Merge branch 'dev' into 2-fix-the-risk-treatment-plan

.github/workflows/test-and-publish.yml

@@ -5,6 +5,8 @@ on:
     branches: [ "dev", "main" ]
   pull_request:
     branches: [ "dev", "main" ]
+  release:
+    types: [published]
   workflow_dispatch:
 
 permissions:
@@ -74,24 +76,34 @@ jobs:
 
     - name: Build the Docker image
       # The metadata inside the image will include the final git commit SHA and the time of the final commit.
-      # The tag applied to the image will be like spyderisk/system-modeller:<branch-name>-<timestamp>
+      # If the commit is a tag then the image is also tagged with spyderisk/system-modeller:<tag-name> and the image will include the release number.
+      # Otherwise, the tag applied to the image will be like spyderisk/system-modeller:<branch-name>-<timestamp>
       # e.g. spyderisk/system-modeller:dev-20230405T1012
-      # Where the timestamp is the time of the final commit in the build.
-      # In addition, the image is tagged with spyderisk/system-modeller:<branch-name>-latest
+      # (where the timestamp is the time of the final commit in the build)
+      # and the image will also be tagged with spyderisk/system-modeller:<branch-name>-latest
       run: |
         TAG_ROOT=spyderisk/system-modeller
         TIMESTAMP=$(git show -s --format=%cI ${GITHUB_SHA})
         SHORT_TIME=$(echo ${TIMESTAMP} | sed 's/[-:]//g')
         REF_END=$(echo ${GITHUB_REF} | sed 's/.*\///')
-        TAG_DATE=${TAG_ROOT}:${REF_END}-${SHORT_TIME:0:13}
-        TAG_LATEST=${TAG_ROOT}:${REF_END}-latest
-        echo "TAG_DATE=${TAG_DATE}" >> ${GITHUB_ENV}
-        echo "TAG_LATEST=${TAG_LATEST}" >> ${GITHUB_ENV}
-        docker build --tag ${TAG_DATE} --tag ${TAG_LATEST} --build-arg CI_COMMIT_SHA=${GITHUB_SHA} --build-arg CI_COMMIT_TIMESTAMP=${TIMESTAMP} --file Dockerfile --target ssm-production "."
+        if [[ ${GITHUB_REF} == refs/tags/* ]]; then
+          TAG_RELEASE=${TAG_ROOT}:${REF_END}
+          echo "TAG_RELEASE=${TAG_RELEASE}" >> ${GITHUB_ENV}
+          docker build --tag ${TAG_RELEASE} --build-arg CI_RELEASE=${RELEASE} --build-arg CI_COMMIT_SHA=${GITHUB_SHA} --build-arg CI_COMMIT_TIMESTAMP=${TIMESTAMP} --file Dockerfile --target ssm-production "."
+        else
+          TAG_DATE=${TAG_ROOT}:${REF_END}-${SHORT_TIME:0:13}
+          TAG_LATEST=${TAG_ROOT}:${REF_END}-latest
+          echo "TAG_DATE=${TAG_DATE}" >> ${GITHUB_ENV}
+          echo "TAG_LATEST=${TAG_LATEST}" >> ${GITHUB_ENV}
+          docker build --tag ${TAG_DATE} --tag ${TAG_LATEST} --build-arg CI_COMMIT_SHA=${GITHUB_SHA} --build-arg CI_COMMIT_TIMESTAMP=${TIMESTAMP} --file Dockerfile --target ssm-production "."
+        fi
 
     - name: Push Docker image to registry
       run: | 
         docker login -u ${{ vars.DOCKER_HUB_USERNAME }} -p ${{ secrets.DOCKER_HUB_RW_SECRET }}
-        docker push ${TAG_DATE}
-        docker push ${TAG_LATEST}
-    
+        if [[ ${GITHUB_REF} == refs/tags/* ]]; then
+          docker push ${TAG_RELEASE}
+        else
+          docker push ${TAG_DATE}
+          docker push ${TAG_LATEST}
+        fi

.reuse/DEP5

@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Spyderisk
+Upstream-Contact: Spyderisk Team <team@spyderisk.org>
+Source: https://github.com/Spyderisk/system-modeller/src
+
+Files: src/*
+Copyright: 2024 The Spyderisk Licensors
+License: APACHE-2.0

.reuse/README.md

@@ -0,0 +1,17 @@
+# Spyderisk REUSE compliant licensing file
+
+This is the `.reuse` directory, according to the [REUSE specification](https://reuse.software/spec/).
+
+As of 2024, there are still files in the Spyderisk source tree which do not have copyright headers,
+or have incorrect headers. In the meantime, and for the avoidance of all doubt, and for the benefit
+of automated license scanning software, we have created this directory. In time we will have a correct
+[SPDX header](https://spdx.dev/use/specifications/) on every relevant file, or in a .licence file next to the file as per REUSE.
+
+The copyright claimed by the DEP5 file in this directory is Apache2, and we are
+quite sure there are no licenses which conflict with this in Spyderisk. In
+other words, at worst we have temporarily and legally (but perhaps, impolitely)
+relicensed the code of other people. But at least we have audited all code for
+the reassurance of all users and licensors - Spyderisk is safe and compliant.
+
+The Spyderisk Team
+2024

CODE-OF-CONDUCT.md

@@ -1,8 +1,8 @@
 # Spyderisk Code of Conduct
 
-Version 1.0, November 2023
+Version 1.0
 
-The Spyderisk Project is a friendly community and welcomes contributions. This document outlines both
+The Spyderisk Open Project is a friendly community and welcomes contributions. This document outlines both
 expected and prohibited behaviour.
 
 # Short summary
@@ -121,26 +121,26 @@ accepted or tolerated.
 # Reporting
 
 If you believe you're experiencing unacceptable behaviour 
-as outlined above please contact one of the 
-[current authors in AUTHORS.md](./AUTHORS.md), or send a message to 
-[code-of-conduct@spyderisk.org](mailto:code-of-conduct@spyderisk.org).
+as outlined above please contact one of the current authors 
+[in the CONTRIBUTORS](./CONTRIBUTORS.md) file, or send a message to 
+[team@spyderisk.org](mailto:team@spyderisk.org).
 
-You should expect to receive a reply. After determining a precise description of your
-situation, the team will review and determine next steps. 
+You should certainly get a reply. After determining a precise description of your
+situation, they will review and determine next steps. 
 
-Please also report to us if you observe someone else in distress, or violations of
+Please also report to us if you observe someone else in distress or violations of
 these guidelines.
 
 If you feel you have been unfairly accused of violating these guidelines,
 please follow the same reporting process.
 
 <hr>
 
-This document is (c) 2023 The Spyderisk Authors, under the
+This document is (c) 2024 The Spyderisk Licensors, under the
 [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/) license.
 
-*Heavily Adapted and Compressed from the quite large version 3.1 of the 
-[Mozilla Participation Guidelines](https://www.mozilla.org/en-US/about/governance/policies/participation/),
-released under the same license. We thank Mozilla for their work. First revision and compression done by [LumoSQL](https://lumosql.org).*
+*Lightly adapted from the [LumoSQL project](https://lumosql.org), which in turn heavily adapted and compressed
+version 3.1 of the [Mozilla Participation Guidelines](https://www.mozilla.org/en-US/about/governance/policies/participation/),
+released under the same license.*
 
 

CONTRIBUTING.md

@@ -0,0 +1,101 @@
+# Contributing to the Spyderisk System Modeller Project
+
+Welcome!
+
+We'd love to have your contributions to the Spyderisk System Modeller project. This document is
+about our practical principles of working. 
+
+The overall Spyderisk aim is to
+
+> understand the trustworthiness of socio-technical systems by establishing an international Open Community supporting the research, development, use and support of open, effective, and accessible risk assessment methods, knowledge and tools.
+
+and you can read more about this in the [general Spyderisk description](https://github.com/Spyderisk/), which explains
+who we are and what we do.
+
+Please read our [Code of Conduct](../CODE-OF-CONDUCT.md) to keep our community approachable and
+respectful.
+
+# Who can contribute?
+
+We need all the help we can get on the software and computing side
+of Spyderisk such as Java, python and web development, system configuration,
+software packaging, build/test etc. There is lots of computer science in Spyderisk.
+
+That said, some of the most important work is not by computer scientists.
+
+We also need help from:
+
+* modellers (creating descriptions of real-world situations in a form that Spyderisk can operate on)
+* documenters (describing the current state of risk assessment knowledge, and how Spyderisk implements this)
+* risk specialists (how can we decide what is important? how do we correctly calibrate our response?)
+* ontologists (conceptual understanding of societal goods, risks, threats, harms, attacks, vulnerabilities etc)
+* mathematicians (risk modelling methodologies, robustness of calculations etc)
+* legal specialists (EU legislation on Cyber Resilience, AI, Medical Devices etc)
+* graphic designers (have you seen the corners on our icons??)
+
+If you are any of the above, including a coder, we would love to hear from you.
+Do please drop an email to [team@spyderisk.org](mailto://team@spyderisk.org)
+or open a discussion issue on GitHub.
+
+# Getting started for software developers
+
+* The [system modeller README](../README.md) explains how to set up the development environment
+* Once you have a working local copy of Spyderisk you can run the demonstration System models to get a feel for things
+* It is likely that while doing the above you will already have noticed things that need to be fixed. Great! This document shows you how to make these fixes happen, or
+* Alternatively, you can find an issue from our [List of Open Issues](https://github.com/Spyderisk/system-modeller/issues) you think you would like to solve, and add a comment to say that you are working on a fix, or
+* Create a new query or bug report as described in the following section, and start working on a fix for it
+* Whatever you decide to work on, follow the "How to submit a patch" procedure below
+
+# How to open a query or bug report
+
+At this stage in our young open project, two things are true: there are many bugs to find, and, very often a problem is because the user does not understand how Spyderisk works. If its the latter, then you have not found a bug. When you have a problem, we recommend you:
+
+* Open a [new issue in system-modeller](https://github.com/Spyderisk/system-modeller/issues/new)
+* Select the template marked "New Spyderisk query". If you are very sure its a bug, select "New Spyderisk bug report"
+
+# How to submit a patch
+
+You are about to make us very happy. There are several cases:
+
+* Documentation fix - [create a fork and send a pull request](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork)
+* Obvious code fix - create a fork and pull request, just as for documentation
+* Any other code fix - please create a query or bug report according to the previous section. It may well be that you have code which is good to go, but in our young open project there is a lot of context that might be relevant to what you wish to do.
+
+But basically just talk to us using whatever means you are comfortable with, and we will figure it out.
+
+# Spyderisk project principles
+
+## Openness first
+
+* Our software licensing is Apache 2, and analogously for documentation
+* Our communication is collaborative and collective
+* We build our software around openly published academic theory
+
+## Version control is mandatory
+
+* Our software is under public version control.
+* Our models expressed in data dumps are also under version control
+* We create [PURL permanent URLs for software and documentation](https://purl.archive.org/domain/spyderisk) when there are important new versions. PURL is maintained by [archive.org](https://archive.org) which we hope is stable for the long term
+* We have some legacy software outside the system-modeller Git tree which cannot yet be versioned, but we are working hard on that
+
+## Transparency trumps accuracy
+
+Spyderisk needs to be both trustable and also to progress quickly. Where there
+is incomplete or inaccurate work in the Spyderisk System Modeller code then we document
+this with the string:
+
+```
+WIP: BRIEF TEXT DESCRIPTION, https://github.com/Spyderisk/system-modeller/issues/NNN
+```
+
+Where "BRIEF TEXT DESCRIPTION" should not exceed a couple of sentences, and NNN
+should be the most relevant issue.
+
+
+# Communication with the Spyderisk community
+
+* tbd
+
+# Wiki and documentation
+
+* tbd

CONTRIBUTORS.md

@@ -0,0 +1,56 @@
+# List of Spyderisk contributors
+
+"Contributors" refers to individual people whose work appears in Spyderisk. There are
+two kinds of individual contributors:
+
+1. Those listed in the [LICENSORS file](./LICENSORS.md), because as owners
+they have the right to license their work as open source. Individuals are
+listed there alongside organisations including Yahoo!, Microsoft and the University of Southampton.
+2. Those who are listed in this file, who have between them contributed many
+thousands of lines of code, but who cannot be licensors because they do not own
+the code they have contributed because their employer owns the code instead.
+
+The Spyderisk source trees have been worked on by many people over at least
+twelve years at the IT Innovation Centre at the University of Southampton. As
+far as we know, anyone who has made commits to one of the Southampton Spyderisk
+trees is listed here, some with email addresses that are different from the
+ones in the source tree. If you feel you should be listed here but are not,
+then please [do get in touch](mailto://team@spyderisk.org).
+
+See also [MAINTAINERS-OF-SUBSYSTEMS.md](./MAINTAINERS-OF-SUBSYSTEMS.md) which
+lists the roles within Spyderisk. 
+
+# Current contributors (who are not licensors)
+
+* Nic Fair <nsf1u11@soton.ac.uk>
+* Ken Meacham <kem@it-innovation.soton.ac.uk>
+* Panos Melas <pm@it-innovation.soton.ac.uk>
+* Stephen C. Phillips <scp@it-innovation.soton.ac.uk>
+* Samuel Senior <s.senior@soton.ac.uk>
+* Dan Shearer <dan@shearer.org> on GitHub (also <dan.shearer@soton.ac.uk> )
+* Paul Smart <ps02v@ecs.soton.ac.uk>
+* Mike Surridge <ms@it-innovation.soton.ac.uk>
+* Steve Taylor <sjt1@soton.ac.uk>
+
+# Spyderisk alumni (who are not licensors)
+
+We thank you all for your work and look forward to seeing you around.
+
+* Maxim Bashevoy <mvb@it-innovation.soton.ac.uk>
+* Rayna Bozhkova <rb@it-innovation.soton.ac.uk>
+* Anna Brown <a.m.brown@soton.ac.uk>
+* Ajay Chakravarthy <ajay@it-innovation.soton.ac.uk>
+* Gianluca Correndo <gc@it-innovation.soton.ac.uk>
+* Stefanie Cox <ssm@binarywood.net>
+* Niall A J. Dickin <najd@it-innovation.soton.ac.uk>
+* Manny Dinssa <ed@it-innovation.soton.ac.uk>
+* Vahibav Gohil <vg20@it-innovation.soton.ac.uk>
+* Vadim Krivcov <vk@it-innovation.soton.ac.uk>
+* Dian Kumanov <d.a.kumanov@soton.ac.uk>
+* Lee Mason <lm18@it-innovation.soton.ac.uk>
+* Pete Maynard <pete@port22.co.uk>  https://github.com/PMaynard
+* Ardavan Shafiee <bm.bigbang@gmail.com>  https://github.com/bmbigbang
+* Josh Tucker <jt6g20@soton.ac.uk>
+* Toby Wilkinson <stw@it-innovation.soton.ac.uk>
+* Josh Wright <jw18@it-innovation.soton.ac.uk>
+* Oliver Hayes IT Innovation

Dockerfile

@@ -18,7 +18,7 @@ FROM gradle:6.3.0-jdk8 AS ssm-dev
 
 # LABELs are added to the image metadata
 LABEL org.opencontainers.image.vendor="IT Innovation Centre"
-LABEL org.opencontainers.image.title="SPYDERISK System Modeller development image"
+LABEL org.opencontainers.image.title="Spyderisk System Modeller development image"
 
 # Need gradle v6, java v8, python3 and python3-lxml (needed for jacoco2cobertura), killall (from psmisc)
 RUN apt-get update && apt-get -y install python3 python3-lxml psmisc
@@ -41,7 +41,7 @@ FROM ssm-dev AS ssm-build
 ARG MAVEN_USER
 ARG MAVEN_PASS
 
-LABEL org.opencontainers.image.title="SPYDERISK System Modeller build image"
+LABEL org.opencontainers.image.title="Spyderisk System Modeller build image"
 
 # Copy in only the files needed for the build: it's cleanest and it means more cache hits
 COPY src /system-modeller/src/
@@ -64,11 +64,13 @@ FROM alpine:3.11 AS ssm-production
 # Build metadata
 ARG CI_COMMIT_SHA
 ARG CI_COMMIT_TIMESTAMP
+ARG CI_RELEASE
 
 LABEL org.opencontainers.image.vendor="IT Innovation Centre"
-LABEL org.opencontainers.image.title="SPYDERISK System Modeller"
+LABEL org.opencontainers.image.title="Spyderisk System Modeller"
 LABEL org.opencontainers.image.revision=${CI_COMMIT_SHA}
 LABEL org.opencontainers.image.created=${CI_COMMIT_TIMESTAMP}
+LABEL org.opencontainers.image.release=${CI_RELEASE}
 
 ENV SPRING_PROFILES_ACTIVE=production