CRS Catalog issues (https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/issues), feed updated 2024-03-25T12:11:21Z

Issue #79: Removal of CSPs Modules and Main Class Reassignment to the Core
https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/issues/79
Updated 2024-03-25T12:11:21Z; author: Rustam Lotsmanenko (EPAM) <rustam_lotsmanenko@epam.com>

# ADR: Remove provider modules from the CRS Catalog.
Simplify the development and maintenance of the CRS Catalog service by removing CSP modules.
## Status
- [x] Proposed
- [ ] Trialing
- [ ] Under review
- [ ] Approved
- [ ] Retired
## Context & Scope
The CRS-Catalog service operates independently of cloud-specific technologies, conducting all calculations at runtime and storing necessary data within bundled service files. However, within the OSDU Community, four distinct artifacts are generated, each designated per CSP, tested, maintained, and patched for vulnerabilities separately.
## Decision
- Delete provider modules.
- Move the main class to the CRS Catalog Core. ([Azure](https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/blob/master/provider/crs-catalog-azure/crs-catalog-aks/src/main/java/org/opengroup/osdu/crs/CrsAksApplication.java), [AWS](https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/blob/master/provider/crs-catalog-aws/src/main/java/org/opengroup/osdu/crs/CrsApplicationAWS.java), [GC](https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/blob/master/provider/crs-catalog-gc/crs-catalog-gke/src/main/java/org/opengroup/osdu/crs/CRSGKEApplication.java), [IBM](https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/blob/master/provider/crs-catalog-ibm/crs-catalog-ocp/src/main/java/org/opengroup/osdu/crs/CrsOcpApplication.java))
- Merge and move Spring Security Configurations to the CRS Catalog Core. These configurations are used for service request handling and are independent of cloud technologies. Despite minimal differences, these configurations are dispersed across CSPs, leading to inconsistency in handling and increasing the risk of service misconfiguration. ([Azure](https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/blob/master/provider/crs-catalog-azure/crs-catalog-aks/src/main/java/org/opengroup/osdu/crs/security/SecurityConfig.java), [AWS](https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/blob/master/provider/crs-catalog-aws/src/main/java/org/opengroup/osdu/crs/security/AuthSecurityConfig.java), [GC](https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/blob/master/provider/crs-catalog-gc/crs-catalog-gke/src/main/java/org/opengroup/osdu/crs/security/AuthSecurityConfig.java), [IBM](https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/blob/master/provider/crs-catalog-ibm/crs-catalog-ocp/src/main/java/org/opengroup/osdu/crs/security/SecurityConfig.java))
- Merge and move properties files to the CRS Catalog Core.
- Determine the necessity of incorporating CSP libraries as pluggable utilities. These libraries could serve as background utilities for tasks such as log formatting and trace capture. If utilized within the CRS Catalog, establish a method to independently integrate them. This approach could subsequently be adopted for the Community Implementation.
## Rationale
The existing setup of the CRS Catalog multiplies the effort needed for maintenance and release processes without visible benefits. This service contains minimal cloud-specific code, primarily limited to occasional utilities from libraries. By excluding CSP modules, the OSDU Community can offer sustainable, thoroughly tested artifacts for the CRS Catalog, significantly reducing the necessary effort.
## Consequences
* Deletion of provider modules.
* Minor CI/CD refactoring to transition to a single artifact (JAR file) from four different artifacts.
* (Optional, pending agreement) Implement a solution for abstracting utility libraries used by CSPs, which could be beneficial in the future.
## Tradeoff Analysis
Beyond defining an abstraction mechanism for CSP utility libraries, the proposal aims to decrease the effort needed for support, releases, and vulnerability management. But if an abstraction for libraries is needed, it definitely should not introduce more complexity, as that would contradict the main goal of this ADR.
## Alternatives and implications
- Introducing the Core Plus module during the Community Implementation phase. Similar to existing CSP modules, it would be a shallow module. However, introducing custom utilities might pose complexities. On the other hand, it won't be hard to create the same shallow modules elsewhere, but Community OSDU is moving towards maintaining only a single version of the platform.
- Alternatively, we could include the main class, properties, and security configs in the Core, making those components optional without disrupting existing CSP providers.

Assignee: Rustam Lotsmanenko (EPAM) <rustam_lotsmanenko@epam.com>

Issue #32: Upgrade dependent libraries to resolve High and Critical security vulnerabilities
https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/issues/32
Updated 2024-01-11T12:03:21Z; author: Yifan Ye; assignee: Yauhen Shaliou [EPAM/GCP]

Issue #36: [SAST] Missing HSTS Header in file AuthSecurityConfig.java
https://community.opengroup.org/osdu/platform/system/reference/crs-catalog-service/-/issues/36
Updated 2023-11-13T15:14:10Z; author: Yauhen Shaliou [EPAM/GCP]

**Description**
The web application does not define an HSTS header, leaving it vulnerable to attack.
crs-catalog-service/provider/crs-catalog-aws/src/main/java/org/opengroup/osdu/crs/security/AuthSecurityConfig.java
line number: 114

Setting an HSTS header in an HTTP response:
`response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");`
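As an added example that is not the project's own code: the single Spring Security configuration that issue #79 proposes consolidating into the CRS Catalog Core, written so that the HSTS header flagged in issue #36 is emitted by the framework's header writer instead of a hand-placed `response.setHeader` call in one CSP module. It assumes Spring Security 6 (lambda DSL) and a stateless bearer-token API; the class name `CoreSecurityConfig`, the package, and the unauthenticated paths (`/actuator/health`, Swagger) are placeholders, not values taken from the repository.

```java
package org.opengroup.osdu.crs.security; // assumption: package mirrors the paths cited in the issues

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

/**
 * Hypothetical core security configuration (illustrative only, not the CRS Catalog's own class).
 * One filter chain for every deployment target, so the HSTS policy cannot drift between CSPs.
 */
@Configuration
@EnableWebSecurity
public class CoreSecurityConfig {

    // 31536000 seconds = one year, the value recommended in issue #36.
    private static final long HSTS_MAX_AGE_SECONDS = 31536000L;

    @Bean
    public SecurityFilterChain crsCatalogFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless REST API authenticated per request with a bearer token:
            // no HTTP session is created, so no CSRF token is involved.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .headers(headers -> headers
                // Emits "Strict-Transport-Security: max-age=31536000 ; includeSubDomains" on every response.
                .httpStrictTransportSecurity(hsts -> hsts
                    .maxAgeInSeconds(HSTS_MAX_AGE_SECONDS)
                    .includeSubDomains(true)
                    // By default Spring writes HSTS only when request.isSecure() is true. When TLS
                    // terminates at an ingress or load balancer, the pod sees plain HTTP and the
                    // header would be skipped silently, so write it on every request instead.
                    .requestMatcher(AnyRequestMatcher.INSTANCE)))
            .authorizeHttpRequests(auth -> auth
                // Placeholder unauthenticated endpoints (health probe, API docs).
                .requestMatchers("/actuator/health", "/swagger-ui/**", "/v3/api-docs/**").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

Two checks belong with this change. First, the header is only meaningful when the service is reached over TLS, so confirm the deployment's ingress or load balancer terminates HTTPS for the catalog host; if Spring should instead trust the proxy's `X-Forwarded-Proto`, set `server.forward-headers-strategy=framework` in the Boot properties and drop the `requestMatcher` override. Second, verify the result from outside the cluster with `curl -sI https://<catalog-host>/<any-path> | grep -i strict-transport-security`; a missing line after the merge means the response is still produced by a path that bypasses this filter chain (an error page or a CSP-specific filter), which is exactly the kind of per-provider drift the ADR is trying to remove.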