From 0024c2f44455cf5ace9235a7efa195c12a1d72d2 Mon Sep 17 00:00:00 2001 
From: GitLab Bot Date: Thu, 12 May 2022 15:08:59 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- .../components/issuable_header_warnings.vue | 7 +- app/assets/javascripts/lib/dompurify.js | 1 + .../javascripts/lib/utils/url_utility.js | 13 ++ .../project_select_combo_button.js | 3 +- .../projects/service_ping_controller.rb | 2 +- app/helpers/application_settings_helper.rb | 2 + app/helpers/merge_requests_helper.rb | 4 +- app/models/application_setting.rb | 2 + .../application_setting_implementation.rb | 2 + .../merge_requests/post_merge_service.rb | 14 ++- .../_prometheus.html.haml | 21 ++-- .../background_migrations/index.html.haml | 4 +- app/workers/all_queues.yml | 9 ++ .../migration/guard_worker.rb | 22 +++- .../merge_requests/close_issue_worker.rb | 52 ++++++++ .../development/async_mr_close_issue.yml | 8 ++ .../registry_migration_guard_thresholds.yml | 8 ++ config/sidekiq_queues.yml | 2 + data/removals/15_0/15-0-request-profiling.yml | 2 +- ...uard_thresholds_to_application_settings.rb | 15 +++ db/schema_migrations/20220511191502 | 1 + db/structure.sql | 2 + doc/development/integrations/secure.md | 3 - doc/topics/autodevops/customize.md | 2 - .../dependency_scanning/analyzers.md | 54 ++++---- .../dependency_scanning/index.md | 117 ++---------------- doc/user/application_security/index.md | 2 +- .../vulnerabilities/severities.md | 2 - doc/user/gitlab_com/index.md | 2 +- lib/container_registry/migration.rb | 4 + .../Jobs/Dependency-Scanning.gitlab-ci.yml | 28 ----- .../Security/Secure-Binaries.gitlab-ci.yml | 17 +-- locale/gitlab.pot | 18 +-- spec/features/projects/jobs_spec.rb | 2 +- spec/frontend/lib/dompurify_spec.js | 10 ++ spec/frontend/lib/utils/mock_data.js | 42 +++++++ spec/frontend/lib/utils/url_utility_spec.js | 53 ++------ .../project_select_combo_button_spec.js | 24 ++++ .../vue_shared/security_reports/mock_data.js | 6 +- spec/lib/container_registry/migration_spec.rb | 24 ++++ .../ci/reports/security/scanner_spec.rb | 2 - 
spec/models/application_setting_spec.rb | 4 + spec/requests/api/ci/jobs_spec.rb | 24 ++-- .../requests/api/ci/runner/jobs_trace_spec.rb | 2 +- .../merge_requests/merge_service_spec.rb | 2 +- .../merge_requests/post_merge_service_spec.rb | 76 +++++++++--- .../gitlab/artifacts/migrate_rake_spec.rb | 14 +-- .../migration/guard_worker_spec.rb | 38 +++++- .../merge_requests/close_issue_worker_spec.rb | 63 ++++++++++ 49 files changed, 522 insertions(+), 309 deletions(-) create mode 100644 app/workers/merge_requests/close_issue_worker.rb create mode 100644 config/feature_flags/development/async_mr_close_issue.yml create mode 100644 config/feature_flags/development/registry_migration_guard_thresholds.yml create mode 100644 db/migrate/20220511191502_add_registry_migration_guard_thresholds_to_application_settings.rb create mode 100644 db/schema_migrations/20220511191502 create mode 100644 spec/workers/merge_requests/close_issue_worker_spec.rb diff --git a/app/assets/javascripts/issuable/components/issuable_header_warnings.vue b/app/assets/javascripts/issuable/components/issuable_header_warnings.vue index 7f313086fca..06d1a2ee233 100644 --- a/app/assets/javascripts/issuable/components/issuable_header_warnings.vue +++ b/app/assets/javascripts/issuable/components/issuable_header_warnings.vue @@ -63,8 +63,11 @@ export default { v-gl-tooltip :data-testid="meta.dataTestId" :title="meta.tooltip || null" - :class="{ 'gl-mr-3 gl-mt-2': isMergeRequest }" - class="issuable-warning-icon gl-display-flex gl-justify-content-center gl-align-items-center" + :class="{ + 'gl-mr-3 gl-mt-2 gl-display-flex gl-justify-content-center gl-align-items-center': isMergeRequest, + 'gl-display-inline-block': !isMergeRequest, + }" + class="issuable-warning-icon" > diff --git a/app/assets/javascripts/lib/dompurify.js b/app/assets/javascripts/lib/dompurify.js index 47568f0ecff..4959550e273 100644 --- a/app/assets/javascripts/lib/dompurify.js +++ b/app/assets/javascripts/lib/dompurify.js 
@@ -7,6 +7,7 @@ const defaultConfig = { // Prevent possible XSS attacks with data-* attributes used by @rails/ujs // See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421 FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'], + FORBID_TAGS: ['style', 'mstyle'], }; // Only icons urls from `gon` are allowed diff --git a/app/assets/javascripts/lib/utils/url_utility.js b/app/assets/javascripts/lib/utils/url_utility.js index 335cd6a16e5..ff60fd2aecb 100644 --- a/app/assets/javascripts/lib/utils/url_utility.js +++ b/app/assets/javascripts/lib/utils/url_utility.js @@ -419,6 +419,19 @@ export function isSafeURL(url) { } } +/** + * Returns the sanitized url when not safe + * + * @param {String} url + * @returns {String} + */ +export function sanitizeUrl(url) { + if (!isSafeURL(url)) { + return 'about:blank'; + } + return url; +} + /** * Returns a normalized url * diff --git a/app/assets/javascripts/project_select_combo_button.js b/app/assets/javascripts/project_select_combo_button.js index 09dbf2cee04..ad80032c551 100644 --- a/app/assets/javascripts/project_select_combo_button.js +++ b/app/assets/javascripts/project_select_combo_button.js @@ -1,5 +1,6 @@ import $ from 'jquery'; import { sprintf, __ } from '~/locale'; +import { sanitizeUrl } from '~/lib/utils/url_utility'; import AccessorUtilities from './lib/utils/accessor'; import { loadCSSFile } from './lib/utils/css_utils'; @@ -80,7 +81,7 @@ export default class ProjectSelectComboButton { setNewItemBtnAttributes(project) { if (project) { - this.newItemBtn.attr('href', project.url); + this.newItemBtn.attr('href', sanitizeUrl(project.url)); this.newItemBtn.text( sprintf(__('New %{type} in %{project}'), { type: this.resourceLabel, diff --git a/app/controllers/projects/service_ping_controller.rb b/app/controllers/projects/service_ping_controller.rb index d8e3990a244..d8f1785d95e 100644 --- a/app/controllers/projects/service_ping_controller.rb +++ b/app/controllers/projects/service_ping_controller.rb 
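Review bot: The new `FORBID_TAGS: ['style', 'mstyle']` entry carries no comment saying what it defends against, while the `FORBID_ATTR` line right above it does; DOMPurify permits both elements in its default allow-list, so a later reader may drop the line as redundant. Suggested comment above it: `// Forbid stylesheet elements: DOMPurify allows them by default, and injected CSS can restyle or overlay the surrounding page (UI redress).` Note this blocks only the `<style>`/`<mstyle>` elements; the inline `style` attribute remains allowed by DOMPurify's defaults, which is worth stating in the same comment if that is intentional.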
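Review bot: The JSDoc on `sanitizeUrl` says it "returns the sanitized url when not safe", but the function returns the input unchanged when `isSafeURL(url)` accepts it and the inert `'about:blank'` otherwise; suggest `/** Returns url unchanged if isSafeURL accepts it, otherwise 'about:blank' (safe to assign to href/src). @param {String} url @returns {String} */`. Which inputs `isSafeURL` rejects (`javascript:` schemes, relative paths, non-string values) is decided in its body, which ends at this hunk's first context lines and is otherwise outside view, so the guarantee `sanitizeUrl` offers is exactly that function's; a spec case for `javascript:alert(1)` and for a relative URL would pin what callers may rely on.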
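Review bot: With `sanitizeUrl`, an unsafe `project.url` becomes `href="about:blank"`, so the button is still rendered as a live "New … in …" link that silently navigates nowhere; failing closed visibly, e.g. `this.newItemBtn.attr('href', sanitizeUrl(project.url)).toggleClass('disabled', !isSafeURL(project.url));` (importing `isSafeURL` alongside `sanitizeUrl`), makes a tampered stored value noticeable instead of inert. Where `project` originates is outside the hunk — the `AccessorUtilities` import suggests it is restored from localStorage, in which case sanitizing at this sink is the right layer. `setNewItemBtnAttributes` continues past the hunk's last line.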
@@ -3,7 +3,7 @@ class Projects::ServicePingController < Projects::ApplicationController before_action :authenticate_user! - feature_category :service_ping + feature_category :web_ide def web_ide_clientside_preview return render_404 unless Gitlab::CurrentSettings.web_ide_clientside_preview_enabled? diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb index f6fff68e98b..b3477fa0e3e 100644 --- a/app/helpers/application_settings_helper.rb +++ b/app/helpers/application_settings_helper.rb @@ -407,6 +407,8 @@ module ApplicationSettingsHelper :container_registry_import_max_retries, :container_registry_import_start_max_retries, :container_registry_import_max_step_duration, + :container_registry_pre_import_timeout, + :container_registry_import_timeout, :container_registry_import_target_plan, :container_registry_import_created_before, :keep_latest_artifact, diff --git a/app/helpers/merge_requests_helper.rb b/app/helpers/merge_requests_helper.rb index 29b2f2eb12f..f167734034d 100644 --- a/app/helpers/merge_requests_helper.rb +++ b/app/helpers/merge_requests_helper.rb 
@@ -246,13 +246,13 @@ module MergeRequestsHelper '' end - link_to branch, branch_path, class: 'gl-link gl-font-monospace gl-bg-blue-50 gl-rounded-base gl-font-sm gl-p-2 gl-display-inline-block gl-text-truncate gl-w-30p gl-mb-n3' + link_to branch, branch_path, class: 'gl-link gl-font-monospace gl-bg-blue-50 gl-rounded-base gl-font-sm gl-p-2 gl-display-inline-block gl-text-truncate gl-max-w-26 gl-mb-n3' end def merge_request_header(project, merge_request) link_to_author = link_to_member(project, merge_request.author, size: 24, extra_class: 'gl-font-weight-bold', avatar: false) copy_button = clipboard_button(text: merge_request.source_branch, title: _('Copy branch name'), class: 'btn btn-default btn-sm gl-button btn-default-tertiary btn-icon gl-display-none! gl-md-display-inline-block! js-source-branch-copy') - target_branch = link_to merge_request.target_branch, project_tree_path(merge_request.target_project, merge_request.target_branch), class: 'gl-link gl-font-monospace gl-bg-blue-50 gl-rounded-base gl-font-sm gl-p-2 gl-display-inline-block gl-text-truncate gl-w-20p gl-mb-n3' + target_branch = link_to merge_request.target_branch, project_tree_path(merge_request.target_project, merge_request.target_branch), class: 'gl-link gl-font-monospace gl-bg-blue-50 gl-rounded-base gl-font-sm gl-p-2 gl-display-inline-block gl-text-truncate gl-max-w-26 gl-mb-n3' _('%{author} requested to merge %{source_branch} %{copy_button} into %{target_branch} %{created_at}').html_safe % { author: link_to_author.html_safe, source_branch: merge_request_source_branch(merge_request).html_safe, copy_button: copy_button.html_safe, target_branch: target_branch.html_safe, created_at: time_ago_with_tooltip(merge_request.created_at, html_class: 'gl-display-inline-block').html_safe } end diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index bf68101934b..d40f3784fa1 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb 
@@ -377,6 +377,8 @@ class ApplicationSetting < ApplicationRecord :container_registry_import_max_retries, :container_registry_import_start_max_retries, :container_registry_import_max_step_duration, + :container_registry_pre_import_timeout, + :container_registry_import_timeout, allow_nil: false, numericality: { only_integer: true, greater_than_or_equal_to: 0 } diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb index 36366b375b9..a54dc4f691d 100644 --- a/app/models/application_setting_implementation.rb +++ b/app/models/application_setting_implementation.rb @@ -224,6 +224,8 @@ module ApplicationSettingImplementation container_registry_import_max_retries: 3, container_registry_import_start_max_retries: 50, container_registry_import_max_step_duration: 5.minutes, + container_registry_pre_import_timeout: 30.minutes, + container_registry_import_timeout: 10.minutes, container_registry_import_target_plan: 'free', container_registry_import_created_before: '2022-01-23 00:00:00', kroki_enabled: false, diff --git a/app/services/merge_requests/post_merge_service.rb b/app/services/merge_requests/post_merge_service.rb index e475b57e4a2..980c757bcbc 100644 --- a/app/services/merge_requests/post_merge_service.rb +++ b/app/services/merge_requests/post_merge_service.rb 
@@ -45,7 +45,19 @@ module MergeRequests closed_issues = merge_request.visible_closing_issues_for(current_user) closed_issues.each do |issue| - Issues::CloseService.new(project: project, current_user: current_user).execute(issue, commit: merge_request) + # We are intentionally only closing Issues asynchronously (excluding ExternalIssues) + # as the worker only supports finding an Issue. We are also only experiencing + # SQL timeouts when closing an Issue. + if Feature.enabled?(:async_mr_close_issue, project) && issue.is_a?(Issue) + MergeRequests::CloseIssueWorker.perform_async( + project.id, + current_user.id, + issue.id, + merge_request.id + ) + else + Issues::CloseService.new(project: project, current_user: current_user).execute(issue, commit: merge_request) + end end end diff --git a/app/views/admin/application_settings/_prometheus.html.haml b/app/views/admin/application_settings/_prometheus.html.haml index e2051e17bf9..59681c0278e 100644 --- a/app/views/admin/application_settings/_prometheus.html.haml +++ b/app/views/admin/application_settings/_prometheus.html.haml 
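Review bot: `Feature.enabled?(:async_mr_close_issue, project)` is evaluated on every iteration of `closed_issues.each`; evaluate it once, `async_close = Feature.enabled?(:async_mr_close_issue, project)` before the loop, and test `async_close && issue.is_a?(Issue)` inside. The comment should also state what changes with the async path: the visibility filter in `visible_closing_issues_for(current_user)` is applied now, while the actual close — and whatever authorization `Issues::CloseService` performs, which is not in this diff — happens whenever the low-urgency job runs, so a user whose access is revoked in between is handled by the service's check, not by this method. The enclosing method begins before the hunk.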
@@ -1,20 +1,17 @@ -= form_for @application_setting, url: metrics_and_profiling_admin_application_settings_path(anchor: 'js-prometheus-settings'), html: { class: 'fieldset-form' } do |f| += gitlab_ui_form_for @application_setting, url: metrics_and_profiling_admin_application_settings_path(anchor: 'js-prometheus-settings'), html: { class: 'fieldset-form' } do |f| = form_errors(@application_setting) %fieldset .form-group - .form-check - = f.check_box :prometheus_metrics_enabled, class: 'form-check-input' - = f.label :prometheus_metrics_enabled, class: 'form-check-label' do - = _("Enable health and performance metrics endpoint") - .form-text.text-muted - = _('Enable collection of application metrics. Restart required.') - = link_to _('How to export these metrics to Prometheus?'), help_page_path('administration/monitoring/prometheus/gitlab_metrics.md'), target: '_blank', rel: 'noopener noreferrer' + - prometheus_help_link_url = help_page_path('administration/monitoring/prometheus/gitlab_metrics') + - prometheus_help_link_start = ''.html_safe % { url: prometheus_help_link_url } + = f.gitlab_ui_checkbox_component :prometheus_metrics_enabled, + _('Enable health and performance metrics endpoint'), + help_text: s_('AdminSettings|Enable a Prometheus endpoint that exposes health and performance statistics. The Health Check menu item appears in the Monitoring section of the Admin Area. Restart required. %{link_start}Learn more.%{link_end}').html_safe % { link_start: prometheus_help_link_start, link_end: ''.html_safe } + .form-text.gl-text-gray-500.gl-pl-6 - unless Gitlab::Metrics.metrics_folder_present? 
- .form-text.text-muted - %strong.cred= _("WARNING:") - = _("Environment variable %{environment_variable} does not exist or is not pointing to a valid directory.").html_safe % { environment_variable: 'prometheus_multiproc_dir'.html_safe } - = link_to sprite_icon('question-o'), help_page_path('administration/monitoring/prometheus/gitlab_metrics', anchor: 'metrics-shared-directory') + - icon_link = link_to sprite_icon('question-o'), help_page_path('administration/monitoring/prometheus/gitlab_metrics', anchor: 'metrics-shared-directory'), target: '_blank', rel: 'noopener noreferrer' + = s_('AdminSettings|%{strongStart}WARNING:%{strongEnd} Environment variable %{environment_variable} does not exist or is not pointing to a valid directory. %{icon_link}').html_safe % { strongStart: ''.html_safe, strongEnd: ''.html_safe, environment_variable: 'prometheus_multiproc_dir'.html_safe, icon_link: icon_link } .form-group = f.label :metrics_method_call_threshold, _('Method call threshold (ms)'), class: 'label-bold' = f.number_field :metrics_method_call_threshold, class: 'form-control gl-form-input' diff --git a/app/views/admin/background_migrations/index.html.haml b/app/views/admin/background_migrations/index.html.haml index b2b66a94970..e3ef2587e5d 100644 --- a/app/views/admin/background_migrations/index.html.haml +++ b/app/views/admin/background_migrations/index.html.haml @@ -1,7 +1,7 @@ - page_title s_('BackgroundMigrations|Background Migrations') .gl-display-flex.gl-sm-flex-direction-column.gl-sm-align-items-flex-end.gl-pb-5.gl-border-b-1.gl-border-b-solid.gl-border-b-gray-100 - .gl-flex-grow-1.gl-mr-7 + .gl-flex-grow-1 %h3= s_('BackgroundMigrations|Background Migrations') %p.light.gl-mb-0 - learnmore_link = help_page_path('development/database/batched_background_migrations') 
@@ -9,7 +9,7 @@ = html_escape(s_('BackgroundMigrations|Background migrations are used to perform data migrations whenever a migration exceeds the time limits in our guidelines. %{linkStart}Learn more%{linkEnd}')) % { linkStart: learnmore_link_start, linkEnd: ''.html_safe } - if @databases.size > 1 - .gl-display-flex.gl-align-items-center.gl-flex-grow-0.gl-flex-basis-0.gl-sm-mt-0.gl-mt-5 + .gl-display-flex.gl-align-items-center.gl-flex-grow-0.gl-flex-basis-0.gl-sm-mt-0.gl-mt-5.gl-sm-ml-7.gl-ml-0 #js-database-listbox{ data: { databases: @databases, selected_database: @selected_database } } = gl_tabs_nav do diff --git a/app/workers/all_queues.yml b/app/workers/all_queues.yml index c436335a244..17866ef7296 100644 --- a/app/workers/all_queues.yml +++ b/app/workers/all_queues.yml @@ -2506,6 +2506,15 @@ :weight: 1 :idempotent: true :tags: [] +- :name: merge_requests_close_issue + :worker_name: MergeRequests::CloseIssueWorker + :feature_category: :code_review + :has_external_dependencies: true + :urgency: :low + :resource_boundary: :unknown + :weight: 1 + :idempotent: true + :tags: [] - :name: merge_requests_delete_source_branch :worker_name: MergeRequests::DeleteSourceBranchWorker :feature_category: :source_code_management diff --git a/app/workers/container_registry/migration/guard_worker.rb b/app/workers/container_registry/migration/guard_worker.rb index e5b3bd908c1..cb74360d2d6 100644 --- a/app/workers/container_registry/migration/guard_worker.rb +++ b/app/workers/container_registry/migration/guard_worker.rb 
@@ -64,7 +64,17 @@ module ContainerRegistry end def long_running_migration?(repository) - migration_start_timestamp(repository).before?(long_running_migration_threshold) + timeout = long_running_migration_threshold + + if Feature.enabled?(:registry_migration_guard_thresholds) + timeout = if repository.migration_state == 'pre_importing' + migration.pre_import_timeout + else + migration.import_timeout + end + end + + migration_start_timestamp(repository).before?(timeout.ago) end def external_state_matches_migration_state?(repository) @@ -83,17 +93,21 @@ module ContainerRegistry end def step_before_timestamp - ::ContainerRegistry::Migration.max_step_duration.seconds.ago + migration.max_step_duration.seconds.ago end def max_capacity # doubling the actual capacity to prevent issues in case the capacity # is not properly applied - ::ContainerRegistry::Migration.capacity * 2 + migration.capacity * 2 + end + + def migration + ::ContainerRegistry::Migration end def long_running_migration_threshold - @threshold ||= 10.minutes.ago + @threshold ||= 10.minutes end def cancel_long_running_migration(repository) diff --git a/app/workers/merge_requests/close_issue_worker.rb b/app/workers/merge_requests/close_issue_worker.rb new file mode 100644 index 00000000000..86d63e571ac --- /dev/null +++ b/app/workers/merge_requests/close_issue_worker.rb 
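Review bot: `long_running_migration?` now does `timeout.ago`, which needs `timeout` to be an `ActiveSupport::Duration` (the default `10.minutes` is one; a bare Integer has no `ago`), while the sibling accessor `migration.max_step_duration` evidently returns integer seconds, since the second hunk calls `.seconds.ago` on it. `lib/container_registry/migration.rb` is not in view, so confirm `pre_import_timeout`/`import_timeout` return Durations, or normalise here with `migration.pre_import_timeout.seconds` and `migration.import_timeout.seconds`, which is harmless on a Duration and correct on an Integer. Separately, the model validation added in this patch admits 0, and `0.seconds.ago` is `Time.current`, so a zero timeout would flag every in-progress migration as long running on the next guard run; either validate `greater_than: 0` or treat 0 as "no threshold" here. `Feature.enabled?(:registry_migration_guard_thresholds)` is also evaluated once per repository rather than once per run.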
@@ -0,0 +1,52 @@ +# frozen_string_literal: true + +module MergeRequests + class CloseIssueWorker + include ApplicationWorker + + data_consistency :always + feature_category :code_review + urgency :low + idempotent! + + # Issues:CloseService execute webhooks which are treated as external dependencies + worker_has_external_dependencies! + + # This worker only accepts ID of an Issue. We are intentionally using this + # worker to close Issues asynchronously as we only experience SQL timeouts + # when closing an Issue. + def perform(project_id, user_id, issue_id, merge_request_id) + project = Project.find_by_id(project_id) + + unless project + logger.info(structured_payload(message: 'Project not found.', project_id: project_id)) + return + end + + user = User.find_by_id(user_id) + + unless user + logger.info(structured_payload(message: 'User not found.', user_id: user_id)) + return + end + + issue = Issue.find_by_id(issue_id) + + unless issue + logger.info(structured_payload(message: 'Issue not found.', issue_id: issue_id)) + return + end + + merge_request = MergeRequest.find_by_id(merge_request_id) + + unless merge_request + logger.info(structured_payload(message: 'Merge request not found.', merge_request_id: merge_request_id)) + return + end + + Issues::CloseService + .new(project: project, current_user: user) + .execute(issue, commit: merge_request) + end + end +end diff --git a/config/feature_flags/development/async_mr_close_issue.yml b/config/feature_flags/development/async_mr_close_issue.yml new file mode 100644 index 00000000000..84db0a57fd6 --- /dev/null +++ b/config/feature_flags/development/async_mr_close_issue.yml @@ -0,0 +1,8 @@ +--- +name: async_mr_close_issue +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86328 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/361320 +milestone: '15.0' +type: development +group: group::code review +default_enabled: false 
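Review bot: `perform` runs `Issues::CloseService` with a user and issue re-loaded by id but performs no authorization of its own, and the check that selected the issue — `visible_closing_issues_for(current_user)` in `MergeRequests::PostMergeService` — happened at enqueue time, possibly well before a low-urgency job executes. If `Issues::CloseService#execute` (not in this diff) re-checks the user's permission on the issue at run time that is sufficient, but the worker should say so: above `def perform` add `# Authorization is delegated to Issues::CloseService, which re-checks the user's permission when the job runs; callers must still filter issues by visibility before enqueuing.` The four identical find/log/return blocks could be collapsed into one small private helper, but that is cosmetic.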
diff --git a/config/feature_flags/development/registry_migration_guard_thresholds.yml b/config/feature_flags/development/registry_migration_guard_thresholds.yml new file mode 100644 index 00000000000..664897c9e87 --- /dev/null +++ b/config/feature_flags/development/registry_migration_guard_thresholds.yml @@ -0,0 +1,8 @@ +--- +name: registry_migration_guard_thresholds +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/issues/360790 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/350543 +milestone: '15.0' +type: development +group: group::package +default_enabled: false diff --git a/config/sidekiq_queues.yml b/config/sidekiq_queues.yml index f3df7608052..104580761d0 100644 --- a/config/sidekiq_queues.yml +++ b/config/sidekiq_queues.yml @@ -263,6 +263,8 @@ - 1 - - merge_request_reset_approvals - 1 +- - merge_requests_close_issue + - 1 - - merge_requests_delete_source_branch - 1 - - merge_requests_handle_assignees_change diff --git a/data/removals/15_0/15-0-request-profiling.yml b/data/removals/15_0/15-0-request-profiling.yml index b5f7c39b8bd..0ca6919130c 100644 --- a/data/removals/15_0/15-0-request-profiling.yml +++ b/data/removals/15_0/15-0-request-profiling.yml @@ -1,6 +1,6 @@ - name: "Request profiling" announcement_milestone: "14.8" - announcement_date: "2021-02-22" + announcement_date: "2022-02-22" removal_milestone: "15.0" removal_date: "2022-05-22" breaking_change: true diff --git a/db/migrate/20220511191502_add_registry_migration_guard_thresholds_to_application_settings.rb b/db/migrate/20220511191502_add_registry_migration_guard_thresholds_to_application_settings.rb new file mode 100644 index 00000000000..87a29bd5889 --- /dev/null +++ b/db/migrate/20220511191502_add_registry_migration_guard_thresholds_to_application_settings.rb 
@@ -0,0 +1,15 @@ +# frozen_string_literal: true + +class AddRegistryMigrationGuardThresholdsToApplicationSettings < Gitlab::Database::Migration[2.0] + def change + add_column :application_settings, :container_registry_pre_import_timeout, + :integer, + default: 30.minutes, + null: false + + add_column :application_settings, :container_registry_import_timeout, + :integer, + default: 10.minutes, + null: false + end +end diff --git a/db/schema_migrations/20220511191502 b/db/schema_migrations/20220511191502 new file mode 100644 index 00000000000..caebd721aa6 --- /dev/null +++ b/db/schema_migrations/20220511191502 @@ -0,0 +1 @@ +432214f4683800e1f5b5e42d05d9a6de07c317fec0dffd6b1eb312ccfd437e0c \ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 19de1d7ba2f..61a95095e34 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -11292,6 +11292,8 @@ CREATE TABLE application_settings ( delayed_group_deletion boolean DEFAULT true NOT NULL, arkose_labs_namespace text DEFAULT 'client'::text NOT NULL, max_export_size integer DEFAULT 0, + container_registry_pre_import_timeout integer DEFAULT 1800 NOT NULL, + container_registry_import_timeout integer DEFAULT 600 NOT NULL, CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)), CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)), CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)), diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md index cc7daccfa5b..0f4fa1a97a8 100644 --- a/doc/development/integrations/secure.md +++ b/doc/development/integrations/secure.md 
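Review bot: The two new timeout columns are protected only by the model validation (`greater_than_or_equal_to: 0`), whereas neighbouring settings in `db/structure.sql` also carry `..._positive` CHECK constraints; a negative value written outside the model (console `update_column`, a rake task) would make `timeout.ago` a future instant, and the guard worker would then never flag a long-running migration. If that matters, add the constraints with the project's `add_check_constraint` helper in a follow-up migration — in this codebase that helper is normally run under `disable_ddl_transaction!`, so it does not fit this `change` method as written.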
@@ -290,9 +290,6 @@ useful when debugging. The default value for `SECURE_LOG_LEVEL` should be set to `info`. When executing command lines, scanners should use the `debug` level to log the command line and its output. -For instance, the [bundler-audit](https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit) scanner -uses the `debug` level to log the command line `bundle audit check --quiet`, -and what `bundle audit` writes to the standard output. If the command line fails, then it should be logged with the `error` log level; this makes it possible to debug the problem without having to change the log level to `debug` and rerun the scanning job. diff --git a/doc/topics/autodevops/customize.md b/doc/topics/autodevops/customize.md index f84abca1ff2..4f797f5c238 100644 --- a/doc/topics/autodevops/customize.md +++ b/doc/topics/autodevops/customize.md @@ -479,7 +479,6 @@ The following table lists variables used to disable jobs. | `build_artifact` | `BUILD_DISABLED` | | If the variable is present, the job isn't created. | | `bandit-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. | | `brakeman-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. | -| `bundler-audit-dependency_scanning` | `DEPENDENCY_SCANNING_DISABLED` | | If the variable is present, the job isn't created. | | `canary` | `CANARY_ENABLED` | | This manual job is created if the variable is present. | | `cluster_image_scanning` | `CLUSTER_IMAGE_SCANNING_DISABLED` | | If the variable is present, the job isn't created. | | `code_intelligence` | `CODE_INTELLIGENCE_DISABLED` | From GitLab 13.6 | If the variable is present, the job isn't created. | 
@@ -503,7 +502,6 @@ The following table lists variables used to disable jobs. | `browser_performance` | `BROWSER_PERFORMANCE_DISABLED` | From GitLab 14.0 | Browser performance. If the variable is present, the job isn't created. Replaces `performance`. | | `phpcs-security-audit-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. | | `pmd-apex-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. | -| `retire-js-dependency_scanning` | `DEPENDENCY_SCANNING_DISABLED` | | If the variable is present, the job isn't created. | | `review` | `REVIEW_DISABLED` | | If the variable is present, the job isn't created. | | `review:stop` | `REVIEW_DISABLED` | | Manual job. If the variable is present, the job isn't created. | | `sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. | diff --git a/doc/user/application_security/dependency_scanning/analyzers.md b/doc/user/application_security/dependency_scanning/analyzers.md index 665d29c4017..acbc94cba47 100644 --- a/doc/user/application_security/dependency_scanning/analyzers.md +++ b/doc/user/application_security/dependency_scanning/analyzers.md @@ -20,11 +20,9 @@ This is achieved by implementing the [common API](https://gitlab.com/gitlab-org/ Dependency Scanning supports the following official analyzers: -- [`bundler-audit`](https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit) - [`gemnasium`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) - [`gemnasium-maven`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven) - [`gemnasium-python`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python) -- [`retire.js`](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js) The analyzers are published as Docker images, which Dependency Scanning uses to launch dedicated containers for each analysis. 
@@ -34,11 +32,13 @@ The Dependency Scanning analyzers' current major version number is 2. Dependency Scanning is pre-configured with a set of **default images** that are maintained by GitLab, but users can also integrate their own **custom images**. -WARNING: -The `bundler-audit` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#bundler-audit-dependency-scanning-tool). + -WARNING: -The `retire.js` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#retire-js-dependency-scanning-tool). +The [`bundler-audit`](https://gitlab.com/gitlab-org/gitlab/-/issues/289832) and [`retire.js`](https://gitlab.com/gitlab-org/gitlab/-/issues/350510) analyzers were deprecated +in GitLab 14.8 and [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86704) in 15.0. +Use Gemnasium instead. + + ## Official default analyzers @@ -67,7 +67,7 @@ the official analyzers. ### Disable specific analyzers You can select the official analyzers you don't want to run. Here's how to disable -`bundler-audit` and `gemnasium` analyzers. +the `gemnasium` analyzer. In `.gitlab-ci.yml` define: ```yaml @@ -75,7 +75,7 @@ include: template: Security/Dependency-Scanning.gitlab-ci.yml variables: - DS_EXCLUDED_ANALYZERS: "bundler-audit, gemnasium" + DS_EXCLUDED_ANALYZERS: "gemnasium" ``` ### Disabling default analyzers @@ -88,7 +88,7 @@ include: template: Security/Dependency-Scanning.gitlab-ci.yml variables: - DS_EXCLUDED_ANALYZERS: "gemnasium, gemnasium-maven, gemnasium-python, bundler-audit, retire.js" + DS_EXCLUDED_ANALYZERS: "gemnasium, gemnasium-maven, gemnasium-python" ``` This is used when one totally relies on [custom analyzers](#custom-analyzers). 
@@ -117,25 +117,25 @@ The [Security Scanner Integration](../../../development/integrations/secure.md) ## Analyzers data -The following table lists the data available for each official analyzer. +The following table lists the data available for the Gemnasium analyzer. -| Property \ Tool | Gemnasium | bundler-audit | Retire.js | -|---------------------------------------|:------------------:|:------------------:|:------------------:| -| Severity | 𐄂 | ✓ | ✓ | -| Title | ✓ | ✓ | ✓ | -| File | ✓ | ⚠ | ✓ | -| Start line | 𐄂 | 𐄂 | 𐄂 | -| End line | 𐄂 | 𐄂 | 𐄂 | -| External ID (for example, CVE) | ✓ | ✓ | ⚠ | -| URLs | ✓ | ✓ | ✓ | -| Internal doc/explanation | ✓ | 𐄂 | 𐄂 | -| Solution | ✓ | ✓ | 𐄂 | -| Confidence | 𐄂 | 𐄂 | 𐄂 | -| Affected item (for example, class or package) | ✓ | ✓ | ✓ | -| Source code extract | 𐄂 | 𐄂 | 𐄂 | -| Internal ID | ✓ | 𐄂 | 𐄂 | -| Date | ✓ | 𐄂 | 𐄂 | -| Credits | ✓ | 𐄂 | 𐄂 | +| Property \ Tool | Gemnasium | +|---------------------------------------|:------------------:| +| Severity | 𐄂 | +| Title | ✓ | +| File | ✓ | +| Start line | 𐄂 | +| End line | 𐄂 | +| External ID (for example, CVE) | ✓ | +| URLs | ✓ | +| Internal doc/explanation | ✓ | +| Solution | ✓ | +| Confidence | 𐄂 | +| Affected item (for example, class or package) | ✓ | +| Source code extract | 𐄂 | +| Internal ID | ✓ | +| Date | ✓ | +| Credits | ✓ | - ✓ => we have that data - ⚠ => we have that data, but it's partially reliable, or we need to extract that data from unstructured content diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 0cec6750202..909f1353221 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -153,9 +153,9 @@ table.supported-languages ul { - Ruby - N/A - Bundler + Ruby + N/A + Bundler