From 2f130c779709e0be93197796cd61bfda691b567a Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 9 Feb 2024 11:12:58 +0100 Subject: [PATCH 01/84] Security TRG This PR brings enhancement to the existing TRG with a new addition of TRG 8.0 for Security specific topics. --- .../TRG 8.01 Security Scanning Toolchain.md | 37 ++++++++++++ .../TRG 8.02 Security Assessment Process.md | 54 ++++++++++++++++++ .../trg-8/TRG 8.03 Security Support.md | 37 ++++++++++++ docs/release/trg-8/_category_.json | 3 + .../trg-8/assets/trg-8-create-an-issue.PNG | Bin 0 -> 42073 bytes .../trg-8/assets/trg-8-get-started.PNG | Bin 0 -> 69361 bytes 6 files changed, 131 insertions(+) create mode 100644 docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md create mode 100644 docs/release/trg-8/TRG 8.02 Security Assessment Process.md create mode 100644 docs/release/trg-8/TRG 8.03 Security Support.md create mode 100644 docs/release/trg-8/_category_.json create mode 100644 docs/release/trg-8/assets/trg-8-create-an-issue.PNG create mode 100644 docs/release/trg-8/assets/trg-8-get-started.PNG diff --git a/docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md b/docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md new file mode 100644 index 00000000000..3e1a695d682 --- /dev/null +++ b/docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md 
@@ -0,0 +1,37 @@ +--- +title: TRG 8.01 - Security Scanning Toolchain +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 14-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. + +## Description + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +### Benefits of Security Scanning Toolchain + +- Reduced risk of security breaches +- Improved compliance posture +- Increased confidence in the security of software applications +- Lower costs associated with security incidents. + +## Tools that we’re using + +- **SAST**: open-source: CodeQL,Snyk,commercial: Veracode +- **SCA**: open-source: Snyk, commercial: Veracode +- **DAST**: open-source: Owasp ZAP, commercial: Invicti +- **IaC**: open-source: KICS +- **Secret Scanning**: open-source: GitGuardian +- **Container Scanner**: open-source: Trivy + +:::info + +For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-tooling.md) page. + +::: \ No newline at end of file diff --git a/docs/release/trg-8/TRG 8.02 Security Assessment Process.md b/docs/release/trg-8/TRG 8.02 Security Assessment Process.md new file mode 100644 index 00000000000..70b35fcb0ef --- /dev/null +++ b/docs/release/trg-8/TRG 8.02 Security Assessment Process.md 
@@ -0,0 +1,54 @@ +--- +title: TRG 8.02 Security Assessment Process +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 14-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. +Our security assessment process, based on threat modeling, is meticulously designed to safeguard your applications and products against potential vulnerabilities and cyber threats. + +## Description + +Our security assessment process is an in-depth analysis that evaluates your applications and products security posture. This process is integral to identifying and mitigating risks before they become critical issues. + +:::tip + +Check out our [Security Assessment Template](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment-template.md). + +::: + +## Key Features of Our Security Assessment Process + +### Early Detection + +- We identify potential security threats early in the development lifecycle, reducing the risk of future exploits. + +### Comprehensive Analysis + +- Our process includes a detailed examination of business processes, application architecture, implemented security controls, and maintenance requirements. + +### Tailored to Your Needs + +- Whether assessing a new application or revisiting an existing one, already reviewed, our approach is adaptable to suit your specific requirements. + +### Continuous Improvement + +- We believe in evolving our assessment process to stay ahead of emerging threats, ensuring your application's security is robust and up-to-date. + +## Phases of the Security Assessment Process + +1. **Kickoff and Scope Definition**: We begin by defining the scope and gathering essential information about the application, whether it's a new project or an ongoing one. +2. 
**Information Gathering**: Our team collects detailed information about application interactions, interfaces, and existing security controls. +3. **Data Flow Analysis**: We create data flow diagrams to visualize and assess how information moves within your product. +4. **Vulnerability Identification**: Using our expertise, we identify potential vulnerabilities within your application's architecture, based on customized STRIDE methodology. +5. **Reporting**: We compile a comprehensive report detailing the identified vulnerabilities, potential risks, and recommended mitigation strategies. + +:::info + +For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment.md) page. + +::: \ No newline at end of file diff --git a/docs/release/trg-8/TRG 8.03 Security Support.md b/docs/release/trg-8/TRG 8.03 Security Support.md new file mode 100644 index 00000000000..5522d28166c --- /dev/null +++ b/docs/release/trg-8/TRG 8.03 Security Support.md 
@@ -0,0 +1,37 @@ +--- +title: TRG 8.03 Security Support +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 14-Feb-2024 | Initial release | + +## Why + +Reporting security issue is essential for enhancing security, mitigating risks and safeguarding users. It ensures prompt identification and resolution, fostering continuous improvement and maintaining trust in systems. + +## Description + +This page contains information on initiating requests for Security Assessment, Security Tooling Support, Tractus-X OSS Tool Membership and report a security vulnerability. It also addresses procedures related to Ask the community for help and Enhance documentation. + +## How to Create an Issue + +**Step 1:** Go to the "sig-security" repository [GitHub](https://github.com/eclipse-tractusx/sig-security). + +**Step 2:** Click Issues tab and then click New issue. + +![Chart Releaser Action](assets/trg-8-create-an-issue.PNG) + +**Step 3:** Click on either "Get Started" or "Report a Vulnerability" or "Open" as per the specific request shown below. + +![Chart Releaser Action](assets/trg-8-get-started.PNG) + +**Step 4:** Fill out the form with necessary information and attach the required documents. + +**Step 5:** You can click on "Preview" to see how the description looks like and When you're done, click "Submit new issue". + +:::info + +If you're a project maintainer, you can assign the issue to someone, add it to a project, associate it with a milestone, or apply a label. + +::: \ No newline at end of file diff --git a/docs/release/trg-8/_category_.json b/docs/release/trg-8/_category_.json new file mode 100644 index 00000000000..4c9752e8a4b --- /dev/null +++ b/docs/release/trg-8/_category_.json @@ -0,0 +1,3 @@ +{ + "label": "TRG 8 - Security" +} 
diff --git a/docs/release/trg-8/assets/trg-8-create-an-issue.PNG b/docs/release/trg-8/assets/trg-8-create-an-issue.PNG new file mode 100644 index 0000000000000000000000000000000000000000..77f0013e7ce71fc94e478901462718c6a90f06ff GIT binary patch literal 42073
zT%+p+k__N>9w9*qJY88+1;ccLzTet9|8a=uiRYwX!TqPr4YRn$N>cxIr-I(rPW7gu z2Gi4tvES}}XPbeBLv|vyIVnZF-A1bzYb+ zPS0a8W3BMX%lFyGV|?DFs~S1Ls%e9D*K03Z3%Vvk0tnqaQO|)1%MwVgF&gTDZU8M- zOb#m`|76Zg`TmaufJ0i4JbJ=EPo#pg(<*<6tJdve8fIQtc?_bgf}_%|f_t>h#12{b zIK4wiu8lTR9^KXW!f{&7E}`Z!~cpK?@X2m zp>H9_BTzesIBBK+xIx_=poIjE4%{&O8`K+8TG6Q6Xl5(Q1>4tSy&BJ$88p0p^i*jQ zK$sf;&mP>?igM<8m6oe-s1Fy zbOj3s2{w5J`G1{rAo%D%2mT2brK?5}3}5-S;a}b?Li^D08YM8r>^x2xV%3)iYXqr= z>H~5Cs{oI$!e0^S!_T9fIvx5r9IkM@Ucq@gn#u%*wqgrKID#y)T>#@S4W!1R%Tv>R zDxd!EsRAV3Avp_>YJ~oD2q95^;@Uw>jW~FIMg$%-?Dr3e1+@0S*MI&k@tLh4FgO1F zG!}$(j>zlS|ICnhSajZ)@8ta#LhvA#e;7LTQJ?;?pT`q2{vlgpL8vGBJk6aHefs~a iAO1hf&q!q+I^gL+2w~}Ks=n2JH_$P;UafWe{=We!`LxIY literal 0 HcmV?d00001 
diff --git a/docs/release/trg-8/assets/trg-8-get-started.PNG b/docs/release/trg-8/assets/trg-8-get-started.PNG new file mode 100644 index 0000000000000000000000000000000000000000..46deb7f3251b36e53d19b92b68c8d2221d34b559 GIT binary patch literal 69361
zRA)*Ub$1)Wlc?3+33)m1Hl@Y#_U2_HB~Uq1DZ`;Wg05YS{v*wlxYmw3#95c3qZ;<) zKv^@4Ylwi7nLTZv-Qg1*fCCi4zNk1ns7*jC-PEcM+sDR8x(UYSG#zUWBsNM$-oUl(4L zjfHNPjkU-$n;(^3E+GAF<1>6VbO-jhMbI<{GnG?@p%XpyRUpmj);MZw=Lfi2BYrkc z{LTDkampZ$Ltvps(N@K;mPUymdpt+%LPB|vtuwpC>DGRKuHyj5bIT%x>l0^R;f-;E zWbHuYwt|=7w1QU+A$$s81>b~OBrKZaBlk6fO8{Ou+xMw#VNOJ1ND?3$ApY_o*F;j^Ncle z=2H*d!yV{5s5(MlyRteM8qw;{apep7*&rbT$2oqUou$mAQYHZ}iV62ok%g2hC@=gZ zwnH9%W3-E|7J1IwwDE<0ajC}-HV$UVN)z_-{@zOel^Do;&d;r_C~*UI38hianf9`D zQGxOM_{2s#bt7`_7J&CQCba}E&OAAg8w=3sVi#=(VaJl#(QHXcIYL@Ij~ym z(g9h!QtbA_@%de~!NNIO+*+beEa>+8fGq6KXA!}?!52&%A9I{1DsKZ_rGbZNgjFby z${HQLX#wJNd#}AuC*i?mTJ0SfNAmHzQN*1o`6<{kvH$EF!(sF{xiL!eplJ$9O2|<` zPutoSm7sv8Z##UP4cqbdIrO+v*$#Hr zgx%a=*ITmUOY-p_^)%4)oMkv)KClb2+D}P|TKnTgj(7H7w&cI!a?EfW^+zKhn zONYm^$0glwRIrJiEHFdq@U-ld6isZmj>U*0RLQn{?3zg|KRSC%;f`7prQn@m9$ zcy{F4>7g@*lqjkvU{Eo zZkDeuTS~}?2kJK8aBND(dVwME)GmXE$5z75zL!_#IzD5VF=oZkG2^_BCvXn_|AL*rr|;Z~H7fH;k5aOY4QCXdi(!T*?8{qeE9-}3T|BN=pGo9y`Gn{h$uZ*yR`&cP1@ za-nAf+gv!+>Q?494&_(LJ6dc-!hcMn5#08uZMB(Ue0WKy3S^sq;CH_jFn|hR0N{`S z|E~e6%j2}_Z@*&gSdB%XMWb7OB)lKn>Oupg-F%Ezk8q{?!2t@m%59}$q6G}Ms$c^Y zt>$(vcF~^fn5bd_p<()ZDW$pW)E4Zyqz+RhX6@a5-aO=R9f|>2;#*<%#k$<%Z2&Z= z0WXTkMUa}@#9z}M-*Fv+){hYFF&7FCV1MzqwmC%ZDL$h@ofsHtIFg z2L81L0-#{VcuspkZygprZ9ZJjbZp^XtD}Yhapy0A)n*f1`96G%Qqt;5f{F6J$`x9= z$}Xoe>Jgn|AqQz0mp6{b+~r!a_a=sWBs@ebdmik(=<+NP@u|xi?g^^Ss@F+VNk?3Q zq6+04ER2_9N30|)@(t$3&s1rUK1_`B!A2k{p5)Y;!=bfzA8-*yWWW2osayEJ1-#*x zr_mk_K;4t%RD6s&=WO)!^^k98;w{-N41R2rD`O|5#=3h<$x%L9I<1B-`r{kxsgXix zPT`X;8E3xvXT|#zm154Smwg)&_nflLa%?yQg9AC#D}x1wId4pRk$uIBS9)^`-|Fm2 zc{LV<|Ktr_OwelgCgHm7#E2*{$N7qOsxnIp7p(4Fh&{~!Uoyto0(!=L%9xsMwh!e~ zfE8}l6FWH1E^@MerCtqO`f2$GaJuB~;GoXyf%Ric1u|Kv%_v|y!dG>#gs)bixgP@V z#=<`4PxwCcAjZ%GXOSGgb%6qMg9E0^ByF

f(Xh{#0+fP5kKU<#0l}+Yi{-kHVGoro$v|gDPY&E<3M50M z*~1-A*M@TEgfDd*hN%X=O*=ZKuDJ;w;3Nf1lI&&YC{ykzdA-1#IX@f7 zZ3Md(Q>|KDMNR3CVrPGG7I1zpvmyheZ7Z2NN(iTqPn9np(V4)UwAT{DXT1yl?w*|- zyAxE}-*@2w z7MoFWV9}vTg7TZ!`yH!ni&C{MgKe=q#C?wgj;6A9jrk@5$hXxIU*A@mRX6)FALLTE zK%VK9k$rz8yk);9oT7wT8^=Gx2Z&{X9R5`J0RbD>#FcWiKVA)hr80sZ{qlDrAki(f z#17!MIdhcG7H#3(imKzH(?>NNXig@5_nu~yPC34S4!1A zBp43leGd#T=#^Jg5)yvbJ^OslRrIdcLUPkWOMuK5BaEe}b*w8rqz9sl|=s zlvn+OGIdDZZbk*tM&`QACm^t#(a^?{W#k(%s$b`)?+E$Pcf(^Q?Tyo(&pV};y-!(#EB&U?J5#->BtRbca@=S zXe$SATSZ=K3tc<@rz|>gBAM|O&)d}7E6J?>#cO$1-O#cWRRGYSm#-(&w9PoS^M&r- z+cP6^|CaA3?r;Go3E!PCVseu+{0~j+bC#YJDLAGuI}HKqtA{iTX0`=>wbI@GQYw14 zP*I#$bqN1dqbEKE0c{c6d3P5$i&S7ptz<^psLn5kc!PT}TKMUs(;GK^ziuYpPk~NC zrMOGKz39Y=?R)=lH2nJgzq8;cP5=ZJ|NP5|6JGyn$^w7+^x*&W3ovoCaOJ%KBzbxV9CD+Vl>E?@B@P%hX+v?VJ)Jg?TLy2KhuSbFaw zS8giY`t^`^kMqwPx52e~PwIoRC=jAe2Vp-u!ri#}?fN3O$SOy1KqGl%U0epE z<<=RM(VnY=dtVs+j%@e|6jE1LpO%*1N+RVy%^L=_#^4NlnT?hR|2YX0(6?+7PQpE7F>BH)mXCy_7rM98G zn&VuL>7y0B2~y-S)sdm+E%w>QS$IXwbp5Q;w^5CMW4I8^#Yudu=RQfkGVEN!qN%a< z?vMQjOPQGug>qkd$XdZaIR~#MY;&_ zPWbKzAzaSt7i5p=Rr{_cdjQPK4$+gj;h8j^*8ew;Cd7w&+LI@3A;yn=T7V6sm`|bB zm4K=rYimzMW@@vr77{@*p{|Eu{cp#N5&@z*r`79za4Dd&Atl8i|0BEF62qRyB}t^O zq+vw%>8Y7xNBwUuu=Fw4@t(3!C2?uQ(~b?ej?H$l;g;^|^XL+Yw)9o5r0t<8aD6F5 z#?(}ug@vf@YLxB}G$XbxAl-L`Qn`9Cp!Hz;wAMc6=s~pP6_wliB?bp23Acl*OyD~j z(P_u6aY`NAzGVe==$}Gy%zylQalIPS=P-fGRQ~dGsX{auX3=FUhifbI_OuNZW*0{w znZej%p9PKMESp#lS1@}VPjGZgh$6QZN;2c8ha0lW#@7J`M=3#JogZB=apJDK&mj%^M|8)D`M1XCnwWS2NJ6ZCXWT%@b56MWKR z@PY@Ob^T}T3uWJI&^SSTe&-p@eebrR$Q=`9B%(ZlIkkGAKoT+gv3zgu1GlpAxa^dE zqe9*^N`OOj50e0TtYn?hs?TexulbHac39`;-Ns4Y=2sW`9zX7Gf*ti6Nu*FLL_0(A zEF!LB!KS!4<`N=-e*)*pDRtNi?^Hyau<3PuPw)*UNGTAv%^KR!*V`UJH}GkeUUuOh zaY^r0%mt1IpPCn75G}Unw}U#GE17s?Q{~dSHiZkfk`ve?g1P1bLh}5Om8c_@g4a0j z&Nt=VlTU1NOT6ImWOHCx?TatjQ#;Wl4JlO<9hmX6?a`W)8A0ifaX9^%-zfXyt1H83 zu5_0!xYxslezjgQ9(Khyy{sz|98*j?JR1KnH*U2d25~5P4uYq1AXsKj+B-DZz}G$^ zwy|6s$dh<-gG0Zuql?i?$@e8ZFcQz6(`0DMZf&0+ZPgZ2^Xu 
zk`2dF-$N6&OIWEOv74pMQ86oDrE~F-d#$5lMgyJ;?XNE?AAOR`_qBEf#g1ot&l`}C8AMm4N@70dPe|XHd zw3A=E(Y@*{Sa|Yr+omS7n0Uu1#{PZFJX5sRw|g)U{=ofv3~lz~^^J2%p_R6UME|2! zPL>hDct^&94W26(7B8_M-OUWL;ut8WtYV9!?f@O%KMVT&JAIJ+&5)G+Nmf<^zL1nu zZ$g)Gig(9fbB7J8!i2#-l{yE~tm!4K9@_uJp_cowC;x3;oMCvmktj7LiKfhd%j`S2uu76Bz5cdtgtt6^chSNo>1X4Q@ay1~1!DbU z__gvrR(9u<@j_dFA{qT|xmi!CI#NwG{MvxTx}{h@5)wQS?!vA;*0ULqjLdYr65Q!b znxPxWluKvzAKravW`AzX5ZoTb+;~cZ?CFt@ADgwbX5yG+{9_8n+Vfd-7AH^AeibeH z<<>0hEc9)4;hV;rAMnbw$$!1v;J$3(`TmrKI%9+hTh6_^9zYW+=V@{eHl`F}_`K7~ zlO?lfXuAl6HY7W`xBK_col#N|XT_FwAi<$n>0#H71PJpIiG^}$Wp19fY$6bNf`g3M z4MS8pM6@lik5X$QpW{0&OZ3cDc7S}~6CbX4Ok@j&hna3$&+;boqu9P!C5==XVF}7wQ zqO1dIZ@Mbc7#7jo?}quXQ1u6icY;$LV5oHiRI=|SE3x?S)pcw&&kth`i&{31M$`F< zN??V3%UX8Q#~TSpiG_i$OVoT9ult^jExk9>stoR3`^qVO4bY-|rd-fV6bgpb#oYFQ zUrL=9ofqBiU$Q_Xp5Dz?rYo0ijC!+X%#rb zee#}Kp3-fNa8m14iFTzb>g~c4{8A-mc`u*m+mH`Xa3FX!zSc-ld+SEON+$7Wj62FY zWCEi|pH(#0F4(me`y3WPrgYWDZXHrKTWV-z5*I-T0|46*JZ11=sUlE^M^+og1!-t{ zvfI?~bnFM<-TUwjvSwl{9JmPF^0D6hk$V=d+hRcC+ttZ0B{Jd4kuVSEA7v6g43;Pv zG*3^(+kZCqbAS-GiU~NJy|DAqz?W?2a*Bbq*L{28e)2Z%RQ4<6#mQv+axBxp6#h#0 z6K+6xSlRtD3E#QamxyvS5imCAZ^l;cIHas5&=S(M81=joQq{V}*XH`9Cl+xy!*g)s z|EtHiud>)hUxt;6q}8jzJ5i&r|TA=Vk(#WT=nQt%HL;8nO_j>Gdlf7QNHg z1%%voH;bSlwraQYR#!Uh#%|DPe8YLtk1Lr^^75?8D=Tu(bOc%lC-3h1R$)2vMRdAc z>=pH=6vPSN-sAI%8gZ!1g+6ZL zm#YP{bcS@OH`t^Rc}z^46XZYUoeVQ3rfT>s%MBJlE%R9WqdK1GnAgsgCd4_by5J)$jpJ!NmFB4L;NWv$|^=3uV% z)L$NL2n`WQgmmBzUEpFICm2_i6z8x?7+{=B_@`8Xbd;dTE1;)Cs z4Di-#X)%*cG!uXroD^MAAWGRiYXE3)s8omw z@80_Yv|liuE8Npdz$8sTC(?3eYNXhRexf+jhq(U47aa-ILP6OOX7?m8PCv|3UlC<4 zz(Bg68P6kkljBT%xBC2aF{UIjuDd=@RCv^YGjFzQPH{>Ze>{FL@Hw#T)&X?dkyYk! 
z769qMQ}l6h@3VFXCIWA(6aqEwP5DA@4zw_VaZxTmr{{TQ%HN#m%u`^Cv3ODy;YmTH z*=j1CRwXQ1W^Y*LO4*^=~ubR`1&WC8Ky?K8Y3C$tC#}H-@nn+Cq7kG zd~X}_EV9u*|DxBhieOWE0NWj!sBu4kl|5?bTQ=<0*2rzs9-AYQcD>^MZgo{7uQQ#T&$v2k3T=y93YZI1BiX`*fc;MNlxCv8P4fKq=Pu96JI;Xj`H#d2-7ixFn5 zX=lkLoJAiZBHCIrHG|KpTTj~VC$%1SdrqrRF$&v&s6@0!oCf&r&awp3kcxlW=neZU z92%l5bZa2U^o<5CF^h|%j?-2SAS65y;jz?iO0s$)h%AZ-^r!t#N91RckC)``1XJJ~ zvg*2|p;Gkd*3YzhI}Caw!zMa6)?u%ai}k3;oTfl%N|(MT+h%WWh*z#g_f09FB2yu| z(XY9+lo#n|(zDM5s;G2nf2WAQpz8l`m+Ni4acHjooAAZ3OQMp7b3@3v;%t(OX0!eo z(KktpM#@Ed3ZfVG_1>j7c;GsOF+ddHxTAD5716d8o15nM!T6SvOILF)(^hULDrRM< zlL`XuT4zmHgguf0M#K|EyGI~XXn?V$yQBN^*3k3k&6(Q7^bk^y14{~PBE=PyAQe)a z1T$@|FH>d6Kyyq6a|7_f7Y~L^SKhERl?0mX=kI7=x$y6c@(qJym;IIy39i zh=gur&)lHX@gkr>Vs=IXNpws>JE`iqiK()q6q(pfx;)88gGW>iu8G-)bou~qun6qJWJ-8K{; zuyB;uh#ES%YSSFGc;58i7672J&71Vh>x!vIuoOS_&?juP1>|X+<;xPH4>D+rFxp!6 z-pQa=oYE+~!(S84b!bd(4B>R!M`D$Yv^WGMJ7Ymf{%$=@VZV0JKR-g384bPsJZ5v6 ziQA$rcGg)?x!Ys<%bT}c%QFn)y*!OTb87l!#dSq&)-NqX&wVpB`!(+QTUmj`p}x zL%sNnxMjNm?#X}eaR_YU zvpmr5Gr#}ZNPY1zi$Uj`guLWFf!IAj6;xz46p(#?O5Z4V3+n-!24>d}v{2J$<2kJ< zO*@f<#SLX(mkb$d1tnVm2T%(C^VoI()LSnlH70WsjnFVTd)YFW@7C?`5%R;+8fgo7 zkMg{+s-;eq1hg0#+BidSUqD!fl+i-u3h%5!2NVVM*$xt@a<#&3kARNRzh>Zz0fM6R zRd?UetR#y3^mV?h9P*=sUT5&(OjXaOUnE_5T^MEDb<`-9z- z$j^Xj&CfSv1(E@X-&~Lo)4F&OLdfwysK}q;puf|G#!>x@Yar*wGUndcb=j6s_C7kz z_Wnx~#$ze-_03n%;NTEW?LbW5VyOYT;I~1h^?`3x5(4zYD$c@{J(6xD!jm!*1R+Dy zgI=yTYP#s#hA!RpdX0QP%Lg#?{<`GFo4?wIrfJ(AJr&-bU52O28{A+kDnbVNBH53u zL^INX;oXU`4?P0`~fB z*%j|__kMlyr}h`KP9DE*B`Ls5azs?>!L2x12_cOh?Y!kEZqzf8B-{3NIjxUa3(3a= zENw%>i%LeMgAdH7HgNT=SIW;(+EUc(ITPwGv8U{E{Ko7k(gC=r31EWhZykT*p70#? 
zmFC+%i_ej6d;p-ZpE>{_O}8|>YWyy;KmB$?w(3W~g<=2PGl{Kpm7VQ_=R`+E6+Rj&Oq@x%A+@ zb3?{*Vyb)pmiw7J9>modXuSBKg(z~${}i5IWmBcMSuboq5CC#*QRF|Yc z`7UUhPonvYL$@$MQc1|21Pz5rC;mbX)^Mcbm9A@Ch9aFJyw_xCZWfw4#sym^8ji>d z89`8;&j%>H3!`bZh9v{F&S~30diu-jH{#TWpIKq@t!sxD+|mNn9F;rY1)fR47CZZw z*rbwK1`NmcaAbm`b4!|}7@;ay4Q^HU?%MO*-ih%ox_GWGPH<#XFzQnQZmyN_Gv!A} zGX~|^rxfy0Qah^|2I2T#RxV@9@iumZQgIivfST_f4M5hdXT+GJu$PY+EM0nL+`qYdBF732qMe-?v2+Nk9W!M^cdp8SHRG~F zK0IphO+|-(i&!_Drz)A&sMP_0#)1+=$~^AfKE*h!?hoSBW$G7Fgn<7U@TWnMAEB1@ z4IvXhKKKHd=~Nqw4XXo~rZ}!3j~9=n0vej=&+PL=<-=3{Dm0oKNJ1I7IBr z^WA}7c%utBkM*AUl&iKrvLapA$lW204-99059V>6X&yFQNmuY5R?<&%aWkQhcu+g+ zt>al_<%#gA4RS0UttIEf-CN^jo1O+6JwUOKVaAM+f1ew>>wyiWW=3o2zyddenk?9m zqwaTv;=}(!6?%>~iqw{Uv?8}Sk7tSVmm5cIk^_=?ar0)_dv%mmwspl>Y4Kv3$=3%$ z8TjCqN93D_TKn!%Ka_i#tXi|vTP4oJvH-+NIM&XwwAqSulMZ!>gAci3Zc}cf@8Hp8 z4n~7PcdH5}il++n7zyf6su>dG!1-dO45Jwl=RT-y?Q&lIk!lR{X+_LV0}upCDnpnm zsVyYy53o|Zrav!*GbY@0w5|}x28Q$Ek6B+8#S%SVg=9q;76e~jokHrsiuapjZbIzu z9(A}Eli_3Dy4@xj+6N-%!Rdvo7Qe)}Kqy2xW%{*4*aS(^P3|6Uv?S4f zw$n`?g?ZvmdF<2g>_AhS!6&Hv7-lR_l=5Fzx6Ex2g;|T>3_Nft zVVT83LBavkF}WX~m0$4``Grb)wparZSrUgTkz2VXtjLQ7XD*>82v%5}+F#`>zaXc+ zb)|&po#W&rBe1}o(nR=&;@8w50Nc5!#nO4xLbEm`+gm31t8ai^$3 zdi+HQk?n-zqc^J>+3v+q41r#C6{%;+ONC!|~eJEjzF zsBUS@A+46Bnjt}g0U0F0D7H+w8UaVD*wh~{ZUyADhb%FT86J~kZbluXVsL+Y^!KM* z_7bhwn}m#PLTu?7_e!%Mg8GJ?SaYC?i5WGFJ@!D(5S4A>DPY*eAo|%hiXZ7UMs>+Q`3}|<`ATy} zTQ@g9&L6dZSV{e1U5>L7wQhsJ4y|u5#(^#+uOzb8_FoI{b!`zuWC-bFMR0A|yi!+S83+6lCd- z%Re1NBc0Ke+`fS{KXF+$A@2bot4>f8_6^qa&nm36jN_t{n^>6HC)A9oFvKr_^1YJ3 zl@K+YD4LmhPw0h9Osm#;t&9g=LHhwWcAFd%nc8HsG@OFAQ$A)-u_70H=~HTH=*6N^ zwJqB7mC<{m4Llt)Pe*%0-jzjXNozzsldH#VJ4CRuuB1oiOZ7U4Dexou!QDe0yuj=S z;#o*$;h^s*ae|d@m;OWHhi`-jNy>R~q9Y2DeJip_9gAy36Pd2Zzu=3{3bI1V=$9IU z)Z}1}{@87?;%)1^DKA#kA*#P7(Hd zmOgKAXh=pWu7L|;;+-L`u5^oB&@Y~z)s^!F6leaJP|&*=EQql|0RUXJaf<}<&lrW5Vd!vSiS zsm;UgPX%f|f`L=4*A0?v9)a(ToimXEh*+F@?#OOYnV|X4oS$nmXzAokrva)1%k@HVgQ#pj|%+xC{ zc*z#IT+!wJh0HeGIf`F|yU7SO=p8r|VLlSR&?Hj++8cYcR-2O070*WUyc?#Y*lBe1%dM 
z<92gV9*v7tIKhv1@WxeR&6|)TH{T-#F|viC@4uF28_TtO_9H*Y=VzQ1`X^FK^Mg=U z&XSZNVCr|jp|R*$O~yqdV{=h()Wa2I*`&K)1jjS}z=uuPo!gUTiSQ@O`NnGFNQo${ zn2U1P9Sz;r9=m#6aT;kr-F+Rrnp#c1`L2m)-f{BQqdBR!VbJ?uC0zuZ>C^TPSs={M zsoFE*6y1Dv^QlITYFm6B5}Wk|ZB8SOI-}&5?XJvF{&FS=&cZ5p1a@wFR7U+<84Ey( z$qc&QM5zPl*21R8kH24j_w0)4k>+l?9m{q#5Qx2+;`?Q87}VpI%sWHemA_5fC}RN~ zCcK!jYJKzBdSpVKg#Q<+t1Rq>LJs#Wve-2Yw5W!wa@@udumAF2piVl>l!SlVrD&c|dQ!Z{Y7H|( zV*TC>_h)+ZDTvL}`#&Xo>iKN|P<2$i`AO`_@jjs+b{q(QxI;!~%$r|{Fs33Wxw zKW%##Wm(t|wKbH~b)`MO`I^!p6O{qCdusbK2_gvhAdlRNeGiSXy*|e|YXUjR6&nzH z)%ZIh4!4`(np@jxc&21&OXLCuEnrU?$rkYQ@6P|gS-&YjTs2EB|Nipp*_&C3C zz+op_jut`8YEn7Bz@|*$rmOh;EblwUw$i5|BKt?3$7*k5{>~VgJ5x-Cl;SVaE%gG^ zvcC!%vc;Ouzt$CUaCEeX?7P+%eCrx>_3>Vo2xzDR4)zQ=f8<~*A(+*S;(+qi7e(hI zoKsF~G`&RSnfE)K4Quh@ml_>#^ASf4t#4`Z``4X=Naab{J=Dokz&v_)MP}(LXNFQq zooM`*l&)Rr<7v_UN>%!>eb)D@`|X`vFpO(Ov)$%F8rZ zC(&wt7;2jqeu&kbO1F>2xTpk2HnQJd=U5$azjKbrmS@>Oc>FTK*VT`4p}7VaKf=k0 zTvZz#Sloo`@Rr85W!DZz$57PHgE61A?OiVcs$G2a**M)6>1iR~}XEygZ%O1nt?Ron_eeal@ zQ^6=M-0kBSKDsDbc{MlGk{D;o6#ciUM;ojUj%Tvi*wD6nZ@X>Be^Q|dXqql?p^ zxkA&TaZr&t%eTgaQ*>9kxw7O=os2vN@CQixFHjoeg+mbieOR;QEU0OjBz&#Jj&Gyu zs*?S^AZO%V#-RnqVgZhOs4}-Df4t$?_d~d5RTosuYEIt%IHaIJUkPO~k~oxz!rfo! zC0)+Fd2-SHJ1Gu|sqOPNlk%H8$pI8M&>dCyOhH884T-_hUDyzxNzC7h&Li$rhXcLlgXeI=(STO z^#pPMx0=jS<{}Wb7$jz3$2HgEc%ZJRY;n@7L&;Sxh5KWJ{5sp@`kL*ewI8D*9rJ4o zJF|>KKzs>3)`2kgt~T3&CKK{bn7K)7yh4cH-8Q{6m8UT>qMsILnXl*@FH6}McNCV* z8rb0Z59Q+6#bRuWA817?$URfE53p=iD5A#d)exg|%8jX? zSn@*Mz!jY8xgI$%Uo?&@v5)HLk>Vjq-D%V>ca9wJBSC}9*hl)xO_x6hk;O&~_2-tR zlXS+4d3(j|7bX(mt@4PQQo&cj963{x`$ z-)rZ9+z@`MEs3vXbZW2`YR^JNs_l0Bu49o3$%>ftZO+UT?H)X6j1pM&z^%Zv!UJ!l z3+#m-RZ_fLfPzYY5Qb!7$o$Nv%VZ3+;X?{vyB{I5o8 zKvTVJn2Y*5%>VyU?*BXab>TE0xxFYaG!Ncj));UA#Am#lBT%Yob&LD=L_ghjRqG+! 
z3YKIBB3#=n#eGdhe@(WF|0mkGP5cCG+X2aRWeUCKyK@||m3fMzo4&Qz_hDG#v&~nSHoi_q{ek$$f%J890gCfET z1m8V*y)2&`?pg(^4HwD3GgFEMZUokU;M&59fWG&lY$Npdjm{&QI-|~8aQg6{!25;s zu&D9IcK~3t-uDpzEtvsdL*#G9zFuX(+uqfN-O~F;?g=0#L_Y#BNB3z@7tr76JkDpo zUy+kAxLk#@U#d9Mmo;=D8y!}mMJn7Vcd+Ab;iZqlq8rH-1E|dd($^+{b1~lDk137W zma%SRSW(0`(5jKyGnoR$8{?t60!599B{WoBE^EAU&*~JuZ}!k_Fkozra*y&E?A1Et=Ih;rzzoXd02-< zbjCqE95_XJ1K{G1)_ulatDqcWJhV;AaA;qP*W3r;$(zQADCq#9!Feyi66xl1Oe|j} z=QUzE@No?+T~uHwRy0xvDEj2KYq5On=e zoQ6+!=iW<7YfgW7UWrGQn~r_XJ#&7NJC!K3F!o;hC|94B0}@w$y;XlO{{75fD$gaN zEKM`r;58~}0Nl;TqNAyqVaVLcqKRPCP^f9wag_Um^s@Xvv({)+q$mNmEW*64_NDN= z^y*{gUJ%&L;JaEdRpmFI191dJW)j5KP?*p!$nbOQdfT3`Y5X#-mNe|UR-*ZX#O35@ zKgV<9sElhxlCfZRf_3D!!^~X%6=eNI_2`x9&Rv#uWi3A>Du3oR&a2**E!x{@a5=k1 zZGTV&Vhn=@87J($%wU-bIyqW;A`&pA)VMwamFE~~qrTQ($pXdHAO%R_YSivNupv2b zoHKz(WfdE0IkeZPJS@7^9_PnB%Fo!EmlnT9+gVeZtXd*M<)^UQ1WWXEWT zO|>B`XOJodGL{dZVZPJ%fV7mhR{TqoYDGCyS{{&XFx;b=!~#mttsdH?nItNQLIBAh zZy~BK5`<2WF+?qwSn-o=)`?xwxWGBr*zdS#r-XhniNorqF)JSJ7Vs6M5~XMKOqJOD z_jRMq^mKf~_Ei%_KH4r-X`J6!&CFs|caF>T*D~|)#~O2R#%H{iG-fE_2}Gw3tJj@o z=YVr5#b+}bW>ul_^;bQu5;_g9Hef9C_)^rZ-o6j9BcxG+ayT){ho zH8v_wC~i+E07l0Nn4stGH;ib1a^0*f#g4t5h??Hnu8|0e>?Iv#hRX18iY@@Hl@aj8oto`OEHu_D=6XfB+Zpnu ze$rX3F_88L#xVE3(DkI^)Y#_XtMGWj7xE6h!Qhz@YCqVVP$84e{%aJgSZ~^YWxH_i zTA2R9wI_LUKHapSwnV)#Z`QDyK76DIVJzP_cjtxMx^ya`->iHhD?YwjsSjLa!Ia{e z;*Yto#teTLVX5Z5Zhv`T>7yN!1Iyvl(|wIMx!qJZD*2>BaN9Mx6sw!gl?EFb4H-I6 z|Lg8%R$j63JaxImXg6s{*PZ-Zr31BZ%b^8E{tmIn0A^JcqWHopd0K@+tsW@IZM&Hk z&yXAq*;}y8ebkFJ&Bay}F@;xs!Je|==47}&hG=r^a9C;6l?$u1C>{vW$6NsE01l;= zBtR(D^PY&^f+{|Edh4yG%dWZ|{<9g5O zl~3h4q_E2pPNbMi^*dDt*=Bis8>YNhWnW4UH%!!{^;9L%Hs@phdC_&z_&MDI+v<||(wX18lc^j#C)eV~;;US~} z7)H1j7EwJWrmMR@y+m|$=eb%>@mc~2geSM8FJPqTUQLJDW*(jM(+BO>WFrJLp>Oi) zBmBbiPL8#Ve2gpl=RY1g$plgt8JJ%n?|r!oN#Y-wy_S%Rgx2 z%lISHaz}1}#zm#>SZs4sxy10$oK%zDaCNqw;OwxA^cXN&T$8g+S`r`amr5i(SB(8guil|VIOQ#5 zyVr%aN7rYOJmNc?PMSE%9yVv}vP6vc)Ruz|dWC0O(n(@>zZ}`EZBlT!!+1zqLgWd#`SgiX 
zb18sG@Ee_dL1{&h_I3mxZ*V`q?Fmg(YgymP%#LQU;AW7%h22R?;#eHZQ15-4*|C(#&S=;+vj&|ju1+lf)$y7P@P3oSiw7ZC= zpnzi4(rteCg8{Gh#3v%bb@QO<2)kdnByv}i7QM>f(;o*h!Z;+H&Q#&R$`wy|z09bXC~?WmM4!zvOrh0Dm0WoA;(;G4dMSPq;G z=1H|1S{k5mGDo;uKArq5wo1$THhH~l2E=JTl<`34-a3U%Ddd*JGteFnFm>MAIR=Y# zsvrbN;sg5Uu5l{5MLhjmYR07qP&A=p(wA!e8LM2-x^5SY*1(~o$~iGsiO|tKtTvka0Wv z4(7qO@XT9GsdDOLJ(DM7>%s0#C*0k@;ZDfBNAcuVQ-a`RcZgcSe>-EZAuE`4)c@t7z_VPohQ`S+4jZGdgtJ(DHPEs9IL!n>R#%el6?xj zfiC^McG1yQ-aU8*^d%x&&8sEUpeJO<#bRr9&eVlg)DT@Kq!F7p=DQat+Jy%$Zfs1@ z9eC>`%c0#=^?!_r_tVY(8*tX2KcjRhFA6v~7{dZoZGzxJM`MgIJhdS^bHXE(3J3u^ z?VN8Owj8O3bWLgHM@t*F`Oce$1=VOW3HLuB{XWbJE zW5eh|U6`ExS{2fzE(In0bqmiQe+IiWRzJIaY^3PW+d?Qr%uLzWFOey!IA5JHII!kc z*m^ySIDmfQ(Z`XbME1Jt#5vXAl2z4U3on`}ly-Z>Ecli(8?zVIa3O20B5Xv62LScL zx}&P*yaubtUDP4t&$(;wZ;y%E|6Aj|Z0+THlIpOglG-@t0dQ*CscpHvJ7`t-{yQc| zEj&gX+WRzf_~BDoaIk=EaU6b;mP^|Qy7P{6OTJWc=r=p)Ms||oLK$TJyVL9fw@OLd z#X?1MUL_gBu_LX$Dn^RUBz4d(Bxq0bqtff4?pJq|lc!8iXB)$J@n z^#<;>o#rU`nEzEdY{hVduoqmpkP4>V<@GQ9%ApQ6AAKiGI{)Th8%t56wYTAM)N%_3 zxsu=?x;&d{q>|f~T8apW=2EuAC9;Eq0rlt#fls;UR_vQd)1b{MB%`ypOl_+-(q;pUwYRL{?fWRrFXi+#?JCtN*{Dv*#6LN6l)w8N)1aB=0A$ zLtc)mFVRX^-dn~hVSP!}o^a7n{p>Ks!M1q_X2-y0IPjM8OI8yRNmOrllyA{Gc^2Xs zd)W!^f6jOQuB;?Om&W@mb=za|vkH2j`&C5aKS5Y#BgCw@{^Oef*lWOI`3W#%cWtxP z9y{qBOEr)!gWisW|Lb4@R@DJ2p5U-HWIc4_T5458zLBy#?Hy$}3Q(d0biT9xcw7nt z;dZfesy^Z{wfD;-$wi@f9pkL#*i50?ZHVq^qUhUg&^E@*ceCSXU(MMA>}w>@edmUN zSe0L1wPBaSRZ7*Dw_u`w_~^Azuz46@TR+QIyLQL>sp9vTpLzCQj{U|=Nt4dEM>HGW zq;@o2RY$LH0MX^7U-HZd32^Hncd=#OJr3Zn86O7<6~w=qh|Z3^B5XGO94e2lh37Q@ zNmm~&fHX>%1Gnrg03mOdp;HlV5VL@GUE*3SRUW&#wr2*82&CmVqIPJb4F4g{m=1CzD6?usYP;3Y z;#juorIvS!%g2B8-sB~*poOZCURB-ke$09GAV3}pGyaVn1_6I^_aq*k@$h`yV z@8O;U!t?1wKHFP`?b(3^U6*3t4WE?c_Y+^)`BNq}q{2$R78O}oTox|LD;w+)3()x9 zV%HbYXbW7S+GBKSbwA`q{)`Iwl0M=!$dRUt` z7}%IEyK^(b-eye)VJ-(La{{pN!$|j{(hatXyqNFX90GB!24lee(S#duxM$5>D!XuP ze8O$ST+qJ^u?#Z3)OU4%OP)+B1>rsXaV?NngH8Gl!^cw|vei0?=B&e-+8aN*H=rbs5(T$uggG6_*F}(pAq8{w@^$+=i{y)O z6q{A#vZOiY8y0WZH`Uy)b1tT@uZ(DH=M8HF#ov>_2C|~zDlxc?y{)RD9LrsslcXbe 
zi(zbd7^S)2cZ2a97dsY?Lud3C4G%3iytoPCFFC-yi@IWBJ^p6e_%V%9mm+C#HCe^ipEwO5INNhUTY_pSKk>qBpJ z!;P-KutEM|lChlnl+D5mPk-}J;@s9tpb+bz=AD~H6@zyx28w7UB<%4TNMeGdZnCYn zBtIu@fMO9YsB-TmfPRMFVXsd%dVSW_8!2;zaV&Ewi^N2Id%!)q(kvFf%7iU=49;8g zqb_5`Gcr#gjw4O)Y^4=7jotW8rzTJphdO{nTMDi=b7POg zyIgK3Wbq-{feFjWw->xc!LKTdLJ+IcSHOlC<=8-0LHu?i9EQt?ldcu%Yx34YCa#0h zzTl&-jmabKhPD;PuuNf()s_RsBk}AgC}%ApDuPc!vh&;Sorsxe zD7L4uJhAWG(nL}08HU@_VJz0qHak|4qCXn_5&gu{7&JcWcB%uBPm z{@Uc{2Pf2>R@qES3c8p6ii1Cvv<9!dp$4++??!l8>Ye1YSKUi)@tS0;wav?9km^w1 zY}MECis)DY@?LhM>$s_rWQMgmnJ0NC9%oK5r#eX1V>XIAKx5v4Oq`cDbE8-|lC}GJ z$rzt0c2qxmEn+QIL#HBC_QU;9Jy!%Y1e7ky=DF3{>o(CFn4M7%Nk{vmUO;WacBx4E zenz>Cm(|P3fjk)T_kk{{1$*<^;kh5KYI9PsEJ&qNmU)Q4fy20k&rNowx~v}^kd@?2 zStmZ7wcf;+&W5?S!mg;qDfKii35R{1LFRxLv>-MIE=~qIXv7GUKRWDGtHTZvG-8+z(u0x*ap{!=Li>8dq~UNrVrU>4#Bxt+bcK|%hBI# zWLrYQc~sVms%x_pn$?`w8vXJ-9h#y^ybl&)zS>-S+rw@f&czxgS}5##v;rjVdYpyh zd(8Ag%qVV4V*M#AsApl(Zlit$mV;Z<)Kmz(E}6^rro>caqKj)LZED#;C z*V~s~1*e*9D?DGaPPKt1WYzZgNHAJUU-U2T*+i|kz3Onc%PPnbY_HQ5joR1*eZr>J z(|l4K1X?$?5Zt_b)(}T8M)U~a491#?&Ng)!f`p#k@}Rv_+RmP%#LPl}PwOWY$n5yX zdXY0Gt94R<=LPwO7+!p)*i-08I8P*1bi$bVVucufAJm3g2ILrOUGUfp#Fpmxu}wGL z-r<>^+5Yuc7LLbY;~rV7T}{62qv)HqV{WMRW}Z6nlk7={2WB?PD6Mx^T}58M{d{M2 z>#({F4=Ch*a*OgVYh*zMwa4X4@j%BdR*<_Q{K7X7##XEQ7o^ZP6R)ytGv_FFvQAg>vR#!^VPp2`k^Xcxn5ZF- zr(YKSdFXnT&B=J&#qykYa%3HiZ3Wq}q8@W$VLR|mm?Nr3Q+wA&GvQF!H+mQNFUA)?629bl5t%2hTZP78$+EM`VX zZYQ$Z!rb)$w*YqVpBeWCoLZFIDPqkP4``SUPH5xVfT%;{9#{4cmQALk#Sf1tJ`^?B z|5@ETpI5=?wnqWS((2rK_<~qdg&7;a9YknebIC58XOK>QlqkhesMkd%yJhs-alNJS z=CXCi+~{JL?i#B1YQTbYmMLn4$E)+Nh5e9cfJ_acs02kuvbsSQEyYL?9r z-qpDiULhD>S%#h*kG*qtp&=*Zav$KX`;Q(!g&wO4RCw8x+F%u!xk*U2J+v2spS2>! zsstL;$-xXr{&8m+o_nkZ)LqAlo0^W3qY{A1d3ZgM$F?nG^%oHAJ8aSItQEO+NL7T) zzpl}d@kAG2kM&02x@(ciG~ip}&92*40}3W&3&dLcqJ#Zq+0|~qC_Z-R6Tb`NP>Pz? 
zgtL{O?0EYFE$X$dvmDRnF1enFR1ceW1s7crrv*3F{MANiPfJg-w~%2}BE*R~MXPw} zyIgN=K`~3*q7td)qjN%0C+MA!wglzzi{*E^@>)lMqO|of-MV7<)-phM4BkiqeO{Du z*|HGAd-5+a9PR?^LMGbCs-U+-hDb?7iZ4~i96y29w-npLK5=-Jv^3hH*LnEink zib2BLfo77k3M?HaBs(1n<06ae;wUI2?2W6-3!9k(spn(&{6K8-G%n74R=5`@^;Q8; zbrZ(e(=(g_)^DL9^A`3LaAo*eP<9n^(}L_|pj%5}yJ?aQv|}(9C-th$PXLZDnU`zE zy{LQLbP_+z@oRfY_o4X|2Wt=42Ag_6M0l8uKg+@MP~9urLhD9ds+P80*;y}mvXYCE zw-DoN>eYPGqrjGX)AgNZv31Jeu}M5g=a`h}3*39H zEcNbh_BBI2fFjv7O}fICajULO|Fl#uMC#8s!VuoxQNcppz^>k>)w?N&`uv9bE_zC? zlr)44)B?i6&g?9}7TN7cQn&!5!9-+&dh|if{c@4}ciYB_JBT_>t_3{^SeT1K*oO?a z;=bS(#~Z#S{hToOwz@;UHDe>?->v0H<&~1I3U7NPgWFIZ{HaP_#Q>9s)m|`hN-y|B z1t@Z`yJoWA((I&Po{cO!HF0(0VAp8&j!-#(e`Lb~7j0-ko8@lzUlH!11X0u(MV%^C z#1DYD&EmZ#e+zQ8cBo$bc10R~6uID~V@){NE%Kc6?9O&$z=jesw2T(x-fXJ{3opq} zL2XwVU>vOwVPBkEUZ6@Vgb^r2gV$SZ3J6o_nrKXF#5Q6x@!6rZxQ%$w<{!5D-I|1L zc|dEr-*9e@mOVPyPw@Y@xZ=$*ESI}zC?pHjG?5TV}R-jZG#5+Y-?Ge(jFx#cTkmg z9fIhWuxfSI*+l#JZw0l2-W z0qFZ|m?}iyg=k4~PFkI`1oc$+%jtR57bb#5TBV62Tmj3|*+5fQ05WS0eRAz3H$?gv z?L~>6VQMs45nSPdd_d$}VhlSJ6-&EKYIi3Cx~HC{mY-W~x-S?YFmTTq7oy2}6%pIF zR&e$}#Qy6=x<>_%CXcT9>A;E`G%qXN7e98jRWC#PXVL-io^idy>S>V*z6I?W)A<7& zuA+(d$SVWm%DgdssnWU1zn@Z{a}*Z$guQRoq9KXzRlcT98uZ}g6|1T9OoqAZZE*lA zqELpC)tVbd7ZTUKaNmyH z)|tRwVP%X-vLwtnzX8s|3z{3oK71QqsV!m=ML+EhbaeOm|0la2%X!amWNpngVa+6Uh9 zs6F48EgAd8_~w(mnI--P*$|!mUl+8%t5KS>k^&X!CE-WZyS^stgE@aqQ93#y@nlR< zrlT?g7l%%$(zI@)kc`qC~IKEa?RgoUGb+A8F;RlnLw<5 z!mq^ZWa) z@p=W8rfR5}k6)i>1ng2jIGz39SwoZL&L_Vw8dseaeKzl4Z?W=sOp}g|8Q6sW-8}XG kgkR|<{~sDTO!52N9v?oRQvB!!KKL@4s=9Z|Z`}|7Uqw<^umAu6 literal 0 HcmV?d00001 From 84c21951f5ec0bdd25bdeb182fbfc8fa888701e8 Mon Sep 17 00:00:00 2001 
From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 16 Feb 2024 14:06:11 +0100 Subject: [PATCH 02/84] Delete docs/release/trg-8 directory --- .../TRG 8.01 Security Scanning Toolchain.md | 37 ------------ .../TRG 8.02 Security Assessment Process.md | 54 ------------------ .../trg-8/TRG 8.03 Security Support.md | 37 ------------ docs/release/trg-8/_category_.json | 3 - .../trg-8/assets/trg-8-create-an-issue.PNG | Bin 42073 -> 0 bytes .../trg-8/assets/trg-8-get-started.PNG | Bin 69361 -> 0 bytes 6 files changed, 131 deletions(-) delete mode 100644 docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md delete mode 100644 docs/release/trg-8/TRG 8.02 Security Assessment Process.md delete mode 100644 docs/release/trg-8/TRG 8.03 Security Support.md delete mode 100644 docs/release/trg-8/_category_.json delete mode 100644 docs/release/trg-8/assets/trg-8-create-an-issue.PNG delete mode 100644 docs/release/trg-8/assets/trg-8-get-started.PNG diff --git a/docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md b/docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md deleted file mode 100644 index 3e1a695d682..00000000000 --- a/docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: TRG 8.01 - Security Scanning Toolchain ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 14-Feb-2024 | Initial release | - -## Why - -Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. - -## Description - -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. - -### Benefits of Security Scanning Toolchain - -- Reduced risk of security breaches -- Improved compliance posture -- Increased confidence in the security of software applications -- Lower costs associated with security incidents. - -## Tools that we’re using - -- **SAST**: open-source: CodeQL,Snyk,commercial: Veracode -- **SCA**: open-source: Snyk, commercial: Veracode -- **DAST**: open-source: Owasp ZAP, commercial: Invicti -- **IaC**: open-source: KICS -- **Secret Scanning**: open-source: GitGuardian -- **Container Scanner**: open-source: Trivy - -:::info - -For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-tooling.md) page. - -::: \ No newline at end of file diff --git a/docs/release/trg-8/TRG 8.02 Security Assessment Process.md b/docs/release/trg-8/TRG 8.02 Security Assessment Process.md deleted file mode 100644 index 70b35fcb0ef..00000000000 --- a/docs/release/trg-8/TRG 8.02 Security Assessment Process.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: TRG 8.02 Security Assessment Process ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 14-Feb-2024 | Initial release | - -## Why - -Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. -Our security assessment process, based on threat modeling, is meticulously designed to safeguard your applications and products against potential vulnerabilities and cyber threats. - -## Description - -Our security assessment process is an in-depth analysis that evaluates your applications and products security posture. This process is integral to identifying and mitigating risks before they become critical issues. - -:::tip - -Check out our [Security Assessment Template](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment-template.md). - -::: - -## Key Features of Our Security Assessment Process - -### Early Detection - -- We identify potential security threats early in the development lifecycle, reducing the risk of future exploits. - -### Comprehensive Analysis - -- Our process includes a detailed examination of business processes, application architecture, implemented security controls, and maintenance requirements. - -### Tailored to Your Needs - -- Whether assessing a new application or revisiting an existing one, already reviewed, our approach is adaptable to suit your specific requirements. - -### Continuous Improvement - -- We believe in evolving our assessment process to stay ahead of emerging threats, ensuring your application's security is robust and up-to-date. - -## Phases of the Security Assessment Process - -1. **Kickoff and Scope Definition**: We begin by defining the scope and gathering essential information about the application, whether it's a new project or an ongoing one. -2. 
**Information Gathering**: Our team collects detailed information about application interactions, interfaces, and existing security controls. -3. **Data Flow Analysis**: We create data flow diagrams to visualize and assess how information moves within your product. -4. **Vulnerability Identification**: Using our expertise, we identify potential vulnerabilities within your application's architecture, based on customized STRIDE methodology. -5. **Reporting**: We compile a comprehensive report detailing the identified vulnerabilities, potential risks, and recommended mitigation strategies. - -:::info - -For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment.md) page. - -::: \ No newline at end of file diff --git a/docs/release/trg-8/TRG 8.03 Security Support.md b/docs/release/trg-8/TRG 8.03 Security Support.md deleted file mode 100644 index 5522d28166c..00000000000 --- a/docs/release/trg-8/TRG 8.03 Security Support.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: TRG 8.03 Security Support ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 14-Feb-2024 | Initial release | - -## Why - -Reporting security issue is essential for enhancing security, mitigating risks and safeguarding users. It ensures prompt identification and resolution, fostering continuous improvement and maintaining trust in systems. - -## Description - -This page contains information on initiating requests for Security Assessment, Security Tooling Support, Tractus-X OSS Tool Membership and report a security vulnerability. It also addresses procedures related to Ask the community for help and Enhance documentation. - -## How to Create an Issue - -**Step 1:** Go to the "sig-security" repository [GitHub](https://github.com/eclipse-tractusx/sig-security). - -**Step 2:** Click Issues tab and then click New issue. - -![Chart Releaser Action](assets/trg-8-create-an-issue.PNG) - -**Step 3:** Click on either "Get Started" or "Report a Vulnerability" or "Open" as per the specific request shown below. - -![Chart Releaser Action](assets/trg-8-get-started.PNG) - -**Step 4:** Fill out the form with necessary information and attach the required documents. - -**Step 5:** You can click on "Preview" to see how the description looks like and When you're done, click "Submit new issue". - -:::info - -If you're a project maintainer, you can assign the issue to someone, add it to a project, associate it with a milestone, or apply a label. - -::: \ No newline at end of file diff --git a/docs/release/trg-8/_category_.json b/docs/release/trg-8/_category_.json deleted file mode 100644 index 4c9752e8a4b..00000000000 --- a/docs/release/trg-8/_category_.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "label": "TRG 8 - Security" -} 
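Review bot: the commit message for this patch is only its subject line, "Delete docs/release/trg-8 directory", although the patch removes every file that PATCH 01/84 of the same series added (the three TRG 8.0x pages, `_category_.json` and both PNG assets). Please state in the message why the directory is dropped (moved, renamed, superseded?), or squash the two commits before merge so that the add and delete pair, including the 42073-byte and 69361-byte images, does not remain in history as pure churn.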
diff --git a/docs/release/trg-8/assets/trg-8-create-an-issue.PNG b/docs/release/trg-8/assets/trg-8-create-an-issue.PNG deleted file mode 100644 index 77f0013e7ce71fc94e478901462718c6a90f06ff..0000000000000000000000000000000000000000 GIT binary patch
zTCiag?S}MS{E6EB-5-f}M7%YB1Kn}FhI_7;?=ktBC!_B+cg78h-R7Prn1;cTZW%xF z2xA9iq?P1jXb8+lysEzGCmu+X9{cqO#g4U4G}^3l0-;b1~?kiJ%Y3+sD2BdbL}oXD86kvqs} z)5%YcF*NFdfyN2xn0*OTosxV|3DaNJDRV}-4?ic%5I&=b^nM6ZMonu%P_JotSy2W` zYfqjqh}KjXMOLW#AZ=%J)#9*5xbshY`sRIQj&_~~0(27kiStiG3*QOb`HUpOj0l@7 zUMH11zF*~K;tg9?@2#ybTMPawJaxL~8g+{$;SyS~wVAmO*m>D!`Ha!j1 z1sP7@>-R1`cJE@)qA~~5<({6_{wJV_nSQ5wjG>`Cw^hAxkf@*(q^LT zbSlv1QCg^Sz(^OlB!kQ{Q&K)|PS-MbdhB5#=89cp%#!Kref3AhBcC>sQSe=oZrQ;+ zF!9BV?`3wWuweaVlLd5qJB>_?XvEU0vZKEz`StCed|X7Gm%JVA*{|n-gz~uD_NR#4 zRt8qJiq|Hi7E`6XfmTvz+;?6Fe~$IMPzFC{`T*Iy`y%-hX zcnK_kygedxv+m%2=g?xq1^%X?{mbsT7qd(k;>VnF={*{|_IjlTnH$`SR)Zl*nZivB zoaacg9uZ$`WT?=j+ceI3NpU+4mc-xbPL*4j+{S>u+$dAeaka46|0c5pN%*A{D_{E~ zyl>I9jX+b(!(_9gXXR~ot*zE$_%{^~5VvabPc>0NpuUc`To2U0_7+JgJv@VrV9I=R$fhBiE(XN-Bdso)lIFf4@l5Zm%%>C*7dw23bWL-`8@A*J z{nvf5snY$z5iaGElgwIZ3LH7-62vdYmOHYp`Z*zb05S1YP1nZ=!bbf|X@VrWi9Hju zzL^sDAQ0LY3Mr+7k4z&5h#E_m3TNClOgRJ03pBTCWNm8` zmQ&RBZ|Mg`f(131f#N;z3-cL*h#rayxVoUciaiqf1A*$Md{fA_MeS>v1E(mTYUzd8 zDi=TSB=rElA@_}z$Meb0<312N<%M?;S~tkb98 zYA#8QF(E|&5~X?E-8!bo!3F3qXBTDeo$d9ZDD03gF6<^ny-%Es6LcPj;ej(32YeIg zl{cW1wq}Q$Q}3N-fLcaYouPZhavgJML$6aeON{5^`AGEiTcNZYKX%5*f&Nf2w`)Zy zi}Z!y0V`l|j=G6leT^2vuKEwGMmiK3E+@_?NLImd7)IrTK?BdYazto)s#jgWnpMP@ z04V6ohfS#3Q~8l6;N&}oYCYTpChtBhy`{YgQ`p! z!>jxhoEMHEQy2Z)t@Y7BM!TDGhm>m03!RXR)JCiFv)yBsI`@!pXI{ugqb811pxNm1iJF zt3Fj?bNZ}OvM6h}2uO;ad*pfp$|@=<>OQ9XduLY{d~Nj>1}ITDZB2_56#|_%mH$!c zqNeTD1k7c7e9bpHGvw7(znnEFT!1lquyjs}k8?q7&po|`Cx-6gN9@~A<+Rih`O%t? 
zvGmCEkRip#Vqc*&Qz+eWz*Z9ENzxnFfrW{HXG+~M`A*LtvYNVa`U0}yyAiRT<4ze| zYHG>joL}V@y+J(qR-0uc2*yRq`6b=46iX8Cyt5xH><{}US46=JgJ4m^CikCYI@Y>5 z6R)gf%b&e1w(az{*sM}n4YTZr(v>T8=$+XZgX3Rp3Q^n`CiM1}_s_U)$rnJjcNbB$ zWG<*y;of0}B`dRS>tWnwBLb|318=#f=3&@qJT82^q0wmC_SB4Um=|2#RI@ovN%R44Ho2lDU6>|MBOM?%LTl#C4#y{fNqAqTT|0;Ko{FLFTE*e=2Rl z!_Msu-IVfs+nYEAMrx)^UobO?(u9}<(zGd8?{Sw4-FO& zkp6u#_n}NtuJBk9-*1a#T;0I_x9`~5E#gDiFJs%;u3a)sPe4Qf3yZ$}&SYIvAvd~; z!~)m>kh`7CL!+Y%!Q9OA(ASqI=z96R`!@@#5Mh&678Z|8mrQ<_bYFXbHT*KVv(J`) zLx@AFg+612rlIOV^vaCSF7==z=~%66J=nWaMaE1-iAGKN)a8$sb-J+MSbAYL4_DdO zxa)bf#O>|BY$(7$AqAo)uE}6*rj~C|{4T57EYW-+J`q#&#Vqt&xU8Wuad+*#s%duQ ziLR@B%#yGL9Tq5UO>snKJhge6TG)^oFC-5#q(KU1^Gi{rnsH?3CCCgjP`#9UK zBgn?4qo&$L>vh+uTx~JwAiktx9GBBn%9%it$-ST|1X*|E(?}%~_^>&g@*ApZlOVOU z(U80mFwBoPRyJxLy5@B&8LaLXi$YJVi~fj)F>u%_>y&;LO^T`vWzdARBJKZ_9M6Q$mWn%Bwq9 zPyI)>HDNh6X=WSGNlT3_{{6T3WzQnWgjWClDd{E6CJy>GKi0D$RQb-|ZU~mI0=~i9 zbFNi=M3BhABR4)*Z#DD6Sn}5VufDpJI1f}HEAd_P8H+ru>1}KhduoQxZpYHR@a`RB z;g>4JZTHa>c2#0bC0sp-SPLq4SazCx1gd-b+<)*$uuIb;SR@f>tNX=$<^n1{9%Sbs z93T9)<|A`oPRgbb67lQzX%TM{)|l1~7aT&VJ z-5RfPWf$?l$!3`T`q3k5sMXh=e1W4EbeRA0wP~9HNn+%s5{C#DJDVeXPYs|coOT!F zjOiT5j!8eXVZ*ZGJ(t)FAF~IX+}dFM3;BF5UK_sg7Hu!F_Vr=+WgYnExWT~6N6`5a z8g9w~Q**EE91Kh>umn=Pg2%j0)?B7rENNF&O###3n4AI62yOaj>>6l33PBGhQ(MMI zYeS3q%IVFo`m#7ZvD5tW3RKDxMuU4@a2A^x!_1)T6c49QAsIz}kR5BPuv^uoDh_^a zZ>xW5U7VCfuxCCd_^|1$x}wUf5zrrVR2D(s8K=0_9Fo#}{c_`>w{enk0ym&8CIND4tn|Q>BDN)){dy-#%X)irPnfmlqh@wUTfgN9r zx@K>><x7OWQAkwOQf`#!u75XcYK< z4F7(CTUWEJ{pKkYGH8e{pWr+M@9}Ih+KALe<9GTPU@F>;<3b#FZ2rI048Q=QdDOi_yPh_|hmPTB#UAm=S z2zbPw*Uu@p1UIN$o6!};t{ee~4Hg!`7lzwwcHjZ4nZ40Vw0s zdbZ?)-z%7;G}Ol^8LxTEal1I4RLDJrw~bGVl|2V}sMFxq30GC0jp?15E%pAS&wti3 zPk~fLjd3~Rr)IYZYvGW7we@`%S!f5hf2RC|e|{tWesJBM3i z%6*#5*Y~`r{VF%!!sHu%gy!F2Rc#!c z>FdZ2myuW5l!5Ef#iH}lkzG=pA#rlm*yPK34tj;YY_m*k(9_6K>U~n68QIkpkia7R zG|hB#c*F={)#)j#pb(@D+d9~oXmso9=yS|Yogv)Oyqds zmulU`iIvCEcIwwI>?G2C&ue6JPsYWiTz1K^YPq?CXlQ8iRcCM8b0J<|$*DlU@n!|F9zO@U6UE#Yv{+gp2ePF=3ydd$!&@zuBodaQ=~Pd8VTR81 
zKf*P%mOXn{BdidGYUW*&xvVMOj2K}w$J<)91C@5Gn;wygg%Z~^V$cZ836eV`v#Lj& zb;fVlkj@GK(!lHUTU1v2Ml)>Gr?CQ2zk%v%t6=*QOP4VD2nW;dRXw%oYLB=k&OhT^ zsW!h(xYTk&HnTphOpEBs$|-L!_Z9(hrntV|t!C6J7;*Ct1WFLfP-@EFl%oZ8`IvBd zqpF@)H*`VCW_BrGGM+_Ltvz~{EUM^Ptkn+|qciNe22ae)m~+NX?(h|A8XiU3yy+I0 z1|k~WP@vZ)c;geF&mPD2xu$co-mV$ks|^NKP^l#zkw)<5u8l$z3?O}r+P6dGyt|=SQQXgze zaM?3oQH~jAak=tjyq-CT_!Vm!TwZ_Lc6gGTdZzlUN&c9>o}d)G_9N={fB94mhj-*r z503A>GGhIV)>!t|`>jt+jn+Tlgp&WDA){kIr?<=_3ojhg|Khg9MP`I)5z~BqG{==a z3_SY2~sNhOq@qeHd}_6W=`sVVFME#VkZj`uyybCAZ=B zxIgx&;cM&8>Y{U66?$@zF0;(KZuq5i)6QK{LsV!_wcIZ{IS4Newb%BwL?KtDjDaeT zeWr5^^(6pCuJBF2-1EH%d)J@x2JEt~os*Td{oQkCUaIRfJ3s#!G%h~AOg+o7 zNRuB_@nUJVn?=mN08B`K$o_3A5*)DW{5p%T*nrojM@1-=mBXu&1}bb?%MY!XTf`55!B&*y+=MBR51O__3+hN3vlyCsY&cKY3D=U zVHUuq`jx+p)P%+YP14Qm$fMj3yw^;3tc@Ec*K7qO6(adtADbGI?ppBIek0DzGE?_b zWn%3Xm5lC5-vh_7ZKQV7X6JMuI9N@|Sf^CP30xO;ocRl^PqVFQsp|tG`7U<1)6QRR zbf`i~kDApxg>4hO;Xq1-?N=?_HSdpWTD&G*Lslh)aLLQObyB4&t6dydo{)EFqwG49 z20PYiz_`q0%;%Fu{JG5-P0t#1pk6wr59FLeb>QLIr^h?{V|oP}ME_+GU9Go$@iBJI zhTyyAo-Y8*Mw53tQrfQwEe;3ojVY1eyLapz$Tgu?c;XpT0>JY!qC2o2sk4h)sY z=)8z)^IUFsaE)~z+PI_kq@`Z$((xBqw28V2qO59OF}t$nY!a4TV{7OAhK{_gtB;m# zCSk~QGuzkm0l>Yu%_VL+%34#m2~xJ}KtVM%HC4^c5u{XYz9rdo+!Jo@yEhFmtW$d#R&l$oW5`*B8xuOUo;hhLA(!GW&}mg9Lqc z^J07)*U&Z46@(QsGj@@%u{YvYJe@GdfUu#KISK3Whq9WpZkZC|uVp!=JI+AY$W_@m zrv#=|2e#z^LdM+U;@VDfrS;GlfLzRNh{wHTd0MbJ52d=H=t_12nR=7cp%fQU#g{yHtXJOq5lg)Uk z9I2b<;U=6=?CeLm%>?!rVbkfX_s&oXmV<2~oJJyu`vz?F#K_`h-tED<@qXO>NI8?EP-^y%1K4kczVNy@>@a z3*oP=?vT6C$PAP;Mht$9mvu*fSow&5NbXGzy-VcAkdcU&%cby8)TqOqSgHfg*R0fe!? 
zg+P*~WAw~UPTbN7Leb>IW&2L~Ihw)kCVrtIJVL+8Du6oh$q^=OWii?)699ZXPz#fp zTiKpLdSkm|uUI3-^BueQZ&C!dg;67NRs~he#)@v_L>LCY_H4#$cDXp zXq{TKL@mQlM~+R>P>`l}#RW4o>HJxYX9_!1uqk(VynBmvIVEzBa0pU7Xu8kY_7_YEPj*6}`gj=Ce=&AHGZfzgC>YUwwR`eEc^y+?)ZTUq+|ZFs_Mk zsky!S`}h0R9{V}0Y({m89UUFG)~_>ay?VZg-45#hTmI);wNgYEM|VyDqQnI+u+OLa2j* z$%W=DmqFF)q}3Gz4H(~CS*65nLC zS!Do}xlCkUu3buFqj*u>)bZX@i-nMozJQAOzLi*dYs-V1`^n~mk@Fa*m3b+sm#==M z{ip9iK~g%FtE*A~8L_xn53YqxQZphyJ-K78(2EwmJ<;5umYqXa>QB@Yv-hwWYa^85 zekBJm667?zX{M0FYy?+Z65g!K^$L;?#@+;?s`o?Qp4Qyay%Y^alYQ|(nvuurmhK;} zW@Tl44F!oXjSQNk_Yg1jp;`vHKR;Mp+~vP^1OQiCmfr+)HJZ*BcXV0@8pe8}S8WA% z;o)7~rqTXV4|s<^m`!l^)x8GFpW;E$`6>PiQK(ZQdIi)S@uq;9}2DPyTvN%8G zH#C2=x^p7IcSK$=laiCeWV}rVse>)``akO}$;gn5@i;x$Nbk(mYN>02u5;FM9qK1e zIl-$NRMC))UK1xu?ozdAGN zj+^Y|dR<+Uq_!ooKm9my4&L-zOoic0!=+ez>2 z0+SK_kF81Gwk5Q$d9I1T3_0imq)XJq#pb7x`Y=pnThKEPPh^7y6gCjq$&`c4MAGo^ zqHLmrR@c^AB4TC2sEFuhQa?+~Um`_8VRb@4?ddLG;{<;&#(olD3|yn|MAjA*gpS+I z5MOPCqV6-rT>All?cob$@x|-4$b~INOP}8f?jpBE^XX4oBc+0(*br9)wrEbYYL_701gP(3!HY_Oa=7(Q#8nt{6U$4!y?Q~-HdFBMC-#NKV!B5usT4bw%ZK&EgH*#}EtFgK!J3ISZ zPHyhXJUj^JJ$Cs1Rg&$(&eNn|+oMDQm~`+6rc!v=9Ka?!J39{mBp%761imf5!&Q$SrtgHCGkkEe6yAW6TIa!YKeN!}z2K>IxJM`H&$^{Jmjf z7Yu{;y1jk?pGd&2#;<(6akZ?ftx~W?(s)d#R@b$p&xm}VnuF~@^tY~7(}>7_nQT{r z;NiVqe`IxKy&3;5IwThaO{e+!^=$Y8#yE{(RRAjQlnajpnlMfPK2*dji`<9hg3k`a z5!&P+5R#Pim&C-E2PF53=30bhHJe`>+nxaI@%X&%zfbu0_xmvIE5Cg?JR{P7a_E38 zdXo`~ekkm022+UVSaJ&yp2~Z0yKNDiz^e)X5@_>@#lP!&8#dZ2NZ~`Fr!@#r1BH=RC4__Dscs zS0wQNHE<*VtUmkA^^a=d!~YO`{&Op(9{6_-vII}?629k!{_95n-aNkr%+Bq5_AFU7 z|M~dU!EJJ&ABq2DR{O2%|9Cz=7g1F!9K^@IO>7&v&Bat%iK=lQkJTh3Qa|No3XuWw*MAKzT3e6Y&)pNqi3$4|Gr zMezJ?@)Hjk{P*j4HwgZ}eE~w(YR_dCbCR-BS5?@WjiqH3B&1^8uW^T86u_4!gt1)O zfBHYaimhPv=6w?-vq}H^OKr!U2WY+jgYG_Mk-Y-a@~mxb&io^5D%u`B$;$*$1&*tv zA^&&QmvIBv4CtE$D9l-|r^>$Jxa(koB2D9J4sdq;($_v!j!nwPTJiM*)CjPTs<`$n zQq$B_O-&)*Df!(ypm*}U+_ywaIP6Fu;@4^ZC|%IMN+*p0rspxAY$fVF>OfzC>Ln3^ zb^x0oY-wu~jlI=KsGR7Yn=fJ6?oTnT%#Tzgv8r5P5sX$*5=F~DKsquTUOMm0xLfftyKGnZvRE*5dQg)q@ee!?1(|; 
zRU=AKXSpD{8-VZ(jc@LLcfD|g*IbZS+?f4vKtk+3>|KMT5WA5Gd7k+Okk&uMpzdIz zZdyW2zjD6iidr^0S?ZMh`?bBHNA0f-B7A)Lu3l6eJD-|Yqy8axz%jrA#C5DXJ1rc^ zT>}`eWSHi@80JAoP%*OM&%4gxrz+G(ek@lUMPMw~Un!ki_5h%P)_eJI(1!2UiO42i z8!^QE2I#ej!^ldH>N5!$xWgN_uOnYYxRFLW?(0vot8+_e?2>EPdgTo0Ryi+EyC4Fa z{F86^jB^kr{#T^X9nD-VLp=VF6}i>+PhZBeOD&Gg%V&Xw-oZ8wY=?J3UaInu3TM?@ zzk}rf<#!vOt#b$7`n)%|7wPYJK_I5)rmI=|kmGFb&#E&;_W#A+dqy?Ywrzv<3M!x? zAfO`Bq)3&nD7{JVL8bQ+dMGMQdY2xM7LXF@1PGDdiv$RS5CkMN37tS_v$^l5eDC`{ zvu1vLKW1jlURkUKWM8{o*SXJf9LM?Fjc$s#o;d)mb-C9$Q`b?I<+pK1Zj?hvc7~0` z!QhDy&VILt<_zoy%UT^%mZaxPdZsICtw6+i+)&*w3%Pl}!!7f{6JU~!%cAgnq!)EV z0c_LhhtK>rMm;uaGfBp$Q6Bd~v-ie!WJO(eK(4fWiw)6WDeG?w=BJ*O4r%lsT>uVG zIee35L2-`H=dze*#evaQPx**rt|t>D13%&Viizo6i$m;s;sYNTpXY~QSLE|3ymtq0 z$>@$B*pbY|2;kj9jH+f_yLzmWoG~T>xOXk?&ITQZ@6>+(_UAet>qi2_(6na@rtj0G zz1p&Jp$6?Xf?bCa@eb#Yn25PrzL-JXtD;HK zxR4u6vZ*k!{Fxu;vF!M4qW-G@|7P6Qr5!dmug83*5YV8;UB}Bu-fiAJEtel3ZIeJD z$M>%$BRWwo#V8#6W`+cd0X^H;mBGqI!F;YY@jy*=<$SlC5*WimyM`f$Dal^|nSfLgjN zP_0#*)Bh+h;lh+bt1iS6VU{$jy(*Sd&SPz}mYC+?k67nsMeTuowtDSAlQ##10PY0g zu6O&^<>XhoQpG_H#57SLsds=d3sRMqR0F8;fDQb8W6lAviq?Q_BGuq=m-%r!6EARD zxz>iZJV_$GXni1^KQy%B^c(=Jl-Bx=(n6QS5@^YJ<*%l`Y=Cx5Er9Gsyeso#3$0^W zY4mIhj$ys+Jwto)DZ+Masj8(5q&325w>Vg-FG$K8d^L}p&*ZQx`mPIoVw`;(6b*9v z;#*-zUna0%+IyjbkFgALTI0Q5tBh_x*OSH{-60{=)&N2x`bANhd?Xo})vSp>0|Jm0 z%&?cPMwa@VO#=&5_7uMZ#GMl4KHOYLuGIUOt2Jt80GS}kW7>(y7Q1!#YR#pdXSX{k z>ziAx|0D|b7^juRsi5Vevu)y*$BFU;CI&__?Z(W#R2Lw>97nq_G3;RkWZ(Em66?sv z0@yr3P;OwcbdH{X0aV%v42L!yf2cjlfO>DlZ1?nD`eGzNN_j!@<7+YSv{)Aik-y&# zSf=HNF+;z8LJ0g|WES#m(dS$zJI^Vqe=rQEjYh~4A=FcYg>FjzkQDM^_-ShF_tMj| zU|w@Q=}k|1pCigp1k4OtCZIhskh5Stdw)Tm%c4 zC0>z@jG}(7D16^F{J!&JAK7^jxU7owQ8xohpTUh_ zmc(*Vn8^K!s>=5xF83>&*&?j6)Hu}`zY0o(4vpu_YGYUZP1$q9-klubR7Hc!Vu!5{v8vN$$t7!MSbkIhMH-6QM-}gOWJ#N%OK-TApkpxj4fhU(Ourq?pa&?Y>#XmR?KyLPjQ5}!(o0<6+XT2?iCN~ z4c)SX^=fTL9Pu^zo%m}fqf2RD66CL}0C$^y;GF=89&D553N=;X%r5XJPfko@Z6iVQ z=c+L^L>%|5{ee%6V8+CE3z#^(gwlw6XYfL9KsrRk`XGJNlmGNaf3W_^M!=K%#c`DK 
z$F`$tt#NboD7X1W^Nl}4i6Tj}OaKVKR$IB1MNOKY1Y}vmSKeD3U191sw|Je<6#d$1 zEbjwip?NbgBlHWp*J&`9yM2eaBr;FHONd#kSS8?9`sq$@FBbtyaU^<&8yq98&8{;0 z-JH`cwe{&aV4lAvdM|2$)pKVfo+)KKOiZE0<()l$p3C7j(!b(tSBS}XVcX|ec92_U zZXc|Ap|tq(@Fi(Aw8w7EjaJ+Ww+}KU{R5^2 z2xF6)3Ea0_!SK(+uf2V&h%Vmd^Hnm>R~#Q?m=X7zUSIYp`Vz7;j1wSCxIGQThiUbQ z0n!6eF7^_bincdMOqKw#x~?5;!+0NgscED)k%T4LFD*b8h*q zof?}y`NY&oi4e7^-A!X94206;$L)cJM^8Eq5-iP-^8q3tvpIc61~!^r=Nw)g#wt=Po^SVt5Kk;z^Y?f5=4T8 za%ND#p1eQiMz2(_Ii)s9Ge^32eRTLsJm+}~Kv0z^&A~e#x&o*k`sj?^-Y8Mxq1P0R zL1VUYU%@javtA`wHEon^Vn;#t@RiJz`l!t$v)<|WGC?uK3_IP$aUE4}nmt*|D^X#l z%HAP+EYnQ9+^>R%ts}MQ;bt(ePG&)Un+GIIRc@LYK?N^W{wAjBO!lM@0SQBOl%v>3 zx%E4DvZ!37QsUVuYd?+P%mP2aA3Euk&85WUT1V~<|MGwKoto`27>=&&U_oWy+Z4hu zS2GoQQ!tjbY0ZWw2i-#baI(Exi-2u`eF*9siRGR5*q;B}a}^DZ&ukgRzhGUV_9~Y+Kt+)ZuiB6qiPmtHD=U=siAq#=TkYvtQ(0Ut=AC{ zqgcNAcK_M8tS3LUIP75Y0ms5Ukqdrl(3xt)BM?qmivz5D_Rd{Gc=FCyvgG2o0?m2- zO--+$wmCtEsQBbf&v!Ex{fF1%rR0`Wj{wOf#-suJ^X(jlM_^BWTlZ!!q6ro(6|D+4 zo+sZP+RfLp>3fTo^l)HiP4g!q)CyD;3nWVKd#u&g-)~~BGl?bYbV`!aHjT;?VU&6` ztQL?dfsPwbg`B`JU9LL=8nF8TyAG>Nt{9hmsWjNrQQ}rrRFB_AqCbx-hjI+_n&gzz zdPOG_IqkEs5(Itn_Wg(CH{Zrv^*tN->I8uL7R)?ZDy5@`yKOL%PQ@j zgdasJ&MZ)OimJNjWSXtg(M9+I`b>4Zhi5-N%_y%YfLyVzRH4c8vB5?m0XMSeTy&Mt@Bj?f2c&j@axK@dDR)YJWu(^=_2W=C^fCQil>2cobyUt zf=K;p4&JH5VT)z+6-r>aJyFxbbY6!cI=x*oP6fJv71oE-f^llrL>Vj3chDjX^Us1D zCDqsopoUG&R?`pRYByT-`WpQnJL!R_H|tpX@*7LSQOvM5$&mUVrVp8bcT4ZbzPHyy zMsUUCFYzbz>fJ@xZ46otwtK+pg$uvRv(OC_yA)FY^qV?UAmpugGGzz*w`}FZFk1>W z{Woo)bBmcG@*0NzLe&gw4B~@ARC>drd7kvHCR_E>+c%WABp2BtVNDFj&ygvb=Hz$COJLt4>#~ex4fsVGSam;ZOP@2n+CkG& zF2xP>+Vwe)h6~>?a=vq^Vh6VY(pJRE7mvOKwYQB@CdnKSfR^6XDfF>to}u7(ccu*7 zX^SptbfmHHB0)AJM4z>u>KU_!4w(tF zTaNP1Q`g&Zz1>H;w!|feL`AgKLC}O8gTwMp$!HC-?l8mCn2;lkeY}W`Z`uLL>v|qa z2P7THnohc_#XVH%HPxKnJLbm-u}RVF)c+Xd1MBytK@Ovv9fn{6g(D`?+x2|VCrz2E z`EqEXAQHpLAatWCq)J$m(4GXXFTvb2FxhG`6>pmr;J^D*nqrU71uAIF2I*Dn!IP^6 zRoMJHjN|k+x+{mB#jBF7(1H$C)aeYt*w8ag);sg6(-Tgd!mdcZMpOCUBHAzEw8mK| zzL>j-(m)(05nPaI|3Fz~hKH3|*d}kacl<>_^x_~)d`fZ~(4|4trmx&o?=1>l`d)4o 
zNyBr_L_~QtN}($7a0jKo$IY?`_T-Zm;Fs=aiJtS!9Q5k^qv`*>&d zIk=(U*A0=#agKumk$i|^23OG%@BV_8U;drlfj@JPq^#p)jmr9&N^l8UaC+)xgNCKo_Nu>gOhZ|bNNDgJl7k9Z>wP7)1kEp ze320H!CR|Xr>X11#GzJs`j+YgT*I7FJLXLFo85bDN({2_EHRD<-8VW8fqy$V(O5)@ zAI@wXl<`gCCX#}_)kD$O)OQ6L?KE|D^Ki5kIp#6CDKf^!sMuLTlLdG$&fy3Q2ohbR zt|w3QQAHG)av31YkNoFOCRjvd#wj#+SC83W*s&-t*W5hDKD-O~EL}kMhqQy5xW8A+ zdaIf;is<`oBE9=V{*$C-6F5}^S>3|^p{hxUE^J|A6eFX?f>ddmCw7w!v4TR z#DbBPP}NP2K6gC_UMcxhD+(7giX-yMAgsl#o#-IZUmz+~=?)`Lwy$pwS3IA2Fyvl2 zg8!^7u27tSAG}>U&;?aAQ9Am?$D8mh1p#o;rBD6v4Ed3M$pVo}rq81!mi_hAeb!_xZ~hXR)z0LDJ&yH*1%ljTY8EKtu~RXZ@B}u zx~`d}xJ=*heX_hGvkPHjAV6KE`q>Aoesd?QGR_{ad|D+jTnrdw%Bt}C>Kpm+AqPq`kpJ~hgv+=&mLceVu+ zV&n}{E%P^!HBYKM^z!^)ov&4&cb_7q!g2$~-yVL@oxE#5g_e>#HA-y$C<4`j0YlBD z5}Iiy37LcI(Tc4tve_$^rAVsx;_TyF?XZ*J@_nPbKX72%N#@guG?1&_CrOC-<3J2y zS7&%PZxJ+i50>&v!hFO2tIz{K`8WG)LlL3jV?$_$fZ>kZvsuoi8_(aBig`99t_xAO z+QhD3KWCc$502Lj;Q{n?1pH1O0V;zor*Nmdb;Hby@v{yLS>S$^sj~o}+lXo26KBoj zPwwgF83Tc^Jm_7zW%>&~bRp4dyN0iEH@H_bPeZmZ{m72MWlT~`I~t=C?|k)NuI%S= zK~l$?9FVE5L+;^hZ^6=M?Q@dwb4X_h@Y4h8H5U-z0ktzUF49=wm3Tux&9`%(eyl4t z8?MM&$ep9&*Bk&Mu?S(Tngg<;FS6Vn?&R;NH#P|fEa-b9{@7cr{6%h>o0pQh+KN-X zTEm4CM$0OVM~4?{AnCfaeT>WN{#jJYzAqd5)Y&*-a4EpX7`bpip>cH4A;7H>9r!SHn<8U0t2bmNs zaDPC~1gMS(;`)Bmbw5%qM7K8ll#>kuFU35b>k585sL0~KjQpfNRUQvlH@TYFG1$bo ztMc2fugibXtQ7}|elqZLGPaRtR8)HH>M=YCWtDgteGv5tWff!PAVEj=scO#Bay(c4 z>Zt^aSrWX)pQS9|{ie)vtjd9rzV>Vx%b^pvuDH@D#pnKjT~TUl>qYfZj>zztCGBsc zTszp99Kmw69OkN>&PTfp^oyRogO#1I0eY&+rF&9&LllotxdvtzkkLU0ek}LLn;a`3 zlGLjYZ0e?_D*&y(x%Ge8tCv}+5c?6or&@@kMPd z^IeTxqwTet6w{ibDCHZ>zbo#`LrmWoYtPjmKwW|`|@p13sB zLk?i)9QR4S1PJPPoO0bf=ZrR~Y5Ag6!RlF{*DuNKInwmJTF2jth_vZ%XgyF<6RbiL z=N<}?%0Ri-qwpIzv}<%SP;NzhX^~pJO`2&_0WPLe!Z?G(z^>W|->@+&@1T!+d9S&&6XL_uP{}vL`2b2dq zeHgdgGCi(p!>6oKrFgA2TlbgmU9Y5#F8sMyRvZY^Y!VJ1v`S28wx4$Da6XQrJIE`1 z#bUuitT!xr6u_+t3G3y5omp>ieX9sUi4cs7ksRuheC9K{F8;o@vj4?UMduZu{4wP| zG+htzD5w@U^zF&avR73S*Dhhs&5&-DXLu6dUe()CbUUfOZ%6RQ74e(LD@efnc{MG6 z&eTZs)0ie4MDE=B4Fz`zXrKnl?T8n>nd&zJO6^h8?0b-1eflV?8PWL;CGp2U1o(9k 
zKSyRk(_dhFLZLvxiH)HqZp3ywA)bU{AXQ^tiwBJ zh<0`*_ZX6~*5~0nDv#vrDC1ePe0j=f)F(PJ>non?*5SQ+C0EmvY^2Up4dDdd)N7}I z8#HB0{N$9O#;G#ADUwcgiDeM%S6x(<=+LwhZ;<^kxxmJ|$5iEfs~n=w{Cdy`PFyhN z($OCdpQEfTYXe(qRUhKjo%@G>fcIyHC;7z%{+&Q7V!a(fQ#R?e?jXgsJGD2|_YLV=-TPPk z$HW*d2w!*4IYq+N*(|I^YU0A9d^7M1I;)En9;Q8j*&{1R5?}m22@tgV$XDLK;o%2S z2-^C*((}!*ynp;-|91mNXc?O4cqLU%Psky_sAxK{Qwyqh-`grHb=S;h))Qn}tb~eb zgvoBV?;cr(^!78#2BIl*DOIcPXrvXD9eC*4l3slmB1O)8^{83W=YUY$if~9I@~ryo z+pt|rwEMwKyI*yO+ix+q`W5RAzLt2QSFh$t*3=CR)AvWIh0-W;CBo|D=*f>t`I_UL zo6S(IOKSP)%K>K|4|eH4VIvuNO0qvU{6jOq{Ig5S`8S>Fwwt);{6SDCi*2RbT6eP$z8VP{-vTe!-xdWF#<&iWu{Z1B{M%RX!}_R!P~caowHn&KTQ0 z&8~kC05YyI?-Cq$k{M(J-DayE+uWBs`4%UC5Ii`J<}0a9_`>U?Ae>~OMNpGeIZ%qg zF!8}hG5La<1LuzqN8)I_g8*TgCMn2(dtq!ryp>X`! zMt~yq(1iDIew10u$m0!*;-^p@a{_3eX=`>J(EQ4w^Tg7w=+3Tt>_kBDonAehXtC=_ z^|8{Sm@98c4vkIFJr;Hs7@#G1Q2nS!WfY`KAI=UR(q@C($jSbI7oRutv{frYkdB1Y zb}_U|80-cmc|KyBAT3}M(_X!sf(Njpr}eHG*+s++*H9DXNe9yGmg3f3#W?{0&-MB~ z!F)-y`noM}Hm$qJi0AhhJhB?@?>gmNoQID5)GxQ;VFyoOy#H2u}rK zz4;kJzMwn#CQ%bBWfdT`rOBA z!Ezpc+Xo#-I(0zOdz(yc{rh9-L1{vo@8`APXAkZKr|QX;7pk%#7o3}H*DTV-`Uu}Lfa z^Kp{JlSvg7&2y46S`F|{RKk`YermsCS9V=Q=1i_ z0{7KgnNF^JLqM@nx_4Qb>(0V$FO}HOhasF7$W!rY&#w7nZ5@NcB!h-sYcw96NPm7v zcYV?Qt7#epX?=NOH2|=Q9ffP=P0X#^q5pdMrb8%Dv46z9f=(5yLIhw+gBr(QbKgO{ zH)gO>N_Vv+B-C8g0olCUew=ycX~G%eS3}0clH%iVslt9; zL{aTOMkch`y}PY}C!71Qsdal=gm}H%ur>D3(ZXMF4=?^|mcWsY5$KwhOVt_?`uLmo z*;lHofkCj}Bc_6TT;9Tfi)oJ2rf+O5agSA%IyTDs6eT~CI=8%T&59&0???eyggtTNh_Ok2 zQk!1BF?__mt*tT?#u&+PfdGLU@F`R?@BGit1BJ;-f5J2bJoH1o2s9kk1hqHWD>uq z`o11&3^fLu?y$FIV|=pfFG7YLU-PGRp*_ zVQSg|r0brRTG&MM*2Nd%B!=X9#q!-{kNl?FcL|!ikeNk~^%>D~M3;G#o;F2tfRu&a0SiH6xd?9g+=hyVCPPd>-{@2KQgrpZm zK9|cT2A=ObaJrnvW^OhElI?DoPypAVoTYsD?o<-fv(aGdZiH35D5!7|BS0+D5ajOO zn*3H)x_sd4dBSr;ch(LSap=!Ao30YOe)9LCl7L(Q78TU3R4LOp1LSMyZAngl`KV)P zH3zO}d0^dcuqeK4oD(F#vdGBejD461sCh#h~#% z7cXgh;osJn2x$Q>hG;g7Z7RTS@|x#&t7Li%j%f^Ae;Jv@wmRRlR?SDZFPd3WHf^~u5s;qVQ{C9Kh5Yg!tG=sQNEYd z?Nlg}JlbAy?XkOf@O(IxKscr`9Z&I zUGgl^_Hi zIp|uSB_h*KMC 
zWS}@V;=VrnM3bq2=Cq;R3uz#G0AOr!Zf;ZgUv|}sL}@uQm>0MvO`Tp&F%|-+0emS( z4SbeWS}5p}x4lYLc*sapu($E)__hw~WR|0Rg!CFTMYcI!wlOAd_Q zyTx^v#JX=EIMe1&6`Fx;>fgBCy&pjJocM>j<32nNGxFZSL@K&-LzEGAbK!Od|9`;A z{(l-{{Qqu{v}WLiGq6X+bALVFfBtw8aF)OnOaJ)H^E(ENe;I*){^tz&dJC=?H6ioW zxwMRG`@H#ogthC-5}Gf{q(A^Z2m5UvJ)sZ&ANn4g{ZaJak@2^RyCmvfTmh>e($asA zr#n5~l}``;%V&A*6XNpATNnQO=LS`u3^KbtqY>B`AGla+g%U;|5N|Jf7eBoN>3Kp&a_Fy zQU8Z0d!IEm?%azKDvtl~V7fHo={U}`(f@DWG2fb=9BIyddt}OWoW3Vpspe9gycple>1oKtpil@qfD1{|6j6T8QL-xFNr4`oAuY zSjJPyr31Y`*Zib`zn@o*VVZyt<_RX1XOJJR9b2j0y^(gNxm_0ro3rgZ9Py z9qm10OMi8{{L6;Cj$yuC7m!c(p#iv1){?w_ygbUQJC^lsrA&U(KMaf$?a!YX{}hnU z!--No6n{Hk%V8+j(;OiyXkm1X(&+G-4^-v&4wZgD$$^{;O9$`M?fH%x~-FQV#UuL3(F2G%upFi&uI8?@NHeX-`(0)ebeH$>Eo3=gJ%xJ4Lzg7+;N|S z8#`CPi&E~SGiScl1*JDa}Dj-$Kv`vS1Svb#P9 z5B{|s^ zg_)vz?eq}-%F7fI@gdkWr~tM5aMt@VT(OOHPKQx#KBej}%I?z55~bV(aV7@81+g6a&H)!D~Nbq{C(T*Ocf}eoXxBxSbAr=6$;O z6zMfex^aur4Af?Ec3Yvz!w`Pb#bx_XXi z?MU}}ePe(p`w?;3_XEO8-8Z*~KKaMQulj!x;L6nnRj%E8cwP&z1Gg+cPAFWtoWZ*= zO*>1z&*e@AIO~Fsi723l?o)^B7mAiwk1)yqCu0U3)Z^_P^Vif8HHrB1+S;xmoMofo zyh`RSe^Xe1JNq`uI_36HK^fvygM0(YU%6M>U@2K$w=Bm@cG`v`TcPm4F=mACib!LY zb;Jr-aK-I`iwV>A_}n(2_cBuR;*HlDs;RD1p8$DEEeC{Fzs~nbLS`9s#_A#^GTn~T z)vf)PpNRQRRU#b^E|9weC^YnCSV0>f8CzUT0O`wIlWC@$7)$Q#jRb06uK=Y-ew7eu zcaN#0f`9pZFW%<7(|p}~WodCSdz$hD$tPa29^;A6g+iN_>WFaihJ5(AwPe8hu@~wm zHDl&cw^JZZ6q5n5N=CMYn^;{REo%JQ z$A3P8hg!+6PHqu0nDO0T#iBj^YQ^#D$;tKTR^0WQNMxC6t)WdfTNWhMJ3%V#)z;n8 zYyda~amdQ7Pvk5cQ`lN!#MrFOrV9EKgvI9KgC~FJsI6E&8479-)@Hr#c~57**QVw7 zeihNaR`66e;&l5U@Hs@0ikro}x8{DW3u)ODe=8(Z`Z()kO;q!Danv4Qcy^+(A$~hMq{cC+jq1-=C2qrcQ3J2(@@fOFd+x&< zft$~d=u;rOZ6e=FTHmipsSKXx@X(JBS-`UJ+lfdDY=SRLzcZk6(YVCqzn&W*UJI7>}x>l}mk0VZ)^qHu!w1Ii-Vuk^DOh0gy zY)u*#QN6Jr5wtWxJ|D&WPG{*%-*T^Yy6*!g7f=quO}`Y*|Q_5 zPUsksmY->YtW_Ahc0}pj4YMqF%L7h0kmO`kn2$s9v=j-ojL=R=kjV0{s&Y<)sYyTc z`n-4YIf=HK&vfT@e=ghe0fE8d1O8M9zw97xYh)+sXdGARej=3dwVxTKggTP-cyGfcfpa&2eDAq`Khp|?p3;_V@J}^5FfymZx_dWf)S><1|!Z!?9 
z^-+G`&!s}-qnT*Bs^(UV`>nk)I#AL-3z{#30Yq_=`I8TcA>b;=lD?19BBoFnUY(SDuG$K^uV=YZXQK+brkauml@BJd zb)W;YS>P1zK0R*q%{G?@bLWQX=pc(;;XYHA>OXhSgL%JI0Jrik8UPmiQhe28?lOJy!-CBY~TKv6O25>8Rb8OM|uuAt)%anoz3VR|YU`+=+-82VTxQBDq zY@57eE#a7!!BOk8rP_6qDZ;_m)~sLF#tg3zSC!JXL`GKah3RY34c<%^b>z}xZO5hT zF}j@gj;zU`C$f@~J;yNDBt7!i{ zg~L7|NE2D6xykYr=$f0kw0lm$K~p~UYGUd8BIKfHz9V4lG)i+*M1|Xik7UVhEHh|* zGDgxX`eUjp5_D`ARG&pVeu&0gt5TdmT(A0*prU;E#$O{%o;}Fb#7VIFN?^2&txZD5 z-;L-1#J>VSD$H~F1I~0^0DF(6%h}Zz&MpcorHX2Ct*L}(Wxa%ORj=2}D5cthOyQCI z&xwcU@pi)?`E1*mZtC*2m|6JKyn1-*qh2A;>kqmlJw;WPtE1~tTj-g_PU;66B=676iOsG_~GMqqf}@yDv?^ zzk;?nU+iZxdpeyi2+>2{eOcBZNy@wQA+=Z>W?g{4Mb5t`^xJ{RcqI5yIIC$%5$zEy zd}0!n{2l#W@`^E3Aslc#mfhG{G%RL+`cy6q(0D)VmF^yrIqcSlDO;~_Eu(1f$JId` z8aO^~`4I%LwK@WSR0yCY86l(#e0v{12CVK&MTG0y9+{a%2>%hm-&6P z>b&pZ&n@kH5|N;jUjm#$%ndJf*Q5)~gT?w+7_zd!PU5Izhw{~A#o!V1&kUaxrp=!I z<*Ksg5J1gN>|ZN%4(ILk_eDr}39T97AB)YB%LuFIm?^B7myu-0yD9J1s;n%?rcgTA zF0HCx)kt!KRiPirsMI89rploevs>G6s5=|`~&Fnf;!R* zN_e_0odjP0ISaV&KVE1*mQMYS4k`WPzSu?+$Vjy7#p7D(@@81)!P{B$h)Y@S;6Vop zi4AI`lxs*ehwI$_!#oMJ-1Okmn2 zboj))!!Us1$7lNeUq+p@y{W!YA5})1SZ87=aeZg!kRD&aU<-xJ?xbGE%`b`~KY=hr zDk`hOPWIovQ7acJaGjeSj|@ejYw}xuqM6qwtGZ+)-Ht0!*4|Qzx!xy^;D9Ub3-=sn z$&6TJS++C_$V+qI2!V03b$MJN#kxR8{w=W+z}H%wZ6KQbx#O~UD3k|p0j8k}3ZhE8sguD@RE4p#0ioCI?) 
zO_^cxHu6@hxs-i56;ZocZ&@}~oGpZ1d}-O%oSO(~@yU48C+X>3uWS=0K8=x>WY!tF zlx3q1Is4DBgMyBCtB)3XO)H9l2Mka0Xe-|D<6IQ9x3aaKn;!kXHd+j;%G1whlwn`!>#meKS} zziwsKFCZfCdndpd<*H(twxY|0ux~4OAZAX=ZP=&X zVW2QCIHIt4%x+<O1Yw94>1k^6^=4giPKcVOPS(eQM1NwgT`ZNl9hlTRo$*17fwr@^4?y*d*?1) zl)NcItO2m%0k*#h(4hD`gW+ClPBo4Iaq|(!U#={`o&IKLYqKaY7Zv@yfpb617BH;?oXVffj@lkd?3kYJOq{bpX%PH2MC zoX5#)^1obX5mMyj=VhLy+`iugP>Ya5UY3oLYKMd66vtPuxoOG#suvNt^!BB0#|89b z#;G|4o-x}EFAr*b7VP9Ki3s_la+ifpg-Ytq8U$${;|3BCmz2wA@)(lz**N6T(s%k- z@c)p;0eDH(iD$j2BfVqKg42yFHNcLQlm#L|sZG(lru=l&4_gRR0XO}|Oqdw)cOA`Q zuFls(IVIU5lfuyPc{3ju>me}!W1MnrewiNg4_u<}NlU2+Y6A|n^*@Tu=^G_Bo=v&?S8HSDF@%6vC)m7OxzsTC(GP@Xvf z^b~j;a!Bplnao4chKhB}brNy6fuMe5$vG8bVIe&fTX%BT`)E4r_!EzDV_xuH0zz$N zW!alS&rPjZz>smZ8Ub4nu}x?|<4faZZ4a%aa<>j^fw?q|11HbW#SL&U77rAOU5 zAU%FhrR;8byqUSpZT~V1k`4`BODxz)JP4r|J}?rVqFl1t!?%7k-#n4_b_=v>=m9bh9yXF9q@tN;_)Yn|&0rWRJ9d6K&d! z7GNy!P_K~T`woOU4tCb$*A=ja7~Z-AP#JD1l@HoerZQg*;HX+-(?XY<$2?`g)S)5F799W;ZUZq8Q>K+X3cWw zl?mSq7B8&Ar?uar0~d5ByTUKpyOmEkSdQtXQ|k;e%HbnE!$!b6U*_`b2q#1nS%icG zR(|Bxmxjnol^PyT>wR08z6?{4~byvcn-T#j=0yfdFaTE5olT#JJ$&pR#mQtwu;9H2AqkKN1Z6+EOOmjTjpD z?2A=*`gh_AFdu{8)$oUpT0H_T2$0<9xvWnXu5S0hN9&}+j9!Gc@-aS0_qJbtrdPa@ z=hE_$9kZk6c@rtJZ}u*`WV-Pc(4KKc*pYTgDy{m1SOZaMZd~4y$l+G2IYH#L{-#f( z_RjK>MY15>aCa=A5MLG|P{pHTGN@Xjm#m{etBTgT6k#@qL-&-M!}KTB)DSpp!3RS1 zGS7Kg4en#y{EVz<^NrwAABccX&Wl0}BiL zL6+5D6TOYz)k;>*H|3&VmS)2z|oowJcqP-uHW{D zpcRRogaGi>Qo02W76y^Qs0EJ0Drf0yq^b~Rs=z97uTGz%uQkcfgr51$*DIUyod_)HXdz zg@iyl2Giot_FA{&z|*i8bUNC+GpAywO3K9XrVin;cj?*Zi(#mtPbLNJLaG(MCl`fC zAw%(Nk&{P(Hljzr260;V2uwDfF#}m*?9WI~&`pzAIlnfO7oglyZrg3>3d7=#vPc_h zRA^_rvF<*Z?Av4!{}5<;E|sNny+^5N`1|ko>PLnvE`QP>L~wzoGimwW@s9N zVLV@*qt5R<=Xt$;fBjy+|K^XG`@3CpfA9PAd0*GnH=*nL2qL}TRqKY&9Pt3r=LAQu z82ha=4=%s*bLx-i@jIT3X|ldvZV0jrsP>q;5As=gJcvh@M9Omo@yk#+DEViPjc3lb{r`r z8ll?{XCmwsbF|$0zy~H(Rg-p3SyyUCf;h)WyifFn3ze(Xo6zqpN9_Y@yn*bsDNdE+ z=snR}dUfETlp6!f`nh7WQQ5EM$sasd zNN`ws>z}f?p&Uw0VSZc=(m}>gj~I#iJifu>+|7qq*tT!zkM>^PRE|L2K{avWxIZvm3hEal~iYYRf>d`tHNG 
zg`>tKc5nTQAWgf@EqNpbzq`f0=sn^WV-H3HI{A(VQ z8-w+`kAXfX)0;jZ{=o2bg$qwG7+JVr+^uxtY)LWT(arL43YiQJ6wF=;hve3{HEVeXz&TvX@-HUcd##B0wdj z2Sh*^6~~*-Dqe~``&1E~skdgl>z*oQF_ZE{bE@@|_F>NLMs*XpbJjk1jm0l;juksR zR^e+RFCtBLs2UxGBzHIzqv|q3KPHy-K%35i18PWFgaiefb9umaep+eOuTeC3$V#0$ zFkn_G?Tu=Xv(M-BsWVg@ovZ6@o)>*vadvP+hw)n< zUwfa8XV;TiL0|b*y}xzMk?PGaRu$6Cc=W!J8U)@qLu|UIIU{yYtKTJ#uiNS0W>0Bh z5-=%=XNpmBRY0}ajGGrDiYsGpuB<-Tk-kEww#6bYys@ylOO*|`ZvF8BL4ue`n*lR_0y48U?YWE+%QcDHb?{)>RC>ftLru?x zDMGqo&Fi*sFf+j8o@l$nmhPElLhK8ly@|O8+^6a3exDiISv9g_SNujwi7avtv^Xf~Of|2iH%P&PqaoxM0k zeL0uR>wWw3kz1Al)DL3tK~(y2hKdnz!eH4PXhrx${$mbsvU7pDPW9v&?Ho5pjVz$% zoOBfzkl}86V8E2|$~O$Nx-wnVD-(1Ak$Kffs~B>=_Ts>pzxF+RaL$<_y^=lq+jvs> zAI^$^1(1JA+2MkdCZ*(6@k)uaUYA_aV}@>RwpxUg!S)MOXeadROgoo|bQa%3DTq(ozG5+u$++t#O%aP{$$hcAZv#6)?gxYw=1WE`pRjdMn zb|WXZtP2!Gfe9}}&17QHtC})Bcpx2ct1dF$|0Mn8Nsx0;;DQ7>Y=g$c-jC z7bl62WU%Ym7D-)#nx;>uJ}DsSLep z+gXAIaaTonhTu^7g<%v@ufWQtDRbsbAbz}5v<+N^kb7~eU^Id#RP~iZ{1V;K>I}dc zKEJI7T8jy}pu(NYe)}Dw!kA=|kRCx&guBDPDEcg!M`c=nmfF68MF67pfSrlur_ecn zBZPq^TTN*T+Znz!F*wZF4Tyw2D+u||#N~iK!<`#&qfL1+(BEFyU=H5t=@4=D2wfKf;oy?wxJsP> z6bq`XzJ0C>TCi(+CNdjv3k=mX(U?j>n;y4}jr;Y~aaKw5cEgd=JTVSzAtSv^s&^Bl zSk-S`N0z1tqyUmYSjM;!Y{W(AWsj7%vX{^og^)emp+(AfEwvLOCsdI(lHgGkrEdj0Dpc0cl-)$3n!vU^*B&oGuvyUV< z1wkkz&h{0Zh%xB-;M(3kZG{8HEraXvZM|B%zw8mLEeUSgxRf--p-*%Msv6h7d#}!l znaoeKypQQwWel z>PIf!jo&?Yzck)-s5V^BKeXOe64e8>7NyR3 zO_?|%bv5a~T!*it<}X0`>A#(MW9W(5jB@&R=3M1Sy5yGAhw*xjv#Wc@pBl;gZQQgA zk$N!)s|LGrE}8Ww?^}_!sH-3U>oJa=cl3ndAGgMAb{S~t5(unir5J%6jlib))KR02 zQ~w*d$T98SUi!Va4&q(_8P&mb`_m5$vhyrPlGR|pjI@8vEb0(tKE$~=zvEolJ(y#( zY{e43Kj5%5&QLZHXnE0U_3K~h^BIp8??3~ldK^#%Uc#vg9S*r%nq;%O8yK#5nxPZ` zq0N2?I(VB{>6Jn(|DO7~hiulG-p^IgX~UOuSz3wKS(7tFEFt-FwC(TS4a6 zfFH3z)2X0nKMAmLb>rHsN@ET_&+4ZNCc(@Lp5F+;iZ?AW9>(7gw3z{fLChm({IQ?@ za>lj+H9-Al$8zt7|1qphMa{^1szg=1fWJq`bYbr#=U;|>g{6BFf*GP(T%hM$%(JAp z5B8P1o54GmkI^z#(;7PdeuTKyVQ2O!Ol4XSqZv=6xR?9!!@Q3_qk|^Fk;7-YBoV&M z?v1gX3UAV;Fy7A>{ewa*YpHycrU~#Tfip<$BAMCZs2d;=#fW$BG|Oon*xs7lvc9tN 
zT%+p+k__N>9w9*qJY88+1;ccLzTet9|8a=uiRYwX!TqPr4YRn$N>cxIr-I(rPW7gu z2Gi4tvES}}XPbeBLv|vyIVnZF-A1bzYb+ zPS0a8W3BMX%lFyGV|?DFs~S1Ls%e9D*K03Z3%Vvk0tnqaQO|)1%MwVgF&gTDZU8M- zOb#m`|76Zg`TmaufJ0i4JbJ=EPo#pg(<*<6tJdve8fIQtc?_bgf}_%|f_t>h#12{b zIK4wiu8lTR9^KXW!f{&7E}`Z!~cpK?@X2m zp>H9_BTzesIBBK+xIx_=poIjE4%{&O8`K+8TG6Q6Xl5(Q1>4tSy&BJ$88p0p^i*jQ zK$sf;&mP>?igM<8m6oe-s1Fy zbOj3s2{w5J`G1{rAo%D%2mT2brK?5}3}5-S;a}b?Li^D08YM8r>^x2xV%3)iYXqr= z>H~5Cs{oI$!e0^S!_T9fIvx5r9IkM@Ucq@gn#u%*wqgrKID#y)T>#@S4W!1R%Tv>R zDxd!EsRAV3Avp_>YJ~oD2q95^;@Uw>jW~FIMg$%-?Dr3e1+@0S*MI&k@tLh4FgO1F zG!}$(j>zlS|ICnhSajZ)@8ta#LhvA#e;7LTQJ?;?pT`q2{vlgpL8vGBJk6aHefs~a iAO1hf&q!q+I^gL+2w~}Ks=n2JH_$P;UafWe{=We!`LxIY 
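Review bot: deleting docs/release/trg-8/assets/trg-8-create-an-issue.PNG outright (deleted file mode 100644, forward literal 0) leaves any image link to it in the TRG 8 pages dangling unless the same commit removes or repoints that link, and this file diff does not show it. Please confirm the markdown under docs/release/trg-8/ no longer references this asset, and the same for trg-8-get-started.PNG, which the next file diff deletes the same way. If the screenshots were replaced rather than dropped, add the replacement files in this commit so the docs build is never left with a broken image.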
diff --git a/docs/release/trg-8/assets/trg-8-get-started.PNG b/docs/release/trg-8/assets/trg-8-get-started.PNG deleted file mode 100644 index 46deb7f3251b36e53d19b92b68c8d2221d34b559..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 69361
zjasQZSB04!7wS*-?pt;!<4=6&7Q^T^7S!1@^s3FMJwb}bZD~UHW=k#5U6UMhi%Kc0 zp4vE^zQU!a>!*d<4;eqQReh=nEv-n-kmlL-bi9vK!{mtQd+-ep?I!v)myMa< z%_>uPK^iEMr^}k#uK>Mr)@$Reb}p+y>AU0Cn#3{Yya@&lO$Jbh`q4R6jE?q2fUt>$ zZi$2orLwBx3GaXSj0>m8#yZx##%1an!Xv|CjF#Wbm^R`qU%kJ8WmHU z0kxlP=I_#99W4u&fa|`S zyW-vCaZTI9;X{YcxS&89FWc>WnjVq1DZpVvZr%$mPdE6EXxxw^ zHRkJ)P+@f%4Fd^?R~@*9z)m8_iGS2vo9y6Xgp9*#?jZ{&f4? zkwXFCNP*8!bbr#cJaSW2ThzrU^9o#^q0hu4)7mxD#Vsl0WutiLw(D&0Ds&uc&K$BK z%YqBmrdX=w(Y07>hAw@7l-0q-Y#*8JSFTmUQWKGKi$lZOEh<<-WTf@DKCl0dM&(zs zg{V>!7?mG+c3Le5lU6H+BXS1crNjKwy!nt6G5Z9S;w@#5y)_qY^CGzQ1nrH}d^>H4 z?nz{M5xec`BF4e3T^0kY3E|_zXB;}u%fCRC_=3KW>Q)oDQhCENIRbqWDA~1JhtW#3 zq^6Q@NO3G_pzWx_+Wk(%zgX=%FYnQVda|8Xi>CO{nFA|7d5YVg`xGk+x~mEzMRocZ zVHF$Aik`S~17~x3d%56E-qgS^G_H#MM0C;T{p{rl4=wfM-*ZZyw;&bz``?{leF+%&Dw zI2tK5Hh%Z1)F-7#E2KTKkfT6MMzi0A12w4x4`j@=8ERu@Ubmz$qHva&+rw|j@^L4O9< zveiYJ1YBF%aq5~mG%MO1t1$Dv_2RNT_w3MBVBp(7Rk@p7CU9llW162r%UHn<(I|lI_{7K()}-V#4Ij+F)PBjJleHMHZyKJUC`J4DgE;J zQpK5V#+wNPo(`%jFHn$AeQ`%%Wnoj!k)Y_jBT z8J}SjaF7=k|2nI^izdQAi2BmH$^t!Z4+B?1`oSP|bo?OHG$8j-r)fvga3P(RWW^M@ zJc}<49kBrgJ0C)wnti7xlQ?`nE2Mh2X6=4YeqguURoG`vO4)NTGDllp1v1dq8#Nxi zuVmkEvT9p7IA@ky|FPG6+)`EOl^|5{R#>j!zue_{{ixZ(Np3nmDbK~^udu4*9#Q1J zZ8Qzd*&Q^7@bd$qj?$(Hyy^ERl1w~uNyGNOI99e!on&rp3}$R|Z9Wt>FkV1WpUrYW zF35KnJciHHtHkv=TEEWaYjaKYqH#1mWDcOk*3Gj*0}XSdk>V8^l;!$9`WJpyo)S2xvS(@^*<9R=G?<@AhiNQQ@cMe7258Es?nSk;*#+zSDnr(R$I zb!#w$Ix3MzLR*csju*t?$y<$QV@)xbAB{EBKmO)~icP~T+7nck*9zJY{cO<0Ma%t> z&VAc-KY7h9;%im*qC>l;vs1F%LMK4tf6B(kK14l;niZ0znBVBzx8Dm~9jkF2#q_;Q zcRy+GjrA+Lg(GxS4Nv5_d&tmmz0@3?Lr~q|{qgYJuUkP9d}Nas=?o`L{Zx~P z(!^7F*V_kan88qaZs)-4+`Pu=iRnwQ@9p|KU8usJ;OenfhqC+~8e`&5R`DC-K5nbI z)k};YlyK`l3op(iaa4=>jOb_xUj=&gidOBDmhDztB-ZpdbTx9R0WqudTzwko0GDh& zYU|JLq9OMIjk{8PCp=d?-D6Da8gT2ss_G`qG%Gx(sz=A=1|MKxz&f`|QN1{@0i ztwt2%&N%OW>p%BG0BEo{qL5yNxsbt)SUPiHzid`7W6hQ#>~3~7sQ)cBlL44`rekQY zWJIzTd}I)~5~le#oM9bpe)yKVz_NGXawN&UyDghzc|!5DmZY zcHg1whtSYWB#$3!d{w@Lt(er(1=-8iJP$NQdgl z9UPcwq9NPQ@(Ti*@Fy)ZscUq)Q3~*sJ#yeP!_j+4(KhnlJ0I9O%JW5fj`;p=OkWdK 
z)5Gq+i{9WQNKe6pfA``=sUT7gpYF@={vO~9Gddas4>j^Bj)LZEN}w0^TCmQ7;~7oT zQac4Uc562K+__RN>x!zo(KYB{Eh=5Q`JUXmd1AMPlw?A{q;Wx`-3kZ(!x`%jyNxm- zioB-@SK?Zei(IS>%zm(gitpxVr{2WPe+zM<%mrd=`$Go#mEut9vNROZAIE&`n5cDk zIB!pn*nc%*ZjPUV3-ODd0DTx<9Hb)etA`N)y0UgI_*XSPXdDjVb{dS@aH68f*LS7A_EM*->$a!?r@n_BSmf{~I^9@eBc3Pv5G317TJRx)H z>7%A2i=t7;`mLYH(*!0}b{=5h9F6Xza{?57+hgbXKQ{Z6|2JjNoFPBlbw*!d+H(lO zs9^e7{n?tbSQ7EkBXBLf)Hp@}O7Kw~%$@`1e8fSvFb75)E{Uye>E}#OUgic&A=grQ zV-NBukE?A@FR%b8e}LmYxMheie&d}=>fA|?>FQqSnV)kOr8TxtcC=hfIE}HY4%~-S zW?G2e*46VjlCOMNr@Wrh`6NmZY`ZImRkxB*jSdA(-Y+mW&q2(t%rhcIK#8)cT)eR!aSWy5BMK$h*lNeY93|cUjMt#>b-lz>MiB_|q$YzJ2&-DW(`n zr?@AKc*HvT#mB;e*4TG?3*wyuD2UOM(pT4f*Aj}qxHZUd*ICC**IVF-8L$#!SCbgU zYu&Bu9TiI`{Xf`y&$uSHcHP%$7Zog^qC`Ygnt*f&1XPq>1nCHf(z`&25J(h6RFvK! zL^`2MZy{o%6RD9JP#{8pNC}aIB>O?;eBX7}I%l7CzU}kd`!ggk$}^rZ?(x5_EAZr~ zQOds=?(%+uvG^F#HEtu;I_{myK&kd-#ViC9G&bSgwG75EsJWL00TwnuU1AsYm|8+!{^i=>-?jKt3RKc4XiK;a&w&9o zR(~yGO_NjG6Gq+4_ReJkL{=IG=mYd#!x)6VLb<DMySrD8I)(Agqmpj zGEy_PNZU}wKvaZ>=LIb&W5A^_vbuK@VS_eBzbg}H+#~xpr%lOXFnJpus?sLyNmbP+ z6wSsPzYeyLN?}3p9wVi|Su?Bj7fuV8a`xh!5tPM%m0q}SuCuY%m&`9Ru%<^dew64_ z4!&9e7E1eo0z9E1C~QPZ(mNc6O`r}8y%z8XbjTM+wjn?+ts zm?aZ3DSe-bP}EZ%#Lvb~+6|?$5N)}e_qqyfZmBq5-e8-%WFhTP3A#n!b672Y%e>oD zE7SLX3V;_OAfEE|WwZs6#f|o|j|F*@&XjwL5Rn74qK77O9h>X6^1Mqv%F(q1So>y{ zRD^&kGa#|L z=KE2{T$|>vH6la$M~01aHb%0P(L?Y2H&qz2Aq2+w{8j)KDZRv6Bwv+P1dogfm~LYp zT>FP=Ubk;XMe!`Tcesv?IeoaDP&ha^#l-O=C{z(I~4DSzB8bZ zl0g>B@5nIfyUoD-wBKqO{T?N!9G?3m$d4SPXV8LXp;pLqXCwVR?Ws#E;I+jmVOmx2 zg&&|Gn=3V?v-hmV>Z0ReKDp{9A-E=D{HZ3-B6o~2C4%@UEhFJa5Uvg?R5)>^l33gY z6lP~0M7Hd&`%ODVJDUygXb3ODbS8pph-N6i(AW=Zo8#*!cepoXNqj_Os(kYt?MzHH zX$x2+-&t=eAA_0x0*wekkJ9-XLUZ;tzuZ!{=kj$zS*%}B$ln%F5nye;hIUo;zz z{Z&zFFx^D@V!PHiHQBE~=|?5T9kML9i8QyMHqC;dcCM{2F^84!SadUz#TCIUYb9cg z+qn?_$GA03#|v$A@692*~UB1 zw#JhBLhrea3GoVi&Ru>zy3L6jL~m1UZ0OpwT0ZzGDnuO&fxgX+-Uh`%rqTI%Ob~SI z$HS+{SfsfGh|s1cx@Yb|SxByO$k`eHDKrn!@TxTVqFUC#JU|9mkmN1rt6q-z*jy^$T)OW^P^n%A0;BR<6_X%W`sBo*^hcUb@b5!4Ry4I>%9-{J_q-zI#geOO;+x;~=$U 
z)cP#7>{1CQVJow)fk-EIo_>n#L@=9MzJ&C9v80&HX?a>&c|CFiBcH)Sgs*_Li1Cfj z{iHV)noyr`&woz+j9#6-GiCQf%@|swdCLSA2|0h^YPH|2AINg_<@|aNh>tf5MKAmG z_MEMQ|0ywr1LOF~rOkeim&b}HfVBvw-_}eAu@n{cJ{h~TAzjYBe7tM~b!PS5_@<`i zGx@a8NV@icYH~X+^44-8UK(*%eRue6EOG?U(uL9-YqcMPHd*~~4@G-vQoi9Q^Wh#rHcf6#iL}P%VR_&CM!A#rffcn4COny4Ue_w$ z`k3kLIMf=`3s`uZxm_bZ@#hsKrl1H&8lqqsvU&P$R1*~d8WUoB!1PpOblY~Lt|oQZ zkqr_#8)p1#Q$mVIXX4o9pTzTjxJtG5F^^9)oa$5Z0CzMSs46HH#m5uI)grp;{Mw!! zl`ELFN;3Gm75dDiEokEUH=GvYK6s!x$V{)m!L(okf{r_$#{3LQJvk!cs!F8xy&j2a z%>U)bJuGs{O7b?Y)(5a0t972=w@Xu_GJu;zZSG+{i#nsVWyD#8pM+3q1IvHVnORru zZ(J%5tJS85=A2ore;$m6)^4C4wFH+5YAW+m2649|k4ANy+;`0??g_T_GpJ;hd~#LT z9B8gUadtIh?Khi) z((s&Z<0-aC(b`_`EtXrD4B~8Fj`b`*g6{FSKrOuT+keym?Cack?&m9>6XrTuv!KGO}~ckq4v3-*&3PoK|Qw4T0v;f~WLPX{+r?NK%xtC%Q-y!b5DE&aqkL zIKf@_5Nn{iHSTfHN39NAt4A7&oqmCw_Ee>T^Cpmqp3(OYrX~DnEGuz7Ju*TOF1dSk zaWWF=IsKs}o?)4<(YX}FuD-W5e!es*4!^d+3J)Isjuo6Vaq1oP5cCxv#{Hx@1jGcb zHa_>j(^;YS7!G$-7ZpV`&ypRIag&-sLLP%_og}btP5f)vrS!rlANI<(V!)n1K=j6v z;|H^R>(YalCk|hWvQ|T7aV-7jVn+OR91kg4=C0eL%2a9^>(@M@Av)^UL50NvynC8X z6C`}_^Mgs;SGW}E;L(UmNTmPD!oNmfK>7sTdI5Q!L@Rg;O#QUAO*RLO-%++>GmsQ* z$-M!)wB7SpVO;#G32Lv|MrM={12ZOnen}2@L!o@$*uMoBfgqXa^X=3uPS~69Lh7zb zwWZ!Zeye7va41Oih5(v0Vl*4@!P{*g(8E5|P!$G8zms}daSQ%BWz3RNX(WGS)1?qihz9ZYf9`zu69L^$~>SY>K^!lpl zLPGi-ywew@57(3Bstjzk?Y1Cj(vqzvs(K6lm;rr-J*Dx$s<&>i!9A`pJM4w-$Z#g@ zHZFS8M*VkH%Nofm(46g5NGmF06;}Ia_z#193GZ}}^3zZ>5n9jCP+Pl)E_lfyT**Ao z`wkzUGr_$!84@0_6~S`SZ2n;cEr6u?f8;>YWn`?ReQ#-9@5|IJ!$l^%Cf->?-9Kmy z?0|wKN6N&$Z`nT>^80J&y+eS7qMcbR#;Vt8DDoU^8E*+UXy!qs+?s!_ch?M>s|U)m(!HI7LnQ|Ge94+ z$kU4KQH2TSrr}I*dfkP`b$ayaZx6t*^X)y+jJ(g*U&rX?_|3hCtjeP7X?C})X{f&W z)ZTMFQ*Z9HZxN_B=Ijcr@e&L<9y4!yn(dbRVG=^9s5cv(N9hXzVdt~o^ zwTW{e!m*=A|M`*B_T9lX9sNk=}u=w>JR;Br+m9ENNKWBH7QO>N2;Cq zrg|(M6InQQg-DZJx2+t4MXeo}DI@J(cw4w6q!UF+F}h_9ZvNsmYHxw%UT<+4_ETls z9ryl}RhzPN3VAY1Nx$`hmnXY`+nVZ)?=0F=G??5~gg$=B=)tK8Gyn9F^3f4|T;FnhgK;E_&PAJ{B=3LHR z3ve!NnEUL%tU}i@AaiCH#Y=n1H=s=IK}ORkZQHh>-yz{81NRrc*wTb9J1lWj8K{>* 
zpDp66V4qH#d1w8l+gC20VcuqBpDs9K=~Sq?!#d7_S^QCbMhEU4Ae^_(|wP^ z+xu^%6Xc$at2-R1qQPTX9?dbAa+cQ`q6`hdZ3npoPUV(Mtu@DXzmqN}K1*mA)_bWO z`sI`dux7){V4vbi6xU(-6GJN?OW5;3yXe;{*KmZuXCAlV68WGxE27ZSTK9DUy+xY$ z%dnhr>b>hA?i%JTDdI~Dq3-nOl2llhYeW{+xSf$^iQn8phU3bMXp66YvH!TRR&-xJ zacGllZl@%8i&ew4*+d_(^DU@=(-_=3z1d^0ykr`ee(p#N@^1M!0H@#r^>3+_y&kJz zouWZjYxpFEoo7cc*;jmWkJo`m^uo)tedhTmFF&5--K@~?EMAV$-Qf1MJ9@ z*73Q+c2i@sQ1E``_~ttgyHugC--iT}f8`E^&3_tTuR^{d12seP@mXkdw`(uvgLMz@ zd!t#Gi=V%*$2MPY_>j7_(8F_mO<& z?rRuS_iWxej|a2gI$M%OB_SK_2!S4#^0JC&*j_O}P;VkR8MJsO=$)V#kom95Kqt4Z{za zzP7j~mcN@6_e#Tf9pXS3(t9FxG2mwMdaP*b(+}B`Y6El0R~26w;Wr64q{a-n*FdJ6 zoO@ZTtHTM#Bz`K}R%+>5w(Tm?PJKZsnq3|4@SG%`Z8dsd6Mc3(Dn)hRc#b++1IAIlMD^?iUrByWpZ#qQn~113+G}<_ zmk|21N&3oZxFL8z)|A<(yxu&?9oT#J!ZvVkRj>oxd*s1P8W_rVd$G(+zIomRU2~0@ z;5H+e_;K>L#sR186YHe%_Y$M81ix;Z_{$Yh@uve!K}tfW%a3%f$jqar=lv&^Vr?P} zJ2wGa#@4sNj|T^nLr@*sN@dFLGoXp|p+`e<3z*f(`51r_hX*;AjBO5G5cgb|G=bC; zRD^}}K?ll5$O*xALq>@(vm>;EiDpWOp|uQnh2jgu+7K?WgXYYk|bg-?^!)MFyM!^|UdApRbUhAiI;tHa%@2Ri`HAqIKZT=RH3h&MG=PQ%~<{_~vJ|znLVuRSoLaz_vToDc9Tw^#|inNHiYlQBy z;aw{9qnRVQ6rs~~r=d|(-bLo8KL@dsR1{y`#cvMp%pH{ALfs0=#Jc6%nEi0tVb)}N zz!_7?z`Dp^K~W4gPa1o&1r_8ic{C$F>7!@AGxqSm=1}qf6MfH4{xvKdt+{-YQbVZ+ z$xep;7Si-`WJN9l)f8jrc$0a~(>0V0SX!>*eU0T?nY1!MTZ|yg%Njevfa-`TBOMuX z{zz2yCuhJR0f8Rt`;qYjqV&5pWxQJA%F2qXQp!XAHo*{VzM%erLy(dDD65!0uBb1? 
z5!Mg;Cx4>smI&XLt`?m?l?hzlbT|5xDJfFX^9h3j?LA@>#v~j37$djL^G?}qsN0qN zyz)}*fWWqLz%k&ws(A98jHcAg5$Dw+1#<_VT%NVjoAtzZVL4~;(n^ARp1O|?eG>>l zhrgC@{}Jd;BT-q6(mqKwEf$gONcLI=HEGVJDUtbMvmuEVD_n1($zS!9+g$jz72OPJ-KVsoN@A@^fgYRnz4Rpr9jy>3?x$D<0DZy^vvW{n;Et9BQ z^=!5G8GtH!Q)YW<*>znpG$&3#@fBdKH08Q-J34b!3U~ZzJ8`vy)V9U`Yg@G3%a7GK z{pXjTL{1et9E<`yQ~r7^Iu43Ig*7nh(ps*0d#B#f8Xrw#?-_?itloqFsb=mf(b}td zS>1;_eCptPUwOn_?)p)xZr5Mbb9O_YTyic~Zjl?-+5Fd7eMU-3*RF){^Cj8@VY5CW z6BN5lc0}NbZ~pc7EP4Uipm!5pf3&4spUzr+?{WK`I6Fv!$v$w8jEP^OX8u z)My&WOz2K8ZJ0;^(33|k=6%<$Xjk#D1Ma-6O_BcN|9b- zjXghWbH={@sK^e@0leDtPbxZf6n}(IgkS+D=((yA34R@jn$6iS-3JWgc+LR!zn90FDTz~=RoK(O z4Yn54v*5^WX3|bORIyvBTI?LIkz)rZB z3=sWVb(bgdbzV*hTL&5g#vcFJyz7u1tCn8I1N6~3X5-i~DJ%Qz&tuMjM`Fl;$D3)u z{d^gt#dYqc&PZg0gYZJuM1yE)xmBy7#i9LY!h?lAy*db5`se zsCZ;yCzo)7N+%a;dkhx#kTc{>JNq=nL>2pUOrJ||TF;iqw#+~cmSZ-m@g}_K@Qe9w zmCEMn=o!wNaM@VSWBEM+(U7!hKp~Ru?jN)5-R|)&?74HUFF{})oRew97I7^niYGcw zIv16Uh(dUo-3oaGu*OJaQ(g`HYtUp^|3J|7fZA_=X#gWbo2kPB?ktk+&!Nk-ZI^zu zMtz7`5sG2~`02KD9F5ZHVtKkR+QoeGtm}^A(lNKXli|qygQLcSW&3A*?(gf%xta0x z=M-0l0UN1OZD1y+qM5~g&;Ok72hE{;|1r^__8cA_K1ZwbppRXcuxl&n69{K-%cZwG zh)a%z!-wr}-ptdQ7fdxPRlBgq9@Ng|-T5Bjt_E>T1L^6*I-Mw0^;xC@#FtCj?r@-V zHmoz-#j}hoHzMMV&8vju8yMIcYqtza(M=x{2f%`)bIVh=(}j7MMH*{719kY@x^Jo@ zr+|APM}6HTw&K{6nPMPBZL zidNEw>OQ$w=auW5|0ZdEIrI&@P;x(e{H#$@;m=ws3MnSpkpSJRX{r2t52_q!vCEoS zpsitBty9E$5cVC{X@^?7aycUb9#(?uj(z4@>ikcUw)K@pE^VsrHsfSCqA^lieD}&= z@?unLcU)SdYqfx1x;UAn@FlmvKEeYreC}v&d6Ti*=$A|O0Ucx2JR8k{W}vnr60|5& zQ0&rxM-%VoY@OMcX9PLFV1M0AtfL##e1=BP^S$BDi=livC6nMYsue%je9A*mzaI{5 zUF7y+t%|r#n7Y<<>=^O~%@tjeUd{tVw6jX{K_h%01D6GwNmX-Cj_6z8J+1L<_se4E zJWH&3uX4eL*tSyRTyLkzm)5Ww+Q#|4g)n!f%p5#Dw`Hu6a_(b)i+j9MncG_Va#Gp5 z`ytNm=-I1d!K<3bh@VN4D|R#^WU*sAOB*neLb!T$U)o*;f>|M z8ukjIFz8(~AYm&@eT!~8CoY|fIGs~=nIJbuS3%1Ipmy-mn&YYb^*>U{sYm}4g~q|C z%7COXRH0}8tYJ;QZc&)m_X;ee%0%|rRcSStSTc&u^#j+e7`1Og-?#&-6Q$vd0S)M)Wy?F4DTrA-T9>$kAz3bg@J};ybQt{;#iv-~bn!GIKn*6!htE)P4#6 zSM^aZ8ehc7`Dg?=8h2gAQuyh1mGlelz@t-J!Wsb=l#0uR=G3?LrPUbMIu-lBao&F* 
z=cv2mnzg6&wUE1UPPf#3y)4q~s9?w*R3L1B-X!JMy?>-1NB)+6luxS7d!@S>LS04= zx5G)I!iqY84KnO#(8OEbfsoB>A}{A}xOyr!0jzyPP84v8EVu4lJbwLMA)Q7R@k+5* z8z{vX*;{D|d2PBEm8oZ9%7G^)E@x@Nh_;NT@s13u2;Ws0C#k|4?k?D^j}BX5Hs6GZ zYg3!=W@&G_iyJigj}52zFJZJwZzOK0_+k%FOM`n#0}`cfUd>wQAEE7Y1(_pzPw@4i zH$pk72)^@4fdeWhf1og5g+zt>C~hO1t~ix~Wk$XpO6flIi+2KtX}P1d)i`YVOZEDw z`@`GA9fvFJQ7xw^N`*f*6f9fA<-~K6s(~N`Z2ym%Dug*QzGJ=r2^gZP%ff-CmL1@+REC*e}%3ldc8rKIe=+k;z=SC}L2 z93SNjOV&H=Xwr0KxD;{4EXC~glrTj; zhUD#AM&8+9IvIVCV@Kq`7n46^hoy4Yp4Qv7$PUyXTL*C`$SOVek$Ij+EkWGa z(YlVXiHVwr-VXx(RGL}1a8+2bQdxqq?d$(;z3-?z{3*Tq1VS}J?&5pN@`!!BBYPK! z9zDH?`~wcc-!s==T*H2O!+b4Wpr&iy4$F3QhYxdyfP-HaR+*fMOZ#FNJ@}|D)d*r= z^7TTEmtGl6;GWCadbGEly4$E4+vdfBFu(h%dgB-Ssvh}d`eg6GFx;_r-yX3Dp6_1m z2cP(-IJKm2WR5{k$Wt?&u$qXk45ZSJQI?6|W|k6Miyl2P5Q<&2PqT21oMdJ*>ej$V}(#b8dR2WNP!5 z=Y?`oI%CJ8^1AE%zq12eFtZC+qZe-JD**j2;Eq-i-A&&IHe2J2+77Z9eDNf68Oy4Eh>2n;E|TIe=T?rm^M&s_cq8a35~*|5^n*sw zUY=Fdk&#i`=77_~623M2G+oYhQzf1q_D;vd6nd~Ll+!+N#g}{)_-<1Xom!l`uX1vu z0$erfv!E<8O+8g$@L}U!*=1*Kkb=RnV+>T!$n$K~=uul28;8?Dc-Mg*Pm{4d^Dig7 ze0lu19xcfKi5p-ySI8e@Z+>YK`m;s51OA(W&r2%KkufI~Yx$OR*s0}x7eYzr5_*2+ z8*q?I5TT)hnh&h@TfuZ4Q|qE7-191Di{wH~5hrjXOKdX2S*JK+01;E+*5k!{5L9~1 zEBmtCXNy6tr?SH?XVt3PZ%cll)a`-OYp(*EqcjgsNm$dshtbdR$N5GEIvR3X*1`Ab zcvt+4>)|NdRgGh(PM!V4x%&aOs$ulbAjxR#aB1Y?Maqcn5BDB3SdRk!E+3!L1J;$c zhX2|G8CjqSx%uZf(oglIo$sQQ7;x%fVciONtHUdrT|+lgILwXjCgpt_@NqnJa((yW zkAmDUcBGt`Yq#DJCf^O8(6+4|Ry$-_ccp*mlv+xcMfw%tV{;C#P1>_#48DDajynM} z+r)Y#zi183Fq@ZqBO^CqmV{X_K?UJ2%I&^ta4klplCuQr?^TT%44 zf_hfUB*2QVQZ~LK(8L89N)>hMB0}NA%tU5oOH~7+X?x(#yYSn4N>@u%b_L)AgzcR8 z@#js?$OIGYYhjs%H4BR|qb;WxK(v8SZ>{;W;PMLjm@94GtKSjGKO=el-9O~l=!38v z4-`h5x6}}ND<52ZI+vzTQ5G1u77onU6f3~`+oX3%6|+*H+IfO6@WY3)Z~j`d`cgdi zVu)!iUev?=ihK%#@1i#$BJi5qS3U&g@=qoJipjf-K=<^=UwU;2k3YT0E9_GTjz6`F zo{~c^v1V?)&r}X5zpWy4R^H62tTO>Q`2QNCHfT3GbvVnkgD4@#q}vy^^ilc6uS?h7&D;nh#? 
z9LIJ1T@q2T{2Ni!6*qSdEbAolZBw)g)PNhsRo!jf>@=7HqSchn{PF?`n@FfO}DKX z3EAfkJC_&OU8be{mXT@F+;?S95dGFbZR3W?@1@G`zfyQQxs?@-OI-IrF)GK;aGvJj z!xW$O)Y|6^XluYrgMoGH!mj}}>0pQ!aONX+{F$TufNmw@jNc^g6Hw4Ze@jOvXX~J_k87c z;)L^ji{X;@0+H~7GCQ_^bxXf@^Y62>u*g5Gr**JT!l~!qwgLV5SIZ@t%r`@QX-2yR z!}@PNs|Z>D$tl)ep)-f%5@PvjQhAj7x=j_?dpzXV#Y&UpqMW4k}r#YUMBM z=@QbXX)ejDgwYS0mn>UvI9LK*>Q6!vtre=*z_z&dslJ8>l?aC{As6cTs;p^&>inb#4(KAwII{ zCtrfSh{G#4CA1o`pvNzhAYxTZ>02Sj_RhvvtmMP(!t8c0Jzn;hVdNr(G)s@)ZFNtD z81W*?s1dmZ;$5^=*FBr8E2J&>j(tnQ3BZCy958dQe){P&?#O2Fp>11bv73Lg3dDN6 zJraDKiQ96RQ#88}($A74K+4m{IkHtkxX}V=)*nR-qR%AVy1!ROZs+pS@~*@S@| zy`&y+ef3xV>xF$o*oQztXJO9Xxv281!OBea5xzPA*2Z&0^YQqZB#8+`$wm>{ z&H~=Un>|DAmGJa2xnuL}#YsMGW1G9Tgi(Ov-)e|*Bb@)>Jn;?{F}NLC(JmVgoCS*! zepqH#=ENnr(q)RnhWnxMa<_=YngR!%n$`^3vAUz&ztS_-C_Ax}cch~Q6-RxhGmi8S z<38>2JFc-hStkvDXfleAKt>yP1ML1fH?Sf-8Rs~BDmmUlU?)!V`m?zGnm}d&je`x=d*Xz?Oht+kqMk8tltgww?d-vPA;ptIRkaq%Bu+~IEJ z)X#5{j`ycCm5SpsVzbmh$tY(UBX6a%;x%Gz>HCMc6<)v42M07UZyo2ua*Q(~r-WYs zdI+<<{|JUWba?oNkeO#)6Mk3fimGpj=m6IQz_JNMIqbTB`=8*y_WVn&MudH-a-?|g z{f9Z;bRuCluAFK~oDuZP0Bpv$-W)bw6Z1x!96OO9b4IDw&Z@kpy&1cUwFkQ8-iE?A zwaAZ!#^o4$M;RgVZGuoDtKH6N;4gzU*R_V#7RoWIa;!#K+a|B&j-!p=GrE-Qdg;G9 z#VY+AOq@#Ly1_D{rOpySUIftW_ph%1t&fe-2eJ)(k=!xupAyY)(mKpU%Y)}4#8;;> zFHtP-PELRl=?{Z&(GE8~4Xs+=Od2MSVC)?DWK0oPZS1Vus-oFcC1>=;xu) ziX7rN+Rbcl$3mh`QDZ2Z{bCO#m33Zem2%t@$tciS(W zod^Wt*y)?gLZ-C;A`EgNCDips@w^3)CWkowy_T*0SZirHwUf4Uy+FlPD{+-*6N9<` z1WJ=}ReKnH9oXD}?h-a(YgzdOC7mKNc1geQ^m)G9(f3|~0sV*llKZfmj^xghv{Oz7 zeDAqiV?jxP=8B7#`8}z7s!%5gCpC6cv*%gD?oh$H=8Ne_q`~u+jSuH%C!fjE(QPTJ z%dM~1GwO!5S1C;vtwyTUcXs=muZhVjF2o&jF1-{g$n~#lsr#SBw0#DD{VLaTC!7TohFbE@vfWVz^$g(C;@r2!6kBzHK6<)a#NINuG=8DJbcCucHylE ztvnA%i+H>(Z9-qX=0IG{I<&I?(tjEYSAfGbK*fu|#j`eVxVBW-1!O|EWq+xwN&6}Z zSLry+6TyaSSKr`tKvi2al6lSujs1)B6xK|*+{L?W*Eg(}qHHN)bwS2}2F1kSo`Pom z!z_f4KSjn>j$n?M3x(qT$$pqMSCxSmh2UB)46$l}oRi5LfRX>{ z|JZm-pIn_y%6`XTj_8Zb5DT|03icw^&SIcVqytX7#CxjqXFv3YQ;$%Trc&r}Z<83? 
zWZ|Xy1(h|DLlw?D5lHahcL_?XYw~(uvx&F;nw#>&+o6_5U`G8XxR zuwd}p24z4lNx%JtmB^L?0$|G4?&7o^~V3U&CeEHM>T3Gd04Wnz-Damv`yujg`3IA|0G3I zQOqtG|0n4NuriB(Gxfq4h`xE&c11~K30~|7|MAvBMt67Dz_uq{|An#QB1c`*`1Qb( z(HEa@%V~=0Kp<(i+MP*!0rZcmB>1AZvcHha+eIL|fd6$z55uW0F>30dVWg&Ahbt)9 zL{3W=a8_RgxDG%`@~_nt5R?2ZN||!`w+^PN?P$zKW|B5s>RrL;p43J6_(oXc{4vD$ zl@bp55pmOniL!GR*Uly7v~6x3`r8T0S70Yx?f(*I;O+Y%XLh1BgA4pDnJd$@Rdv~C zk_-ezpp)}}kGjHl8qsiUCtEJ*Kd4wDeyz4viJocgyV$p}^IN_<8N^lB4*>Smi`k4F8bQ>rqki71Hi5MY5f$De}t{I3ZFEO*>sk!KCoF7;^ARrCa!KR!O9 z=O+9ACWpWTyR=;A2ty4rgN#osDa`j9ZjmhFM95% zWU98wIaMyJN)kH7jN%i&IO@4!jx%i0b;Nq#8d6dIzQhz%B zJ;$mVSIed1h0c%43_v`@^N)C_7I#z!MK4((3^;|6gUT~McttOQgRSUguRA_Z#{2q| zFS~fgt+_(J!W^q}dgpIV*b)Uu5npEd-zzB@<1}k!WgAf6HUa?)i!z$7O(GZpkVr~z zqtpf^+lVl{rSpGLgS>yxG%t($TMeQdJoIib#HN4N&pWLJ5L2!YJ2#(0jK_R?G101^ zGe7-IL5WXssWxwv`C*FWE{{NKSR+?{nfj28&H0=&88Mh`cxb)rHi_52y@{Sd$w*kq z9qFi7ecTNpEz@#8H^888ARylg$FGgaP0}p#ewt+yLNeFT>=uZsXzG?OrcD|pL(=6 z#0&b~;x~tM$u7WTkE>kydyf13cl__K)C4u=*Ae66k+pCLe|z3TH~6O)F@Of4cX?Zb zu$2}9I4g@^IcTNlAOyKf0zinRID6@~Q9zU5{-th(d#S3D$~udOM+ z;vv30BIsH7QzCsy2u(j?K82m*;R_MrUzlIwG3?g`(gIb=M<%NLcXzmkdE zp!L&(zcEy1#wQsFhf9JbJH=y*m;X)j{|6NCd@an5Vcz{r=9XuS3dZ!OtVvu{^bHeb zjHiAk67>${f2>HFG@J=?DeyIMu1>nF2-wv5I4o24U*3)&@i^G-{zhMQ3p|6M{o?KJm}K9aT`Y$@6Shw{v&%Hvw|55O*7SD4R`qfv%rrfkOrZ z3l|p0F-8eZlWO9p)uLtGIRA|K)I9aqwEE`9-~5i$Ns_}5+rAU56C3FUcy#~Eu0Qs) zyh_joLIikRE=W3GL59(S9JRT7sah{>*9D*PBLI2N%hzxtvgV7n7B4RI>}?+;LT?nA zWL4i%3t(+|`hq+|yrqu&Z;Vi+{Mh$e?<`LJ>@%14`Sgr4sFj@*@4FR-X!uQ8XvniM zEOWl^Pz=*uAuCU+PG@JDzJ^EfWN`cP`RTiQeu@voZVo%=@21G1r-U`e4nDsD4DB>S zQ*3e#&z#&B&HHHiZ}0dFXspRdF?vaSO<-qccLE5xKNk>^yzt9KZTfhg)@;G70pOQk z%$@TF@Q?V>xK_RzMo!b~d~{OS5!CwqTAL^D%iqZ~0aA~QqOT_SR`k?MUnJ|K5^+vE zfhZo2P&@^+DV1#F@52qbZ8bh6EHxFC(r)40IcT&H)Vr8Jlidj3d^}kmdSe$?-5db)h9oGTp1IoduMZTo?Ks1aOT0_p^ ztr8fcJX`%^?hfcv7eaQsN9|NWO0E$vo#-t*2Fd$YgoK-!f$rqB+%sdozVPxy)z8}O zv2MgrfXTUjPwhI9iCUfTsdidohWDMZ;5!A2#5!2yjn z;ruXp|4!L~5zhmfli5s6jpnK!vw69qEa?a9a*8|W(lOg$pBckgs&iHAhD$%{fmo5u 
z=n39ysnAEpgol~tGeMH)Ww7QmV0j=L7?!Wds0W%|2JfxeA5{?ZW9BrUc&+N;mhJhP z;VI~M^b)1zLuS@kK;&^gV4^bc0)(@gEE2#0;(_J24|-b6Wye?kanS!)>KnE4h zZCMOZ-?yiBsP8+UK)gW6RIZA2mdTgEo-~yqkZ(t3ncfm|biVNDYYqAs@D!c5`DGCC zdVhgJ6FV=1O*7dA@ZOu{ED9Hyb9$X>m#w)^Tvag+cNCnXkU>B4%#{G2XzU!}Ev+Yf zyA*lOksE&+anTlwoz!# zMOAigkU8}I$ql|`1KlRhFTQW|^dz({{`f3~b8gVs`g?-x>TodjnrK<_2jVxvPi>pW zivm~0Pu%%auV>-?&yt^H_u0fd!9&u66|e0e)ze_-w0G6LE@ItZ4}YQA@Ww}Cg-{|H zMTiMdkgfMC73Yv+A&Y-OW(Uq=+{r%R;IM&j^Gwuy&*Y!Xq0T(99T)T77l4a-NAo`} z=27#1T+9s^*I)byw=vc1?f5Jf=DYQp5NP*oN^51$MGDJ*0$aY|MR9diE30ig7`2S_ z?FU)T5c>XXk%~C^p$o#ypyf^%O_X2nI)f4uCLV@yuR@dY-F`#R%^T^1EHKY~?y8m_ zs`0{ocu{613T%u6w0Z-B$X+VZSI_z+zKxcx)dS@lNLtbc%%3!G#QRI5 zKIQh5JMocnd>xP;XG+zaooO%a?h~bXcWkH1Ngw{=jV#c%+V3=DFcV1Wl!Gq9pb@34 z;2jp(*^({1Vu=G(b_t+AP+ z*v-y080hG;XCOIy%yZz~F{dnkGLFhd! z(U#h*(NAu+pn@2{ybU%>YamtsAlE9OpfjfV!BO!@pWM$F{NgI`1_~1doQB|~weKXq zqX^5r?VCya*F4r+Jbi8DRx4r(zfKi?1NLiMDH$qTnQZG>Y8cMy1pjp8uKNwv+aBF>5c`oMEBg*hSdY_%kRA50f}YXHf(G5z-RqsHJR!jg-+l? z?PE}PZ-IbqdeH&X(@kL2SY;=}f4=J1Z{VxCb&ddco7DyS3vR}TH{g*!(d^%+?hfue zW4m_!dM5C98Y=LqCt?4xTiLY>@E-W*i*_mg+e>2C)IW8_|7}0;1270?k=e}fn^|{+ z|BGGsY6^$o-=}GyhyG7*{jWKvEZh`&b)X{vguC#jKN!e{RQ)W$Z%iwq(BObyasJ3} z*?JL3c@wS1jVb`dOFn$*vFBmG$Aa4sxxiu4gGambmS1=RW(f%1?pRc>`eU}R>q5j~ zbIDF?{>9`~H16u3XroD{YWPh{joY|7I&+Bf4uR&6003D_P|dbM?_dXewLtrx$N3yzc*tCu^7oxH$_~}x|8I%nYDJFObetwh4wORwz*hkMY>Ue-h^$; zGYN%!$926(55N3)->&D+r2>P5PDL(MXlVc8he^MxUu#@c>{Pd>OuK}^K(96aEQ9y+ z1_Y1q@TpOA|Kd~cWQJxForMmXQR)zQUAa{k#{-)7pc+3j&6Z_8gj+$0pkfek@ggqx z_ucX~Kl-j;@WlGT@QNsBj_}H@NCb{;geB2KB=?01R>^$^K9;8Jcql6K;9kwHgMSw# zA6Ndw6lci2Irv66p`hg_ZR>9%?SoO>!wIhQK^^3Tqx_F{$i*??**Qhvek?B^YB3ka z*suJRU!vWF_7^5NptK3=k>gPexqSCf74pTW^|w{59w&-&P*41yVD*?ak&TO6J;}G@ z(3x@cWb`A}z2%auhZ9JPm*;H9&-e{%j&3|?NC+ej(W;8|HP-aA*592Cr4=qzd+L2C zx)Q*In_%%9WQs}qntOK*Ku-c(WSl_x0L1*s$<4sG5JYWK)fP6~|y{Hy_ zBubhHAz8M#jm89BNmQDQ2qj`S?Oi9nX99zaCf+&;7#{*Q}XZS7M|80^!fT|o>yc^=w>aml1&}C#w zFm&AZrjK}z+)z#y;qDx;T!)ttVa!QMIbhI+;+uoDM7v3VHT8h9Eq`yvdqep~;?aND 
z$#N&yDcDh6{3*$U2NNnm{mRZQKXf~9b>*7~pESGK;tZQpsI^A5H!42W1fpCvt14v{ zn`|wsOoODCg~qoi8+0nlC=@S5q!X4486i^Hlcp%eUJE5)uRLb!a z08x^HAELB*R{aUB+jUi!sJ4!Cpxzjk&Awx%W67+7_QG+4W&u9yIR>eX*b9ejoXR@i zzrSV?8KFb$;z#oBt>JdhC?|XT%7AaK1y{ncIVE(&nZo}0&b@??Xq*FAn0j}qCa&8J>p|h2Fb|-#5^fnIgK^>ye_efv+0TP>kUG3&s zq4AvCn9WsCYOqex{(Nqm039fA6QDMaVY{ws_~b4$c>vhJS+3XL4<0_c4p|`AkEVjl zg3Nm5ZPxWwnng>=-OiHG&Ju>c-FJnio<|DWgx4cyW;ZM`@}!P~w}#LkG$h1beP#xS zuDC9vlLA9yZqhxc(b%RGM@InTLTIM;~!2b1(pkDc@1 z{f6zD_h#=6jdMoAVtK)&DKH6Z=LW2V9OC$AhRKflf0^=1(;sGU?pq5X+ihB-J{J!c zF16m7o6ZJkXmyy&)*0%EOp6SW3S!< z0^tzFd&1wLooDzPM`?wl)H^Q zi!S>mnEU>Y@wkRA2ru}|5%szRsHWrid8fY)o$?Ej)FRi9?Emx9N-8x462M#+gcEp7 zGH5nf+BOqS$GgBXjak=)O7o4oqxI+v?MZ zb&s(S)G{05N`Ett+8k@F>^WWcVya!M_g-R_45~lKqWt(>`%7Qk5HIO`9C)Q>h#6WaWd4jlTLoDL%V97S6OiQ%L$|cX zbssnFFhNLVhlly6zh*s zOo24;&s+n$J(1a;J@AcJcHjUD3I7AW79{ELn}M$m18B!V;CQYVxDBa((Lyb{N9LZ! zorGB5pE@)mWFCPP%Z`T(!)gjS$!C`DC2kNFd!cm+kS3!{TEPOa7ZB-q4Sg`&xn^zU za32gg(t%^GHRB%a)ife?40HOT%u8Hn)(=Wo4e{&q2yw4{6ExcL!~CEqJhhvmC(9~w zlotQOCofJ6kgqIZ+V44IJaSAD0+CT1QQ4!gPpW~0j_;v@smroCb;j;yBR4#)4*rod z?@AI6736T-cPca|@7P43XStZkaf|U5;HFifXCxlPHy^8V#pSE}U`B&zRo&@J^LsrX zfrr&Ez)W(v;&ZJ_Nj739htc75B^YI&p`x*HRl!d#t7L;Q@Itvc8zBHucIdSucA?9>#?$j97IygY`whVL)E%?? z0*Y1~BjEDVJC`cznI7hOBbk~7#S@l%Ql8_0rS=FZd~kCMQ&*{{?xb&O7NE#;{%W9) zY%&K}-nm5KVd9{fH1)VdBK%p(m{Tr}QEGyVtS2z#(^7u@dhZ zp>$jjTSCn?!ww}|!HZ^Ejphnv)ns4S{4+f`0kAEB2QYR^x*63=o*%rq)jN3Kc4`V% zA0hdbzjNWLfpQY5w?dZgzQw0g8vQWh4Edva^vH((+_zy9lg_vUngItMUprEDGY^0~ zqj@qmQH%QqaYUoC1s7*n8K%J`?eH(dgV2?{ z-8DzWAF^bjS%S$WHMP>iKl|;I_fS0UQf!EH5k)%EJ18h!K#KIB(t8a^LO?~Z z0HG5)QUcO@CqzU6={?dCkP;w35J*DLS?b>J`(Ecdf6uS);~!kCWUYDTnVB`uJ@@T2 z8Ly18=dK6FpCiuuxOvf@4?O!9ZE8Z$4^0YLNO zlDT9Q>iTc)=^~jX{%YST27zvn(oH1 zam~&#?}ZDeCO9?-j9s5}hdKBqVUJl$uX8{CrTro)lOFfTG3=;o~?D_FR9-_)r|aKb4S9D6+#U? 
z!2%QrN2f1rT+(IkR;khV4IvMJrn*Kd$PjthSDlg@%ZW|M-j4}8C^aOzMCeY79k2l; zpr80y%k5Z5KeW3IN@prF1(@gy@|1LdK&tSXmY-?WVz@(n!IG-|YtZ9plczdwY{;*` z?fgtYu4F(xvaB|_Emo-OlVu8t1>n{mU|2!9D|ee#V5=joQUUZEmIlKWms$6=?(xp7 zrg?8O;t`^3^doA=ux>G7XCb|4Bc`TKy(P<4z!-K)odi629H5vH(=9r85SUx*_wAb8 zKN$q5?6m6)sbA~!k-eIxU3h(ex!XodtCwvK#TT|?eAbwUC1iMvw%dmx0<|cDtM7+} zkE8hS0p?eJg|6IOo63{P;?UAd9Lv8|W|9izqk5#fmoWZ1u9W27slN;=s?DT6ldaPh z0&l0A2@aqe)KUkm67MHnJn?G=a+{6Ga4t;GwL8PNmZJYASTqaZ(C=~DhL2W`!Hn_g z!w-jWt~0`k15GbACaQtyCrg|Lyno}vKcKr;;Jt9pr%c$1EYl36ofW5oAy%9z`o#sL9 zYw!2|T=43A9kG|_IW@+s_SC482>_U0Y8Ni_Ee}=~z{)aRI?=C%V9CzcC9K`)Z6u`E0~}0fOD}jiHVv0h<{A)au)S7j+2%B!CJEr0ACbmF5YH+ zdz*>9w2y=KZw5g9gBDiGrk)idro0&)bgZEqp&wxww9R=;qGzmbO?+X?>7P z);rxJ{-f$ele6&55&#wm;Ou_gl#t;T`BiUpR$MB{L&2i9Rg3rRiI|5z0O3DC;=9Qk z;?kZ`uy^#k-8SpI1Mqzp2Lq@%My@p{(O+D`X1kB$qI($tO4mI$=Da0Sa`4JuFOU02 z0b%9{&8>~donsuP^a!=}evO?)Zwh1WyCSjDcwt)Qh+ToYEukfg*(s&7t~i%N>Gb-Q3B{sOy+O|!jnGXP#Pni2#sfdRce zq0qP%$J3{O^KsXgGhGN$irAW^GU%SHN{0i2<*sW9+*bp0&7=iGt7Bf1$`k^R0!%WnIv7%4%88 z_1`?hksY*KYx4d*-Yil!zG}(`)wlS7z5#pN#j8(`Yna)UcoLf@?Uuv$PP~=m?Q@;R zrB^xDcT>?QD7AF8X`4zdSl|H%FY~E785@FI7jq9|Xr1FU>0J_Oz>-LlbHZ8N{ZBgP zF0FBs>GU4bM6(c1l|-8~&t6DB$2TkQ?OJeb29F4xpSzU)&lqjQ5!3{@=$m$>bcVI0@$!~=yLFh)b+EN< zXmb>JApbKwEo5+@cC#%O63mlz+^o1FLUnX*n0v!J2a;;@&OgW#ctAUAP^CoXFevDV63EgR2k9(Q+`~t-sRVH<63*P)!$bf$Mvzv9Ov|A;es7s+h{DP) z$et-;_TOIjccEY}JH+9Sb%P5Rc2xI^B$#+tE}c3bvJ%TYZLfa!&ICV!XR4ekIho7P z{^5Q!RZ}NAa%GI?bq`~1f%SL>-zD6(WL@Y&Zi~xG3usAQNf$e`T20+5 zVa~Qcf0;cjJnuZ@Eiw}(uwXg+UkF@<`5_>1dqF^G&rk9i$Zc&agmo_VqF0avcc^VU z*@t9j5uKa<_p9$TA?WXaCkf%bB9wx@nMGz(tX%Zcfnz1QrIX#9>?x>-Lr(cKM<7iZ z__e9Y4MA8&;QHxv@W?@fzIS#ogr4)5+SJ6r3c?ZjqY7u#C9&P-&T`;m9JkMsSH?d8 zxoA;m&^AO(Dk|Qe*+;D$&c9Y|JuULT2E5AN_%(T6T?&gPQtJ4$`+oXvGsa>y>*8)* zUsf(ZDZp`oeWkat^HD$dYs)Qqc;wTi`~$m?cyHlxJd@3<56eCA{oC?!tgQXXj?1m5 zHI}wRaMR-;aT<-bJFi?einW#M;{<%4I}SmzlY~{h5}MAGYnXVUvtvA80w}%TyA6N~ zE*<}33Lm^cH-r3q8T}}jDuudJ0J>Hf4r%=9Z!vgfXVVJ~9<)wk712G-m$D?QP0x{Z 
z>$R5-prUw4PJzytz2|!M5l?bFqB{GEvAneM+u-BTl_*DEZ;SO_tJF!1T_4fufJT>U z)VX#Wi)PY~iIsz7k)PUPm6CN)Z(^gVM)Jow$D*uT!e0NgC8jB}UHpV&s2SzZV7qns z$sBbLb??3dFEnqpzHr@C=BR+3i!F%(jd;s)p+V`9KOtt;JTRLQG}xfxTPq@~{_TUx z^n{G~?_l8NLQ>Gk^PIE+gUDyH6NQuCCWRn8LU8DvZ)GJf5kn`Ji}eEUc~TdsI;Stm zozX}vJmKLsd>-V+{qRE0H+MN)an^_@)!M>yzlZs{Y>|-oQi)IhK`b@ccrPp=eIq{B zwUE=G@w5i6Yfpvx+0y?>Jv(*S|7Z>(wzYyLaBAzJc9)+Ofvj9Lt@U4q@~}XsmYEU- z2+EwKaeY0Y-)YfR{|R8d`Da0%R0HLrh5%J=?6NvNj+A8Kz+j6{*;`^uIk$9DJe*mA zb=5K7laMLXUkB-D!$h+DUAQ&i^W`j?)e@P)8=1ZR8UGfLR)3=2jF8(s=U!emfkJ!Q zZR)6e@0OB%p9xi!w-B0QK^0mZE9o=#yk)4QMTY|O%G)-^44_}?qa4=Z%Dj)c+&twY{xP{0xJN-XQ?rF%2>~de}Bt4Gr zjW_q0L}zodq{Ckej5r`3t{nZ+&cCSQC$)5u3(w|?mJq+Zf0L-RBrPPc1sn<`RVtt4tG z260BxKX6PSg*+ZG_QY!jkKI0lv-l(jKism!PXvi^e>3okKW>o#Ts&}#3Jx!)_GBg# zveZy~ngE`+9WdU(JlL84`XctD5b|w$@ER01@t6 z_|jR!lG22xef>>-{t0C!YSwP$<(NK=Vy$?EnlOJ z9!du2jFOaIXh- z!7q%*L~;XPYedY$>1xJw_Uar~Ms${5&+_F?y!02b zlHRio8)m;MRR;{50G*esg3PW0Jarym^j-9W-%tACIwu^s>+FT!mxqUsr+^9{5iX&` ziB9O?klv5bHe?Uvettzb+0QqY!9M3Y|HO~ z%WJHdSyX0(ke2DB2M>K7mqtp$2gu{iAtJ;IirH$hDSa7fSSpvfSFfv3#ue!|#Snm| zPYcj|WKx};I!NFM4)w4&XHDf`Au91gyKi)|MD#wq)Pz;=S$#1%-dyh&Km2&HMASK{ zIwgE#q|=zb-v}|eSevn$JT@$zk5O>w+($awAl(EE3EFlebuP}!8E;?vc0eBuEPB;m zDReBY*Y~6ANx+JKA=3%2E-uT>bMOBsBdIngG##kxkUPAISTYT!>8Vai0@nuOr_~#U z^j2Q$e$-V$_NB37rLN{yeMTJ}_r_-Tz%=Fjb&jMlogSpKC+w4~9vl}% zO?wu8zfowLn*Ml|+I$Cn>-VZ&_Y7&qvjpY^)uLXesAek$eci*31)vAd!d1ibvcH%+ z?#OPj>QK5XIcJvFuX6C+f5p>?XSbBPY6@28?e^*2(TTDM_@E+N$99t`u_v>`e?@*q z)VegP%G$lURI7j0%h})Wu3pAQ!WR)R*23ARP664yXgt5~c->1y@C{T&Ec4OMH}RjS7yFz&7r{804m+#A{%6!u7t%H?vG(;eaCxR-C;UmGBc znVAs*m#?UA4F-~+g-}xqfq<_35Z8nx561&|yrI#YR3@_&!)rF2r`&*FTGIfBp#@Pz z4MueC4ESPA=%SY+tW7<}TVpaEjw1CL3(%bxV0{X%Km!9a(Q0b3+A_y5Qa0w`aCdc- z&lz3j=eGQ_);f$Ig!j3~&=#TSwN%O~#5WZk+e3vK8%Hx(^7 zd?FRa;8XI~7b!W5r4m7fLNytf^*C|5P6WdBo{OC$K55^FKe+T;Y5b}J_~b&L{qTjp zimg&22{oK((7E-VDhwgE6=L4SV-?n9c^5sb16o%Gp(CB&=9_<>{16nH8;O1pwk!Mx z;}LjZGS3jWVDl@0*&C%3tzne&QL|llz)fPMouQcL7W_!2MZ*!8nnNEA!Rf-h7aLl} 
zRA)*Ub$1)Wlc?3+33)m1Hl@Y#_U2_HB~Uq1DZ`;Wg05YS{v*wlxYmw3#95c3qZ;<) zKv^@4Ylwi7nLTZv-Qg1*fCCi4zNk1ns7*jC-PEcM+sDR8x(UYSG#zUWBsNM$-oUl(4L zjfHNPjkU-$n;(^3E+GAF<1>6VbO-jhMbI<{GnG?@p%XpyRUpmj);MZw=Lfi2BYrkc z{LTDkampZ$Ltvps(N@K;mPUymdpt+%LPB|vtuwpC>DGRKuHyj5bIT%x>l0^R;f-;E zWbHuYwt|=7w1QU+A$$s81>b~OBrKZaBlk6fO8{Ou+xMw#VNOJ1ND?3$ApY_o*F;j^Ncle z=2H*d!yV{5s5(MlyRteM8qw;{apep7*&rbT$2oqUou$mAQYHZ}iV62ok%g2hC@=gZ zwnH9%W3-E|7J1IwwDE<0ajC}-HV$UVN)z_-{@zOel^Do;&d;r_C~*UI38hianf9`D zQGxOM_{2s#bt7`_7J&CQCba}E&OAAg8w=3sVi#=(VaJl#(QHXcIYL@Ij~ym z(g9h!QtbA_@%de~!NNIO+*+beEa>+8fGq6KXA!}?!52&%A9I{1DsKZ_rGbZNgjFby z${HQLX#wJNd#}AuC*i?mTJ0SfNAmHzQN*1o`6<{kvH$EF!(sF{xiL!eplJ$9O2|<` zPutoSm7sv8Z##UP4cqbdIrO+v*$#Hr zgx%a=*ITmUOY-p_^)%4)oMkv)KClb2+D}P|TKnTgj(7H7w&cI!a?EfW^+zKhn zONYm^$0glwRIrJiEHFdq@U-ld6isZmj>U*0RLQn{?3zg|KRSC%;f`7prQn@m9$ zcy{F4>7g@*lqjkvU{Eo zZkDeuTS~}?2kJK8aBND(dVwME)GmXE$5z75zL!_#IzD5VF=oZkG2^_BCvXn_|AL*rr|;Z~H7fH;k5aOY4QCXdi(!T*?8{qeE9-}3T|BN=pGo9y`Gn{h$uZ*yR`&cP1@ za-nAf+gv!+>Q?494&_(LJ6dc-!hcMn5#08uZMB(Ue0WKy3S^sq;CH_jFn|hR0N{`S z|E~e6%j2}_Z@*&gSdB%XMWb7OB)lKn>Oupg-F%Ezk8q{?!2t@m%59}$q6G}Ms$c^Y zt>$(vcF~^fn5bd_p<()ZDW$pW)E4Zyqz+RhX6@a5-aO=R9f|>2;#*<%#k$<%Z2&Z= z0WXTkMUa}@#9z}M-*Fv+){hYFF&7FCV1MzqwmC%ZDL$h@ofsHtIFg z2L81L0-#{VcuspkZygprZ9ZJjbZp^XtD}Yhapy0A)n*f1`96G%Qqt;5f{F6J$`x9= z$}Xoe>Jgn|AqQz0mp6{b+~r!a_a=sWBs@ebdmik(=<+NP@u|xi?g^^Ss@F+VNk?3Q zq6+04ER2_9N30|)@(t$3&s1rUK1_`B!A2k{p5)Y;!=bfzA8-*yWWW2osayEJ1-#*x zr_mk_K;4t%RD6s&=WO)!^^k98;w{-N41R2rD`O|5#=3h<$x%L9I<1B-`r{kxsgXix zPT`X;8E3xvXT|#zm154Smwg)&_nflLa%?yQg9AC#D}x1wId4pRk$uIBS9)^`-|Fm2 zc{LV<|Ktr_OwelgCgHm7#E2*{$N7qOsxnIp7p(4Fh&{~!Uoyto0(!=L%9xsMwh!e~ zfE8}l6FWH1E^@MerCtqO`f2$GaJuB~;GoXyf%Ric1u|Kv%_v|y!dG>#gs)bixgP@V z#=<`4PxwCcAjZ%GXOSGgb%6qMg9E0^ByF

f(Xh{#0+fP5kKU<#0l}+Yi{-kHVGoro$v|gDPY&E<3M50M z*~1-A*M@TEgfDd*hN%X=O*=ZKuDJ;w;3Nf1lI&&YC{ykzdA-1#IX@f7 zZ3Md(Q>|KDMNR3CVrPGG7I1zpvmyheZ7Z2NN(iTqPn9np(V4)UwAT{DXT1yl?w*|- zyAxE}-*@2w z7MoFWV9}vTg7TZ!`yH!ni&C{MgKe=q#C?wgj;6A9jrk@5$hXxIU*A@mRX6)FALLTE zK%VK9k$rz8yk);9oT7wT8^=Gx2Z&{X9R5`J0RbD>#FcWiKVA)hr80sZ{qlDrAki(f z#17!MIdhcG7H#3(imKzH(?>NNXig@5_nu~yPC34S4!1A zBp43leGd#T=#^Jg5)yvbJ^OslRrIdcLUPkWOMuK5BaEe}b*w8rqz9sl|=s zlvn+OGIdDZZbk*tM&`QACm^t#(a^?{W#k(%s$b`)?+E$Pcf(^Q?Tyo(&pV};y-!(#EB&U?J5#->BtRbca@=S zXe$SATSZ=K3tc<@rz|>gBAM|O&)d}7E6J?>#cO$1-O#cWRRGYSm#-(&w9PoS^M&r- z+cP6^|CaA3?r;Go3E!PCVseu+{0~j+bC#YJDLAGuI}HKqtA{iTX0`=>wbI@GQYw14 zP*I#$bqN1dqbEKE0c{c6d3P5$i&S7ptz<^psLn5kc!PT}TKMUs(;GK^ziuYpPk~NC zrMOGKz39Y=?R)=lH2nJgzq8;cP5=ZJ|NP5|6JGyn$^w7+^x*&W3ovoCaOJ%KBzbxV9CD+Vl>E?@B@P%hX+v?VJ)Jg?TLy2KhuSbFaw zS8giY`t^`^kMqwPx52e~PwIoRC=jAe2Vp-u!ri#}?fN3O$SOy1KqGl%U0epE z<<=RM(VnY=dtVs+j%@e|6jE1LpO%*1N+RVy%^L=_#^4NlnT?hR|2YX0(6?+7PQpE7F>BH)mXCy_7rM98G zn&VuL>7y0B2~y-S)sdm+E%w>QS$IXwbp5Q;w^5CMW4I8^#Yudu=RQfkGVEN!qN%a< z?vMQjOPQGug>qkd$XdZaIR~#MY;&_ zPWbKzAzaSt7i5p=Rr{_cdjQPK4$+gj;h8j^*8ew;Cd7w&+LI@3A;yn=T7V6sm`|bB zm4K=rYimzMW@@vr77{@*p{|Eu{cp#N5&@z*r`79za4Dd&Atl8i|0BEF62qRyB}t^O zq+vw%>8Y7xNBwUuu=Fw4@t(3!C2?uQ(~b?ej?H$l;g;^|^XL+Yw)9o5r0t<8aD6F5 z#?(}ug@vf@YLxB}G$XbxAl-L`Qn`9Cp!Hz;wAMc6=s~pP6_wliB?bp23Acl*OyD~j z(P_u6aY`NAzGVe==$}Gy%zylQalIPS=P-fGRQ~dGsX{auX3=FUhifbI_OuNZW*0{w znZej%p9PKMESp#lS1@}VPjGZgh$6QZN;2c8ha0lW#@7J`M=3#JogZB=apJDK&mj%^M|8)D`M1XCnwWS2NJ6ZCXWT%@b56MWKR z@PY@Ob^T}T3uWJI&^SSTe&-p@eebrR$Q=`9B%(ZlIkkGAKoT+gv3zgu1GlpAxa^dE zqe9*^N`OOj50e0TtYn?hs?TexulbHac39`;-Ns4Y=2sW`9zX7Gf*ti6Nu*FLL_0(A zEF!LB!KS!4<`N=-e*)*pDRtNi?^Hyau<3PuPw)*UNGTAv%^KR!*V`UJH}GkeUUuOh zaY^r0%mt1IpPCn75G}Unw}U#GE17s?Q{~dSHiZkfk`ve?g1P1bLh}5Om8c_@g4a0j z&Nt=VlTU1NOT6ImWOHCx?TatjQ#;Wl4JlO<9hmX6?a`W)8A0ifaX9^%-zfXyt1H83 zu5_0!xYxslezjgQ9(Khyy{sz|98*j?JR1KnH*U2d25~5P4uYq1AXsKj+B-DZz}G$^ zwy|6s$dh<-gG0Zuql?i?$@e8ZFcQz6(`0DMZf&0+ZPgZ2^Xu 
From 1c09c63cb75dff1d47c8e38cd17f6c6e7882e652 Mon Sep 17 00:00:00 2001
From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 16 Feb 2024 14:08:14 +0100 Subject: [PATCH 03/84] Security TRG 8 This PR brings enhancement to the existing TRG with a new addition of TRG 8.0 for Security specific topics --- docs/release/trg-8/_category_.json | 3 + docs/release/trg-8/trg-8-00.md | 66 ++++++++++++++ docs/release/trg-8/trg-8-01.md | 135 +++++++++++++++++++++++++++++ docs/release/trg-8/trg-8-02.md | 25 ++++++ docs/release/trg-8/trg-8-03.md | 91 +++++++++++++++++++ docs/release/trg-8/trg-8-04.md | 71 +++++++++++++++ docs/release/trg-8/trg-8-05.md | 19 ++++ docs/release/trg-8/trg-8-06.md | 33 +++++++ docs/release/trg-8/trg-8-07.md | 122 ++++++++++++++++++++++++++ 9 files changed, 565 insertions(+) create mode 100644 docs/release/trg-8/_category_.json create mode 100644 docs/release/trg-8/trg-8-00.md create mode 100644 docs/release/trg-8/trg-8-01.md create mode 100644 docs/release/trg-8/trg-8-02.md create mode 100644 docs/release/trg-8/trg-8-03.md create mode 100644 docs/release/trg-8/trg-8-04.md create mode 100644 docs/release/trg-8/trg-8-05.md create mode 100644 docs/release/trg-8/trg-8-06.md create mode 100644 docs/release/trg-8/trg-8-07.md diff --git a/docs/release/trg-8/_category_.json b/docs/release/trg-8/_category_.json new file mode 100644 index 00000000000..4c9752e8a4b --- /dev/null +++ b/docs/release/trg-8/_category_.json @@ -0,0 +1,3 @@ +{ + "label": "TRG 8 - Security" +} diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md new file mode 100644 index 00000000000..70ae822a561 --- /dev/null +++ b/docs/release/trg-8/trg-8-00.md 
@@ -0,0 +1,66 @@ +--- +title: TRG 8.00 - Security Scanning Toolchain +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 21-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. + +## Description + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +:::caution + +To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. + +::: + +## Tools that we’re using + +- ### SAST (Static Application Security Testing) + +Tools analyze source code or compiled binaries to identify potential vulnerabilities + +**Open-Source**: [CodeQL](/docs/release/trg-8/trg-8-01), [Snyk](/docs/release/trg-8/trg-8-06) + +- ### SCA (Software Composition Analysis) + +Tools examine the software components + +**Open-Source**: [Snyk](/docs/release/trg-8/trg-8-06) + +- ### DAST (Dynamic Application Security Testing) + +Tools test the application in it is running state to identify vulnerabilities that may not be detected by SAST + +**Open-Source**: [Owasp ZAP](/docs/release/trg-8/trg-8-05) + +- ### IaC (Infrastructure as Code) + +Tools that check the configuration files that define the infrastructure components of an application + +**Open-Source**: [KICS](/docs/release/trg-8/trg-8-03), [Snyk](/docs/release/trg-8/trg-8-06) + +- ### Secret Scanning + +Tools designed to search for and identify sensitive information, known as secrets, within code repositiories + +**Open-Source**: [GitGuardian](/docs/release/trg-8/trg-8-02) + +- ### Container Scanner + +Tools that scan the container images and the running containers + +**Open-Source**: [Trivy](/docs/release/trg-8/trg-8-04), 
[Snyk](/docs/release/trg-8/trg-8-06) + +:::tip + +Security is not a one-time activity, but a continuous process that requires constant attention and improvement. +Even if you cannot perform a full **security assessment** for each product every release, you should at least follow basic security practices. + +::: diff --git a/docs/release/trg-8/trg-8-01.md b/docs/release/trg-8/trg-8-01.md new file mode 100644 index 00000000000..dc8ebff5a9a --- /dev/null +++ b/docs/release/trg-8/trg-8-01.md 
@@ -0,0 +1,135 @@ +--- +title: TRG 8.01 - CodeQL +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 21-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. + +## Description + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +### CodeQL + +**CodeQL** serves as our core code analysis tool (**SAST**), providing deep code introspection for potential security vulnerabilities and other code quality concerns. +Below is a technical breakdown of how CodeQL integrates with our **CI/CD** process. + +:::info + +The CodeQL scan is triggered upon commits to the main branch, based on a CRON schedule set at 01:36 every Sunday, or when manually initiated. + +::: + +Given the range of languages CodeQL can analyze, the workflow leverages a matrix strategy to dynamically adjust runner settings based on the target language. It currently scans **Java**, **JavaScript**, **Python**, and **Ruby**, but this list is adjustable depending on the repository's dominant languages. + +:::info + +CodeQL supports a broader set of languages including 'cpp', 'csharp', 'go', 'swift', among others. Accordingly, adjustments should be made to the language matrix when different languages are in play. + +::: + +### The CodeQL analysis consists of several steps: + +- **Repository Checkout**: The repository content is fetched using actions/checkout@v3. + +- **CodeQL Initialization**: The github/codeql-action/init@v2 action initializes the CodeQL tools, setting the target languages and the desired query sets. CodeQL possesses an extensive collection of predefined queries, but developers can specify custom queries if necessary. 
+ +- **Auto-build**: The github/codeql-action/autobuild@v2 action attempts to build any compiled languages. This auto-build feature can occasionally face issues and may fail, especially with complex build processes or non-standard configurations. If an auto-build failure occurs, developers must manually configure the build process within the workflow. An example is provided in the workflow to guide this manual setup. + +- **CodeQL Analysis**: Post build, CodeQL performs its analysis, examining the codebase for vulnerabilities and other concerns. Results are categorized based on the language of analysis. + +In the provided CodeQL workflow, specific queries are used to enhance security analysis: +security-extended,security-and-quality. The + symbol ensures that these queries are added to the default set, allowing for a comprehensive security analysis. Developers should be aware of these configured queries as they focus on identifying a broad range of vulnerabilities, ensuring robust code security and quality. + +```md +/******************************************************************************** +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "36 1 * * 0" + workflow_dispatch: + +jobs: + analyze: + name: Analyze + # Runner size impacts CodeQL analysis time. 
To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners + # Consider using larger runners for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["java", "javascript", "python", "ruby"] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + queries: +security-extended,security-and-quality + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). + # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup. 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" + ********************************************************************************/ + ``` + \ No newline at end of file diff --git a/docs/release/trg-8/trg-8-02.md b/docs/release/trg-8/trg-8-02.md new file mode 100644 index 00000000000..29c91e9019b --- /dev/null +++ b/docs/release/trg-8/trg-8-02.md 
@@ -0,0 +1,25 @@ +--- +title: TRG 8.02 - GitGuardian +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 21-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. + +## Description + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +### GitGuardian + +**GitGuardian** is integrated via its GitHub App, enabling automated secret scanning of our codebase. Each pull request (PR) undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification. + +:::info + +The email contains a temporary **link**, allowing the author to either **report** the detected secret or **mark it as a false positive**, streamlining the review process for software engineers. + +::: diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md new file mode 100644 index 00000000000..fbea0270c4c --- /dev/null +++ b/docs/release/trg-8/trg-8-03.md 
@@ -0,0 +1,91 @@ +--- +title: TRG 8.03 - KICS +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 21-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. + +## Description + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +### KICS + +**KICS** is an integral tool in our security workflow, specifically targeting infrastructure-as-code (IaC) vulnerabilities. Here's how we've integrated KICS into our process: + +:::info + +When a push is made to the main branch or once daily (based on a CRON schedule), excluding markdown and text files, the KICS scan is triggered. Additionally, a manual dispatch option is available for on-demand scans. + +::: + +The job runs on the latest Ubuntu and requires permissions for reading actions and content, as well as writing security events. Upon initiation, the repository is checked out using the actions/checkout@v3 action. + +The primary action involves running the KICS scan, which leverages the checkmarx/kics-github-action@v1.7.0. The scan focuses on the root directory, and the results are outputted in the SARIF format, stored in the kicsResults/ directory. + +:::info + +KICS is configured to exit with a status code of 0, regardless of the scan results, unless there's a KICS engine error. Some paths and specific queries are excluded from the scan, and secret scanning is explicitly disabled. + +::: + +Subsequently, the SARIF file, which contains the KICS scan results, is uploaded using the github/codeql-action/upload-sarif@v2 action. 
This ensures that the findings are made available for review and further analysis in the GitHub environment, aiding engineers in addressing potential vulnerabilities effectively. + +```md +/******************************************************************************** +name: Run KICS scan and upload SARIF + +on: + push: + branches: main + paths-ignore: + - "**/*.md" + - "**/*.txt" + schedule: + - cron: "0 0 * * *" # Once a day + workflow_dispatch: + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repo + uses: actions/checkout@v3 + + - name: Run KICS Scan with SARIF result + uses: checkmarx/kics-github-action@v1.7.0 + with: + # Scanning directory . + path: "." + # When provided with a directory on output_path + # it will generate the specified reports file named 'results.{extension}' + # in this example it will generate: kicsResults/results.sarif + output_path: kicsResults/ + output_formats: "sarif" + # If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens + ignore_on_exit: results + # Exclude paths or files from scan + # exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" + # Exclude accepted queries from the build + # exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e + # No secret scanning + disable_secrets: true + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: kicsResults/results.sarif + ********************************************************************************/ + ``` + \ No newline at end of file diff --git a/docs/release/trg-8/trg-8-04.md b/docs/release/trg-8/trg-8-04.md new file mode 100644 index 00000000000..c4e1c1188e2 --- /dev/null +++ b/docs/release/trg-8/trg-8-04.md 
@@ -0,0 +1,71 @@ +--- +title: TRG 8.04 - Trivy +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 21-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. + +## Description + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +### Trivy + +Trivy stands as our container vulnerability scanner of choice, ensuring the security of our container images by targeting both OS-level and library dependencies. Here's a concise breakdown of the Trivy integration in our workflow: + +:::info + +The Trivy scan is initiated either on-demand through manual dispatch or based on a CRON schedule, executing once daily. The job is executed on the latest Ubuntu and requires specified permissions: reading actions and content and writing security events. + +::: + +The primary step involves the Trivy vulnerability scanner pulling the container image tractusx/irs-api:latest from Docker Hub. Before scanning, it's essential to ensure that the desired image on Docker Hub is correctly configured for the scan. + +:::caution + +We recommend always scanning the most recently published image to maintain updated security assessments. Utilizing the aquasecurity/trivy-action@0.12.0, the scanner inspects the image for vulnerabilities of types os and library. Results are formatted as SARIF and stored in trivy-results.sarif. + +::: + +After the scan, results are then uploaded to the GitHub Security tab via the github/codeql-action/upload-sarif@v2 action, ensuring engineers can efficiently review and address any highlighted vulnerabilities. 
+ +```md +/******************************************************************************** +name: "Run Trivy scan and upload SARIF" + +on: + workflow_dispatch: + schedule: + - cron: "0 0 * * *" # Once a day + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Pull image from Docker Hub and run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: "tractusx/irs-api:latest" + format: "sarif" + output: "trivy-results.sarif" + vuln-type: "os,library" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" + ********************************************************************************/ + ``` + \ No newline at end of file diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md new file mode 100644 index 00000000000..49e131a03b7 --- /dev/null +++ b/docs/release/trg-8/trg-8-05.md @@ -0,0 +1,19 @@ +--- +title: TRG 8.05 - Owasp ZAP +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 21-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. + +## Description + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +### Owasp ZAP + +To be updated soon diff --git a/docs/release/trg-8/trg-8-06.md b/docs/release/trg-8/trg-8-06.md new file mode 100644 index 00000000000..de40d4a127a --- /dev/null +++ b/docs/release/trg-8/trg-8-06.md 
@@ -0,0 +1,33 @@ +--- +title: TRG 8.06 - SNYK +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 21-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. + +## Description + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +### SNYK + +To integrate SNYK with your GitHub repository, you need to follow these steps: + +- Login to SNYK using your GitHub account +- Go to the Integrations page in your SNYK account and click **Connect to GitHub** +- Grant permissions to SNYK to access your GitHub repositories and authorize the SNYK application +- Choose which repositories you want to test and monitor with SNYK and click **Add selected repositories to SNYK** +- Snyk will scan your repositories for vulnerabilities and provide you with security reports, fix pull requests, and alerts + +To import GitHub Projects: + +- Go to **Settings** +- Go to **GitHub** under **Integrations** +- Click on **Import GitHub Projects** +- Choose project that you want to add +- Click on **Add Selected Repositories** diff --git a/docs/release/trg-8/trg-8-07.md b/docs/release/trg-8/trg-8-07.md new file mode 100644 index 00000000000..a3c89f0b7e4 --- /dev/null +++ b/docs/release/trg-8/trg-8-07.md 
@@ -0,0 +1,122 @@ +--- +title: TRG 8.07 - Dependabot +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 21-Feb-2024 | Initial release | + +## Why + +GitHub Dependabot is a powerful tool designed to help keep your project's dependencies up to date. By automating the process of checking for updates and creating pull requests when new versions are available,Dependabot ensures that your project benefits from the latest features, bug fixes, and security patches. + +### Key Benefits: + +- **Security**: Receive timely updates for security vulnerabilities in your project's dependencies. +- **Stability**: Keep your project stable by staying current with the latest releases. +- **Efficiency**: Automate the time consuming task of manually checking for updates and creating pull requests. + +## Description + +Dependabot is an excellent fit for application dependencies/vulnerabilities. By regularly checking for updates, it allows you to seamlessly integrate the latest improvements into your application. +For Docker images, Dependabot ensures that your [base images](https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02) and dependencies are regularly updated, reducing the risk of using outdated or vulnerable components. +Dependabot can also assist in keeping used GitHub Actions up to date. This is crucial for ensuring that your workflows leverage the latest GitHub Actions features and improvements. + +### Security updates + +To enable Dependabot for security updates, you can leverage GitHub's Security tab. Go to the "Security" tab in your repository and follow the prompts to enable automated security updates. +More information: + + +### Version updates + +To enable Dependabot for version updates, create a dependabot.yml file in .github directory the root of your repository. In order to reduce number of generated bump Pull Requests, recommendation is to change default interval to i.e. 
weekly, as well as limit open PRs. See provided example below. + +### Example + +This configuration checks for Maven, GitHub Action and Docker updates on a weekly basis and creates pull requests for up to 5 updates at a time. + +:::caution + +Be careful, Dependabot PR merge can lead to out of date DEPENDENCIES file. + +Make sure DEPENDENCIES file is updated by DASH tool. + +::: + +```yaml +version: 2 +updates: + # Maintain dependencies for Maven + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + # Maintain dependencies for Docker + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + # Maintain dependencies for npm + +version: 2 + +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + +version: 2 +updates: + # maintain dependencies for GitHub actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "monday" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "github_actions" + + # maintain dependencies for Gradle + - package-ecosystem: "gradle" # checks build.gradle(.kts) and settings.gradle(.kts) + directory: "/" + schedule: + interval: "daily" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "java" +``` +:::tip + +You can change **interval** and **open-pull-requests-limit** based on your needs + +::: + +More information: + + + +:::info + +**Importance of Implemented Tests:** + +Ensure that your project has comprehensive test coverage. Automated tests are crucial for quickly validating that updates do not introduce regressions or break existing functionality. + +::: 
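Review bot: In the trg-8-04.md workflow example, the YAML is fenced as `md` and wrapped in `/****` ... `****/` comment bars, so a reader who copies the block does not get a valid workflow file; fence it as `yaml` and either drop the bars or turn the header into `#` comments. The block also hard-codes `image-ref: "tractusx/irs-api:latest"`, one specific product's image, so the example should use a clearly marked placeholder and say that it must be replaced. `aquasecurity/trivy-action@0.12.0` and `github/codeql-action/upload-sarif@v2` are referenced by tag; for a security guideline, consider showing them pinned to a full commit SHA. The closing fence is indented by one space and the file ends without a newline.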
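Review bot: In the trg-8-07.md example block, three separate configurations are pasted into one `yaml` fence, each with its own `version: 2` and `updates:`, so the block as a whole has duplicate top-level keys and cannot be saved as a single `.github/dependabot.yml`; split it into one fenced example per configuration, or merge the entries under one `updates:` list. In the third configuration `interval: "monday"` is not an interval value: the weekday belongs in a separate key, as in `interval: "weekly"` with `day: "monday"`. The sentence above the block promises weekly checks with a limit of 5 pull requests, but the npm and Gradle entries use `interval: "daily"` and the npm configuration sets no `open-pull-requests-limit`; either align the entries or describe each configuration separately.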
From 34e362d053d992f168f9d64125fbf91acef35337 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 19 Feb 2024 13:58:21 +0100 Subject: [PATCH 04/84] Delete docs/release/trg-8/trg-8-07.md Removing Dependabot section because there is a PR regarding it and Tomasz Barwicki is working on this --- docs/release/trg-8/trg-8-07.md | 122 --------------------------------- 1 file changed, 122 deletions(-) delete mode 100644 docs/release/trg-8/trg-8-07.md diff --git a/docs/release/trg-8/trg-8-07.md b/docs/release/trg-8/trg-8-07.md deleted file mode 100644 index a3c89f0b7e4..00000000000 --- a/docs/release/trg-8/trg-8-07.md +++ /dev/null 
@@ -1,122 +0,0 @@ ---- -title: TRG 8.07 - Dependabot ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 21-Feb-2024 | Initial release | - -## Why - -GitHub Dependabot is a powerful tool designed to help keep your project's dependencies up to date. By automating the process of checking for updates and creating pull requests when new versions are available,Dependabot ensures that your project benefits from the latest features, bug fixes, and security patches. - -### Key Benefits: - -- **Security**: Receive timely updates for security vulnerabilities in your project's dependencies. -- **Stability**: Keep your project stable by staying current with the latest releases. -- **Efficiency**: Automate the time consuming task of manually checking for updates and creating pull requests. - -## Description - -Dependabot is an excellent fit for application dependencies/vulnerabilities. By regularly checking for updates, it allows you to seamlessly integrate the latest improvements into your application. -For Docker images, Dependabot ensures that your [base images](https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02) and dependencies are regularly updated, reducing the risk of using outdated or vulnerable components. -Dependabot can also assist in keeping used GitHub Actions up to date. This is crucial for ensuring that your workflows leverage the latest GitHub Actions features and improvements. - -### Security updates - -To enable Dependabot for security updates, you can leverage GitHub's Security tab. Go to the "Security" tab in your repository and follow the prompts to enable automated security updates. -More information: - - -### Version updates - -To enable Dependabot for version updates, create a dependabot.yml file in .github directory the root of your repository. In order to reduce number of generated bump Pull Requests, recommendation is to change default interval to i.e. 
weekly, as well as limit open PRs. See provided example below. - -### Example - -This configuration checks for Maven, GitHub Action and Docker updates on a weekly basis and creates pull requests for up to 5 updates at a time. - -:::caution - -Be careful, Dependabot PR merge can lead to out of date DEPENDENCIES file. - -Make sure DEPENDENCIES file is updated by DASH tool. - -::: - -```yaml -version: 2 -updates: - # Maintain dependencies for Maven - - package-ecosystem: "maven" - directory: "/" - schedule: - interval: "weekly" - open-pull-requests-limit: 5 - # Maintain dependencies for GitHub Actions - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - open-pull-requests-limit: 5 - # Maintain dependencies for Docker - - package-ecosystem: "docker" - directory: "/" - schedule: - interval: "weekly" - open-pull-requests-limit: 5 - - # Maintain dependencies for npm - -version: 2 - -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "daily" - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - -version: 2 -updates: - # maintain dependencies for GitHub actions - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "monday" - open-pull-requests-limit: 5 - labels: - - "dependencies" - - "github_actions" - - # maintain dependencies for Gradle - - package-ecosystem: "gradle" # checks build.gradle(.kts) and settings.gradle(.kts) - directory: "/" - schedule: - interval: "daily" - open-pull-requests-limit: 5 - labels: - - "dependencies" - - "java" -``` -:::tip - -You can change **interval** and **open-pull-requests-limit** based on your needs - -::: - -More information: - - - -:::info - -**Importance of Implemented Tests:** - -Ensure that your project has comprehensive test coverage. Automated tests are crucial for quickly validating that updates do not introduce regressions or break existing functionality. - -::: 
From 513590a0a92a39ae4bd3818e474e9e171c6e7b0a Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 22 Feb 2024 14:31:43 +0100 Subject: [PATCH 05/84] Update trg-8-00.md --- docs/release/trg-8/trg-8-00.md | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md index 70ae822a561..ed51db352da 100644 --- a/docs/release/trg-8/trg-8-00.md +++ b/docs/release/trg-8/trg-8-00.md @@ -4,7 +4,7 @@ title: TRG 8.00 - Security Scanning Toolchain | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 21-Feb-2024 | Initial release | +| Active | 23-Feb-2024 | Initial release | ## Why @@ -16,7 +16,9 @@ A security scanning toolchain is a collection of tools and processes that are us :::caution -To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. +To pass the quality gates, all **critical**, **high** and **medium** security vulnerabilities **must be mitigated**. +This generic statement may conflict with [TRG 4.02](/docs/release/trg-4/trg-4-02) base images that apply to containers scans. +The statement from [TRG 4.02](/docs/release/trg-4/trg-4-02) **prevails**. ::: 
@@ -26,37 +28,31 @@ To pass the quality gates, all **critical** and **high** security vulnerabilitie Tools analyze source code or compiled binaries to identify potential vulnerabilities -**Open-Source**: [CodeQL](/docs/release/trg-8/trg-8-01), [Snyk](/docs/release/trg-8/trg-8-06) +**Open-Source**: [CodeQL](/docs/release/trg-8/trg-8-01), [Snyk](/docs/release/trg-8/trg-8-02) - ### SCA (Software Composition Analysis) Tools examine the software components -**Open-Source**: [Snyk](/docs/release/trg-8/trg-8-06) - -- ### DAST (Dynamic Application Security Testing) - -Tools test the application in it is running state to identify vulnerabilities that may not be detected by SAST - -**Open-Source**: [Owasp ZAP](/docs/release/trg-8/trg-8-05) +**Open-Source**: [Snyk](/docs/release/trg-8/trg-8-02) - ### IaC (Infrastructure as Code) Tools that check the configuration files that define the infrastructure components of an application -**Open-Source**: [KICS](/docs/release/trg-8/trg-8-03), [Snyk](/docs/release/trg-8/trg-8-06) +**Open-Source**: [KICS](/docs/release/trg-8/trg-8-03), [Snyk](/docs/release/trg-8/trg-8-02) - ### Secret Scanning -Tools designed to search for and identify sensitive information, known as secrets, within code repositiories +Tools designed to search for and identify sensitive information, known as secrets, within code repositories -**Open-Source**: [GitGuardian](/docs/release/trg-8/trg-8-02) +**Open-Source**: [GitGuardian](/docs/release/trg-8/trg-8-04) - ### Container Scanner Tools that scan the container images and the running containers -**Open-Source**: [Trivy](/docs/release/trg-8/trg-8-04), [Snyk](/docs/release/trg-8/trg-8-06) +**Open-Source**: [Trivy](/docs/release/trg-8/trg-8-05), [Snyk](/docs/release/trg-8/trg-8-02) :::tip From 68b4111fa5043a220ea38426a48caae5c351cd2e Mon Sep 17 00:00:00 2001 
From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 22 Feb 2024 14:32:18 +0100 Subject: [PATCH 06/84] Update trg-8-01.md --- docs/release/trg-8/trg-8-01.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/release/trg-8/trg-8-01.md b/docs/release/trg-8/trg-8-01.md index dc8ebff5a9a..f86fb2af5fd 100644 --- a/docs/release/trg-8/trg-8-01.md +++ b/docs/release/trg-8/trg-8-01.md @@ -4,17 +4,19 @@ title: TRG 8.01 - CodeQL | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 21-Feb-2024 | Initial release | +| Active | 23-Feb-2024 | Initial release | ## Why -Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. +**CodeQL** can be used to analyze large and complex codebases, making it ideal for organizations of all sizes.It can also be integrated into your existing development workflow, allowing you to catch problems early. -## Description +:::info -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. +For any errors, please contact Security Team by creating an issue on GitHub. -### CodeQL +::: + +## Description **CodeQL** serves as our core code analysis tool (**SAST**), providing deep code introspection for potential security vulnerabilities and other code quality concerns. Below is a technical breakdown of how CodeQL integrates with our **CI/CD** process. @@ -33,7 +35,7 @@ CodeQL supports a broader set of languages including 'cpp', 'csharp', 'go', 'swi ::: -### The CodeQL analysis consists of several steps: +### The CodeQL analysis consists of several steps - **Repository Checkout**: The repository content is fetched using actions/checkout@v3. 
@@ -132,4 +134,3 @@ jobs: category: "/language:${{matrix.language}}" ********************************************************************************/ ``` - \ No newline at end of file From 2ed268194b3b05e9ecc7a19497e99dd79d578533 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 22 Feb 2024 14:33:22 +0100 Subject: [PATCH 07/84] Delete docs/release/trg-8/trg-8-05.md After discussion about Owasp ZAP on security meeting, we decided that for now we won't add Owasp ZAP to TRG --- docs/release/trg-8/trg-8-05.md | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 docs/release/trg-8/trg-8-05.md diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md deleted file mode 100644 index 49e131a03b7..00000000000 --- a/docs/release/trg-8/trg-8-05.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: TRG 8.05 - Owasp ZAP ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 21-Feb-2024 | Initial release | - -## Why - -Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. - -## Description - -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. - -### Owasp ZAP - -To be updated soon From 0eb18382759341f5041f52de2ad2869bb36226ba Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 22 Feb 2024 14:34:04 +0100 Subject: [PATCH 08/84] Update trg-8-02.md --- docs/release/trg-8/trg-8-02.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/release/trg-8/trg-8-02.md b/docs/release/trg-8/trg-8-02.md index 29c91e9019b..af0fb6edcd0 100644 --- a/docs/release/trg-8/trg-8-02.md 
+++ b/docs/release/trg-8/trg-8-02.md 
@@ -1,25 +1,27 @@ --- -title: TRG 8.02 - GitGuardian +title: TRG 8.02 - SNYK --- | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 21-Feb-2024 | Initial release | +| Active | 23-Feb-2024 | Initial release | ## Why -Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. +**SNYK** provides actionable insights and guidance on how to fix vulnerabilities, making it easy for developers to understand and address security concerns. -## Description - -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. +:::caution -### GitGuardian +It can be set up **only by Security Team**, so please contact us by creating an issue on GitHub. -**GitGuardian** is integrated via its GitHub App, enabling automated secret scanning of our codebase. Each pull request (PR) undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification. +::: -:::info +## Description -The email contains a temporary **link**, allowing the author to either **report** the detected secret or **mark it as a false positive**, streamlining the review process for software engineers. +To integrate SNYK with your GitHub repository, you need to follow these steps: -::: +- Login to SNYK using your GitHub account +- Go to the Integrations page in your SNYK account and click **Connect to GitHub** +- Grant permissions to SNYK to access your GitHub repositories and authorize the SNYK application +- Choose which repositories you want to test and monitor with SNYK and click **Add selected repositories to SNYK** +- Snyk will scan your repositories for vulnerabilities and provide you with security reports, fix pull requests, and alerts 
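Review bot: In the trg-8-00.md caution block (PATCH 05/84), the quality gate is widened from critical and high to critical, high and medium, and the same hunk says this may conflict with TRG 4.02 and that TRG 4.02 prevails, without stating what TRG 4.02 requires for container scans; from this page alone a reader cannot tell which severities block a release for container findings. State the container rule next to the link. The subject "Update trg-8-00.md" has no body, so both this policy change and the removal of the DAST section are invisible in the log; the commit message should name them.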
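Review bot: In the rewritten trg-8-02.md (PATCH 08/84), the new caution says Snyk "can be set up **only by Security Team**", yet the Description that follows still addresses the reader with "you need to follow these steps" and walks through connecting GitHub and granting repository permissions; say who performs these steps, or reduce the section to what a developer does once the Security Team has onboarded the repository. The page mixes "SNYK" and "Snyk", and "Login to" should be the verb form "Log in to". Because this commit repurposes the trg-8-02.md path from GitGuardian to Snyk while the links in trg-8-00.md were already renumbered in PATCH 05/84, the intermediate commits point at the wrong tool; the renames and the link updates belong in one commit.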
From 39aacf3177a57aacd384fac36d4ac898ca4d6a7f Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 22 Feb 2024 14:34:28 +0100 Subject: [PATCH 09/84] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index fbea0270c4c..f6271a3e773 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -4,17 +4,19 @@ title: TRG 8.03 - KICS | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 21-Feb-2024 | Initial release | +| Active | 23-Feb-2024 | Initial release | ## Why -Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. +**KICS** identifies security vulnerabilities, compliance issues, and infrastructure misconfigurations in your IaC. -## Description +:::info -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. +For any errors, please contact Security Team by creating an issue on GitHub. -### KICS +::: + +## Description **KICS** is an integral tool in our security workflow, specifically targeting infrastructure-as-code (IaC) vulnerabilities. Here's how we've integrated KICS into our process: @@ -88,4 +90,3 @@ jobs: sarif_file: kicsResults/results.sarif ********************************************************************************/ ``` - \ No newline at end of file From 35c06c76d4fdfac7086b5d423a3aa03c9b739132 Mon Sep 17 00:00:00 2001 
From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 22 Feb 2024 14:34:48 +0100 Subject: [PATCH 10/84] Update trg-8-04.md --- docs/release/trg-8/trg-8-04.md | 62 +++++----------------------------- 1 file changed, 9 insertions(+), 53 deletions(-) diff --git a/docs/release/trg-8/trg-8-04.md b/docs/release/trg-8/trg-8-04.md index c4e1c1188e2..33689165a8a 100644 --- a/docs/release/trg-8/trg-8-04.md +++ b/docs/release/trg-8/trg-8-04.md 
@@ -1,71 +1,27 @@ --- -title: TRG 8.04 - Trivy +title: TRG 8.04 - GitGuardian --- | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 21-Feb-2024 | Initial release | +| Active | 23-Feb-2024 | Initial release | ## Why -Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. - -## Description - -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. - -### Trivy - -Trivy stands as our container vulnerability scanner of choice, ensuring the security of our container images by targeting both OS-level and library dependencies. Here's a concise breakdown of the Trivy integration in our workflow: - -:::info - -The Trivy scan is initiated either on-demand through manual dispatch or based on a CRON schedule, executing once daily. The job is executed on the latest Ubuntu and requires specified permissions: reading actions and content and writing security events. - -::: - -The primary step involves the Trivy vulnerability scanner pulling the container image tractusx/irs-api:latest from Docker Hub. Before scanning, it's essential to ensure that the desired image on Docker Hub is correctly configured for the scan. +**GitGuardian** excels at detecting and preventing leaks of sensitive data in your code repositories, such as API keys, passwords, and other secrets. This can help you avoid security breaches and comply with data privacy regulations. :::caution -We recommend always scanning the most recently published image to maintain updated security assessments. Utilizing the aquasecurity/trivy-action@0.12.0, the scanner inspects the image for vulnerabilities of types os and library. Results are formatted as SARIF and stored in trivy-results.sarif. 
+It can be set up **only by Security Team**, so please contact us by creating an issue on GitHub. ::: -After the scan, results are then uploaded to the GitHub Security tab via the github/codeql-action/upload-sarif@v2 action, ensuring engineers can efficiently review and address any highlighted vulnerabilities. - -```md -/******************************************************************************** -name: "Run Trivy scan and upload SARIF" +## Description -on: - workflow_dispatch: - schedule: - - cron: "0 0 * * *" # Once a day +**GitGuardian** is integrated via its GitHub App, enabling automated secret scanning of our codebase. Each pull request (PR) undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification. -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write +:::info - steps: - # Pull image from Docker Hub and run Trivy vulnerability scanner - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.12.0 - with: - image-ref: "tractusx/irs-api:latest" - format: "sarif" - output: "trivy-results.sarif" - vuln-type: "os,library" +The email contains a temporary **link**, allowing the author to either **report** the detected secret or **mark it as a false positive**, streamlining the review process for software engineers. - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: "trivy-results.sarif" - ********************************************************************************/ - ``` - \ No newline at end of file +::: From a073b042cf7a652b3597711fc0e64a261d9f3d83 Mon Sep 17 00:00:00 2001 
From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 22 Feb 2024 14:35:13 +0100 Subject: [PATCH 11/84] Update and rename trg-8-06.md to trg-8-05.md --- docs/release/trg-8/trg-8-05.md | 72 ++++++++++++++++++++++++++++++++++ docs/release/trg-8/trg-8-06.md | 33 ---------------- 2 files changed, 72 insertions(+), 33 deletions(-) create mode 100644 docs/release/trg-8/trg-8-05.md delete mode 100644 docs/release/trg-8/trg-8-06.md diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md new file mode 100644 index 00000000000..1f64d32975b --- /dev/null +++ b/docs/release/trg-8/trg-8-05.md 
@@ -0,0 +1,72 @@ +--- +title: TRG 8.05 - Trivy +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 23-Feb-2024 | Initial release | + +## Why + +**Trivy** identifies known vulnerabilities in the packages and libraries within your container images. + +:::info + +For any errors, please contact Security Team by creating an issue on GitHub. + +::: + +## Description + +Trivy stands as our container vulnerability scanner of choice, ensuring the security of our container images by targeting both OS-level and library dependencies. Here's a concise breakdown of the Trivy integration in our workflow: + +:::info + +The Trivy scan is initiated either on-demand through manual dispatch or based on a CRON schedule, executing once daily. The job is executed on the latest Ubuntu and requires specified permissions: reading actions and content and writing security events. + +::: + +The primary step involves the Trivy vulnerability scanner pulling the container image tractusx/irs-api:latest from Docker Hub. Before scanning, it's essential to ensure that the desired image on Docker Hub is correctly configured for the scan. + +:::caution + +We recommend always scanning the most recently published image to maintain updated security assessments. Utilizing the aquasecurity/trivy-action@0.12.0, the scanner inspects the image for vulnerabilities of types os and library. Results are formatted as SARIF and stored in trivy-results.sarif. + +::: + +After the scan, results are then uploaded to the GitHub Security tab via the github/codeql-action/upload-sarif@v2 action, ensuring engineers can efficiently review and address any highlighted vulnerabilities. 
+ +```md +/******************************************************************************** +name: "Run Trivy scan and upload SARIF" + +on: + workflow_dispatch: + schedule: + - cron: "0 0 * * *" # Once a day + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Pull image from Docker Hub and run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: "tractusx/irs-api:latest" + format: "sarif" + output: "trivy-results.sarif" + vuln-type: "os,library" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" + ********************************************************************************/ + ``` diff --git a/docs/release/trg-8/trg-8-06.md b/docs/release/trg-8/trg-8-06.md deleted file mode 100644 index de40d4a127a..00000000000 --- a/docs/release/trg-8/trg-8-06.md +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -title: TRG 8.06 - SNYK ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 21-Feb-2024 | Initial release | - -## Why - -Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. - -## Description - -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. - -### SNYK - -To integrate SNYK with your GitHub repository, you need to follow these steps: - -- Login to SNYK using your GitHub account -- Go to the Integrations page in your SNYK account and click **Connect to GitHub** -- Grant permissions to SNYK to access your GitHub repositories and authorize the SNYK application -- Choose which repositories you want to test and monitor with SNYK and click **Add selected repositories to SNYK** -- Snyk will scan your repositories for vulnerabilities and provide you with security reports, fix pull requests, and alerts - -To import GitHub Projects: - -- Go to **Settings** -- Go to **GitHub** under **Integrations** -- Click on **Import GitHub Projects** -- Choose project that you want to add -- Click on **Add Selected Repositories** From 8bfa754f99bc6f57363e077751ed49f7cd4e1e9f Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 23 Feb 2024 14:37:39 +0100 Subject: [PATCH 12/84] Update trg-8-00.md --- docs/release/trg-8/trg-8-00.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md index ed51db352da..39a15471625 100644 --- a/docs/release/trg-8/trg-8-00.md +++ b/docs/release/trg-8/trg-8-00.md 
@@ -4,7 +4,7 @@ title: TRG 8.00 - Security Scanning Toolchain | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 23-Feb-2024 | Initial release | +| Active | 26-Feb-2024 | Initial release | ## Why 
@@ -14,6 +14,26 @@ Our primary aim is to improve security and define best practices across the Trac A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. +### Emphasized Guidelines for Optimizing Security GitHub Actions + +Following, here are specific guidelines and best practices for developers: + +1.**Action Failures:** Actions should only fail if there is an error with the Action "Engine" itself or if there is a misconfiguration in the workflow. Failures should not occur based solely on high-severity findings. + +2.**Manual Execution:** Include the on: workflow_dispatch option in all workflows. This allows you to manually trigger workflows whenever necessary. + +3.**Scheduling Workflows:** Workflows should run frequently. Ideally, they should be set to execute once nightly. At a minimum, they should run once per week. Configure the on: schedule option to achieve this frequency. + +4.**Exclusions:** Do not exclude files or directories from scans. If false positives are detected, they can be simply ignored. However, when pushing documentation to the main branch, the workflows do not need to be executed. For such cases, configure the exclude option. + +5.**Pull Requests (PRs):** It's not mandatory for workflows to run with every PR. Nonetheless, the Secret Scan is strongly recommended and deemed sufficient. + +6.**Target Scanning:** Avoid over-scanning. Focusing on scanning the releases and the main branch from which releases are made is adequate. + +7.**Issue Reporting:** Should developers encounter issues during scanning or have questions regarding tool usage, they are encouraged to create an issue in our repository. An appropriate issue template has been provided to streamline this process. 
+ +By adhering to these guidelines, developers can efficiently integrate GitHub actions into their workflow, ensuring optimal security without compromising productivity. + :::caution To pass the quality gates, all **critical**, **high** and **medium** security vulnerabilities **must be mitigated**. From 07e1014e940c8429b6bb18b10c53f2ba0d4b81d6 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 07:11:21 +0100 Subject: [PATCH 13/84] Update trg-8-01.md --- docs/release/trg-8/trg-8-01.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/release/trg-8/trg-8-01.md b/docs/release/trg-8/trg-8-01.md index f86fb2af5fd..e7684e46334 100644 --- a/docs/release/trg-8/trg-8-01.md +++ b/docs/release/trg-8/trg-8-01.md @@ -98,11 +98,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -116,7 +116,7 @@ jobs: # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup. # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -129,7 +129,7 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" ********************************************************************************/ 
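Review bot: In the new "Emphasized Guidelines" list in trg-8-00.md (PATCH 12/84), guideline 4 first says "Do not exclude files or directories from scans" and then tells the reader to "configure the exclude option" for documentation pushes without naming a workflow key; name the trigger filter that is meant (for example `paths-ignore` under `on: push`) so it is not read as a scanner exclusion. Guideline 1 says Actions should not fail on high-severity findings while the caution directly below requires critical, high and medium findings to be mitigated, so the page should say where that gate is enforced if not in the workflow run. The items are written as `1.**Action Failures:**` with no space after the number, which Markdown does not render as an ordered list.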
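Review bot: The bump to `actions/checkout@v4` and `github/codeql-action/...@v3` in the trg-8-01.md workflow (PATCH 13/84) leaves the step descriptions in the same file on `@v3` and `@v2` until PATCH 14/84 corrects them; squash the two commits so the page is consistent at every point in the history. The Trivy workflow added in trg-8-05.md still uploads with `github/codeql-action/upload-sarif@v2`, so the TRG 8 examples end up on two major versions of the same action; bump it in the same change.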
From 3e779d424baad1326200bc566f8a0762adb47e7f Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 07:23:10 +0100 Subject: [PATCH 14/84] Update trg-8-01.md --- docs/release/trg-8/trg-8-01.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release/trg-8/trg-8-01.md b/docs/release/trg-8/trg-8-01.md index e7684e46334..b34c84b99e7 100644 --- a/docs/release/trg-8/trg-8-01.md +++ b/docs/release/trg-8/trg-8-01.md 
@@ -37,11 +37,11 @@ CodeQL supports a broader set of languages including 'cpp', 'csharp', 'go', 'swi ### The CodeQL analysis consists of several steps -- **Repository Checkout**: The repository content is fetched using actions/checkout@v3. +- **Repository Checkout**: The repository content is fetched using actions/checkout@v4. -- **CodeQL Initialization**: The github/codeql-action/init@v2 action initializes the CodeQL tools, setting the target languages and the desired query sets. CodeQL possesses an extensive collection of predefined queries, but developers can specify custom queries if necessary. +- **CodeQL Initialization**: The github/codeql-action/init@v3 action initializes the CodeQL tools, setting the target languages and the desired query sets. CodeQL possesses an extensive collection of predefined queries, but developers can specify custom queries if necessary. -- **Auto-build**: The github/codeql-action/autobuild@v2 action attempts to build any compiled languages. This auto-build feature can occasionally face issues and may fail, especially with complex build processes or non-standard configurations. If an auto-build failure occurs, developers must manually configure the build process within the workflow. An example is provided in the workflow to guide this manual setup. +- **Auto-build**: The github/codeql-action/autobuild@v3 action attempts to build any compiled languages. This auto-build feature can occasionally face issues and may fail, especially with complex build processes or non-standard configurations. If an auto-build failure occurs, developers must manually configure the build process within the workflow. An example is provided in the workflow to guide this manual setup. - **CodeQL Analysis**: Post build, CodeQL performs its analysis, examining the codebase for vulnerabilities and other concerns. Results are categorized based on the language of analysis. From 58905f7e3963e0068000b5d8993c6307921d2e94 Mon Sep 17 00:00:00 2001 
From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 08:19:37 +0100 Subject: [PATCH 15/84] Update trg-8-01.md --- docs/release/trg-8/trg-8-01.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-01.md b/docs/release/trg-8/trg-8-01.md index b34c84b99e7..fd752cca86b 100644 --- a/docs/release/trg-8/trg-8-01.md +++ b/docs/release/trg-8/trg-8-01.md @@ -4,7 +4,7 @@ title: TRG 8.01 - CodeQL | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 23-Feb-2024 | Initial release | +| Active | 26-Feb-2024 | Initial release | ## Why From 6540bbc233fae258d1470f409664e88a344e162a Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 08:19:50 +0100 Subject: [PATCH 16/84] Update trg-8-02.md --- docs/release/trg-8/trg-8-02.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-02.md b/docs/release/trg-8/trg-8-02.md index af0fb6edcd0..ad7da1c626d 100644 --- a/docs/release/trg-8/trg-8-02.md +++ b/docs/release/trg-8/trg-8-02.md @@ -4,7 +4,7 @@ title: TRG 8.02 - SNYK | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 23-Feb-2024 | Initial release | +| Active | 26-Feb-2024 | Initial release | ## Why From 076e242de68630f7a8b42a485c3026f6fcf29edc Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 08:20:08 +0100 Subject: [PATCH 17/84] Update trg-8-04.md --- docs/release/trg-8/trg-8-04.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-04.md b/docs/release/trg-8/trg-8-04.md index 33689165a8a..0a349ac59b4 100644 --- a/docs/release/trg-8/trg-8-04.md +++ b/docs/release/trg-8/trg-8-04.md 
@@ -4,7 +4,7 @@ title: TRG 8.04 - GitGuardian | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 23-Feb-2024 | Initial release | +| Active | 26-Feb-2024 | Initial release | ## Why From 7778f1ff171357bbc0c5acc2866ece5a04e19503 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 08:20:25 +0100 Subject: [PATCH 18/84] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index f6271a3e773..b613cc7224f 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -4,7 +4,7 @@ title: TRG 8.03 - KICS | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 23-Feb-2024 | Initial release | +| Active | 26-Feb-2024 | Initial release | ## Why From 06f3f7cc1cb56ab3ced2117237355d47f64f9375 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 08:22:20 +0100 Subject: [PATCH 19/84] Update trg-8-05.md --- docs/release/trg-8/trg-8-05.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md index 1f64d32975b..d576e947d6f 100644 --- a/docs/release/trg-8/trg-8-05.md +++ b/docs/release/trg-8/trg-8-05.md @@ -4,7 +4,7 @@ title: TRG 8.05 - Trivy | Status | Created | Post-History | |--------|-------------|--------------------------------------| -| Active | 23-Feb-2024 | Initial release | +| Active | 26-Feb-2024 | Initial release | ## Why 
@@ -34,7 +34,7 @@ We recommend always scanning the most recently published image to maintain updat ::: -After the scan, results are then uploaded to the GitHub Security tab via the github/codeql-action/upload-sarif@v2 action, ensuring engineers can efficiently review and address any highlighted vulnerabilities. +After the scan, results are then uploaded to the GitHub Security tab via the github/codeql-action/upload-sarif@v3 action, ensuring engineers can efficiently review and address any highlighted vulnerabilities. ```md /******************************************************************************** @@ -65,7 +65,7 @@ jobs: vuln-type: "os,library" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: "trivy-results.sarif" ********************************************************************************/ From 7a1c81a2fadd7b3b8b5d991d72e9caaff14e0857 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 08:23:44 +0100 Subject: [PATCH 20/84] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index b613cc7224f..3a5abb03c8a 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md 
@@ -36,7 +36,7 @@ KICS is configured to exit with a status code of 0, regardless of the scan resul ::: -Subsequently, the SARIF file, which contains the KICS scan results, is uploaded using the github/codeql-action/upload-sarif@v2 action. This ensures that the findings are made available for review and further analysis in the GitHub environment, aiding engineers in addressing potential vulnerabilities effectively. +Subsequently, the SARIF file, which contains the KICS scan results, is uploaded using the github/codeql-action/upload-sarif@v3 action. This ensures that the findings are made available for review and further analysis in the GitHub environment, aiding engineers in addressing potential vulnerabilities effectively. ```md /******************************************************************************** @@ -63,7 +63,7 @@ jobs: steps: - name: Checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run KICS Scan with SARIF result uses: checkmarx/kics-github-action@v1.7.0 @@ -85,7 +85,7 @@ jobs: disable_secrets: true - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: kicsResults/results.sarif ********************************************************************************/ From 369cd06fab52788d9a77ddd9b6588c131df521b7 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 08:38:00 +0100 Subject: [PATCH 21/84] Update trg-8-00.md --- docs/release/trg-8/trg-8-00.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md index 39a15471625..500872845ca 100644 --- a/docs/release/trg-8/trg-8-00.md +++ b/docs/release/trg-8/trg-8-00.md 
@@ -12,10 +12,16 @@ Our primary aim is to improve security and define best practices across the Trac ## Description -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. +In this document we will provide instructions regarding security tools and GitHub Security tab. ### Emphasized Guidelines for Optimizing Security GitHub Actions +:::info + +These developer-friendly workflows ensure all security findings are directly visible in the **GitHub Security tab**, keeping everything within the familiar GitHub environment. While using these actions is optional, their implementation is strongly recommended as they introduce a foundational level of security into the development process. + +::: + Following, here are specific guidelines and best practices for developers: 1.**Action Failures:** Actions should only fail if there is an error with the Action "Engine" itself or if there is a misconfiguration in the workflow. Failures should not occur based solely on high-severity findings. 
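Review bot: The info block added under "Emphasized Guidelines" says using these actions is optional, while the caution block later in the same file makes mitigation of findings a quality-gate requirement; state how a team that does not run the workflows is expected to show it meets the gate. In the new Description line, "security tools and GitHub Security tab" is missing an article ("the GitHub Security tab"), and the sentence now says less than the definition it replaces, which only reappears further down in the second hunk.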
@@ -37,13 +43,18 @@ By adhering to these guidelines, developers can efficiently integrate GitHub act :::caution To pass the quality gates, all **critical**, **high** and **medium** security vulnerabilities **must be mitigated**. -This generic statement may conflict with [TRG 4.02](/docs/release/trg-4/trg-4-02) base images that apply to containers scans. -The statement from [TRG 4.02](/docs/release/trg-4/trg-4-02) **prevails**. +This generic statement may be in conflict with TRG 4.02 for container scans as TRG 4.02 states that base images should be used as-is.. ::: ## Tools that we’re using +:::info + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +::: + - ### SAST (Static Application Security Testing) Tools analyze source code or compiled binaries to identify potential vulnerabilities From aa22049f0a650b3cfd776712bb6114f3905ef866 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 10:39:51 +0100 Subject: [PATCH 22/84] Update trg-8-00.md --- docs/release/trg-8/trg-8-00.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md index 500872845ca..8d7542881b3 100644 --- a/docs/release/trg-8/trg-8-00.md +++ b/docs/release/trg-8/trg-8-00.md 
@@ -43,7 +43,7 @@ By adhering to these guidelines, developers can efficiently integrate GitHub act :::caution To pass the quality gates, all **critical**, **high** and **medium** security vulnerabilities **must be mitigated**. -This generic statement may be in conflict with TRG 4.02 for container scans as TRG 4.02 states that base images should be used as-is.. +This generic statement may be in conflict with TRG 4.02 for container scans as TRG 4.02 states that base images should be used as-is.The statement from TRG 4.02 **prevails**. ::: From 92a01082fe8ba6c411a579de27b2c4473801416a Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 10:57:25 +0100 Subject: [PATCH 23/84] Update trg-8-00.md --- docs/release/trg-8/trg-8-00.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md index 8d7542881b3..46662c8061d 100644 --- a/docs/release/trg-8/trg-8-00.md +++ b/docs/release/trg-8/trg-8-00.md @@ -42,8 +42,8 @@ By adhering to these guidelines, developers can efficiently integrate GitHub act :::caution -To pass the quality gates, all **critical**, **high** and **medium** security vulnerabilities **must be mitigated**. -This generic statement may be in conflict with TRG 4.02 for container scans as TRG 4.02 states that base images should be used as-is.The statement from TRG 4.02 **prevails**. +To pass the quality gates, all **critical**, **high** security vulnerabilities **must be mitigated**. +This generic statement may be in conflict with TRG 4.02 for container scans as TRG 4.02 states that base images should be used as-is. The statement from TRG 4.02 **prevails**. ::: From a10ccb5cc6c9142fa9be5bd90a6ea024cb493ece Mon Sep 17 00:00:00 2001 
From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Mon, 26 Feb 2024 13:52:24 +0100 Subject: [PATCH 24/84] Update trg-8-00.md --- docs/release/trg-8/trg-8-00.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md index 46662c8061d..ad83dbafaac 100644 --- a/docs/release/trg-8/trg-8-00.md +++ b/docs/release/trg-8/trg-8-00.md @@ -42,7 +42,7 @@ By adhering to these guidelines, developers can efficiently integrate GitHub act :::caution -To pass the quality gates, all **critical**, **high** security vulnerabilities **must be mitigated**. +To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. This generic statement may be in conflict with TRG 4.02 for container scans as TRG 4.02 states that base images should be used as-is. The statement from TRG 4.02 **prevails**. ::: From 97c011802b64511476b6b724e4c741d1dac012e0 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 29 Feb 2024 10:37:52 +0100 Subject: [PATCH 25/84] Update trg-8-00.md --- docs/release/trg-8/trg-8-00.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md index ad83dbafaac..fea394722fc 100644 --- a/docs/release/trg-8/trg-8-00.md +++ b/docs/release/trg-8/trg-8-00.md 
@@ -32,7 +32,7 @@ Following, here are specific guidelines and best practices for developers: 4.**Exclusions:** Do not exclude files or directories from scans. If false positives are detected, they can be simply ignored. However, when pushing documentation to the main branch, the workflows do not need to be executed. For such cases, configure the exclude option. -5.**Pull Requests (PRs):** It's not mandatory for workflows to run with every PR. Nonetheless, the Secret Scan is strongly recommended and deemed sufficient. +5.**Pull Requests (PRs):** Pull Requests (PRs): Running workflows on every PR and push it optional. Nonetheless, the Secret Scan is strongly recommended and deemed sufficient. 6.**Target Scanning:** Avoid over-scanning. Focusing on scanning the releases and the main branch from which releases are made is adequate. @@ -51,7 +51,7 @@ This generic statement may be in conflict with TRG 4.02 for container scans as T :::info -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. ::: From 51c3d810cba20423773c961fd94445f463ec944e Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 29 Feb 2024 13:42:52 +0100 Subject: [PATCH 26/84] Update trg-8-05.md --- docs/release/trg-8/trg-8-05.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md index d576e947d6f..93f2605de28 100644 --- a/docs/release/trg-8/trg-8-05.md +++ b/docs/release/trg-8/trg-8-05.md 
@@ -36,14 +36,25 @@ We recommend always scanning the most recently published image to maintain updat After the scan, results are then uploaded to the GitHub Security tab via the github/codeql-action/upload-sarif@v3 action, ensuring engineers can efficiently review and address any highlighted vulnerabilities. +:::info + +We recommend for workflow to run with PR and push. Schedule can be set up once per week. + +::: + ```md /******************************************************************************** name: "Run Trivy scan and upload SARIF" on: - workflow_dispatch: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] schedule: - cron: "0 0 * * *" # Once a day + workflow_dispatch: jobs: analyze: From c332531a3e96cde99f9790e2fbd875471493d0ca Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 29 Feb 2024 13:47:57 +0100 Subject: [PATCH 27/84] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index 3a5abb03c8a..cfc357245f6 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -38,6 +38,12 @@ KICS is configured to exit with a status code of 0, regardless of the scan resul Subsequently, the SARIF file, which contains the KICS scan results, is uploaded using the github/codeql-action/upload-sarif@v3 action. This ensures that the findings are made available for review and further analysis in the GitHub environment, aiding engineers in addressing potential vulnerabilities effectively. +:::info + +We recommend for workflow to run with push. Schedule can be set up daily or once per week. + +::: + ```md /******************************************************************************** name: Run KICS scan and upload SARIF From 6c75967fd74525738c7e10cabbe6954b9f5d2730 Mon Sep 17 00:00:00 2001 
From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 29 Feb 2024 13:48:21 +0100 Subject: [PATCH 28/84] Update trg-8-05.md --- docs/release/trg-8/trg-8-05.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md index 93f2605de28..15f952b4bb0 100644 --- a/docs/release/trg-8/trg-8-05.md +++ b/docs/release/trg-8/trg-8-05.md @@ -38,7 +38,7 @@ After the scan, results are then uploaded to the GitHub Security tab via the git :::info -We recommend for workflow to run with PR and push. Schedule can be set up once per week. +We recommend for workflow to run with PR and push. Schedule can be set up daily or once per week. ::: From b44cd12227728e9057f68c243e13f0d8992e3a5d Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 29 Feb 2024 13:55:31 +0100 Subject: [PATCH 29/84] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index cfc357245f6..1e244dea01d 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -40,7 +40,7 @@ Subsequently, the SARIF file, which contains the KICS scan results, is uploaded :::info -We recommend for workflow to run with push. Schedule can be set up daily or once per week. +We recommend for workflow to run with push. Schedule can be set up nightly or once per week. ::: From 1ae0a02dec6a68b666f78525b700309e79b3d029 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 29 Feb 2024 13:55:47 +0100 Subject: [PATCH 30/84] Update trg-8-05.md --- docs/release/trg-8/trg-8-05.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md index 15f952b4bb0..3fd148595ce 100644 --- a/docs/release/trg-8/trg-8-05.md 
+++ b/docs/release/trg-8/trg-8-05.md @@ -38,7 +38,7 @@ After the scan, results are then uploaded to the GitHub Security tab via the git :::info -We recommend for workflow to run with PR and push. Schedule can be set up daily or once per week. +We recommend for workflow to run with PR and push. Schedule can be set up nightly or once per week. ::: From 358fc049b53e5e82c337977ac8357d9d3f873ec3 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 29 Feb 2024 14:05:54 +0100 Subject: [PATCH 31/84] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index 1e244dea01d..b33c9d2aee8 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -26,7 +26,7 @@ When a push is made to the main branch or once daily (based on a CRON schedule), ::: -The job runs on the latest Ubuntu and requires permissions for reading actions and content, as well as writing security events. Upon initiation, the repository is checked out using the actions/checkout@v3 action. +The job runs on the latest Ubuntu and requires permissions for reading actions and content, as well as writing security events. Upon initiation, the repository is checked out using the actions/checkout@v4 action. The primary action involves running the KICS scan, which leverages the checkmarx/kics-github-action@v1.7.0. The scan focuses on the root directory, and the results are outputted in the SARIF format, stored in the kicsResults/ directory. From 3a42ef3cc5bace36ebacc2ee6b02365ec7e8e048 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 1 Mar 2024 10:31:36 +0100 Subject: [PATCH 32/84] Update trg-8-00.md --- docs/release/trg-8/trg-8-00.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md index fea394722fc..38fe6a02cb0 100644 --- a/docs/release/trg-8/trg-8-00.md +++ b/docs/release/trg-8/trg-8-00.md @@ -32,11 +32,9 @@ Following, here are specific guidelines and best practices for developers: 4.**Exclusions:** Do not exclude files or directories from scans. If false positives are detected, they can be simply ignored. However, when pushing documentation to the main branch, the workflows do not need to be executed. For such cases, configure the exclude option. -5.**Pull Requests (PRs):** Pull Requests (PRs): Running workflows on every PR and push it optional. Nonetheless, the Secret Scan is strongly recommended and deemed sufficient. +5.**Target Scanning:** Avoid over-scanning. Focusing on scanning the releases and the main branch from which releases are made is adequate. -6.**Target Scanning:** Avoid over-scanning. Focusing on scanning the releases and the main branch from which releases are made is adequate. - -7.**Issue Reporting:** Should developers encounter issues during scanning or have questions regarding tool usage, they are encouraged to create an issue in our repository. An appropriate issue template has been provided to streamline this process. +6.**Issue Reporting:** Should developers encounter issues during scanning or have questions regarding tool usage, they are encouraged to create an issue in our repository. An appropriate issue template has been provided to streamline this process. By adhering to these guidelines, developers can efficiently integrate GitHub actions into their workflow, ensuring optimal security without compromising productivity. From 7d1b949aa0162eca9773b34908491cf150413544 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 1 Mar 2024 10:33:46 +0100 Subject: [PATCH 33/84] Update trg-8-01.md --- docs/release/trg-8/trg-8-01.md | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/docs/release/trg-8/trg-8-01.md b/docs/release/trg-8/trg-8-01.md index fd752cca86b..3e3bbb0a0e0 100644 --- a/docs/release/trg-8/trg-8-01.md +++ b/docs/release/trg-8/trg-8-01.md @@ -47,6 +47,12 @@ CodeQL supports a broader set of languages including 'cpp', 'csharp', 'go', 'swi In the provided CodeQL workflow, specific queries are used to enhance security analysis: +security-extended,security-and-quality. The + symbol ensures that these queries are added to the default set, allowing for a comprehensive security analysis. Developers should be aware of these configured queries as they focus on identifying a broad range of vulnerabilities, ensuring robust code security and quality. +:::info + +For CodeQL we recommend for workflow to run with PR and push. Schedule can be set up nightly or once per week,depends on each team capacity. + +::: + ```md /******************************************************************************** # For most projects, this workflow file will not need changing; you simply need From 59b8517650e9e11f4094142571c83f2201a9efc1 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 1 Mar 2024 10:35:36 +0100 Subject: [PATCH 34/84] Update trg-8-03.md --- docs/release/trg-8/trg-8-03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md index b33c9d2aee8..ab0db19c08e 100644 --- a/docs/release/trg-8/trg-8-03.md +++ b/docs/release/trg-8/trg-8-03.md @@ -40,7 +40,7 @@ Subsequently, the SARIF file, which contains the KICS scan results, is uploaded :::info -We recommend for workflow to run with push. Schedule can be set up nightly or once per week. +For KICS we recommend for workflow to run with push. Schedule can be set up nightly or once per week, depends on each team capacity. ::: From c64d434bb41e713f0e61689ca68f3e53dd90e174 Mon Sep 17 00:00:00 2001 
From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 1 Mar 2024 10:35:58 +0100 Subject: [PATCH 35/84] Update trg-8-01.md --- docs/release/trg-8/trg-8-01.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-01.md b/docs/release/trg-8/trg-8-01.md index 3e3bbb0a0e0..8a703158a58 100644 --- a/docs/release/trg-8/trg-8-01.md +++ b/docs/release/trg-8/trg-8-01.md @@ -49,7 +49,7 @@ In the provided CodeQL workflow, specific queries are used to enhance security a :::info -For CodeQL we recommend for workflow to run with PR and push. Schedule can be set up nightly or once per week,depends on each team capacity. +For CodeQL we recommend for workflow to run with PR and push. Schedule can be set up nightly or once per week, depends on each team capacity. ::: From 491cb5cc78f6b270c37847177a3ebb061b35dbb5 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 1 Mar 2024 10:36:44 +0100 Subject: [PATCH 36/84] Update trg-8-05.md --- docs/release/trg-8/trg-8-05.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md index 3fd148595ce..2d88e941a1f 100644 --- a/docs/release/trg-8/trg-8-05.md +++ b/docs/release/trg-8/trg-8-05.md @@ -38,7 +38,7 @@ After the scan, results are then uploaded to the GitHub Security tab via the git :::info -We recommend for workflow to run with PR and push. Schedule can be set up nightly or once per week. +For Trivy we recommend for workflow to run with push. Schedule can be set up nightly or once per week,depends on each team capacity. ::: From 8b8a49ff5677db65edd8993b0819f725ad47de5f Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Fri, 1 Mar 2024 10:39:51 +0100 Subject: [PATCH 37/84] Update trg-8-05.md --- docs/release/trg-8/trg-8-05.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md index 2d88e941a1f..c547c4ad45b 100644 --- a/docs/release/trg-8/trg-8-05.md +++ b/docs/release/trg-8/trg-8-05.md @@ -38,7 +38,7 @@ After the scan, results are then uploaded to the GitHub Security tab via the git :::info -For Trivy we recommend for workflow to run with push. Schedule can be set up nightly or once per week,depends on each team capacity. +For Trivy we recommend for workflow to run with PR and push. Schedule can be set up nightly or once per week, depends on each team capacity. ::: From d613aceb733481d91c9dd46b63f400355d3cba11 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 12:38:19 +0100 Subject: [PATCH 38/84] docs: delete docs/release/trg-8/trg-8-00.md No value. --- docs/release/trg-8/trg-8-00.md | 91 ---------------------------------- 1 file changed, 91 deletions(-) delete mode 100644 docs/release/trg-8/trg-8-00.md diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md deleted file mode 100644 index 38fe6a02cb0..00000000000 --- a/docs/release/trg-8/trg-8-00.md +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -title: TRG 8.00 - Security Scanning Toolchain ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 26-Feb-2024 | Initial release | - -## Why - -Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. - -## Description - -In this document we will provide instructions regarding security tools and GitHub Security tab. - -### Emphasized Guidelines for Optimizing Security GitHub Actions - -:::info - -These developer-friendly workflows ensure all security findings are directly visible in the **GitHub Security tab**, keeping everything within the familiar GitHub environment. While using these actions is optional, their implementation is strongly recommended as they introduce a foundational level of security into the development process. - -::: - -Following, here are specific guidelines and best practices for developers: - -1.**Action Failures:** Actions should only fail if there is an error with the Action "Engine" itself or if there is a misconfiguration in the workflow. Failures should not occur based solely on high-severity findings. - -2.**Manual Execution:** Include the on: workflow_dispatch option in all workflows. This allows you to manually trigger workflows whenever necessary. - -3.**Scheduling Workflows:** Workflows should run frequently. Ideally, they should be set to execute once nightly. At a minimum, they should run once per week. Configure the on: schedule option to achieve this frequency. - -4.**Exclusions:** Do not exclude files or directories from scans. If false positives are detected, they can be simply ignored. However, when pushing documentation to the main branch, the workflows do not need to be executed. For such cases, configure the exclude option. - -5.**Target Scanning:** Avoid over-scanning. Focusing on scanning the releases and the main branch from which releases are made is adequate. 
- -6.**Issue Reporting:** Should developers encounter issues during scanning or have questions regarding tool usage, they are encouraged to create an issue in our repository. An appropriate issue template has been provided to streamline this process. - -By adhering to these guidelines, developers can efficiently integrate GitHub actions into their workflow, ensuring optimal security without compromising productivity. - -:::caution - -To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. -This generic statement may be in conflict with TRG 4.02 for container scans as TRG 4.02 states that base images should be used as-is. The statement from TRG 4.02 **prevails**. - -::: - -## Tools that we’re using - -:::info - -A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. - -::: - -- ### SAST (Static Application Security Testing) - -Tools analyze source code or compiled binaries to identify potential vulnerabilities - -**Open-Source**: [CodeQL](/docs/release/trg-8/trg-8-01), [Snyk](/docs/release/trg-8/trg-8-02) - -- ### SCA (Software Composition Analysis) - -Tools examine the software components - -**Open-Source**: [Snyk](/docs/release/trg-8/trg-8-02) - -- ### IaC (Infrastructure as Code) - -Tools that check the configuration files that define the infrastructure components of an application - -**Open-Source**: [KICS](/docs/release/trg-8/trg-8-03), [Snyk](/docs/release/trg-8/trg-8-02) - -- ### Secret Scanning - -Tools designed to search for and identify sensitive information, known as secrets, within code repositories - -**Open-Source**: [GitGuardian](/docs/release/trg-8/trg-8-04) - -- ### Container Scanner - -Tools that scan the container images and the running containers - -**Open-Source**: [Trivy](/docs/release/trg-8/trg-8-05), [Snyk](/docs/release/trg-8/trg-8-02) - -:::tip - -Security is not a one-time activity, but a continuous 
process that requires constant attention and improvement. -Even if you cannot perform a full **security assessment** for each product every release, you should at least follow basic security practices. - -::: From 1f66c5646991082ea80dbfd67194d0272351d3f2 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 12:39:00 +0100 Subject: [PATCH 39/84] docs: delete docs/release/trg-8/trg-8-02.md Just overhead, no additional value --- docs/release/trg-8/trg-8-02.md | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 docs/release/trg-8/trg-8-02.md diff --git a/docs/release/trg-8/trg-8-02.md b/docs/release/trg-8/trg-8-02.md deleted file mode 100644 index ad7da1c626d..00000000000 --- a/docs/release/trg-8/trg-8-02.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -title: TRG 8.02 - SNYK ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 26-Feb-2024 | Initial release | - -## Why - -**SNYK** provides actionable insights and guidance on how to fix vulnerabilities, making it easy for developers to understand and address security concerns. - -:::caution - -It can be set up **only by Security Team**, so please contact us by creating an issue on GitHub. - -::: - -## Description - -To integrate SNYK with your GitHub repository, you need to follow these steps: - -- Login to SNYK using your GitHub account -- Go to the Integrations page in your SNYK account and click **Connect to GitHub** -- Grant permissions to SNYK to access your GitHub repositories and authorize the SNYK application -- Choose which repositories you want to test and monitor with SNYK and click **Add selected repositories to SNYK** -- Snyk will scan your repositories for vulnerabilities and provide you with security reports, fix pull requests, and alerts From c708ac051121160754062b8062a4b7915483285f Mon Sep 17 00:00:00 2001 
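Review bot: Deleting `trg-8-00.md` (PATCH 38/84) removes the `:::caution` block, which says that all critical and high vulnerabilities must be mitigated to pass the quality gates and that TRG 4.02 prevails for container scans. It also removes the six workflow guidelines, and the commit message ("No value.") does not say where these rules live now. If they still apply, move them to a page that stays or name the replacement page in the commit message. The per-tool pages added later in this series restate the triggers and the handling of findings, but not the TRG 4.02 precedence rule.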
From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 21:41:11 +0100 Subject: [PATCH 40/84] docs: create trg-8-01.md --- docs/release/trg-0/trg-8-01.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 docs/release/trg-0/trg-8-01.md diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/docs/release/trg-0/trg-8-01.md @@ -0,0 +1 @@ + From 5ae780b45cd6a25debde09cd95087b3156981ee6 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 22:43:02 +0100 Subject: [PATCH 41/84] docs: add codeql workflow description --- docs/release/trg-0/trg-8-01.md | 103 +++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index 8b137891791..f71984478a5 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md 
@@ -1 +1,104 @@ +--- +title: TRG 8.01 - CodeQL +--- +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Draft | 01-Mar-2024 | Draft release | + +## Why + +CodeQL is a core SAST tool due to its ability to perform deep code introspection, identifying potential security vulnerabilities and code quality concerns. + +## Description + +Use CodeQL for all repos with classic code (e.g., C#, Java) without exception. Do not use it for documentation-only or pure IaC repos; it's intended solely for analyzing classic code vulnerabilities. Exclude files as necessary. + +Ensure to set up the following triggers in your GitHub Actions configuration: + +- `workflow_dispatch`: Enables manual workflow execution through GitHub's interface. +- `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. +- `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the `main` branch. This is the branch from which new releases will be made. + +Findings are displayed in the GitHub Advanced Security Dashboard of the repo. _If high/critical findings are dismissed as non-exploitable or false positives, justification must be included_ in the vulnerability alert. +High and critical severity findings _must_ be addressed within 30 days. We strongly _recommend_ addressing the medium severity findings as well. + +Configure the language of your code and the build settings at the specified places within the workflow. The example workflow below includes comments describing where these adjustments can be made. 
+ +Example CodeQL workflow: + +```yml +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "`0 0 * * 0" + workflow_dispatch: + +jobs: + analyze: + name: Analyze + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners + # Consider using larger runners for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["java"] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # Use +security-extended,security-and-quality for wider security and better code quality. + queries: +security-extended,security-and-quality + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). + # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup. + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" +``` From f36ad755f319d1e42d163cf4fea6955107af5653 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 22:44:36 +0100 Subject: [PATCH 42/84] docs: better why for codeql --- docs/release/trg-0/trg-8-01.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index f71984478a5..07611ece06e 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md 
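Review bot: The `schedule` trigger of the CodeQL workflow added in PATCH 41/84 has a stray backtick inside the cron string (`"` followed by a backtick and then `0 0 * * 0"`), so the value is not a valid cron expression and the weekly run the text requires would not be scheduled. It should read `cron: "0 0 * * 0"`. Two smaller points in the same patch: the page is created under `docs/release/trg-0/` although it is a TRG 8 page and the earlier files live under `docs/release/trg-8/`, and the build comment says "please refer to the EXAMPLE below" although no example follows the commented `run:` step.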
@@ -8,7 +8,7 @@ title: TRG 8.01 - CodeQL ## Why -CodeQL is a core SAST tool due to its ability to perform deep code introspection, identifying potential security vulnerabilities and code quality concerns. +Use CodeQL for deep, static code analysis to identify vulnerabilities and improve code quality across a wide range of programming languages. ## Description From 20f5a705b8b42322234a529588ad5512e9bc1ba0 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 22:51:39 +0100 Subject: [PATCH 43/84] docs: small textual adjustments --- docs/release/trg-0/trg-8-01.md | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index 07611ece06e..fc5371ccd7f 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md 
@@ -14,16 +14,15 @@ Use CodeQL for deep, static code analysis to identify vulnerabilities and improv Use CodeQL for all repos with classic code (e.g., C#, Java) without exception. Do not use it for documentation-only or pure IaC repos; it's intended solely for analyzing classic code vulnerabilities. Exclude files as necessary. -Ensure to set up the following triggers in your GitHub Actions configuration: +The GitHub Actions configuration must include the following triggers: -- `workflow_dispatch`: Enables manual workflow execution through GitHub's interface. +- `workflow_dispatch`: Manual workflow execution. - `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. - `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the `main` branch. This is the branch from which new releases will be made. -Findings are displayed in the GitHub Advanced Security Dashboard of the repo. _If high/critical findings are dismissed as non-exploitable or false positives, justification must be included_ in the vulnerability alert. -High and critical severity findings _must_ be addressed within 30 days. We strongly _recommend_ addressing the medium severity findings as well. +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/critical findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high and critical severity findings within 30 days; addressing medium severity findings is strongly recommended. -Configure the language of your code and the build settings at the specified places within the workflow. The example workflow below includes comments describing where these adjustments can be made. +Adjust your code's language and build settings as indicated within the workflow comments. Example CodeQL workflow: 
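Review bot: The rewritten findings paragraph changes the rule rather than only shortening it. The new sentence "Dismiss high/critical findings as non-exploitable or false positives with required justification" reads as an instruction to dismiss findings, where the removed line was conditional ("If high/critical findings are dismissed ..., justification must be included"). The explicit _must_ on the 30-day deadline has also become a plain imperative. Suggest keeping the conditional, for example "If a high/critical finding is dismissed as non-exploitable or a false positive, the justification must be recorded in the vulnerability alert", and keeping "must" for the deadline so that the requirement level stays unambiguous.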
@@ -43,13 +42,8 @@ on: jobs: analyze: name: Analyze - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + runs-on: ubuntu-latest + timeout-minutes: 360 permissions: actions: read contents: read @@ -58,7 +52,7 @@ jobs: strategy: fail-fast: false matrix: - language: ["java"] + language: ["java"] # Define languages here. # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] # Use only 'java' to analyze code written in Java, Kotlin or both # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both From 1589198b32c84dac2204e5484e9274a6daaeaab9 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 23:09:48 +0100 Subject: [PATCH 44/84] docs: add trg-8-03 on kics --- docs/release/trg-0/trg-8-03.md | 74 ++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 docs/release/trg-0/trg-8-03.md diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md new file mode 100644 index 00000000000..6c7b88508f3 --- /dev/null +++ b/docs/release/trg-0/trg-8-03.md 
@@ -0,0 +1,74 @@ +--- +title: TRG 8.03 - KICS +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Draft | 01-Mar-2024 | Draft release | + +## Why + +KICS is deployed for comprehensive scanning of Infrastructure as Code (IaC) files, ensuring secure and best-practice configurations across various IaC frameworks. + +## Description + +KICS is essential for repositories exclusively containing Infrastructure as Code (IaC) files, such as Terraform, CloudFormation, Kubernetes, GitHub Actions, and Helm charts. It's not applicable to traditional programming languages or documentation-only repositories. Exclude non-IaC files as necessary. + +Configure your GitHub Actions to include: + +- `workflow_dispatch`: Allows manual workflow initiation. +- `schedule`: Executes the workflow weekly with 0 0 * * 0. +- `push` and `pull_request`: Targets the branch that holds the IaC files intended for current deployments, which might not always be the main branch. + +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/critical findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high and critical severity findings within 30 days; addressing medium severity findings is strongly recommended. + +Example KICS workflow: + +```yml +name: KICS + +on: + push: + branches: ["main"] + paths-ignore: + - "**/*.md" + - "**/*.txt" + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + paths-ignore: + - "**/*.md" + - "**/*.txt" + schedule: + - cron: "`0 0 * * 0" + workflow_dispatch: + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repo + uses: actions/checkout@v3 + + - name: Run KICS Scan with SARIF result + uses: checkmarx/kics-github-action@v1.7.0 + with: + path: "." # Scanning directory . 
+ output_path: kicsResults/ # Output path for SARIF results + output_formats: "sarif" # Output format + ignore_on_exit: results # Ignore the results and return exit status code 0 unless a KICS engine error happens + # exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" # Exclude paths or files from scan + # exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e # Exclude accepted queries from the build + disable_secrets: true # No secret scanning + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: kicsResults/results.sarif +``` From d36836a2ae227d485185cb1716da838ad04ee244 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 23:12:57 +0100 Subject: [PATCH 45/84] docs: add paths ignore to codeql workflow --- docs/release/trg-0/trg-8-01.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index fc5371ccd7f..97c5234a018 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md @@ -32,9 +32,15 @@ name: "CodeQL" on: push: branches: ["main"] + paths-ignore: + - "**/*.md" + - "**/*.txt" pull_request: # The branches below must be a subset of the branches above branches: ["main"] + paths-ignore: + - "**/*.md" + - "**/*.txt" schedule: - cron: "`0 0 * * 0" workflow_dispatch: From f88c5c81afbea40b9b1e5bd169420100511f4e17 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 23:17:16 +0100 Subject: [PATCH 46/84] docs: emphasize code --- docs/release/trg-0/trg-8-03.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index 6c7b88508f3..fa1d57c1e43 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md 
@@ -17,8 +17,8 @@ KICS is essential for repositories exclusively containing Infrastructure as Code Configure your GitHub Actions to include: - `workflow_dispatch`: Allows manual workflow initiation. -- `schedule`: Executes the workflow weekly with 0 0 * * 0. -- `push` and `pull_request`: Targets the branch that holds the IaC files intended for current deployments, which might not always be the main branch. +- `schedule`: Executes the workflow weekly with `0 0 * * 0`. +- `push` and `pull_request`: Targets the branch that holds the IaC files intended for current deployments, which might not always be the `main` branch. Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/critical findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high and critical severity findings within 30 days; addressing medium severity findings is strongly recommended. From 5217ab7dc013d583805fee3541fb199cc4671e76 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 23:25:00 +0100 Subject: [PATCH 47/84] docs: update codeql version --- docs/release/trg-0/trg-8-01.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index 97c5234a018..b2b24fc076f 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md @@ -98,7 +98,7 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" ``` From 2e425e350f7dfc6c71c96acdbcc133fe51ac8fb6 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 1 Mar 2024 23:29:49 +0100 Subject: [PATCH 48/84] docs: fail / exit strategy for kics --- docs/release/trg-0/trg-8-03.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index fa1d57c1e43..4361bf376f2 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md @@ -63,6 +63,7 @@ jobs: output_path: kicsResults/ # Output path for SARIF results output_formats: "sarif" # Output format ignore_on_exit: results # Ignore the results and return exit status code 0 unless a KICS engine error happens + # fail_on: high # If want your pipeline just to fail on high severity results and KICS engine execution errors # exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" # Exclude paths or files from scan # exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e # Exclude accepted queries from the build disable_secrets: true # No secret scanning From d835bc3e523c6364ae4bd30d7d5e8630dac4c688 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Sat, 2 Mar 2024 11:52:06 +0100 Subject: [PATCH 49/84] docs: correct cron job --- docs/release/trg-0/trg-8-03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index 4361bf376f2..d1e8da9ea0d 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md @@ -40,7 +40,7 @@ on: - "**/*.md" - "**/*.txt" schedule: - - cron: "`0 0 * * 0" + - cron: "0 0 * * 0" workflow_dispatch: jobs: From 23afbc76678727002360f00c957efb7d237b838b Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Sat, 2 Mar 2024 11:52:48 +0100 Subject: [PATCH 50/84] docs: correct schedule --- docs/release/trg-0/trg-8-01.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index b2b24fc076f..bf8efee056f 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md 
@@ -42,7 +42,7 @@ on: - "**/*.md" - "**/*.txt" schedule: - - cron: "`0 0 * * 0" + - cron: "0 0 * * 0" workflow_dispatch: jobs: From cbf234b3e8158c58111b64a2cc303a51ef08c34c Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Sat, 2 Mar 2024 11:58:08 +0100 Subject: [PATCH 51/84] docs: correct grammar --- docs/release/trg-0/trg-8-03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index d1e8da9ea0d..92c81e911cc 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md @@ -63,7 +63,7 @@ jobs: output_path: kicsResults/ # Output path for SARIF results output_formats: "sarif" # Output format ignore_on_exit: results # Ignore the results and return exit status code 0 unless a KICS engine error happens - # fail_on: high # If want your pipeline just to fail on high severity results and KICS engine execution errors + # fail_on: high # If you want your pipeline to fail only on high severity results and KICS engine execution errors # exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" # Exclude paths or files from scan # exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e # Exclude accepted queries from the build disable_secrets: true # No secret scanning From 7dba489374b018e4c9b3911ffca7b35283d4441e Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Sat, 2 Mar 2024 12:00:20 +0100 Subject: [PATCH 52/84] docs: correct grammar on comments --- docs/release/trg-0/trg-8-01.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index bf8efee056f..e02bc0936a1 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md 
@@ -58,7 +58,7 @@ jobs: strategy: fail-fast: false matrix: - language: ["java"] # Define languages here. + language: ["java"] # Define languages here # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] # Use only 'java' to analyze code written in Java, Kotlin or both # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both @@ -73,16 +73,16 @@ jobs: uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. + # If you wish to specify custom queries, you can do so here or in a config file + # By default, queries listed here will override any specified in a config file + # Prefix the list here with "+" to use these queries and those in the config file # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # Use +security-extended,security-and-quality for wider security and better code quality. + # Use +security-extended,security-and-quality for wider security and better code quality queries: +security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup. + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift) + # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@v2 
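Review bot: The context lines of this hunk still reference `github/codeql-action/init@v2` and `github/codeql-action/autobuild@v2`, while PATCH 47/84 ("update codeql version") moved only `analyze` to `@v3`. The three steps are parts of one action and should be on the same major version. Update `init` and `autobuild` together with this comment cleanup, or in a follow-up before the example is published.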
@@ -90,8 +90,7 @@ jobs: # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + # If the Autobuild fails above, remove it and uncomment the following three lines modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance # - run: | # echo "Run, Build Application using script" From c4078ca69647a13dece3a7fc498075e957604c05 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Sat, 2 Mar 2024 14:54:06 +0100 Subject: [PATCH 53/84] docs: codeql fail on error --- docs/release/trg-0/trg-8-01.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index e02bc0936a1..3da18b59f8d 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md 
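Review bot: Joining the two comment lines into one in the `@@ -90,8 +90,7 @@` hunk of PATCH 52/84 leaves a run-on ("uncomment the following three lines modify them (or add more) to build your code if your project, please refer to the EXAMPLE below"), which is harder to read than what it replaces under a commit titled "correct grammar on comments". Suggest two short sentences: one telling the reader to remove Autobuild and uncomment the `run:` block, one telling them to adapt it to the project's build. Drop the reference to an "EXAMPLE below", since none exists in the workflow.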
@@ -20,7 +20,7 @@ The GitHub Actions configuration must include the following triggers: - `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. - `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the `main` branch. This is the branch from which new releases will be made. -Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/critical findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high and critical severity findings within 30 days; addressing medium severity findings is strongly recommended. +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/critical findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high and error severity findings within 30 days; addressing medium severity findings is strongly recommended. Adjust your code's language and build settings as indicated within the workflow comments. @@ -100,4 +100,5 @@ jobs: uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" + fail-on: error ``` From ee7280a7af6bb588ac7e6aa8389700d00871f255 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Sat, 2 Mar 2024 14:55:03 +0100 Subject: [PATCH 54/84] docs: kics fail on error --- docs/release/trg-0/trg-8-03.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index 92c81e911cc..615ad3eb9aa 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md 
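Review bot: The `fail-on: error` line added under `with:` of the `github/codeql-action/analyze` step in PATCH 53/84 needs checking against the inputs that action actually declares. Nothing in this series shows `analyze` accepting it, and GitHub Actions only emits a warning for an input an action does not declare, so a wrong name would leave the gate silently inactive while the page tells readers it is enforced. Please link the action's documentation for this input in the workflow comment or remove the line. The change also reverses the guideline deleted in PATCH 38/84 ("Failures should not occur based solely on high-severity findings") without saying so in the commit message.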
@@ -20,7 +20,7 @@ Configure your GitHub Actions to include: - `schedule`: Executes the workflow weekly with `0 0 * * 0`. - `push` and `pull_request`: Targets the branch that holds the IaC files intended for current deployments, which might not always be the `main` branch. -Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/critical findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high and critical severity findings within 30 days; addressing medium severity findings is strongly recommended. +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/critical findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high and error severity findings within 30 days; addressing medium severity findings is strongly recommended. Example KICS workflow: @@ -62,8 +62,8 @@ jobs: path: "." # Scanning directory . output_path: kicsResults/ # Output path for SARIF results output_formats: "sarif" # Output format - ignore_on_exit: results # Ignore the results and return exit status code 0 unless a KICS engine error happens - # fail_on: high # If you want your pipeline to fail only on high severity results and KICS engine execution errors + # ignore_on_exit: results # Ignore the results and return exit status code 0 unless a KICS engine error happens + fail_on: high # If you want your pipeline to fail only on high severity results and KICS engine execution errors # exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" # Exclude paths or files from scan # exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e # Exclude accepted queries from the build disable_secrets: true # No secret scanning From 25b350bb46d04ba6ed474e9be26d0d266e59e172 Mon Sep 17 00:00:00 2001 
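Review bot: Enabling `fail_on: high` and commenting out `ignore_on_exit: results` in the KICS step (PATCH 54/84) makes that step exit non-zero when high severity results exist, and the following "Upload SARIF file" step from PATCH 44/84 has no `if:` condition, so it is skipped in exactly the runs that have something to report. The findings then never reach the Security tab the page points readers to. Either keep `ignore_on_exit: results`, or add `if: always()` to the upload step. The subject line also says "fail on error" while the value set is `high`.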
From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Sat, 2 Mar 2024 14:56:27 +0100 Subject: [PATCH 55/84] docs: take care of error severity findings --- docs/release/trg-0/trg-8-01.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index 3da18b59f8d..516dc06a812 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md @@ -20,7 +20,7 @@ The GitHub Actions configuration must include the following triggers: - `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. - `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the `main` branch. This is the branch from which new releases will be made. -Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/critical findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high and error severity findings within 30 days; addressing medium severity findings is strongly recommended. +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. Adjust your code's language and build settings as indicated within the workflow comments. From d7dbefbc92cca59c23eb20e92be8f5d856c0c8fb Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Sat, 2 Mar 2024 14:57:59 +0100 Subject: [PATCH 56/84] docs: fix error and high severity findings --- docs/release/trg-0/trg-8-03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
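Review bot: After PATCH 55/84 the findings paragraph names "high/error" findings for dismissal but only "high severity findings" for the 30-day deadline, so error severity findings (and the "critical" level used before PATCH 53/84) no longer have a stated remediation time. If that is intended, say so. Otherwise use one severity vocabulary in both sentences and list every level the deadline applies to. The same wording is copied into the KICS page by PATCH 56/84.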
diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index 615ad3eb9aa..e286a5145f8 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md @@ -20,7 +20,7 @@ Configure your GitHub Actions to include: - `schedule`: Executes the workflow weekly with `0 0 * * 0`. - `push` and `pull_request`: Targets the branch that holds the IaC files intended for current deployments, which might not always be the `main` branch. -Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/critical findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high and error severity findings within 30 days; addressing medium severity findings is strongly recommended. +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. Example KICS workflow: From f951d20b49c77d1a3f056f81a5154c0070d6c003 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 01:01:45 +0100 Subject: [PATCH 57/84] docs: kics failure condition --- docs/release/trg-0/trg-8-03.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index e286a5145f8..6efc652e122 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md 
@@ -22,6 +22,8 @@ Configure your GitHub Actions to include: Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. +Teams are given the freedom to integrate failure conditions (`fail_on`) for high severity issues into their workflow as they see fit. + Example KICS workflow: ```yml From f9bf291d57a6f0339d2ad4fb494ba5f1388e1682 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 01:02:55 +0100 Subject: [PATCH 58/84] docs: failure condition codeql --- docs/release/trg-0/trg-8-01.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index 516dc06a812..4ce8097ef0b 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md @@ -22,6 +22,8 @@ The GitHub Actions configuration must include the following triggers: Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. +Teams are given the freedom to integrate failure conditions (`fail-on`) for high severity issues into their workflow as they see fit. + Adjust your code's language and build settings as indicated within the workflow comments. Example CodeQL workflow: From 174bce09865dfa4bdac94947572dafdbe444e2ec Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 01:20:12 +0100 Subject: [PATCH 59/84] docs: schedule kics --- docs/release/trg-0/trg-8-03.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index 6efc652e122..0fa06801302 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md @@ -16,8 +16,8 @@ KICS is essential for repositories exclusively containing Infrastructure as Code Configure your GitHub Actions to include: -- `workflow_dispatch`: Allows manual workflow initiation. -- `schedule`: Executes the workflow weekly with `0 0 * * 0`. +- `workflow_dispatch`: Manual workflow execution. +- `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. - `push` and `pull_request`: Targets the branch that holds the IaC files intended for current deployments, which might not always be the `main` branch. Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. From 8d48374a96853119ec13f7b4ee589192e9b84e8e Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 15:06:20 +0100 Subject: [PATCH 60/84] docs: update trg-8-01.md --- docs/release/trg-0/trg-8-01.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index 4ce8097ef0b..d394075e6a4 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md 
@@ -22,7 +22,7 @@ The GitHub Actions configuration must include the following triggers: Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. -Teams are given the freedom to integrate failure conditions (`fail-on`) for high severity issues into their workflow as they see fit. +You can tailor the failure conditions (fail-on) for high severity issues in the workflow to suit your team's preferences. Adjust your code's language and build settings as indicated within the workflow comments. From 2c79c5151be45f49bce6a0b8fb6537fd567ae381 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 15:07:24 +0100 Subject: [PATCH 61/84] docs: update trg-8-03.md --- docs/release/trg-0/trg-8-03.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index 0fa06801302..7c91aeb998a 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md @@ -22,7 +22,7 @@ Configure your GitHub Actions to include: Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. -Teams are given the freedom to integrate failure conditions (`fail_on`) for high severity issues into their workflow as they see fit. +You can tailor the failure conditions (`fail_on`) for high severity issues in the workflow to suit your team's preferences. Example KICS workflow: From d29c3d7545dcb872b7db07d90e5ee49c29731950 Mon Sep 17 00:00:00 2001 
From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 15:07:55 +0100 Subject: [PATCH 62/84] docs: update trg-8-01.md --- docs/release/trg-0/trg-8-01.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index d394075e6a4..56e9f53faf8 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md @@ -22,7 +22,7 @@ The GitHub Actions configuration must include the following triggers: Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. -You can tailor the failure conditions (fail-on) for high severity issues in the workflow to suit your team's preferences. +You can tailor the failure conditions (`fail-on`) for high severity issues in the workflow to suit your team's preferences. Adjust your code's language and build settings as indicated within the workflow comments. From a297b38d3e54a8341fc3db3d2729c92d7e835782 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 15:56:18 +0100 Subject: [PATCH 63/84] docs: add trivy draft trg --- docs/release/trg-0/trg-8-05.md | 68 ++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 docs/release/trg-0/trg-8-05.md diff --git a/docs/release/trg-0/trg-8-05.md b/docs/release/trg-0/trg-8-05.md new file mode 100644 index 00000000000..800ec02a706 --- /dev/null +++ b/docs/release/trg-0/trg-8-05.md 
@@ -0,0 +1,68 @@ +--- +title: TRG 8.05 - Trivy +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Draft | 04-Mar-2024 | Draft release | + +## Why + +Trivy scans our Docker containers to accurately identify and remediate vulnerabilities in OS packages and application dependencies, ensuring our environment remains secure. + +## Description + +Trivy should be used if your project or repository builds containers and publishes them to Docker Hub. + +Configure your GitHub Actions to include: + +- `workflow_dispatch`: Manual workflow execution. +- `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. + +Because Trivy scans the published image on Docker Hub, running it on a `schedule` suffices, removing the necessity to execute it on every push and pull request. Optionally, the local build in the pipeline run can be scanned, using the `push` and `pull_request` triggers for these scans. + +In the Trivy workflow, the Docker Hub image scanned must be the currently supported version, not necessarily the `latest` image. + +If multiple Docker images, such as frontend and backend, are published from the repository, configure a scan for each image either by using the `matrix` option or by duplicating the necessary steps from the example workflow. + +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. + +You can tailor the failure conditions (`exit-code`, `severity`) for high severity issues in the workflow to suit your team's preferences. 
+ +Example Trivy workflow: + +```yml +name: "Trivy" + +on: + schedule: + - cron: "0 0 * * 0" + workflow_dispatch: + + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.18.0 + with: + image-ref: "tractusx/:" # Pull image from Docker Hub and run Trivy vulnerability scanner + format: "sarif" + output: "trivy-results.sarif" + exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail. + severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH). + hide-progress: false + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: "trivy-results.sarif" +``` From 10f5ca4184ed8c4b06a385c3a4ee49fad756726b Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 21:55:21 +0100 Subject: [PATCH 64/84] docs: add gitguardian draft trg --- docs/release/trg-0/trg-8-04.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 docs/release/trg-0/trg-8-04.md diff --git a/docs/release/trg-0/trg-8-04.md b/docs/release/trg-0/trg-8-04.md new file mode 100644 index 00000000000..703a997dd79 --- /dev/null +++ b/docs/release/trg-0/trg-8-04.md 
@@ -0,0 +1,19 @@ +--- +title: TRG 8.04 - GitGuardian +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Draft | 04-Mar-2024 | Draft release | + +## Why + +GitGuardian excels at detecting and preventing leaks of sensitive data in your code repositories, such as API keys, passwords, and other secrets. This can help you avoid security breaches and comply with data privacy regulations. + +## Description + +GitGuardian is integrated via its GitHub App, enabling automated secret scanning of our repositories. Each pull request undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification. + +If a secret is suspected, the pull request will be locked. Immediate action is required regarding the potential secret due to the high risk associated with exposing secrets. + +The email contains a _temporary **link**_, allowing the author to either **report** the detected secret or **mark it as a false positive**, streamlining the review process for software engineers. From 291e35df5a2aa812f63b6314ebd3ae305b80cc51 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Tue, 5 Mar 2024 10:56:01 +0100 Subject: [PATCH 65/84] Delete docs/release/trg-8/trg-8-05.md Releasing TRG 8 as draft --- docs/release/trg-8/trg-8-05.md | 83 ---------------------------------- 1 file changed, 83 deletions(-) delete mode 100644 docs/release/trg-8/trg-8-05.md diff --git a/docs/release/trg-8/trg-8-05.md b/docs/release/trg-8/trg-8-05.md deleted file mode 100644 index c547c4ad45b..00000000000 --- a/docs/release/trg-8/trg-8-05.md +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -title: TRG 8.05 - Trivy ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 26-Feb-2024 | Initial release | - -## Why - -**Trivy** identifies known vulnerabilities in the packages and libraries within your container images. - -:::info - -For any errors, please contact Security Team by creating an issue on GitHub. - -::: - -## Description - -Trivy stands as our container vulnerability scanner of choice, ensuring the security of our container images by targeting both OS-level and library dependencies. Here's a concise breakdown of the Trivy integration in our workflow: - -:::info - -The Trivy scan is initiated either on-demand through manual dispatch or based on a CRON schedule, executing once daily. The job is executed on the latest Ubuntu and requires specified permissions: reading actions and content and writing security events. - -::: - -The primary step involves the Trivy vulnerability scanner pulling the container image tractusx/irs-api:latest from Docker Hub. Before scanning, it's essential to ensure that the desired image on Docker Hub is correctly configured for the scan. - -:::caution - -We recommend always scanning the most recently published image to maintain updated security assessments. Utilizing the aquasecurity/trivy-action@0.12.0, the scanner inspects the image for vulnerabilities of types os and library. Results are formatted as SARIF and stored in trivy-results.sarif. - -::: - -After the scan, results are then uploaded to the GitHub Security tab via the github/codeql-action/upload-sarif@v3 action, ensuring engineers can efficiently review and address any highlighted vulnerabilities. - -:::info - -For Trivy we recommend for workflow to run with PR and push. Schedule can be set up nightly or once per week, depends on each team capacity. 
- -::: - -```md -/******************************************************************************** -name: "Run Trivy scan and upload SARIF" - -on: - push: - branches: ["main"] - pull_request: - # The branches below must be a subset of the branches above - branches: ["main"] - schedule: - - cron: "0 0 * * *" # Once a day - workflow_dispatch: - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - steps: - # Pull image from Docker Hub and run Trivy vulnerability scanner - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.12.0 - with: - image-ref: "tractusx/irs-api:latest" - format: "sarif" - output: "trivy-results.sarif" - vuln-type: "os,library" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-results.sarif" - ********************************************************************************/ - ``` From 393dc153aa3f53815e1e61092569f787b5e5de88 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Tue, 5 Mar 2024 10:56:23 +0100 Subject: [PATCH 66/84] Delete docs/release/trg-8/trg-8-04.md Releasing TRG 8 as draft --- docs/release/trg-8/trg-8-04.md | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 docs/release/trg-8/trg-8-04.md diff --git a/docs/release/trg-8/trg-8-04.md b/docs/release/trg-8/trg-8-04.md deleted file mode 100644 index 0a349ac59b4..00000000000 --- a/docs/release/trg-8/trg-8-04.md +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -title: TRG 8.04 - GitGuardian ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 26-Feb-2024 | Initial release | - -## Why - -**GitGuardian** excels at detecting and preventing leaks of sensitive data in your code repositories, such as API keys, passwords, and other secrets. This can help you avoid security breaches and comply with data privacy regulations. - -:::caution - -It can be set up **only by Security Team**, so please contact us by creating an issue on GitHub. - -::: - -## Description - -**GitGuardian** is integrated via its GitHub App, enabling automated secret scanning of our codebase. Each pull request (PR) undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification. - -:::info - -The email contains a temporary **link**, allowing the author to either **report** the detected secret or **mark it as a false positive**, streamlining the review process for software engineers. - -::: From 75c15ea385b284b7b0a333d0a223388e9365b242 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Tue, 5 Mar 2024 10:56:47 +0100 Subject: [PATCH 67/84] Delete docs/release/trg-8/trg-8-03.md Releasing TRG 8 as draft --- docs/release/trg-8/trg-8-03.md | 98 ---------------------------------- 1 file changed, 98 deletions(-) delete mode 100644 docs/release/trg-8/trg-8-03.md diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md deleted file mode 100644 index ab0db19c08e..00000000000 --- a/docs/release/trg-8/trg-8-03.md +++ /dev/null 
@@ -1,98 +0,0 @@ ---- -title: TRG 8.03 - KICS ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 26-Feb-2024 | Initial release | - -## Why - -**KICS** identifies security vulnerabilities, compliance issues, and infrastructure misconfigurations in your IaC. - -:::info - -For any errors, please contact Security Team by creating an issue on GitHub. - -::: - -## Description - -**KICS** is an integral tool in our security workflow, specifically targeting infrastructure-as-code (IaC) vulnerabilities. Here's how we've integrated KICS into our process: - -:::info - -When a push is made to the main branch or once daily (based on a CRON schedule), excluding markdown and text files, the KICS scan is triggered. Additionally, a manual dispatch option is available for on-demand scans. - -::: - -The job runs on the latest Ubuntu and requires permissions for reading actions and content, as well as writing security events. Upon initiation, the repository is checked out using the actions/checkout@v4 action. - -The primary action involves running the KICS scan, which leverages the checkmarx/kics-github-action@v1.7.0. The scan focuses on the root directory, and the results are outputted in the SARIF format, stored in the kicsResults/ directory. - -:::info - -KICS is configured to exit with a status code of 0, regardless of the scan results, unless there's a KICS engine error. Some paths and specific queries are excluded from the scan, and secret scanning is explicitly disabled. - -::: - -Subsequently, the SARIF file, which contains the KICS scan results, is uploaded using the github/codeql-action/upload-sarif@v3 action. This ensures that the findings are made available for review and further analysis in the GitHub environment, aiding engineers in addressing potential vulnerabilities effectively. - -:::info - -For KICS we recommend for workflow to run with push. 
Schedule can be set up nightly or once per week, depends on each team capacity. - -::: - -```md -/******************************************************************************** -name: Run KICS scan and upload SARIF - -on: - push: - branches: main - paths-ignore: - - "**/*.md" - - "**/*.txt" - schedule: - - cron: "0 0 * * *" # Once a day - workflow_dispatch: - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - steps: - - name: Checkout repo - uses: actions/checkout@v4 - - - name: Run KICS Scan with SARIF result - uses: checkmarx/kics-github-action@v1.7.0 - with: - # Scanning directory . - path: "." - # When provided with a directory on output_path - # it will generate the specified reports file named 'results.{extension}' - # in this example it will generate: kicsResults/results.sarif - output_path: kicsResults/ - output_formats: "sarif" - # If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens - ignore_on_exit: results - # Exclude paths or files from scan - # exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" - # Exclude accepted queries from the build - # exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e - # No secret scanning - disable_secrets: true - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: kicsResults/results.sarif - ********************************************************************************/ - ``` From 3923610d29382e1c301163d6b6aa28a1d3ee85ca Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Tue, 5 Mar 2024 10:57:45 +0100 Subject: [PATCH 68/84] Delete docs/release/trg-8/trg-8-01.md Releasing TRG 8 as draft --- docs/release/trg-8/trg-8-01.md | 142 --------------------------------- 1 file changed, 142 deletions(-) delete mode 100644 docs/release/trg-8/trg-8-01.md 
diff --git a/docs/release/trg-8/trg-8-01.md b/docs/release/trg-8/trg-8-01.md deleted file mode 100644 index 8a703158a58..00000000000 --- a/docs/release/trg-8/trg-8-01.md +++ /dev/null 
@@ -1,142 +0,0 @@ ---- -title: TRG 8.01 - CodeQL ---- - -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 26-Feb-2024 | Initial release | - -## Why - -**CodeQL** can be used to analyze large and complex codebases, making it ideal for organizations of all sizes.It can also be integrated into your existing development workflow, allowing you to catch problems early. - -:::info - -For any errors, please contact Security Team by creating an issue on GitHub. - -::: - -## Description - -**CodeQL** serves as our core code analysis tool (**SAST**), providing deep code introspection for potential security vulnerabilities and other code quality concerns. -Below is a technical breakdown of how CodeQL integrates with our **CI/CD** process. - -:::info - -The CodeQL scan is triggered upon commits to the main branch, based on a CRON schedule set at 01:36 every Sunday, or when manually initiated. - -::: - -Given the range of languages CodeQL can analyze, the workflow leverages a matrix strategy to dynamically adjust runner settings based on the target language. It currently scans **Java**, **JavaScript**, **Python**, and **Ruby**, but this list is adjustable depending on the repository's dominant languages. - -:::info - -CodeQL supports a broader set of languages including 'cpp', 'csharp', 'go', 'swift', among others. Accordingly, adjustments should be made to the language matrix when different languages are in play. - -::: - -### The CodeQL analysis consists of several steps - -- **Repository Checkout**: The repository content is fetched using actions/checkout@v4. - -- **CodeQL Initialization**: The github/codeql-action/init@v3 action initializes the CodeQL tools, setting the target languages and the desired query sets. CodeQL possesses an extensive collection of predefined queries, but developers can specify custom queries if necessary. 
- -- **Auto-build**: The github/codeql-action/autobuild@v3 action attempts to build any compiled languages. This auto-build feature can occasionally face issues and may fail, especially with complex build processes or non-standard configurations. If an auto-build failure occurs, developers must manually configure the build process within the workflow. An example is provided in the workflow to guide this manual setup. - -- **CodeQL Analysis**: Post build, CodeQL performs its analysis, examining the codebase for vulnerabilities and other concerns. Results are categorized based on the language of analysis. - -In the provided CodeQL workflow, specific queries are used to enhance security analysis: +security-extended,security-and-quality. The + symbol ensures that these queries are added to the default set, allowing for a comprehensive security analysis. Developers should be aware of these configured queries as they focus on identifying a broad range of vulnerabilities, ensuring robust code security and quality. - -:::info - -For CodeQL we recommend for workflow to run with PR and push. Schedule can be set up nightly or once per week, depends on each team capacity. - -::: - -```md -/******************************************************************************** -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. 
-# -name: "CodeQL" - -on: - push: - branches: ["main"] - pull_request: - # The branches below must be a subset of the branches above - branches: ["main"] - schedule: - - cron: "36 1 * * 0" - workflow_dispatch: - -jobs: - analyze: - name: Analyze - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["java", "javascript", "python", "ruby"] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] - # Use only 'java' to analyze code written in Java, Kotlin or both - # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. 
- - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - queries: +security-extended,security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup. - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - # ℹ️ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" - ********************************************************************************/ - ``` From fae42e05fc741a5a481d8b9fa72d60950fb0358a Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Tue, 5 Mar 2024 10:58:24 +0100 Subject: [PATCH 69/84] Delete docs/release/trg-8/_category_.json Releasing TRG 8 as draft --- docs/release/trg-8/_category_.json | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 docs/release/trg-8/_category_.json diff --git a/docs/release/trg-8/_category_.json b/docs/release/trg-8/_category_.json deleted file mode 100644 index 4c9752e8a4b..00000000000 --- a/docs/release/trg-8/_category_.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "label": "TRG 8 - Security" -} 
From 5d1702b4b4cb7fde476636288b3a118d3f23e246 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 7 Mar 2024 09:17:35 +0100 Subject: [PATCH 70/84] adding caution Caution about passing QG --- docs/release/trg-0/trg-8-05.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/release/trg-0/trg-8-05.md b/docs/release/trg-0/trg-8-05.md index 800ec02a706..d98c934054f 100644 --- a/docs/release/trg-0/trg-8-05.md +++ b/docs/release/trg-0/trg-8-05.md @@ -25,6 +25,13 @@ In the Trivy workflow, the Docker Hub image scanned must be the currently suppor If multiple Docker images, such as frontend and backend, are published from the repository, configure a scan for each image either by using the `matrix` option or by duplicating the necessary steps from the example workflow. +:::caution + +To pass the quality gates, all **critical**, **high** and **medium** security vulnerabilities **must be mitigated**. +This generic statement may conflict with base images that apply to containers scans.The statement from **prevails**. + +::: + Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. You can tailor the failure conditions (`exit-code`, `severity`) for high severity issues in the workflow to suit your team's preferences. From b7043c9f23bc8a0e9f7efc072ca8d172898417c8 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 7 Mar 2024 09:19:40 +0100 Subject: [PATCH 71/84] Update trg-8-05.md --- docs/release/trg-0/trg-8-05.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-05.md b/docs/release/trg-0/trg-8-05.md index d98c934054f..aaa99a15c43 100644 --- a/docs/release/trg-0/trg-8-05.md 
+++ b/docs/release/trg-0/trg-8-05.md @@ -27,7 +27,7 @@ If multiple Docker images, such as frontend and backend, are published from the :::caution -To pass the quality gates, all **critical**, **high** and **medium** security vulnerabilities **must be mitigated**. +To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. This generic statement may conflict with base images that apply to containers scans.The statement from **prevails**. ::: From 9f96b14932779fc12aefe8d99ac126c8d52ecaf3 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 7 Mar 2024 09:21:12 +0100 Subject: [PATCH 72/84] Update trg-8-05.md --- docs/release/trg-0/trg-8-05.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-05.md b/docs/release/trg-0/trg-8-05.md index aaa99a15c43..17784040100 100644 --- a/docs/release/trg-0/trg-8-05.md +++ b/docs/release/trg-0/trg-8-05.md @@ -28,7 +28,7 @@ If multiple Docker images, such as frontend and backend, are published from the :::caution To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. -This generic statement may conflict with base images that apply to containers scans.The statement from **prevails**. +This generic statement may conflict with TRG 4.02 base images that apply to containers scans.The statement from TRG 4.02 **prevails**. ::: From ddbe6cd0a39375ddd00d4ea55bc1bf80ff8ecdaa Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 7 Mar 2024 09:22:43 +0100 Subject: [PATCH 73/84] Caution about QG --- docs/release/trg-0/trg-8-04.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release/trg-0/trg-8-04.md b/docs/release/trg-0/trg-8-04.md index 703a997dd79..cee45778f8a 100644 --- a/docs/release/trg-0/trg-8-04.md +++ b/docs/release/trg-0/trg-8-04.md 
@@ -12,6 +12,12 @@ GitGuardian excels at detecting and preventing leaks of sensitive data in your c ## Description +:::caution + +To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. + +::: + GitGuardian is integrated via its GitHub App, enabling automated secret scanning of our repositories. Each pull request undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification. If a secret is suspected, the pull request will be locked. Immediate action is required regarding the potential secret due to the high risk associated with exposing secrets. From 1e0c6cf537ea936da23cfb489336f20478a036b5 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 7 Mar 2024 09:23:49 +0100 Subject: [PATCH 74/84] Caution about QG --- docs/release/trg-0/trg-8-03.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index 7c91aeb998a..f3e016faead 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md @@ -20,6 +20,12 @@ Configure your GitHub Actions to include: - `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. - `push` and `pull_request`: Targets the branch that holds the IaC files intended for current deployments, which might not always be the `main` branch. +:::caution + +To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. + +::: + Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. You can tailor the failure conditions (`fail_on`) for high severity issues in the workflow to suit your team's preferences. 
From 8a149d3edd59a136703a064190ce3a8543b4af37 Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 7 Mar 2024 09:24:27 +0100 Subject: [PATCH 75/84] Caution about QG --- docs/release/trg-0/trg-8-01.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index 56e9f53faf8..a6cf955e623 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md @@ -20,6 +20,12 @@ The GitHub Actions configuration must include the following triggers: - `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. - `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the `main` branch. This is the branch from which new releases will be made. +:::caution + +To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. + +::: + Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. You can tailor the failure conditions (`fail-on`) for high severity issues in the workflow to suit your team's preferences. From 8caf99c3a28fe86f64439e5176846ec457c2967f Mon Sep 17 00:00:00 2001 From: Klaudia Jozwiak <148344761+klaudiaZF@users.noreply.github.com> Date: Thu, 7 Mar 2024 09:27:15 +0100 Subject: [PATCH 76/84] grammar correction --- docs/release/trg-0/trg-8-05.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-05.md b/docs/release/trg-0/trg-8-05.md index 17784040100..6001dba89a4 100644 --- a/docs/release/trg-0/trg-8-05.md +++ b/docs/release/trg-0/trg-8-05.md 
@@ -28,7 +28,7 @@ If multiple Docker images, such as frontend and backend, are published from the :::caution To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. -This generic statement may conflict with TRG 4.02 base images that apply to containers scans.The statement from TRG 4.02 **prevails**. +This generic statement may conflict with TRG 4.02 base images that apply to containers scans. The statement from TRG 4.02 **prevails**. ::: From 82a23a2061537321b9f3707fdd8cb95b75804154 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Thu, 7 Mar 2024 11:54:49 +0100 Subject: [PATCH 77/84] docs: update trg-8-01.md --- docs/release/trg-0/trg-8-01.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release/trg-0/trg-8-01.md b/docs/release/trg-0/trg-8-01.md index a6cf955e623..5749266742c 100644 --- a/docs/release/trg-0/trg-8-01.md +++ b/docs/release/trg-0/trg-8-01.md 
@@ -20,14 +20,14 @@ The GitHub Actions configuration must include the following triggers: - `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. - `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the `main` branch. This is the branch from which new releases will be made. +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. + :::caution -To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. +Address high severity findings; it is recommended to also address medium severity findings. ::: -Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. - You can tailor the failure conditions (`fail-on`) for high severity issues in the workflow to suit your team's preferences. Adjust your code's language and build settings as indicated within the workflow comments. From 810521ce4b322999e3e3fe7f8bc87f23ef660262 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Thu, 7 Mar 2024 11:55:36 +0100 Subject: [PATCH 78/84] docs: update trg-8-03.md --- docs/release/trg-0/trg-8-03.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index f3e016faead..de6d30ce62f 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md 
@@ -20,14 +20,14 @@ Configure your GitHub Actions to include: - `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`. - `push` and `pull_request`: Targets the branch that holds the IaC files intended for current deployments, which might not always be the `main` branch. +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. + :::caution -To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. +Address high severity findings; it is recommended to also address medium severity findings. ::: -Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. - You can tailor the failure conditions (`fail_on`) for high severity issues in the workflow to suit your team's preferences. Example KICS workflow: From 16e7b838d7d6aea3865cc1ab2cabdc86d281bae1 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Thu, 7 Mar 2024 11:56:20 +0100 Subject: [PATCH 79/84] docs: update trg-8-05.md --- docs/release/trg-0/trg-8-05.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/release/trg-0/trg-8-05.md b/docs/release/trg-0/trg-8-05.md index 6001dba89a4..59f61f7ac93 100644 --- a/docs/release/trg-0/trg-8-05.md +++ b/docs/release/trg-0/trg-8-05.md 
@@ -25,15 +25,14 @@ In the Trivy workflow, the Docker Hub image scanned must be the currently suppor If multiple Docker images, such as frontend and backend, are published from the repository, configure a scan for each image either by using the `matrix` option or by duplicating the necessary steps from the example workflow. +Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. + :::caution -To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. -This generic statement may conflict with TRG 4.02 base images that apply to containers scans. The statement from TRG 4.02 **prevails**. +Address high severity findings; it is recommended to also address medium severity findings. ::: -Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended. - You can tailor the failure conditions (`exit-code`, `severity`) for high severity issues in the workflow to suit your team's preferences. Example Trivy workflow: From c0d4b99150c620c408fe57144099ed135953bf03 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Thu, 7 Mar 2024 11:58:05 +0100 Subject: [PATCH 80/84] docs: update trg-8-04.md --- docs/release/trg-0/trg-8-04.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/release/trg-0/trg-8-04.md b/docs/release/trg-0/trg-8-04.md index cee45778f8a..656281cf780 100644 --- a/docs/release/trg-0/trg-8-04.md +++ b/docs/release/trg-0/trg-8-04.md 
@@ -12,14 +12,14 @@ GitGuardian excels at detecting and preventing leaks of sensitive data in your c ## Description -:::caution +GitGuardian is integrated via its GitHub App, enabling automated secret scanning of our repositories. Each pull request undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification. -To pass the quality gates, all **critical** and **high** security vulnerabilities **must be mitigated**. +If a secret is suspected, the pull request will be locked. Immediate action is required regarding the potential secret due to the high risk associated with exposing secrets. -::: +:::caution -GitGuardian is integrated via its GitHub App, enabling automated secret scanning of our repositories. Each pull request undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification. +Address all findings. -If a secret is suspected, the pull request will be locked. Immediate action is required regarding the potential secret due to the high risk associated with exposing secrets. +::: The email contains a _temporary **link**_, allowing the author to either **report** the detected secret or **mark it as a false positive**, streamlining the review process for software engineers. From d5bfa3be23a607d31aa75fc28cfbfcf50cd1f18f Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Thu, 7 Mar 2024 12:09:12 +0100 Subject: [PATCH 81/84] docs: update trg-8-03.md --- docs/release/trg-0/trg-8-03.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index de6d30ce62f..6dc4cdfe8f3 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md 
@@ -26,6 +26,8 @@ Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error fi Address high severity findings; it is recommended to also address medium severity findings. +Due to IP considerations, base images with findings must not be updated arbitrarily, as outlined in [TRG4](https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02). An update is permissible only when a base image containing the necessary fix has been cleared for use based on IP reasons. + ::: You can tailor the failure conditions (`fail_on`) for high severity issues in the workflow to suit your team's preferences. From 02b3c895d2da649440013d2ffe2b1d39f4429497 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Thu, 7 Mar 2024 21:20:39 +0100 Subject: [PATCH 82/84] docs: wrong trg caution --- docs/release/trg-0/trg-8-03.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/release/trg-0/trg-8-03.md b/docs/release/trg-0/trg-8-03.md index 6dc4cdfe8f3..de6d30ce62f 100644 --- a/docs/release/trg-0/trg-8-03.md +++ b/docs/release/trg-0/trg-8-03.md @@ -26,8 +26,6 @@ Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error fi Address high severity findings; it is recommended to also address medium severity findings. -Due to IP considerations, base images with findings must not be updated arbitrarily, as outlined in [TRG4](https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02). An update is permissible only when a base image containing the necessary fix has been cleared for use based on IP reasons. - ::: You can tailor the failure conditions (`fail_on`) for high severity issues in the workflow to suit your team's preferences. From 4a8ab8a02ab9ba4af406d8a324b452bd97afd033 Mon Sep 17 00:00:00 2001 
From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Thu, 7 Mar 2024 21:21:23 +0100 Subject: [PATCH 83/84] docs: add statement about IP issues --- docs/release/trg-0/trg-8-05.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release/trg-0/trg-8-05.md b/docs/release/trg-0/trg-8-05.md index 59f61f7ac93..84bda8e635c 100644 --- a/docs/release/trg-0/trg-8-05.md +++ b/docs/release/trg-0/trg-8-05.md @@ -31,6 +31,8 @@ Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error fi Address high severity findings; it is recommended to also address medium severity findings. +Due to IP considerations, base images with findings must not be updated arbitrarily, as outlined in [TRG4](https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02). An update is permissible only when a base image containing the necessary fix has been cleared for use based on IP reasons. + ::: You can tailor the failure conditions (`exit-code`, `severity`) for high severity issues in the workflow to suit your team's preferences. From 52e39dcc53184fafe22e60e193aa7ed7f803012c Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Fri, 8 Mar 2024 10:48:53 +0100 Subject: [PATCH 84/84] docs: update trg-8-05.md --- docs/release/trg-0/trg-8-05.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-8-05.md b/docs/release/trg-0/trg-8-05.md index 84bda8e635c..91b3fbd8a71 100644 --- a/docs/release/trg-0/trg-8-05.md +++ b/docs/release/trg-0/trg-8-05.md 
@@ -31,7 +31,7 @@ Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error fi Address high severity findings; it is recommended to also address medium severity findings. -Due to IP considerations, base images with findings must not be updated arbitrarily, as outlined in [TRG4](https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02). An update is permissible only when a base image containing the necessary fix has been cleared for use based on IP reasons. +Due to IP considerations, base images with findings must not be updated arbitrarily, as outlined in [TRG4](https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02). :::
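Review bot: In PATCH 70/84 (trg-8-05.md, hunk at line 25), the second sentence of the added caution has lost its reference: "may conflict with base images" and "The statement from **prevails**" name no document, so a reader cannot tell which rule takes precedence. Name the TRG in both places and add the missing space after "scans.". The caution also requires **medium** findings to be mitigated, while the unchanged paragraph directly below it only says that addressing medium severity findings is strongly recommended; the two need to agree.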
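Review bot: In PATCH 73/84 (trg-8-04.md), the added caution speaks of **critical** and **high** security vulnerabilities, but this page is about secret scanning, and the surrounding text assigns no severity to a detected secret: every potential secret requires immediate action. Reword the caution in terms of detected secrets, and place it after the paragraph that introduces the GitGuardian integration rather than directly under `## Description`, so the reader knows which findings it refers to.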
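Review bot: In PATCH 74/84 (trg-8-03.md), and equally in the matching hunk of PATCH 75/84 (trg-8-01.md), "**must be mitigated**" is inserted directly above a paragraph that allows high/error findings to be dismissed as non-exploitable or false positives, and above the sentence that lets teams tailor the failure conditions. State whether a justified dismissal counts as mitigation for the quality gate, and whether the gate still applies when a team relaxes `fail_on` or `fail-on`. "Critical" also appears only in the caution, while the rest of the page speaks of high and medium findings.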
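Review bot: In PATCH 77/84 (trg-8-01.md), the removed paragraph held the only deadline on the page, "Address high severity findings within 30 days", and the removed caution held the quality-gate requirement for critical findings; the replacement "Address high severity findings" has neither. If dropping the 30-day window and the gate is intended, the commit message should say so, since the subject is only "docs: update trg-8-01.md"; otherwise keep the time bound in the new caution. The same point applies to the matching hunks in PATCH 78/84 (trg-8-03.md) and PATCH 79/84 (trg-8-05.md).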
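Review bot: In PATCH 80/84 (trg-8-04.md), the new caution "Address all findings." does not say what addressing a detected secret means. The unchanged paragraph after it offers two outcomes through the email link, reporting the secret or marking it as a false positive; the caution should state which of these satisfies it and what is expected of the author once a secret has been reported.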
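Review bot: In PATCH 84/84 (trg-8-05.md), deleting "An update is permissible only when a base image containing the necessary fix has been cleared for use based on IP reasons." leaves "must not be updated arbitrarily" with no stated condition under which a base image may be updated, directly below "Address high severity findings". Say what a team should do with a high severity finding that originates in the base image, so the two sentences of the caution do not pull against each other. The link label "TRG4" should also match its target, trg-4-02, as the earlier wording "TRG 4.02" did.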