V2.9.3

.env.demo.bodc

@@ -0,0 +1,14 @@
+# file checker image
+FILECHECKER_IMAGE=ghcr.io/oneargo/argoformatchecker/app
+FILECHECKER_IMAGE_TAG=develop
+#availables tags at https://github.com/OneArgo/ArgoFormatChecker/tags + develop + latest
+
+# External directories to mount to the container
+FILECHECKER_SPEC_VOLUME=./file_checker_spec
+FILECHECKER_INPUT_VOLUME=./demo/inputs/3901945
+FILECHECKER_OUTPUT_VOLUME=./demo/outputs/3901945
+
+# Variable specific to floats to check
+DAC_NAME=bodc
+FILECHECKER_OPTIONS=
+FILES_NAMES=

.env.demo.coriolis

@@ -0,0 +1,14 @@
+# file checker image
+FILECHECKER_IMAGE=ghcr.io/oneargo/argoformatchecker/app
+FILECHECKER_IMAGE_TAG=develop
+#availables tags at https://github.com/OneArgo/ArgoFormatChecker/tags + develop + latest
+
+# External directories to mount to the container
+FILECHECKER_SPEC_VOLUME=./file_checker_spec
+FILECHECKER_INPUT_VOLUME=./demo/inputs/2903996_coriolis
+FILECHECKER_OUTPUT_VOLUME=./demo/outputs/2903996_coriolis
+
+# Variable specific to floats to check
+DAC_NAME=coriolis
+FILECHECKER_OPTIONS=
+FILES_NAMES=

.env.docs

@@ -0,0 +1,18 @@
+# file checker image
+FILECHECKER_IMAGE=ghcr.io/oneargo/argoformatchecker/app
+FILECHECKER_IMAGE_TAG=develop
+#availables tags at https://github.com/OneArgo/ArgoFormatChecker/tags + develop + latest
+
+# External directories to mount to the container
+FILECHECKER_SPEC_VOLUME=<path to the file_checker_spec directory>
+FILECHECKER_INPUT_VOLUME=<path to input directory>
+FILECHECKER_OUTPUT_VOLUME=<path to output directory>
+
+# Variable specific to floats to check
+DAC_NAME=<The dac name for the file to check>
+FILECHECKER_OPTIONS=<optional list of options>
+FILES_NAMES=<optional list of file names to process>
+
+# Variable specific to Docker
+DOCKER_UID=<user uid for output files>
+DOCKER_GID=<user git for output files>

.github/workflows/component-container-image-security.yml

@@ -0,0 +1,64 @@
+name: Generic security scan
+
+on:
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the Dockerfile directory to analyse"
+        required: true
+        default: "."
+        type: string
+      image-path:
+        description: "Path of the docker image to analyse"
+        default: "ghcr.io/${{ github.repository }}/app"
+        type: string
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+jobs:
+  security-dependency-trivy:
+    name: Trivy dependency scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      # need to format as github.repository contains uppercase
+      # and pull request workflow contains slashes
+      - id: format
+        name: Format proper image path and tag
+        env:
+          IMAGE_PATH: ${{ inputs.image-path }}
+        run: |
+          echo "image-tag=${GITHUB_REF_NAME/\//-}" >> $GITHUB_OUTPUT
+          echo "image-path=${IMAGE_PATH@L}" >> $GITHUB_OUTPUT
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        if: ${{ github.event_name != 'release' }}
+        with:
+          context: "{{defaultContext}}:${{ inputs.context }}"
+          tags: "${{ steps.format.outputs.image-path }}:${{ steps.format.outputs.image-tag }}"
+          push: false
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
+        with:
+          image-ref: "${{ steps.format.outputs.image-path }}:${{ steps.format.outputs.image-tag }}"
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+          exit-code: "1"
+          ignore-unfixed: true
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+      - name: Inspect bandit SARIF report
+        if: always()
+        run: cat trivy-results.sarif

.github/workflows/component-container-image.yml

@@ -0,0 +1,63 @@
+name: Build and push Docker image
+
+on:
+  workflow_call:
+    inputs:
+      context:
+        description: "Path to the Dockerfile directory to build"
+        default: "."
+        type: string
+      image-path:
+        description: "Path of the docker image Tag"
+        default: "ghcr.io/${{ github.repository }}/app"
+        type: string
+
+jobs:
+  container-image-build:
+    name: Docker
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - id: format
+        name: Lowercase repository path
+        uses: ASzc/change-string-case-action@v1
+        with:
+          string: ${{ inputs.image-path }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        if: ${{ github.event_name == 'release' || github.event_name == 'push'  }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build  (pull request)
+        uses: docker/build-push-action@v6
+        if: ${{ github.event_name == 'pull_request'}}
+        with:
+          context: "{{defaultContext}}:${{ inputs.context }}"
+          tags: "${{ steps.format.outputs.lowercase }}:develop"
+          push: false
+      - name: Build and push (develop)
+        uses: docker/build-push-action@v6
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/develop' }}
+        with:
+          context: "{{defaultContext}}:${{ inputs.context }}"
+          tags: "${{ steps.format.outputs.lowercase }}:develop"
+          push: true
+      - name: Build and push (main)
+        uses: docker/build-push-action@v6
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+        with:
+          context: "{{defaultContext}}:${{ inputs.context }}"
+          tags: "${{ steps.format.outputs.lowercase }}:latest"
+          push: true
+      - name: Build and push (release)
+        uses: docker/build-push-action@v6
+        if: ${{ github.event_name == 'release' }}
+        with:
+          context: "{{defaultContext}}:${{ inputs.context }}"
+          tags: "${{ steps.format.outputs.lowercase }}:${{ github.ref_name }}"
+          push: true

.github/workflows/workflow-java.yml

@@ -0,0 +1,30 @@
+name: Image build
+
+on:
+  push:
+    branches:
+      # Run on our main branch
+      - main
+      - develop
+    paths:
+      - file_checker_exec/**
+  pull_request:
+    # Run for any pull requests
+    paths:
+      - file_checker_exec/**
+  release:
+    types: [created]
+
+
+jobs:
+  container-image-build:    
+    uses: ./.github/workflows/component-container-image.yml
+    with:
+      context: file_checker_exec
+      image-path: ghcr.io/OneArgo/ArgoFormatChecker/app
+  container-image-security:
+    needs: [container-image-build]
+    uses: ./.github/workflows/component-container-image-security.yml
+    with:
+      context: file_checker_exec
+      image-path: ghcr.io/OneArgo/ArgoFormatChecker/app

.gitignore

@@ -0,0 +1,4 @@
+demo/outputs/*
+.env
+
+!.gitkeep

README.md

@@ -1,25 +1,117 @@
 # Argo NetCDF file format checker
+
 The Argo NetCDF file format checker performs format and content checks on Argo NetCDF files.  
-The Argo NetCDF format is described in "Argo user's manual" http://dx.doi.org/10.13155/29825  
-More information on https://www.argodatamgt.org/Documentation  
+The Argo NetCDF format is described in "Argo user's manual" <http://dx.doi.org/10.13155/29825>  
+More information on <https://www.argodatamgt.org/Documentation>  
 The format checker has two directories:
+
 - file_checker_exec : the java code
 - file_checker_spec : the rules applied on the NetCDF file by the java code
 
 The rules files implement the Argo vocabularies managed on [NVS vocabulary server](https://vocab.nerc.ac.uk/search_nvs/).  
 Vocabularies and format changes are managed on [Argo Vocabs Task Team - AVTT GitHub](https://github.com/orgs/OneArgo/projects/4/views/1).
 
 **With each release (from 2.9.2) you will find :**
+
 - **file_checker_exec-[version].jar** which consolidates both application's compiled code and all its dependencies into a single executable file.
-- source code 
+- source code
 
 ## Run Argo NetCDF file format checker
-- Using file_checker_exec-[version].jar :
+
+### Using file_checker_exec-{version}.jar :
+
+```bash
+java -jar file_checker_exec-{version}.jar $OPTION $DAC_NAME $SPEC $OUTPUT_DIR $INPUT_DIR [$FILES_NAMES]
+```
+
+$FILES_NAMES is a list of file's name from the INPUT_DIR. It is optional : without it, all files from INPUT_DIR will be checked.
+
+### Run the application using Docker
+
+```bash
+docker run --rm -v [ABSOLUTE_PATH_TO_SPEC]:/app/file_checker_spec -v [ABSOLUTE_PATH_TO_DATA_FOLDER]:/app/data -v [ABSOLUTE_PATH_TO_OUTPUT_DIR]:/app/results ghcr.io/oneargo/argoformatchecker/app:{TAG} [$OPTIONS] $DAC_NAME ./file_checker_spec ./results ./data [$FILES_NAMES]
+```
+
+You need to mount external directories to the container :
+
+[ABSOLUTE_PATH_TO_SPEC] : the file_checker_spec directory path.
+
+[ABSOLUTE_PATH_TO_DATA_FOLDER] : Path to directory containing the argo necdf files to be checked. The fileChecker will not seek files in subfolders
+
+[ABSOLUTE_PATH_TO_OUTPUT_DIR] : the directory where xml results files \*.filecheck will be created
+
+Example :
+
+```bash
+docker run --rm -v D:\test_file_checker\file_checker_spec:/app/file_checker_spec -v D:\test_file_checker\datatest:/app/data -v D:\test_file_checker\results:/app/results ghcr.io/oneargo/argoformatchecker/app:develop  -no-name-check coriolis ./file_checker_spec ./results ./data
+```
+
+### Run the application using Docker Compose
+
+To facilitate the use of Argo file checker a compose.yaml and .env files are provided :
+
+- Prepare your data.
+- Copy `.env.docs` as `.env` file, and customize variables to configure the file checker for your environment.
+- Download compose.yaml
+- Run the service using Docker Compose:
+
+```bash
+docker compose -f compose.yaml up
+```
+
+or in background :
+
+```bash
+docker compose -f compose.yaml up -d
+```
+
+Example of an .env file :
+
+```text
+# file checker image
+FILECHECKER_IMAGE=ghcr.io/oneargo/argoformatchecker/app
+FILECHECKER_IMAGE_TAG=develop
+
+# External directories to mount to the container
+FILECHECKER_SPEC_VOLUME='D:\test_compose\file_checker_spec'
+FILECHECKER_INPUT_VOLUME='D:\test_compose\data'
+FILECHECKER_OUTPUT_VOLUME='D:\test_compose\results'
+
+# Variable specific to floats to check
+DAC_NAME=bodc
+FILECHECKER_OPTIONS=
+FILES_NAMES=
+```
+
+### Run the application on demonstration files
+
+Demonstration data are availables to run the application locally easily.
+
+- Clone the repository :
+
+```bash
+git clone https://github.com/OneArgo/ArgoFormatChecker.git
+```
+
+- Run the script dedicated
+
 ```bash
-java -jar file_checker_exec-[version].jar $OPTION $DAC_NAME $SPEC $OUTPUT_DIR $INPUT_DIR $FILE_NAME
+./run-file-checker-linux.sh
 ```
 
-Only this JAR file is needed. You can delete legacy log4j2 & netcdf libraries jar files.
+or for Windows :
+
+```bash
+./run-file-checker-windows.bat
+```
+
+output files will be generated in `./demo/outputs`.
+
+### Test data
+
+To further test the Argo File Checker, you will find argo data here : https://www.argodatamgt.org/DataAccess.html
+
+The Argo File Checker is not yet designed to checking *prof.nc and *Sprof.nc. It checks only TRAJ, META, TECH and PROFILES files.
 
 ## TOOLS
 
@@ -39,31 +131,23 @@ git clone https://github.com/OneArgo/ArgoFormatChecker.git
 
 - Build the application with maven (will requiert Java jdk installed), in file_checker_exec folder :
 
-
 ```bash
 cd file_checker_exec
 ./mvnw clean install
 ```
 
 In target folder you will find both original-file_checker_exec and file_checker_exec-[version]. It is this last one to use.
 
-
-### Using docker
-
+### build docker image
 
 - Build the application with Docker :
 
-```
+```bash
 docker build -t filechecker_2.8.14 .
 ```
 
-- Run the application using Docker
-
-```
-docker run --rm -v [ABSOLUTE_PATH_TO_file_checker_spec]:/app/file_checker_spec -v [ABSOLUTE_PATH_TO_DATA_FOLDER]:/app/data -v [ABSOLUTE_PATH_TO_OUTPUT_DIR]:/app/results filechecker_2.8.14:latest $DAC_NAME ./file_checker_spec ./results ./data $FILE_NAME
-```
-
 ### Run integration tests
+
 The source code comes with some netcdf test files. You can run the integration tests with this following command :
 
 ```bash

compose.yaml

@@ -0,0 +1,12 @@
+services:
+  argo-netcdf-checker:
+    container_name: ArgoFormatChecker
+    image: ${FILECHECKER_IMAGE}:${FILECHECKER_IMAGE_TAG}
+    user: "${DOCKER_UID:-0}:${DOCKER_GID:-0}"
+    group_add:
+      - 1001
+    volumes:
+      - ${FILECHECKER_SPEC_VOLUME}:/app/file_checker_spec:ro
+      - ${FILECHECKER_INPUT_VOLUME}:/app/data:ro
+      - ${FILECHECKER_OUTPUT_VOLUME}:/app/results:rw
+    command: ${FILECHECKER_OPTIONS} ${DAC_NAME} ./file_checker_spec ./results ./data ${FILES_NAMES}