Merge branch 'main' into 56-image-repository-and-container-registry-f…

…or-the-backende8

.github/workflows/develop.yaml

@@ -36,13 +36,14 @@ jobs:
           echo "<settings>
                   <servers>
                     <server>
-                      <id>github-ledgers</id>
+                      <id>github-webank</id>
                       <username>${{ github.actor }}</username>
                       <password>${{ secrets.WEBANK_ACCESS_TOKEN }}</password>
                     </server>
                   </servers>
                 </settings>" > ~/.m2/settings.xml
 
+
       - name: Build with webank Online banking
         run: mvn clean install -s ~/.m2/settings.xml -DskipTests -DskipITs -Dmaven.javadoc.skip=true
 
@@ -59,9 +60,62 @@ jobs:
         with:
           java-version: '17'
           distribution: 'temurin'
+      - name: Cache Maven packages
+        uses: actions/cache@v2
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
+      - name: Set up Maven settings.xml
+        run: |
+          mkdir -p ~/.m2
+          echo "<settings>
+                  <servers>
+                    <server>
+                      <id>github-webank</id>
+                      <username>${{ github.actor }}</username>
+                      <password>${{ secrets.WEBANK_ACCESS_TOKEN }}</password>
+                    </server>
+                  </servers>
+                </settings>" > ~/.m2/settings.xml
+
+      - name: Run Unit and Integration Tests
+        run: mvn verify -s ~/.m2/settings.xml -Dmaven.javadoc.skip=true
+
+  security-scan:
+         runs-on: ubuntu-latest
+         needs: build  # Ensures that the security scan runs only if the build job succeeds
+
+         steps:
+           # Step 1: Checkout code
+          - name: Checkout code
+            uses: actions/checkout@v4
+
+           # Step 2: Set up Java
+          - name: Set up Java 17
+            uses: actions/setup-java@v4
+            with:
+             java-version: '17'
+             distribution: 'temurin'
 
-      - name: Run Unit Tests
-        run: mvn test
+           # Step 3: Run OWASP Dependency-Check
+          - name: Run OWASP Dependency-Check
+            uses: dependency-check/Dependency-Check_Action@main
+            env:
+           # actions/setup-java@v1 changes JAVA_HOME so it needs to be reset to match the depcheck image
+              JAVA_HOME: /opt/jdk
+            with:
+             project: 'webank-onlinebanking'
+             path: '.'
+             format: 'HTML'
+             out: 'reports'  
+             args: >
+              --failOnCVSS 5
+            # Step 4: Upload the Dependency-Check report as an artifact
+          - name: Upload Dependency Check report
+            uses: actions/upload-artifact@v3
+            with:
+              name: Dependency-Check Report
+              path: ${{ github.workspace }}/reports
 
-      - name: Run Integration Tests
-        run: mvn verify

Docs/OWASP-SETUP.md

@@ -0,0 +1,91 @@
+# OWASP Dependency-Check Integration in Multi-Module Maven Project
+
+## Overview
+
+This document provides the configuration and setup details for integrating **OWASP Dependency-Check** into a multi-module Maven project. The goal is to ensure that **all modules** within the project are properly scanned for vulnerabilities in their dependencies.
+
+## Prerequisites
+
+- Maven 3.x or higher
+- OWASP Dependency-Check plugin (version `11.1.0` or newer)
+- A multi-module Maven project setup
+
+## Project Structure
+
+The project has the following directory structure:
+
+root-pom.xml  
+├── obs  
+│ └── pom.xml  
+├── online-banking-app  
+│ └── pom.xml  
+└── target
+
+### Root `pom.xml`
+
+The parent POM (`root-pom.xml`) contains the common configurations and plugin definitions shared by all modules in the project. The OWASP Dependency-Check plugin is configured in this POM so that it can be inherited by child modules.
+
+## OWASP Dependency-Check Plugin Configuration
+
+### Parent `pom.xml` (root-pom.xml)
+
+In the root `pom.xml`, define the OWASP Dependency-Check plugin in the `<build>` section to ensure it is inherited by all child modules:
+
+```xml
+<build>
+    <plugins>
+        <!-- OWASP Dependency-Check Plugin -->
+        <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>${owasp.dependency.check.version}</version>
+            <executions>
+                <execution>
+                    <goals>
+                        <goal>check</goal>
+                        <goal>update-only</goal>
+                    </goals>
+                </execution>
+            </executions>
+            <configuration>
+                <aggregate>true</aggregate>
+                <failBuildOnCVSS>0</failBuildOnCVSS>
+            </configuration>
+        </plugin>
+    </plugins>
+</build>
+```
+
+### Running the Plugin
+Once the OWASP Dependency-Check plugin is configured in the root POM, you can run the checks for all modules by executing the following Maven command from the root of the project:
+```mvn clean install``` or ```mvn dependency-check:check```
+
+### Viewing the Report
+
+After the build completes, the Dependency-Check plugin will generate a detailed report of any vulnerabilities found in the dependencies. The report will be saved in the following directory:
+```target/dependency-check-report``` of each project module
+
+### Troubleshooting
+
+**If you encounter issues where the modules are not being scanned:**
+
+1. Check that the child modules inherit the parent POM correctly.
+
+2. Ensure that the dependency-check-maven plugin version is correct 
+(version **11.1.0** in our case case).
+
+3. Verify that the executions block is correctly set up in the root POM.
+
+4. Ensure there are no exclusions or misconfigurations that could prevent the scan from running on a module.
+
+
+### Regular Database Updates
+It is important to keep the OWASP Dependency-Check database up to date. You can configure periodic updates for the vulnerability database using the **update-only** goal:
+
+```mvn dependency-check:update-only```
+
+This command will only update the vulnerability database, ensuring you are scanning with the latest data.
+
+### Conclusion
+
+With this setup, the OWASP Dependency-Check plugin will automatically scan all modules in the multi-module Maven project for known security vulnerabilities in their dependencies. This helps ensure that the project remains secure and that any vulnerabilities are identified early.

obs/obs-rest-api/pom.xml

@@ -35,17 +35,6 @@
             <artifactId>swagger-annotations-jakarta</artifactId>
         </dependency>
 
-        <!-- Spring Boot Starter for Web -->
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-        </dependency>
-
-        <!-- Spring Boot Starter for Testing -->
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-        </dependency>
 
         <dependency>
             <groupId>org.springdoc</groupId>

obs/obs-rest-api/src/main/java/com/adorsys/webank/obs/resource/RegistrationResourceApi.java

@@ -1,8 +1,3 @@
-/*
- * Copyright (c) 2018-2024 adorsys GmbH and Co. KG
- * All rights are reserved.
- */
-
 package com.adorsys.webank.obs.resource;
 
 import com.adorsys.webank.obs.dto.RegistrationRequest;
@@ -12,19 +7,17 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 
-
-
 @RestController
 @RequestMapping("/api/registration")
+@CrossOrigin(origins = "http://localhost:5173")
 public interface RegistrationResourceApi {
 
     @Operation(summary = "Register a new bank account", description = "Accepts a phone number and public key for registration")
     @ApiResponses(value = {
-            @ApiResponse(responseCode = "200", description = "Registration successful"),
-            @ApiResponse(responseCode = "400", description = "Invalid input")
+            @ApiResponse(responseCode = "201", description = "Registration successful"),
+            @ApiResponse(responseCode = "400", description = "Invalid input"),
+            @ApiResponse(responseCode = "500", description = "Internal server error")
     })
     @PostMapping
-    ResponseEntity<String> registerAccount(
-             @RequestBody RegistrationRequest registrationRequest
-    );
+    ResponseEntity<String> registerAccount(@RequestBody RegistrationRequest registrationRequest);
 }

obs/obs-rest-server/src/test/java/com/adorsys/webank/obs/Config/WebConfig.java

@@ -0,0 +1,24 @@
+package com.adorsys.webank.obs.Config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class WebConfig {
+
+    @Bean
+    public WebMvcConfigurer corsConfigurer() {
+        return new WebMvcConfigurer() {
+            @Override
+            public void addCorsMappings(CorsRegistry registry) {
+                registry.addMapping("/**")  // Applies to all endpoints
+                        .allowedOrigins("http://localhost:5173")  // Replace with your frontend URL
+                        .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
+                        .allowedHeaders("*")
+                        .allowCredentials(true);
+            }
+        };
+    }
+}

obs/obs-rest-server/src/test/resources/application.properties

@@ -0,0 +1,15 @@
+# H2 Database Configuration
+spring.h2.console.enabled=true
+spring.datasource.url=jdbc:h2:mem:testdb
+
+# Swagger Configuration
+springdoc.api-docs.path=/api-docs
+springdoc.swagger-ui.path=/swagger-ui.html
+
+# Additional Settings (if needed)
+spring.datasource.driver-class-name=org.h2.Driver
+spring.datasource.username=sa
+spring.datasource.password=
+
+# Hibernate DDL auto (update, create-drop, validate, etc.)
+spring.jpa.hibernate.ddl-auto=update

obs/obs-rest-server/src/test/resources/com/adorsys/webank/obs/resource/mockbank/aspsps-config.yml

@@ -0,0 +1,46 @@
+name: mockbank
+ledger: mockbank
+coaFile: sample_coa_banking.yml
+coaExtensions:
+### Hello Bank
+  - shortDesc: Hello Bank
+    name: 11240
+    parent: 1124
+### Clearing account as subaccount of  Deposits with Centralbank - Non-Interest bearing
+  - shortDesc: SEPA-Clearing Account (sepa-credit-transfers)
+    name: 11031
+    parent: 1103
+  - shortDesc: INSTANT_SEPA-Clearing Account (instant-sepa-credit-transfers)
+    name: 11032
+    parent: 1103
+  - shortDesc: TARGET2-Clearing Account (target-2-payments)
+    name: 11033
+    parent: 1103
+  - shortDesc: CROSS_BORDER-Clearing Account (cross-border-credit-transfers)
+    name: 11034
+    parent: 1103
+### Sample Bank Account Bank account Natural persons (households), residents, Interest bearing
+  - shortDesc: Bank Account Marion Mueller
+    name: DE69760700240340283600
+    parent: 2332
+  - shortDesc: Bank Account Anton Brueckner
+    name: DE80760700240271232400
+    parent: 2332
+  - shortDesc: Bank Account Max Musterman
+    name: DE38760700240320465700
+    parent: 2332
+### Payment products supported.
+clearingAccounts:
+  - paymentProduct: SEPA
+    accountNbr: 11031
+  - paymentProduct: INSTANT_SEPA
+    accountNbr: 11032
+  - paymentProduct: TARGET2
+    accountNbr: 11033
+  - paymentProduct: CROSS_BORDER
+    accountNbr: 11034
+bankParentAccount: 2332
+
+
+### Marker used to prevent repeated processing of this config file.
+updateMarkerAccountNbr: 2320