QG X checks (Release 25.03)

[evegufy]

QG checks

Please open and fill in this issue in your product repository to document the compliance with our Tractus-X Release Guideline (TRGs)

Show compliance with TRGs by referencing to a tagged link in the respective repository where possible, example: TRG 1.01 (see github.com/eclipse-tractusx/example-repo/tree/1.0.0/README.md)

Close this issue once the compliance with the TRGs has been documented

Committer(s):
Helm Chart Version:
App Version:

Release Management Reference Issue:

Check of Tractus-X Release Guidelines

• Currently implemented automatic checks can be found under your product on our Release Guidelines Checks Board
• This QG Check is depending on the mandatory information from our current Release Guidelines

TRG 1 Documentation

• TRG 1.01 appropriate README.md
• TRG 1.02 appropriate install instructions either INSTALL.md or in README.md
• TRG 1.03 appropriate CHANGELOG.md
• TRG 1.04 editable static files
• TRG 1.05 architecture docs
• TRG 1.06 administrator guide
• TRG 1.07 user manual
• TRG 1.08 open api docs

TRG 2 Git

• TRG 2.01 default branch is named main
• TRG 2.03 repository structure
• TRG 2.04 leading product repository
• TRG 2.05 .tractusx metafile in a proper format
• TRG 2.06 Dependabot

TRG 3 Kubernetes

• TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

TRG 4 Container

• TRG 4.01 semantic versioning and tagging
• TRG 4.02 base image is agreed
• TRG 4.03 image has USER command and Non Root Container
• TRG 4.05 released image must be placed in DockerHub, remove GHCR references
• TRG 4.06 separate notice file for DockerHub has all necessary information
• TRG 4.07 root file system is set to read access by default, but can be overwritten by the user

TRG 5 Helm

• TRG 5.01 Helm chart requirements
• TRG 5.02 Helm chart location in /charts directory and correct structure
• TRG 5.03 proper version strategy
• TRG 5.04 CPU / MEM resource requests and limits and are properly set
• TRG 5.06 Application must be configurable through the Helm chart
• TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
• TRG 5.08 Product has a single deployable helm chart that contains all components
• TRG 5.09 Helm Test running properly
• TRG 5.10 Products need to support 3 versions at a time
• TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

• TRG 6.01 Released Helm Chart

TRG 7 Open Source Governance

• TRG 7.01 Legal Documentation
• TRG 7.02 License and copyright header
• TRG 7.03 IP checks for project content
• TRG 7.04 IP checks for 3rd party content
• TRG 7.05 Legal information for distributions
• TRG 7.06 Legal information for end user content
• TRG 7.07 Legal notice for documentation (non-code)
• TRG 7.08 Legal notice for KIT documentation

TRG 8 Security

• TRG 8.01 Mitigate high and above findings in CodeQL
• TRG 8.02 Mitigate high and above findings in KICS
• TRG 8.04 Mitigate high and above findings in Trivy
• TRG 8.03 No secret findings by GitGuardian or TruffleHog

TRG 9 UX/UI Styleguide

• TRG 9.01 UI consistency/styleguide for UI

Hints

Information Sharing

[saadanzari]

following repositories have been reviewed:

https://github.com/eclipse-tractusx/portal
https://github.com/eclipse-tractusx/portal-frontend
https://github.com/eclipse-tractusx/portal-frontend-registration
https://github.com/eclipse-tractusx/portal-shared-components
https://github.com/eclipse-tractusx/portal-backend
https://github.com/eclipse-tractusx/portal-assets
https://github.com/eclipse-tractusx/portal-iam

TRG 1 Documentation

TRG 1.01 appropriate README.md

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 1.02 appropriate install instructions either INSTALL.md or in README.md (example: https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/README.md)

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 1.03 appropriate CHANGELOG.md (example: https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/CHANGELOG.md)

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 1.04 editable static files (example: https://github.com/eclipse-tractusx/portal-assets/blob/91008cc6a663b1556194f15ecf0d6baf7ed94231/docs/admin/Dev%20Process/Dev-flow_git-diagram.md)

• portal
• portal-frontend-registration
• portal-shared-components
• portal-assets
• portal-iam

TRG 1.05 architecture docs

• portal-assets https://github.com/eclipse-tractusx/portal-assets/tree/main/docs/architecture

TRG 1.06 administrator guide

• portal-assets https://github.com/eclipse-tractusx/portal-assets/tree/main/docs/admin

TRG 1.07 user manual

• portal-assets https://github.com/eclipse-tractusx/portal-assets/tree/main/docs/user

TRG 1.08 open api docs

• portal-assets https://github.com/eclipse-tractusx/portal-assets/tree/main/docs/api

TRG 2 Git

TRG 2.01 default branch is named main

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 2.03 repository structure

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 2.04 leading product repository (https://github.com/eclipse-tractusx/portal)

TRG 2.05 .tractusx metafile in a proper format (https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/.tractusx)

TRG 2.06 Dependabot (example: https://github.com/eclipse-tractusx/portal-frontend/blob/v2.4.0-RC2/.github/dependabot.yml)

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 3 Kubernetes

TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

• portal https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/charts/portal/Chart.yaml#L32

TRG 4 Container

TRG 4.01 semantic versioning and tagging (https://github.com/eclipse-tractusx/portal/tags)

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 4.02 base image is agreed

• portal-backend https://github.com/eclipse-tractusx/portal-backend/blob/v2.4.0-RC1/docker/Dockerfile-administration-service
• portal-iam https://github.com/eclipse-tractusx/portal-iam/blob/main/docker/Dockerfile.import

TRG 4.03 image has USER command and Non Root Container

• portal-frontend https://github.com/eclipse-tractusx/portal-frontend/blob/release/v2.4.0-RC2/.conf/Dockerfile.prebuilt#L42-L44

TRG 4.05 released image must be placed in DockerHub, remove GHCR references

• portal-frontend example: https://github.com/search?q=repo%3Aeclipse-tractusx%2Fportal-frontend+ghcr&type=code

TRG 4.06 separate notice file for DockerHub has all necessary information

• portal-frontend https://github.com/eclipse-tractusx/portal-frontend/blob/release/v2.4.0-RC2/.conf/docker-notice-portal.md

TRG 4.07 root file system is set to read access by default, but can be overwritten by the user

• portal-frontend https://github.com/eclipse-tractusx/portal-frontend/blob/release/v2.4.0-RC2/.conf/docker-notice-portal.md

TRG 5 Helm

TRG 5.01 Helm chart requirements

• portal https://github.com/eclipse-tractusx/portal/tree/main/charts

TRG 5.02 Helm chart location in /charts directory and correct structure (https://github.com/eclipse-tractusx/portal/tree/portal-2.4.0-RC1/charts/portal)

• portal https://github.com/eclipse-tractusx/portal/tree/main/charts
• portal-iam https://github.com/eclipse-tractusx/portal-iam/tree/main/charts

TRG 5.03 proper version strategy

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 5.04 CPU / MEM resource requests and limits and are properly set

• portal https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/charts/portal/values.yaml#L163-L202
• portal-iam https://github.com/eclipse-tractusx/portal-iam/blob/96155aa8654040dace7e83c6c09b269b5a61d590/charts/sharedidp/values.yaml#L195

TRG 5.06 Application must be configurable through the Helm chart (https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/charts/portal/values.yaml)

• portal https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/charts/portal/values.yaml
• portal-iam https://github.com/eclipse-tractusx/portal-iam/blob/96155aa8654040dace7e83c6c09b269b5a61d590/charts/sharedidp/values.yaml

TRG 5.07 Dependencies are present and properly configured in the Chart.yaml

• portal https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/charts/portal/Chart.yaml

TRG 5.08 Product has a single deployable helm chart that contains all components

• portal https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/charts/portal/Chart.yaml

TRG 5.09 Helm Test running properly

• portal https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/.github/workflows/portal-chart-test.yaml | https://github.com/eclipse-tractusx/portal/actions/workflows/portal-chart-test.yaml

TRG 5.10 Products need to support 3 versions at a time

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 5.11 Upgradeability

• portal https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/.github/workflows/portal-image-update.yml | https://github.com/eclipse-tractusx/portal/actions/workflows/portal-image-update.yml

TRG 6 Released Helm Chart

TRG 6.01 Released Helm Chart

• portal https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/.github/workflows/chart-release.yaml

TRG 7 Open Source Governance

TRG 7.01 Legal Documentation

• portal https://github.com/eclipse-tractusx/portal/tree/portal-2.4.0-RC1

TRG 7.02 License and copyright header

• portal https://github.com/search?q=repo%3Aeclipse-tractusx%2Fportal-frontend+SPDX-License-Identifier%3A+Apache-2.0&type=code
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 7.03 IP checks for project content

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 7.04 IP checks for 3rd party content

• portal-frontend https://github.com/eclipse-tractusx/portal-frontend/blob/v2.4.0-RC2/DEPENDENCIES
• portal-frontend-registration https://github.com/eclipse-tractusx/portal-frontend-registration/blob/v2.1.1-RC1/DEPENDENCIES
• portal-shared-components https://github.com/eclipse-tractusx/portal-shared-components/blob/v3.7.6/DEPENDENCIES
• portal-backend https://github.com/eclipse-tractusx/portal-backend/blob/v2.4.0-RC1/DEPENDENCIES
• portal-assets https://github.com/eclipse-tractusx/portal-assets/blob/v2.4.0-RC1/DEPENDENCIES

TRG 7.05 Legal information for distributions (https://github.com/eclipse-tractusx/portal/blob/portal-2.4.0-RC1/NOTICE.md)

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 7.06 Legal information for end user content (https://github.com/eclipse-tractusx/portal-frontend/blob/release/v2.4.0-RC2/NOTICE.md)

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 7.07 Legal notice for documentation (non-code) (https://github.com/eclipse-tractusx/portal-assets/blob/v2.0.0/NOTICE.md)

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 7.08 Legal notice for KIT documentation

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

TRG 8 Security (to be checked)

• TRG 8.01 Mitigate high and above findings in CodeQL
• TRG 8.02 Mitigate high and above findings in KICS
• TRG 8.04 Mitigate high and above findings in Trivy
• TRG 8.03 No secret findings by GitGuardian or TruffleHog

TRG 9 UX/UI Styleguide

TRG 9.01 UI consistency/styleguide for UI

• portal
• portal-frontend
• portal-frontend-registration
• portal-shared-components
• portal-backend
• portal-assets
• portal-iam

[evegufy]

@saadanzari thanks for the checks so far! for potential uncertainties, I would be great if you could check how those points were handled/documented in the previous check #481

[saadanzari]

thanks @evegufy I followed the same,
for TRG 8 Security, I dont have access, please review those. Thanks

[saadanzari]

@evegufy
For IP checks, I currently don't have access to run the tool. however I have checked them locally and found nones restricted ones. can you please run the piplelines check for the repos. thanks

• portal-frontend https://github.com/eclipse-tractusx/portal-frontend/blob/v2.4.0-RC2/DEPENDENCIES no restricted libs found while locally running the tool, since we have current release branch v2.4.0-RC2, the tool needs to run on this one.
• portal-frontend-registration https://github.com/eclipse-tractusx/portal-frontend-registration/blob/v2.1.1-RC1/DEPENDENCIES no restricted libs found while locally running the tool, we have different tagging for registration branch
• portal-shared-components https://github.com/eclipse-tractusx/portal-shared-components/blob/v3.7.6/DEPENDENCIES at current version v.3.7.6 no restricted libs found while locally running the tool, since shared components use its own versioning.
• portal-backend https://github.com/eclipse-tractusx/portal-backend/blob/v2.4.0-RC1/DEPENDENCIES added the latest tagged link for release branch
• portal-assets https://github.com/eclipse-tractusx/portal-assets/blob/v2.4.0-RC1/DEPENDENCIES the documentation will be updated in this repo, so v2.4.0 will be the final release tag. please run the pipline check for this one as well.