depending on the mandatory information from our current Release Guidelines

TRG 1 Documentation

• TRG 1.01 appropriate README.md
• TRG 1.02 appropriate install instructions either INSTALL.md or in README.md
• TRG 1.03 appropriate CHANGELOG.md
• TRG 1.04 editable static files

TRG 2 Git

• TRG 2.01 default branch is named main
• TRG 2.03 repository structure
• TRG 2.04 leading product repository
• TRG 2.05 .tractusx metafile in a proper format

TRG 3 Kubernetes

• TRG 3.02 persistent volume and persistent volume claim is used when needed

TRG 4 Container

• TRG 4.01 semantic versioning and tagging
• TRG 4.02 base image is agreed
• TRG 4.03 image has USER command and Non Root Container
• TRG 4.05 released image must be placed in DockerHub, remove GHCR references
• TRG 4.06 separate notice file for DockerHub has all necessary information

TRG 5 Helm

• TRG 5.01 Helm chart requirements
• TRG 5.02 Helm chart location in /charts directory and correct structure
• TRG 5.03 proper version strategy
• TRG 5.04 CPU / MEM resource requests and limits and are properly set
• TRG 5.06 Application must be configurable through the Helm chart
• TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
• TRG 5.08 Product has a single deployable helm chart that contains all components
• TRG 5.09 Helm Test running properly
• TRG 5.10 Products need to support 3 versions at a time
• TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

• TRG 6.01 Released Helm Chart

TRG 7 Open Source Governance

• TRG 7.01 Legal Documentation
• TRG 7.02 License and copyright header
• TRG 7.03 IP checks for project content
• TRG 7.04 IP checks for 3rd party content
• TRG 7.05 Legal information for distributions
• TRG 7.06 Legal information for end user content
• TRG 7.07 Legal notice for documentation
• TRG 7.08 Legal notice for KIT documentation

TRG 8 Security

• TRG 8.01 Mitigate high and above findings in CodeQL #128
• TRG 8.02 Mitigate high and above findings in KICS
• TRG 8.03 Mitigate high and above findings in GitGuardian
• TRG 8.04 Mitigate high and above findings in Trivy

Hints

Information Sharing

[almadigabor]

Hi all, before I start I need the following info:

Product Owner:
Dev SPOC:
Helm Chart Version:
App Version:

Also I will need a volunteer committer who does the checks alongside with me. Can you find me someone? Thanks!

[almadigabor]

Version I'm checking: 1.12.19

[almadigabor]

I'm done with the first round of checks. There is one issues open regarding critical security findings in the knowledge-agents repository by CodeQL. #128

[RolaH1t]

@drcgjung & @almadigabor do we expect a resolution on this one today?

[drcgjung]

@drcgjung & @almadigabor do we expect a resolution on this one today?

here eclipse-tractusx/knowledge-agents-edc#196
and here #131

Best,
CGJ

[RolaH1t]

cool!
so please mark #122(#122) completed and update #641(eclipse-tractusx/sig-release#641) so QG can be fully approved

[RoKrish14]

CodeQl: I approve the findings as FP. The security checks is approved.

[almadigabor]

As the security findings were false positives as they've already been fixed, the last check is also marked. I approve the QG with the following versions:

App version: 1.12.19
Chart version: 1.12.19