• We should enable the License Header Lint GCF GitHub bot on this repo.
• The bot runs a GitHub check called header-check that warns us about invalid/missing (Apache 2.0, etc.) license headers.

Background

• When a new file is added to this repo, we sometimes forget to add the Apache 2.0 license header.
• According to Google-internal docs:

It is necessary to apply a Google copyright notice to any source file that is published or shared outside of Google

• and ...

All published source files should have some form of license header with at least one copyright notice.

Description:

• Currently the cloudbuild job uses a User Access Token to push a comment to the opened PRs.
• This is so because GH has no option of creating Access Tokens against repos/orgs or teams.
• However we should change this and remove the User Access Token.
  • One way we can get around this is to create a simple GitHub bot application that does the commenting
  • Then create an OAuth Token for the application and then use it in the app

What?

As reported by some friction-logs there some warnings during the ansible run. These are related to a deprecation notice for Python2.7 starting from Ansible 2.12. See an example warning below:

[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with 
Ansible 2.12. Current version: 2.7.16 (default, Oct 10 2019, 22:02:15) [GCC 8.3.0]. This feature will 
be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.

/home/user/.local/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py:44: 
CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is 
now deprecated in cryptography,  and will be removed in the next release.
  from cryptography.exceptions import InvalidSignature

We need to fix these warnings.

See attachment for an example of log output of the execution of these ansible scripts.

abm-edge-ansible.log

Like we did in BoA (GoogleCloudPlatform/bank-of-anthos#855) or in Online Boutique (GoogleCloudPlatform/microservices-demo#887) it would be great/easy/important to have the securityContext sections in all the Deployments. This will add more security by default for the end users.

And maybe, like BoA the in-cluster databases could be done in another PR if requiring more research/tests.

Any particular reason why PoS apps are with Java 11? Any plan to move them to 17 (LTS) or 18 or even 19?

FYI:

• Online Boutique is now in 18, soon in 19
• BoA is now in 17:

Description

• Currently we maintain two release branches main and jss. The jss branch is maintained to support the Spanner integration required by the Dynamic Website using Java on GKE Jump Start Solution
  • See jss branch description in: #230
• We also do separate releases for the main app and the jss version of it.
• Ideally we would want to merge these two branches together and do releases only from a single main

Points to consider when merging two branches

• All the existing setups: MySQL, H2 Databases and Spanner must work seamlessly.
• The skaffold dev, release and other dev setups should work as is
• Clear README added for the different scenarios and discoverability of these from the landing page of the repo

Ideal workign scenario:

• The different DB option is configured solely by spring profiles
• The spring profile is simply set using the environment variable
• The application defaults to starting with H2

Description

• Currently the GH token used for the CI steps in CloudBuild is encrypted and is kept in the cloudbuild yaml files
• However, there is a suggestion to move this out of here and use CloudBuild-SecretsManager integration to store and access the token from there
• This was tried in PR #203 . However, it didn't work
• The reason for it not working seems to be that CloudBuild doesn't have the right permissions to access the secrets
• Regardless of what level of permission is given this seems to be not working
• Thus, an internal bug b/267166557 was openned against the documentation to provide more clarity as to how to get this working.

Description

• ApiServer service requires unit tests
  • Controller class

Description:

• Once PR #95 lands into main we have to remove the kubernestes-manifest directory in favor of the newly added k8-manifests directory.
• We have to also ensure all the places where it is referenced is updated

What?

As recently reported on apache.org

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

So, log4j should be updated from 2.16.0 to 2.17.0 to prevent this security risk.

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: The renovate configuration file contains some invalid settings
Message: Invalid configuration option: javascript

Description

• Add unit integration tests to check if the frontend operates as expected!

Policy Bot found one or more issues with this repository.

• Default branch is 'main'
• Branch protection is enabled
• Renovate bot is enabled
• Merge commits disabled
• There is a CODEOWNERS file
• There is a valid LICENSE.md
• There is a CODE_OF_CONDUCT.md
• There is a CONTRIBUTING.md
• There is a SECURITY.md

What?

• The current scripts in the repository uses the manual installation method for Config Sync using kubectl which is unsupported
• As a result this can lead to bugs that can be hard to track: b/200555955 (internal link)
• Thus, we would to re-write the ACM installation in the Ansible scripts to use the gcloud based method

calls to api-server does not get traced.
With the delay profile, we see the browser taking 3 seconds to respond.

But in traces it only shows 600ms. I think trace is being captured for api-server -> payment service. But not ui -> api-server.

Based on this guide of tips to optimize containerized Java apps, it would be great to explore if there is anything to take into account in this repo?

https://cloud.google.com/anthos/run/docs/tips/java

Note: it would be ideal to see if anything from this could be translated into the BankofAnthos and OnlineBoutique repos too.

Description

• Inventory service requires unit tests
  • Controller class
  • Connector for Database
  • Connector for InMemory

It would be great to see if the container base images could be moved to temurin-jre. We recently did this in BoA (see here) and Online Boutique (see here) and the container image sizes were consequently reduced as well as the number of CVEs.

BoA implementation is with Jib too which should inspire this implementation here I guess.

In the directory point-of-sale-app, when running skaffold build in Cloud Shell, I get this error on the api-server:

[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] abm-edge-usecase-workload                                          [pom]
[INFO] service-sdk                                                        [jar]
[INFO] ui                                                                 [jar]
[INFO] api-server                                                         [jar]
[INFO]
[INFO] ----------------< com.google.abm-edge:abm-edge-usecase >----------------
[INFO] Building abm-edge-usecase-workload 0.1.0-SNAPSHOT                  [1/4]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- jib-maven-plugin:3.2.0:_skaffold-fail-if-jib-out-of-date (default-cli) @ abm-edge-usecase ---
[INFO]
[INFO] ----------------< com.google.abm-edge:abm-edge-usecase >----------------
[INFO] Building abm-edge-usecase-workload 0.1.0-SNAPSHOT                  [2/4]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- jib-maven-plugin:3.2.0:build (default-cli) @ abm-edge-usecase ---
[INFO] Skipping containerization of this module (not specified in jib.containerize)
[INFO]
[INFO] ------------------< com.google.abm-edge:service-sdk >-------------------
[INFO] Building service-sdk 0.1.0-SNAPSHOT                                [3/4]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:3.2.0:resources (default-resources) @ service-sdk ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Using 'UTF-8' encoding to copy filtered properties files.
[INFO] skip non existing resourceDirectory /home/mabenoit/point-of-sale/point-of-sale-app/service-sdk/src/main/resources
[INFO] skip non existing resourceDirectory /home/mabenoit/point-of-sale/point-of-sale-app/service-sdk/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) @ service-sdk ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:3.2.0:testResources (default-testResources) @ service-sdk ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Using 'UTF-8' encoding to copy filtered properties files.
[INFO] skip non existing resourceDirectory /home/mabenoit/point-of-sale/point-of-sale-app/service-sdk/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.1:testCompile (default-testCompile) @ service-sdk ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.22.2:test (default-test) @ service-sdk ---
[INFO] Tests are skipped.
[INFO]
[INFO] --- maven-jar-plugin:3.2.0:jar (default-jar) @ service-sdk ---
[INFO]
[INFO] --- jib-maven-plugin:3.2.0:build (default-cli) @ service-sdk ---
[INFO] Skipping containerization of this module (not specified in jib.containerize)
[INFO]
[INFO] -----------------------< com.google.abm-edge:ui >-----------------------
[INFO] Building ui 0.1.0-SNAPSHOT                                         [4/4]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- frontend-maven-plugin:1.12.1:install-node-and-npm (install node and npm) @ ui ---
[INFO] Node v16.13.2 is already installed.
[INFO]
[INFO] --- frontend-maven-plugin:1.12.1:npm (npm install) @ ui ---
[INFO] Running 'npm install' in /home/mabenoit/point-of-sale/point-of-sale-app/ui
[INFO] npm ERR! code ENOTEMPTY
[INFO] npm ERR! syscall rename
[INFO] npm ERR! path /home/mabenoit/point-of-sale/point-of-sale-app/ui/node_modules/ansi-escapes
[INFO] npm ERR! dest /home/mabenoit/point-of-sale/point-of-sale-app/ui/node_modules/.ansi-escapes-XHR7Ud8o
[INFO] npm ERR! errno -39
[INFO] npm ERR! ENOTEMPTY: directory not empty, rename '/home/mabenoit/point-of-sale/point-of-sale-app/ui/node_modules/ansi-escapes' -> '/home/mabenoit/point-of-sale/point-of-sale-app/ui/node_modules/.ansi-escapes-XHR7Ud8o'
[INFO]
[INFO] npm ERR! A complete log of this run can be found in:
[INFO] npm ERR!     /home/mabenoit/.npm/_logs/2022-01-23T05_16_38_791Z-debug.log
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for abm-edge-usecase-workload 0.1.0-SNAPSHOT:
[INFO]
[INFO] abm-edge-usecase-workload .......................... SUCCESS [  0.016 s]
[INFO] service-sdk ........................................ SUCCESS [  0.707 s]
[INFO] ui ................................................. FAILURE [  4.825 s]
[INFO] api-server ......................................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  6.966 s
[INFO] Finished at: 2022-01-23T05:16:38Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.github.eirslett:frontend-maven-plugin:1.12.1:npm (npm install) on project ui: Failed to run task: 'npm install' failed. org.apache.commons.exec.ExecuteException: Process exited with an error: 217 (Exit value: 217) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <args> -rf :ui
maven build failed: exit status 1

It seems to complain while doing npm install, not sure if I'm missing anything to do in Cloud Shell before running skaffold build?

What?

As per the current state of the Ansible installation scripts the process takes ~35 minutes to complete. We can reduce this time by bundling some of the static steps in the Ansible scripts (that does not change with the host_vars) into a VM image.

This can make the quick start experience much better by reducing the time it takes to reach completion.

Notes:

• Everything up to abm-install can be packaged into an image
• The image needs to be available to both GCE and physical machines
• Explore using Packer Qemu builder to create the images
• We can try building the image for QEMU in GCP and converting it

Description

• Payments service requires unit tests
  • Controller class
  • Connector for Database
  • Connector for InMemory

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Datasource	Name	Replacement PR?
npm	standard-version

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

• chore(deps): replace dependency standard-version with commit-and-tag-version 9.5.0

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update java (maven, com.google.cloud.tools:jib-maven-plugin, com.google.googlejavaformat:google-java-format, org.jacoco:jacoco-maven-plugin, org.apache.maven.plugins:maven-surefire-plugin, org.apache.maven.plugins:maven-checkstyle-plugin, org.springframework.boot:spring-boot-maven-plugin, org.apache.commons:commons-lang3, org.springframework:spring-beans, org.springframework.boot:spring-boot-starter-data-jpa, org.springframework.boot:spring-boot-starter-log4j2, org.springframework.boot:spring-boot-starter-test, org.springframework.boot:spring-boot-starter-web, com.google.code.gson:gson, com.github.eirslett:frontend-maven-plugin, org.springframework.boot:spring-boot-starter-parent, com.google.abm-edge:abm-edge-usecase)
• chore(deps): update nodejs (@fortawesome/fontawesome-free, bootstrap, eslint-plugin-vue, vue, vue-template-compiler)
• chore(deps): update dependency lxml to v5.2.2
• Click on this checkbox to rebase all open PRs at once

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• chore(deps): update dependency maven-wrapper to v3
• chore(deps): update spring boot to v3 (major) (org.springframework.boot:spring-boot-maven-plugin, org.springframework.boot:spring-boot-starter-data-jpa, org.springframework.boot:spring-boot-starter-log4j2, org.springframework.boot:spring-boot-starter-test, org.springframework.boot:spring-boot-starter-web, org.springframework.boot:spring-boot-starter-parent)
• fix(deps): update dependency org.springframework:spring-beans to v6

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Description

• Check if app is affected by https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
• If so make changes to mitigate it

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• .mvn/wrapper/maven-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Description

• WHen running the application on database mode (SPRING_PROFILES_ACTIVE=database) we get the following warning:

Apr 21 15:54:19 pos-from-public-image inventory.sh[4269]: Loading class `com.mysql.jdbc.Driver'. 
This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically 
registered via the SPI and manual loading of the driver class is generally unnecessary.

We need to address this by updating the driver in the application-database.properties files of both inventory service and payments service.