SAST: CodeQL transition is ongoing, PRs to add corresponding workflows is ongoing. Veracode license will expire at the end of March, so everyone is encouraged to review their workflows to ensure a timely transition to CodeQL.
DAST: Invicti license will expire at the end of August and already exceeded the website limit. There will be no DAST tool required for the next Quality Gate.
Secret scanning
Gitguardian is currently set up, but Gitleaks is a potential successor.
Testing of Github secret scanning is still in progress.
TRG 8.0 has been published as a draft, adjustments as PR are warmly welcome.
Role of the committer is being discussed, it will be presented in the next committer meeting.
Basic role descriptions come from the Eclipse Foundation, but we want to specify in Tractus-X
what else can be expected from a contributor,
commiter and project lead.
Association release process and Eclipse Tractus-X needs to be aligned as the first is managed by
the association and the second should be driven by the community.
We should align on how and where a migration documentation should be created for products.
This would ensure that upon Breaking Changes the upgrade processes can run smoothly with
a guide available for everyone. The guide could include property, configuration, API changes
and everything else that would affect the upgrade process from and old version to the new.
A draft will be available on a working model that could be implemented by the products soon.
A TRG could include information on where these guide should be located and in which format.
An overarching issue for tracking the tool shifts was discussed, as it is necessary for proper planning by teams.
Teams need to estimate efforts to adjust Github workflows
The PR for the new Security TRG was discussed, which includes a new requirement of remediation of findings with medium severity, but not for the 25.05 release.
Concerns were raised about the need for additional planned team resources for triaging these issues, and it was suggested that the TRG should be finalized and teams made aware.
What are best-practices for scheduling security tools Action workflows, with every PR or another frequency?
The TRG claims at least once, this is mandatory baseline for all.
Best practice is more frequently, recommendations differ per tool (e.g. secret scanning for every PR, dependency scan on a weekly basis).
The trigger will be on push + on pull + scheduled - frequency depends on repositories activity, so the team has to decide.
Best practice recommendations will be published in the sig-security repository.
Still looking for volunteers to work on QG reviews together with the system team
Goal is to spread knowledge on how TRGs are checked
Especially interesting for committers, that already know they will stay post consortia
Preparing an open description on our release process. Feel free to comment any suggestion or important topics, you think should be covered on this draft
Markdown linting will again be enabled for KITs. Findings will be collected as issue per KIT
OpenAPI plugin for docusaurus will be removed
OpenAPI definitions will be pushed to SwaggerHub. User credentials available as org secrets
Ongoing discussions: Some definitions might be published through standard and therefore out of eclipse-tractusx
New TRG/s from security team was presented requesting for feedback Security TRG 8.0.
Suggested to contact security team directly for any support required to use, complete Invicti related issues/tasks.
Update for static application security testing/source code scanning, ongoing transition from Veracode to CodeQL. Reach out to security team for any assistance.
Question related to TRG 1.04 Diagrams as code, if there a need/requirement to convert already existing .png diagrams. It is recommended to use described in the TRG toolset to keep good level of maintainability of the diagrams, not a hard requirement though in case there is lack of source.
Please be aware of our Markdown lint problem in the eclipse-tractusx.github.io that currently only the /docs folder is checked and should be extended to more markdown file directories
TRG Update information about TRG 3-1 that was superseded by TRG 5-09
Upcoming Office Hours meeting minutes will be reported in the community section of our webpage and you can find here
Whenever a new room is created in the Eclipse Matrix chat, please announce it in the main Tractux-X room,
office hour and mailing list so everybody can learn about it and join.
There was a new election for a project lead role for Stephan Bauer
The Eclipse Project Handbook changed the section about handling copyright headers. A year range is not longer necessary, only the year when
the file was created so there is no need to keep an eye on updating the headers. It is still allowed to put year range (creation date and
last modification year) in the header but they have to be separated with comma character.
Please sign the Eclipse Contributor Agreement when trying to contribute to the webpage. Without that it is not possible to merge commits
to the main branch.
❗ Please don't put any Catena-X content or resource on the website without permission.
New Open Meetings Links are listed directly on our webpage to participate and separate calendar files can be downloaded from there.
Office hours will probably start a few minutes later so the people don't have to wait until everyone gets there.
Commiters and Contributors Meeting could be a new form of communication where the committers are more involved getting some pressure off the System Team.
Newjoiner rounds for basic introductions would be held every 2 weeks in a separate session.
Currently there is a temporary solution for the Managed Identity Wallet by SAP until the open source version is fixed. This is a COTS
application and it raises questions like how it can be integrated into an open source software stack like the umbrella chart. It is not confirmed yet
whether the version from SAP can be used without a license. Currently all components can run without MIW but data exchange functionality won't work.
Public API versioning is still an open topic where no decision has been made to create a TRG or guide the Tractus-X community to follow
one versioning strategy.
An alternative for MS Teams should be found as it is hard to manage for an open community (e.g. Discord).
discussion regarding the "Notice for docker image" to be moved into a separate file.
TRG 4.06 will be updated to mandate a dedicated file.
Please keep in mind to update your docker build workflow to include the new file instead of the README.md. See example of TRG 4.05 for reference.
discussion on where to discuss about new / changes to existing TRGs: TRG draft section, within the PR or GitHub discussions
Sebastian is going to create a PR so everybody can vote on it
As multiple people struggle with our current docusaurus1 setup, there will be a training/hands-on session soon. It's will be announced on the mailing list.
Content updates for KITs: Please ensure that no copyrighted content (incl. Catena-X) is contributed to Tractus-X.
False-positive issues opened by Trivy - please raise a "tooling support" issue in the sig-security repository
docusaurus: the generator for the pages you are reading right now↩
