Merge pull request #53 from catenax-ng/fix/QG4

 Fix QG4 findings

.github/workflows/build.yml

@@ -5,7 +5,6 @@ on:
     branches:
       - "main"
       - "dev"
-      - "fix/*"
     tags:
       - "v*.*.*"
       - "v*.*.*-*"

.github/workflows/helm-chart-test.yaml

@@ -10,7 +10,8 @@ on:
   pull_request:
     paths:
       - 'charts/country-risk/**'
-
+  workflow_dispatch:
+  # Trigger manually
 jobs:
   lint-test:
     runs-on: ubuntu-latest

.github/workflows/trivy.yml

@@ -1,4 +1,4 @@
-name: "Trivy"
+name: "Trivy Stable"
 
 on:
   push:
@@ -9,12 +9,6 @@ on:
       - 'src/**'
       - 'package.json'
       - 'Dockerfile'
-  # pull_request:
-  # The branches below must be a subset of the branches above
-  # branches: [ main ]
-  # paths-ignore:
-  #   - "**/*.md"
-  #   - "**/*.txt"
   schedule:
     # Once a day
     - cron: "0 0 * * *"
@@ -34,15 +28,13 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.14.0
         with:
           scan-type: "config"
-          # ignore-unfixed: true
-          exit-code: "1"
           hide-progress: false
           format: "sarif"
           output: "trivy-results1.sarif"
-          severity: "CRITICAL,HIGH"
+          vuln-type: "os,library"
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
@@ -68,10 +60,10 @@ jobs:
       # For public images, no ENV vars must be set.
       - name: Run Trivy vulnerability scanner
         if: always()
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.14.0
         with:
           # Path to Docker image
-          image-ref: "ghcr.io/catenax-ng/tx-vas-country-risk-frontend:main"
+          image-ref: "tractusx/vas-country-risk:latest"
           format: "sarif"
           output: "trivy-results2.sarif"
           exit-code: "1"

Dockerfile

@@ -31,6 +31,8 @@ COPY public ./public
 COPY --chown=node:node .env .
 COPY src ./src
 
+COPY LICENSE NOTICE.md DEPENDENCIES SECURITY.md /app/dist/
+
 # Set permissions
 RUN chown -R node:node /app && \
     chmod -R u+rwx,g+rx,o-rwx /app

SECURITY.md

@@ -2,5 +2,18 @@
 
 ## Reporting a Vulnerability
 
-Please report a found vulnerability here:
-[https://www.eclipse.org/security/](https://www.eclipse.org/security/)
+Please do **not** report security vulnerabilities through public GitHub issues.
+
+Please report vulnerabilities to this repository via **GitHub security advisories** instead.
+
+How? Inside affected repository → security tab
+
+for contributor:  
+→ Report a vulnerability
+
+for committer:  
+→ advisories → New draft security advisory
+
+In severe cases, you can also report a found vulnerability via mail or eclipse issue here: https://www.eclipse.org/security/
+
+See [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/projects/handbook/#vulnerability)

charts/country-risk/Chart.yaml

@@ -20,8 +20,8 @@
 apiVersion: v2
 name: country-risk
 type: application
-version: 1.1.1
-appVersion: "1.2.0"
+version: 3.0.3
+appVersion: "1.2.1"
 description: A Helm chart for deploying the Country Risk service
 home: https://github.com/eclipse-tractusx/vas-country-risk-frontend
 sources:
@@ -38,6 +38,6 @@ dependencies:
   repository: https://helm.runix.net
   version: 1.x.x
 - name: country-risk-backend
-  version: 3.0.2
+  version: 3.0.3
 - name: country-risk-frontend
-  version: 3.0.2
+  version: 3.0.3

charts/country-risk/charts/country-risk-backend/Chart.yaml

@@ -36,13 +36,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.0.2
+version: 3.0.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.2.0"
+appVersion: "1.2.1"
 
 dependencies:
   - name: postgresql

charts/country-risk/charts/country-risk-backend/README.md

@@ -148,7 +148,7 @@ vas:
 
 ### country-risk-backend
 
-![Version: 2.0.6](https://img.shields.io/badge/Version-2.0.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 3.0.3](https://img.shields.io/badge/Version-3.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square)
 
 A Helm chart for deploying the Country Risk service
 

charts/country-risk/charts/country-risk-backend/values.yaml

@@ -25,9 +25,9 @@
 replicaCount: 1
 
 image:
-  registry: "ghcr.io"
+  registry: "tractusx"
   # -- Name of the docker image
-  name: "catenax-ng/tx-vas-country-risk-backend"
+  name: "vas-country-risk-backend"
   pullPolicy: Always
   # -- Overrides the image tag whose default is the chart appVersion.
   tag: ""

charts/country-risk/charts/country-risk-frontend/Chart.yaml

@@ -34,10 +34,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.0.2
+version: 3.0.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.2.0"
+appVersion: "1.2.1"

charts/country-risk/charts/country-risk-frontend/README.md

@@ -88,57 +88,57 @@ This way you are able to overwrite any configuration property of the `.env` file
 
 # country-risk-frontend
 
-![Version: 2.0.7](https://img.shields.io/badge/Version-2.0.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 3.0.3](https://img.shields.io/badge/Version-3.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square)
 
 A Helm chart for deploying the Country Risk service
 
 ## Values
 
-| Key | Type | Default                                                      | Description |
-|-----|------|--------------------------------------------------------------|-------------|
+| Key | Type | Default                                               | Description |
+|-----|------|-------------------------------------------------------|-------------|
 | affinity..podAffinityTerm.labelSelector.matchExpressions[0] | object | `{"key":"app.kubernetes.io/name","operator":"DoesNotExist"}` | Match Pod rules |
-| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"`                                   | Key that is used to determine the topology of the cluster |
-| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `100`                                                        |  |
-| appName | string | `"vas-country-risk-frontend"`                                | Name of the backend service |
-| applicationSecret | object | `{"enabled":false}`                                          | Defines the client secret and client ID |
-| autoscaling | object | `{"enabled":false}`                                          | Specifies whether autoscaling should be enabled for the pod |
-| certificate.host | string | `"localhost"`                                                | Hostname for the certificate |
-| configmap.create | bool | `true`                                                       |  |
-| elastic.enabled | bool | `false`                                                      | Should elastic be enabled or not |
-| elastic.security.tls | object | `{"restEncryption":false}`                                   | Information about the transport layer security (TLS) |
-| elastic.security.tls.restEncryption | bool | `false`                                                      | Encryption for the REST requests made to the Elastic cluster |
-| image.name | string | `"catenax-ng/tx-vas-country-risk-frontend"`                  | Name of the docker image |
-| image.pullPolicy | string | `"Always"`                                                   |  |
-| image.registry | string | `"ghcr.io"`                                                  |  |
-| image.tag | string | `""`                                                         | Overrides the image tag whose default is the chart appVersion. |
-| imagePullSecrets | list | `[]`                                                         | List of secrets to be used |
-| ingress.annotations."nginx.ingress.kubernetes.io/force-ssl-redirect" | string | `"true"`                                                     | HTTP traffic should be redirected to HTTPS |
-| ingress.annotations."nginx.ingress.kubernetes.io/ssl-passthrough" | string | `"true"`                                                     | Ingress controller should pass SSL traffic directly to the backend pods |
-| ingress.className | string | `"nginx"`                                                    | Class name |
-| ingress.enabled | bool | `false`                                                      | Ingress enabled or not |
-| livenessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,...}`        | Determines if a pod is still alive or not |
-| livenessProbe.initialDelaySeconds | int | `10`                                                         | Number of seconds to wait before performing the first liveness probe |
-| livenessProbe.periodSeconds | int | `1000`                                                       | Number of seconds to wait between consecutive probes |
-| livenessProbe.successThreshold | int | `1`                                                          | Number of consecutive successful probes before a pod is considered healthy |
-| livenessProbe.timeoutSeconds | int | `1000`                                                       | Number of seconds after which a liveness probe times out |
-| nodeSelector | object | `{}`                                                         | Node placement constraints |
-| podAnnotations | object | `{}`                                                         | Annotations to be added to the running pod |
-| podSecurityContext | object | `{"fsGroup":2000}`                                           | Configuration for security-related options of the running pod |
-| podSecurityContext.fsGroup | int | `2000`                                                       | Set the file system group ID for all containers in the pod |
-| readinessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,...}`        | Determine when a pod is ready to start accepting requests |
-| replicaCount | int | `1`                                                          | Number of replicas of a Kubernetes deployment |
-| resources.limits | object | `{"cpu":"800m","memory":"2Gi"}`                              | Maximum amount of resources that the deployment should be able to consume |
-| resources.requests | object | `{"cpu":"300m","memory":"1Gi"}`                              | Minimum amount of resources that the deployment should be guaranteed to receive |
-| securityContext.allowPrivilegeEscalation | bool | `false`                                                      | Specifies if processes running inside the container can gain more privileges than its initial user |
-| securityContext.capabilities | object | `{"drop":["ALL"]}`                                           | Capabilities that the process inside the container should have |
-| securityContext.runAsGroup | int | `3000`                                                       | Specifies the group ID that the process inside the container should run |
-| securityContext.runAsNonRoot | bool | `true`                                                       | Specifies whether the process inside the container should run as a non-root user |
-| securityContext.runAsUser | int | `10001`                                                      | Specifies the user ID that the process inside the container should run |
-| service | object | `{"port":8080,"type":"ClusterIP"}`                           | Service that should be created for the pod |
-| service.port | int | `8080`                                                       | Service port |
-| service.type | string | `"ClusterIP"`                                                | Type of service to be used |
-| springProfiles[0] | string | `"dev"`                                                      |  |
-| tolerations | list | `[]`                                                         | Pod toleration constraints |
+| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"`                            | Key that is used to determine the topology of the cluster |
+| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `100`                                                 |  |
+| appName | string | `"vas-country-risk-frontend"`                         | Name of the backend service |
+| applicationSecret | object | `{"enabled":false}`                                   | Defines the client secret and client ID |
+| autoscaling | object | `{"enabled":false}`                                   | Specifies whether autoscaling should be enabled for the pod |
+| certificate.host | string | `"localhost"`                                         | Hostname for the certificate |
+| configmap.create | bool | `true`                                                |  |
+| elastic.enabled | bool | `false`                                               | Should elastic be enabled or not |
+| elastic.security.tls | object | `{"restEncryption":false}`                            | Information about the transport layer security (TLS) |
+| elastic.security.tls.restEncryption | bool | `false`                                               | Encryption for the REST requests made to the Elastic cluster |
+| image.name | string | `"vas-country-risk"`                  | Name of the docker image |
+| image.pullPolicy | string | `"Always"`                                            |  |
+| image.registry | string | `"tractusx"`                                           |  |
+| image.tag | string | `""`                                                  | Overrides the image tag whose default is the chart appVersion. |
+| imagePullSecrets | list | `[]`                                                  | List of secrets to be used |
+| ingress.annotations."nginx.ingress.kubernetes.io/force-ssl-redirect" | string | `"true"`                                              | HTTP traffic should be redirected to HTTPS |
+| ingress.annotations."nginx.ingress.kubernetes.io/ssl-passthrough" | string | `"true"`                                              | Ingress controller should pass SSL traffic directly to the backend pods |
+| ingress.className | string | `"nginx"`                                             | Class name |
+| ingress.enabled | bool | `false`                                               | Ingress enabled or not |
+| livenessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,...}` | Determines if a pod is still alive or not |
+| livenessProbe.initialDelaySeconds | int | `10`                                                  | Number of seconds to wait before performing the first liveness probe |
+| livenessProbe.periodSeconds | int | `1000`                                                | Number of seconds to wait between consecutive probes |
+| livenessProbe.successThreshold | int | `1`                                                   | Number of consecutive successful probes before a pod is considered healthy |
+| livenessProbe.timeoutSeconds | int | `1000`                                                | Number of seconds after which a liveness probe times out |
+| nodeSelector | object | `{}`                                                  | Node placement constraints |
+| podAnnotations | object | `{}`                                                  | Annotations to be added to the running pod |
+| podSecurityContext | object | `{"fsGroup":2000}`                                    | Configuration for security-related options of the running pod |
+| podSecurityContext.fsGroup | int | `2000`                                                | Set the file system group ID for all containers in the pod |
+| readinessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,...}` | Determine when a pod is ready to start accepting requests |
+| replicaCount | int | `1`                                                   | Number of replicas of a Kubernetes deployment |
+| resources.limits | object | `{"cpu":"800m","memory":"2Gi"}`                       | Maximum amount of resources that the deployment should be able to consume |
+| resources.requests | object | `{"cpu":"300m","memory":"1Gi"}`                       | Minimum amount of resources that the deployment should be guaranteed to receive |
+| securityContext.allowPrivilegeEscalation | bool | `false`                                               | Specifies if processes running inside the container can gain more privileges than its initial user |
+| securityContext.capabilities | object | `{"drop":["ALL"]}`                                    | Capabilities that the process inside the container should have |
+| securityContext.runAsGroup | int | `3000`                                                | Specifies the group ID that the process inside the container should run |
+| securityContext.runAsNonRoot | bool | `true`                                                | Specifies whether the process inside the container should run as a non-root user |
+| securityContext.runAsUser | int | `10001`                                               | Specifies the user ID that the process inside the container should run |
+| service | object | `{"port":8080,"type":"ClusterIP"}`                    | Service that should be created for the pod |
+| service.port | int | `8080`                                                | Service port |
+| service.type | string | `"ClusterIP"`                                         | Type of service to be used |
+| springProfiles[0] | string | `"dev"`                                               |  |
+| tolerations | list | `[]`                                                  | Pod toleration constraints |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

charts/country-risk/charts/country-risk-frontend/values.yaml

@@ -25,9 +25,9 @@
 replicaCount: 1
 
 image:
-  registry: "ghcr.io"
+  registry: "tractusx"
   # -- Name of the docker image
-  name: "catenax-ng/tx-vas-country-risk-frontend"
+  name: "vas-country-risk"
   pullPolicy: Always
   # -- Overrides the image tag whose default is the chart appVersion.
   tag: ""

charts/country-risk/values.yaml

@@ -23,9 +23,9 @@ country-risk-frontend:
   replicaCount: 1
 
   image:
-    registry: "ghcr.io"
+    registry: "tractusx"
     # -- Name of the docker image
-    name: "catenax-ng/tx-vas-country-risk-frontend"
+    name: "vas-country-risk"
     pullPolicy: Always
     # -- Overrides the image tag whose default is the chart appVersion.
     tag: ""
@@ -155,9 +155,9 @@ country-risk-backend:
 
   replicaCount: 1
   image:
-    registry: "ghcr.io"
+    registry: "tractusx"
     # -- Name of the docker image
-    name: "catenax-ng/tx-vas-country-risk-backend"
+    name: "vas-country-risk-backend"
     pullPolicy: Always
     # -- Overrides the image tag whose default is the chart appVersion.
     tag: ""