Merge pull request #258 from eclipse-tractusx/release/v1.8.0-RC5

build(1.8.0-RC5): merge release into main

Author: evegufy

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 New features, fixed bugs, known defects and other noteworthy changes to each release of the Catena-X Portal Assets.
 
+## 1.8.0-RC5
+
+### Change
+
+- improved offer release process documentation
+- updated security assessment
+
+### Bugfix
+
+- fixed links (relative links, image links and links to GitHub) in documentation app
+
 ## 1.8.0-RC4
 
 ### Change

docs/developer/01. Registration/04. Registration Approval/03. Registration Approval Process.md

@@ -551,9 +551,8 @@ Response "Success" => set status to "DONE"
 ##### Details "Activation"
 
 <p align="center">
-<img width="687" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/identity-wallet-overview.png
-">
-</p>p>
+<img width="687" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/identity-wallet-overview.png">
+</p>
 
 <br>
 The complete company account activation (as a result of the successful application checklist finalization) is automatically executed when the following pre-requisites are fulfilled:

docs/developer/02. Technical Integration/02. Identity Provider Management/02. Configure Company IdP.md

@@ -11,7 +11,7 @@ The initial overlay is used to create the IdP record with the respective IdP typ
 <br>
 
 <p align="center">
-<img width="680" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/create-idp-start.png>
+<img width="680" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/create-idp-start.png">
 </p>
 
 <br>

docs/developer/03. User Management/04. App Access Management/02. Assign App Role Page Overview.md

@@ -84,7 +84,7 @@ Example:
 
 In case the api is responding with an empty array, the UI will display following messages:
 
-<img width="700" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/add-permissions-company-user.png">
+<img width="700" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/app-user-list.png">
 
 <br>
 <br>

docs/developer/04. Apps/02. App Release Process/App Release Process.md

@@ -417,15 +417,36 @@ In case the privacy policies can not get loaded, the response will look like def
 <br>
 <br>
 
-#### Step 3 - Terms & Conditions / Consent
+### Step 3 - Terms & Conditions / Consent
+
+<br>
+
+This step in the app release process is ensuring that your application meets the marketplace's standards and complies with all legal and regulatory requirements.
+Following actions are covered in the step:
+
+- Agreement to Marketplace Rules and Terms & Conditions
+- Upload of App Dataspace Conformity Certification
+
+<br>
 
 <img width="576" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/app-creation-consent-contract-input.png">
 
-Depending on the response of the endpoint #1 GET agreements, the user will be enabled to download related documents from the portal to read through the relevant agreement details. Expected formats are pdf, however other formats can get supported as well.
+<br>
+<br>
+
+### Agreement to Marketplace Rules and Terms & Conditions
+
+Before the app provider can proceed with the release process, they first must agree to the marketplace's rules and Terms & Conditions. This agreement is essential for ensuring that the provider app adheres to the marketplace's quality standards, operational guidelines, and legal requirements.
+To display the relevant agreements, respective linked documents and to store the provider consent, the following endpoints are to be used:
+
+- GET /api/apps/appreleaseprocess/agreementData - used to fetch all necessary appReleaseProcess agreements
+- GET /api/administration/documents/frameDocuments/{documentId} - used to enable the user to access agreement documents
+- POST /api/apps/appreleaseprocess/consent/{appId}/agreementConsents - post consent
+- GET /api/apps/AppReleaseProcess/{appId}/appStatus - to check the current given consent status
 
 <br>
 
-###### #1 Retrieve Terms & Conditions
+#### #1 Retrieve Terms & Conditions
 
 Terms and Conditions are fetched via the endpoint
 
@@ -439,9 +460,9 @@ Response Body
 
     [
       {
-        "agreementId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
+        "agreementId": "uuid",
         "name": "string",
-        "documentId": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
+        "documentId": "uuid"
       }
     ]
 
@@ -462,7 +483,7 @@ If the documentId is NULL, the agreement is displayed without link (as currently
 <br>
 <br>
 
-###### #2 Retrieve Documents
+#### #2 Retrieve Documents
 
 Terms and Conditions with an document ID in API endpoint #1 can get retrieved via the document endpoint GET /frameDocuments/{documentId}
 
@@ -479,7 +500,48 @@ Response Body
 <br>
 <br>
 
-###### #3 Upload Document
+<br>
+<br>
+
+#### #3 Store Consent for Agreements
+
+The given consent or the unapproved consent for the needed agreements are stored via the POST endpoint.
+The endpoint will store the newly added agreement status as well as update existing consent status if necessary.
+
+```diff
+! POST: /api/apps/appreleaseprocess/consent/{appId}/agreementConsents
+```
+
+<br>
+
+Response Body
+
+    {
+      "agreements": [
+        {
+          "agreementId": "uuid",
+          "consentStatus": "ACTIVE"
+        }
+      ]
+    }
+
+<br>
+<br>
+
+### Conformity Certification
+
+The Service Dataspace Conformity Certification is a document that certifies that the service provider service complies with specific data handling, privacy, and security standards. This certification is crucial for marketplaces that prioritize the safety and privacy of their users.
+To support the conformity certificate upload, following endpoints are available:
+
+- GET /api/apps/appeReleaseProcess/{appId}/appStatus - to retrieve already uploaded certificates (if any existing)
+- PUT /api/apps/appreleaseprocess/updateappdoc/{appId}/documentType/{documentTypeId}/documents - to store the conformity certificate
+- DELETE /api/apps/appreleaseprocess/documents/{documentId} - used to delete the conformity certificate
+
+Note, only PDF is supported.
+
+<br>
+
+#### #1 Upload Document
 
 The user has to upload the app conformity document.
 
@@ -491,18 +553,21 @@ Type: CONFORMITY_APPROVAL_BUSINESS_APPS
 
 <br>
 
-###### #4 DELETE Document
+#### #2 DELETE Document
 
 In case the user identifiers that a wrong document got uploaded in the respective step, the DELETE endpoint is used to delete documents linked to the app.
 Important: the deletion is not reversible - since the app is still under DRAFT, all app related details will get deleted immediately.
 
 ```diff
-! Delete: /api/apps/appreleaseprocess/documents/{documentId}
+! DELETE /api/apps/appreleaseprocess/documents/{documentId}
 ```
 
 <br>
 <br>
 
+<br>
+<br>
+
 #### Step 4 - Integration - Role Upload
 
 <br>

docs/developer/05. Service(s)/02. Service Release Process/03.Terms&Conditions.md

@@ -2,13 +2,28 @@
 
 <br>
 
-<img width="536" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/service-creation-contract-constent.png">
+This step in the service release process is ensuring that your application meets the marketplace's standards and complies with all legal and regulatory requirements.
+Following actions are covered in the step:
 
-Depending on the response of the endpoint #1 GET agreements, the user will be enabled to download related documents from the portal to read through the relevant agreement details. Expected formats are pdf, however other formats can get supported as well.
+- Agreement to Marketplace Rules and Terms & Conditions
+- Upload of App Dataspace Conformity Certification
 
 <br>
 
-### Implementation Details
+<img width="536" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/service-creation-contract-constent.png">
+
+<br>
+<br>
+
+### Agreement to Marketplace Rules and Terms & Conditions
+
+Before the service provider can proceed with the release process, they first must agree to the marketplace's rules and Terms & Conditions. This agreement is essential for ensuring that the service provider service adheres to the marketplace's quality standards, operational guidelines, and legal requirements.
+To display the relevant agreements, respective linked documents and to store the provider consent, the following endpoints are to be used:
+
+- GET /api/services/servicerelease/agreementData - used to fetch all necessary serviceReleaseProcess agreements
+- GET /api/administration/documents/frameDocuments/{documentId} - used to enable the user to access agreement documents
+- POST /api/services/servicerelease/consent/{serviceId}/agreementConsents - post consent
+- GET /api/services/ServiceRelease/{serviceId}/serviceStatus - to check the current given consent status
 
 #### #1 Retrieve Terms & Conditions
 
@@ -49,7 +64,7 @@ If the documentId is NULL, the agreement is displayed without link (as currently
 
 #### #2 Retrieve Documents
 
-Terms and Conditions with an document ID in API endpoint #1 can get retrieved via the document endpoint GET /frameDocuments/{documentId}
+Depending on the response of the endpoint #1 GET agreements, the user will be enabled to download related documents from the portal to read through the relevant agreement details. Expected formats are pdf, however other formats can get supported as well.
 
 ```diff
 Get: /api/administration/documents/frameDocuments/{documentId}
@@ -89,6 +104,20 @@ Response Body
 <br>
 <br>
 
+### Conformity Certification
+
+The Service Dataspace Conformity Certification is a document that certifies that the service provider service complies with specific data handling, privacy, and security standards. This certification is crucial for marketplaces that prioritize the safety and privacy of their users.
+To support the conformity certificate upload, following endpoints are available:
+
+- GET /api/services/ServiceRelease/{serviceId}/serviceStatus - to retrieve already uploaded certificates (if any existing)
+- PUT /api/services/ServiceRelease/updateservicedoc/{serviceId}/documentType/{documentTypeId}/documents - to store the conformity certificate
+- DELETE /api/services/ServiceRelease/documents/{documentId} - used to delete the conformity certificate
+
+Note, only PDF is supported.
+
+<br>
+<br>
+
 ## NOTICE
 
 This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).

docs/developer/Technical Documentation/Architecture/Security-Assessment.md

@@ -5,8 +5,8 @@
 | Contact for product       | [@evegufy](https://github.com/evegufy) <br> [@jjeroch](https://github.com/jjeroch)             |
 | Security responsible      | [@SSIRKC](https://github.com/SSIRKC) <br> [Szymon Kowalczyk]([email protected]) |
 | Version number of product | 23.12                                                                                          |
-| Dates of assessment       | 2023-11-14: Re-Assessment                                                                      |
-| Status of assessment      | RE-ASSESSMENT DRAFT                                                                            |
+| Dates of assessment       | 2024-02-13: Re-Assessment                                                                      |
+| Status of assessment      | RE-ASSESSMENT Finalized                                                                        |
 
 ## Product Description
 
@@ -133,7 +133,7 @@ RS <-->|Company data \n user role data \n T&C / consent agreements| RF
     MSS <--> PF
     MSS <-.-> K
     MSS ==>|Company app subscription data \n app service data + user preferences| PDB
-    SDF <--> CH
+    SDF <-->|Out of Scope \n details may be found in Gaia-X \n and SD Factory Repositories| CH
     SDT -.->|Product meta data| PF
     NC1 & CU-Shared1 & NC2 & CU-Shared2 & NC3 & CU-Shared3 & CU-Own -.-> |OIDC| K
     K <-.-> |"Authentication/authorization data (using JWT)"| RF & PF
@@ -208,6 +208,7 @@ All threats identified are mitigated.
 - Software Composition Analysis (SCA) - VeraCode
 - Container Scan conducted - Trivy
 - Infrastructure as Code - KICS
+- Securing code, dependencies, containers, IaC and Cloud Deployments - SNYK
 
 Also see [Penetrations Tests](../Tests/Tests.md#penetration-tests).
 

docs/static/consent-contract-tickbox-document.png

@@ -6,7 +6,7 @@
 - [User Migration](./03.%20User%20Migration.md)
 - [Identity Provider Disablement](./05.%20Disable%20Identity%20Provider.md)
 - [Identity Provider Deletion](./04.%20Identity%20Provider%20Deletion.md)
-- [FAQ](./04.%20FAQ.md)
+- [FAQ](./06.%20FAQ.md)
 
 <br>
 <br>

docs/user/02. Technical Integration/02. Identity Provider Management/index.md

@@ -1,6 +1,6 @@
 ### Step 3 - Terms & Conditions / Consent
 
-Under Step 3 - the user needs to agree to the terms and conditions of the app publish rules before getting on the marketplace. This section is mandatory and displays agreement documents; if any documents are linked to the relevant agreement types
+This step in the app release process is ensuring that your application meets the marketplace's standards and complies with all legal and regulatory requirements. Below is a detailed guide on how to complete this phase successfully.
 
 <br>
 
@@ -11,6 +11,31 @@ Under Step 3 - the user needs to agree to the terms and conditions of the app pu
 <br>
 <br>
 
+#### Agreement to Marketplace Rules and Terms & Conditions
+
+Before you can proceed with uploading your app to the marketplace, you must first agree to the marketplace's rules and Terms & Conditions. This agreement is essential for ensuring that your app adheres to the marketplace's quality standards, operational guidelines, and legal requirements. To complete this step, follow the instructions below:
+
+- **Review the Documents:** Carefully read through the marketplace rules and Terms & Conditions. Pay special attention to sections detailing your rights and responsibilities as a developer/provider, as well as any requirements your app must meet to be eligible for listing.
+
+- **Accept the Agreement:** After reviewing the documents, you will find an option to accept the Terms & Conditions. This usually involves checking a box to indicate your agreement and then clicking a button to confirm. By doing so, you are legally binding yourself to these terms, so ensure you understand them fully before agreeing.
+
+#### Upload of App Dataspace Conformity Certification
+
+The App Dataspace Conformity Certification is a document that certifies your app complies with specific catena-x dataspace, data handling, privacy, and security standards. This certification is crucial for marketplaces that prioritize the safety and privacy of their users as well as it gives the customer the trust that all catena-x dataspace quality standards are followed. Follow these steps to upload your certification:
+
+- **Prepare Your Certification:** Before you can upload your certification, you must obtain it from a recognized certifying authority. Ensure that your app meets all the criteria for certification and that your documentation is up to date. Respective certification authorities can get found on the catena-x homepage.
+
+- **Access the Certification Upload Section:** On the app submission page, look for the section designated for uploading conformity certifications. This section is typically found after the agreement to marketplace rules and Terms & Conditions.
+
+- **Upload Your Certification:** Click on the upload button and select your certification document from your files. The marketplace accepts PDF format. Ensure the document is clear and all information is legible.
+
+<br>
+
+Once you have successfully completed the page; proceed to the next step "Technical Integration".
+
+<br>
+<br>
+
 ## NOTICE
 
 This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).

docs/user/04. App(s)/02. App Release Process/03. Terms&Conditions.md

@@ -1,16 +1,37 @@
 ### Step 3 - Terms & Conditions / Consent
 
-Under Step 3 - the user needs to agree to the terms and conditions of the service publish rules before getting on the marketplace. This section is mandatory and displays agreement documents; if any documents are linked to the relevant agreement types
+This step in the service release process is ensuring that your service offer meets the marketplace's standards and complies with all legal and regulatory requirements. Below is a detailed guide on how to complete this phase successfully.
 
 <br>
 
 <p align="center">
 <img width="536" alt="image" src="https://raw.githubusercontent.com/eclipse-tractusx/portal-assets/main/docs/static/service-creation-contract-constent.png">
 </p>
 
+<br>
+<br>
+
+#### Agreement to Marketplace Rules and Terms & Conditions
+
+Before you can proceed with uploading your service offer to the marketplace, you must first agree to the marketplace's rules and Terms & Conditions. This agreement is essential for ensuring that your service adheres to the marketplace's quality standards, operational guidelines, and legal requirements. To complete this step, follow the instructions below:
+
+- **Review the Documents:** Carefully read through the marketplace rules and Terms & Conditions. Pay special attention to sections detailing your rights and responsibilities as a developer/provider, as well as any requirements your service must meet to be eligible for listing.
+
+- **Accept the Agreement:** After reviewing the documents, you will find an option to accept the Terms & Conditions. This usually involves checking a box to indicate your agreement and then clicking a button to confirm. By doing so, you are legally binding yourself to these terms, so ensure you understand them fully before agreeing.
+
+#### Upload of Service Dataspace Conformity Certification
+
+The Service Dataspace Conformity Certification is a document that certifies your service complies with specific catena-x dataspace, data handling, privacy, and security standards. This certification is crucial for marketplaces that prioritize the safety and privacy of their users as well as it gives the customer the trust that all catena-x dataspace quality standards are followed. Follow these steps to upload your certification:
+
+- **Prepare Your Certification:** Before you can upload your certification, you must obtain it from a recognized certifying authority. Ensure that your service meets all the criteria for certification and that your documentation is up to date. Respective certification authorities can get found on the catena-x homepage or within the portal company role details "Service Provider".
+
+- **Access the Certification Upload Section:** On the service submission page, look for the section designated for uploading conformity certifications. This section is typically found after the agreement to marketplace rules and Terms & Conditions.
+
+- **Upload Your Certification:** Click on the upload button and select your certification document from your files. The marketplace accepts PDF format. Ensure the document is clear and all information is legible.
+
 <br>
 
-In case any documents or further details to the agreements are available, the agreement will be blue highlighted and can get downloaded by clicking on the agreement title.
+Once you have successfully completed the page; proceed to the next step "Technical Integration" or you might directly get forwarded to the "Verify&Submit" step, depending on your service offering type.
 
 <br>
 <br>