Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-10-27 03:10:53 +00:00
parent 135dd0646b
commit 21c8f4814b
19 changed files with 236 additions and 21 deletions

View File

@ -510,7 +510,7 @@ gem 'kas-grpc', '~> 0.0.2'
gem 'grpc', '~> 1.42.0'
gem 'google-protobuf', '~> 3.21', '>= 3.21.8'
gem 'google-protobuf', '~> 3.21', '>= 3.21.9'
gem 'toml-rb', '~> 2.2.0'

View File

@ -219,14 +219,14 @@
{"name":"gon","version":"6.4.0","platform":"ruby","checksum":"e3a618d659392890f1aa7db420f17c75fd7d35aeb5f8fe003697d02c4b88d2f0"},
{"name":"google-api-client","version":"0.50.0","platform":"ruby","checksum":"3ae45e972f293f3a66e53950ecc0fd350d85d6347c06a430bb971bd1ae5ad617"},
{"name":"google-cloud-env","version":"1.6.0","platform":"ruby","checksum":"6179acb946975892c7908748df5722a4ebadfc8cf5bb7b0d8d933ca67183fa15"},
{"name":"google-protobuf","version":"3.21.8","platform":"java","checksum":"fed99be5fa3f5aafded120fb3efd1544a35cbbbc34d4dc6b84dfabe9fce044e0"},
{"name":"google-protobuf","version":"3.21.8","platform":"ruby","checksum":"d1ff763c4fdf5744e5435a70b3a8100a1b112576aec8133ebee1a861a165f881"},
{"name":"google-protobuf","version":"3.21.8","platform":"x64-mingw-ucrt","checksum":"1a3aed52e5279c914a7bcfe6339b586c169f64f4132c822af7ce3b837ff3a2ae"},
{"name":"google-protobuf","version":"3.21.8","platform":"x64-mingw32","checksum":"ad868d1b7cc090a766bda2980a88a485f7348028aa22bbce6ddee011f9d39810"},
{"name":"google-protobuf","version":"3.21.8","platform":"x86-linux","checksum":"76b0c65611ac96049cec2ab12735dd338e5901def03212c148991c2af3542c40"},
{"name":"google-protobuf","version":"3.21.8","platform":"x86-mingw32","checksum":"94ad5bc5ef18e6b265b4b535b49fb49c7dc093b048df6ed5d9a09de032560a3b"},
{"name":"google-protobuf","version":"3.21.8","platform":"x86_64-darwin","checksum":"9062431f13d4ff6597abd38177910828d339ff755a6609cc02d5963458f00479"},
{"name":"google-protobuf","version":"3.21.8","platform":"x86_64-linux","checksum":"fed2e72269cd0bb1ed5bf372e0d7d9720a9ec749b9618868e98a7e6a09bef162"},
{"name":"google-protobuf","version":"3.21.9","platform":"java","checksum":"8483ab2487170434f7a139d6534b3a166e4ec244a6fd8929f758d87abbb82fee"},
{"name":"google-protobuf","version":"3.21.9","platform":"ruby","checksum":"5a656c159aa2c85008af7eab3f603cf22921b748e09438f6682dcf696d518adc"},
{"name":"google-protobuf","version":"3.21.9","platform":"x64-mingw-ucrt","checksum":"7cb37b76241150212703f0ac582555f6fda1c7c66f58c1164667e783141e25fe"},
{"name":"google-protobuf","version":"3.21.9","platform":"x64-mingw32","checksum":"54df7b9df435cc5c715261fbe8897fe03dd4b0e68e052aa0bb814c31bc66ef35"},
{"name":"google-protobuf","version":"3.21.9","platform":"x86-linux","checksum":"11f28f344f6b6afa78fa0688379e39fbc86da4c199f04a51da7a29cf2db8205d"},
{"name":"google-protobuf","version":"3.21.9","platform":"x86-mingw32","checksum":"a2dce43556196b6bb0fce2cf28df70fdca4255607fb9e1ffb7ee611953436a9a"},
{"name":"google-protobuf","version":"3.21.9","platform":"x86_64-darwin","checksum":"9e948a08ee27cca8acf794c798db16d918ce503eae06525d7551dc05ac3324c0"},
{"name":"google-protobuf","version":"3.21.9","platform":"x86_64-linux","checksum":"d4053012022f7bf47cd54c7c19416f600325e6cc1e1604a631c2fde69dd920a4"},
{"name":"googleapis-common-protos-types","version":"1.3.0","platform":"ruby","checksum":"c5411f3197cc3e02547ded1858303b1f830b4dc89c588c142ad6c8a231050671"},
{"name":"googleauth","version":"0.14.0","platform":"ruby","checksum":"4659b563d5b2727e775ba9231e75485c1b55ac8fc319e0bf1bc87d5e9705a632"},
{"name":"gpgme","version":"2.0.20","platform":"ruby","checksum":"fc194689cff40cd4ccafb3086031e930650b3efc15348bbfdf7a2f8b5a826f75"},

View File

@ -619,7 +619,7 @@ GEM
signet (~> 0.12)
google-cloud-env (1.6.0)
faraday (>= 0.17.3, < 3.0)
google-protobuf (3.21.8)
google-protobuf (3.21.9)
googleapis-common-protos-types (1.3.0)
google-protobuf (~> 3.14)
googleauth (0.14.0)
@ -1644,7 +1644,7 @@ DEPENDENCIES
gitlab_omniauth-ldap (~> 2.2.0)
gon (~> 6.4.0)
google-api-client (~> 0.33)
google-protobuf (~> 3.21, >= 3.21.8)
google-protobuf (~> 3.21, >= 3.21.9)
gpgme (~> 2.0.19)
grape (~> 1.5.2)
grape-entity (~> 0.10.0)

View File

@ -43,12 +43,14 @@ Example response:
"name": "master",
"push_access_levels": [
{
"id": 1,
"access_level": 40,
"access_level_description": "Maintainers"
}
],
"merge_access_levels": [
{
"id": 1,
"access_level": 40,
"access_level_description": "Maintainers"
}
@ -61,12 +63,14 @@ Example response:
"name": "release/*",
"push_access_levels": [
{
"id": 1,
"access_level": 40,
"access_level_description": "Maintainers"
}
],
"merge_access_levels": [
{
"id": 1,
"access_level": 40,
"access_level_description": "Maintainers"
}
@ -90,6 +94,7 @@ Example response:
"name": "master",
"push_access_levels": [
{
"id": 1,
"access_level": 40,
"user_id": null,
"group_id": null,
@ -98,6 +103,7 @@ Example response:
],
"merge_access_levels": [
{
"id": 1,
"access_level": null,
"user_id": null,
"group_id": 1234,
@ -136,12 +142,14 @@ Example response:
"name": "master",
"push_access_levels": [
{
"id": 1,
"access_level": 40,
"access_level_description": "Maintainers"
}
],
"merge_access_levels": [
{
"id": 1,
"access_level": 40,
"access_level_description": "Maintainers"
}
@ -162,6 +170,7 @@ Example response:
"name": "master",
"push_access_levels": [
{
"id": 1,
"access_level": 40,
"user_id": null,
"group_id": null,
@ -170,6 +179,7 @@ Example response:
],
"merge_access_levels": [
{
"id": 1,
"access_level": null,
"user_id": null,
"group_id": 1234,
@ -215,18 +225,21 @@ Example response:
"name": "*-stable",
"push_access_levels": [
{
"id": 1,
"access_level": 30,
"access_level_description": "Developers + Maintainers"
}
],
"merge_access_levels": [
{
"id": 1,
"access_level": 30,
"access_level_description": "Developers + Maintainers"
}
],
"unprotect_access_levels": [
{
"id": 1,
"access_level": 40,
"access_level_description": "Maintainers"
}
@ -247,6 +260,7 @@ Example response:
"name": "*-stable",
"push_access_levels": [
{
"id": 1,
"access_level": 30,
"user_id": null,
"group_id": null,
@ -255,6 +269,7 @@ Example response:
],
"merge_access_levels": [
{
"id": 1,
"access_level": 30,
"user_id": null,
"group_id": null,
@ -263,6 +278,7 @@ Example response:
],
"unprotect_access_levels": [
{
"id": 1,
"access_level": 40,
"user_id": null,
"group_id": null,
@ -291,6 +307,7 @@ Example response:
"name": "*-stable",
"push_access_levels": [
{
"id": 1,
"access_level": null,
"user_id": 1,
"group_id": null,
@ -299,6 +316,7 @@ Example response:
],
"merge_access_levels": [
{
"id": 1,
"access_level": 40,
"user_id": null,
"group_id": null,
@ -307,6 +325,7 @@ Example response:
],
"unprotect_access_levels": [
{
"id": 1,
"access_level": 40,
"user_id": null,
"group_id": null,
@ -348,6 +367,7 @@ Example response:
"name": "master",
"push_access_levels": [
{
"id": 1,
"access_level": 30,
"access_level_description": "Developers + Maintainers",
"user_id": null,
@ -356,12 +376,14 @@ Example response:
],
"merge_access_levels": [
{
"id": 1,
"access_level": 30,
"access_level_description": "Developers + Maintainers",
"user_id": null,
"group_id": null
},
{
"id": 2,
"access_level": 40,
"access_level_description": "Maintainers",
"user_id": null,
@ -370,6 +392,7 @@ Example response:
],
"unprotect_access_levels": [
{
"id": 1,
"access_level": 40,
"access_level_description": "Maintainers",
"user_id": null,

View File

@ -41,6 +41,7 @@ Example response:
"name": "release-1-0",
"create_access_levels": [
{
"id":1,
"access_level": 40,
"access_level_description": "Maintainers"
}
@ -75,6 +76,7 @@ Example response:
"name": "release-1-0",
"create_access_levels": [
{
"id": 1,
"access_level": 40,
"access_level_description": "Maintainers"
}
@ -109,6 +111,7 @@ Example response:
"name": "*-stable",
"create_access_levels": [
{
"id": 1,
"access_level": 30,
"access_level_description": "Developers + Maintainers"
}

Binary file not shown.

After

Width:  |  Height:  |  Size: 36 KiB

View File

@ -68,3 +68,88 @@ Depending on the context, the security reports may be stored either in the datab
While CI/CD templates are the responsibility of the Verify section, many are critical to the Sec Section's feature usage.
If you are working with CI/CD templates, please read the [development guide for GitLab CI/CD templates](../cicd/templates.md).
## Importance of the primary identifier
Within analyzer JSON reports, the [`identifiers` field](../integrations/secure.md#identifiers) contains a collection of types and categories by which
a vulnerability can be described (that is, a CWE family).
The first item in the `identifiers` collection is known as the [primary identifier](../../user/application_security/terminology#primary-identifier),
a critical component to both describing and tracking vulnerabilities.
In most other cases, the `identifiers` collection is unordered, where the remaining secondary identifiers act as metadata for grouping vulnerabilities
(see [Analyzer vulnerability translation](#analyzer-vulnerability-translation) below for the exception).
Any time the primary identifier changes and a project pipeline is re-run, ingestion of the new report will “orphan” the previous DB record.
Because our processing logic relies on generating a delta of two different vulnerabilities, it can end up looking rather confusing. For example:
[!Screenshot of primary identifier mismatch in MR widget](img/primary_identifier_changed_v15_6.png)
After being [merged](../integrations/secure.md#tracking-and-merging-vulnerabilities), the previous vulnerability is listed as "remediated" and the introduced as ["detected"](../../user/application_security/vulnerabilities/index.md#vulnerability-status-values).
### Guiding principles for ensuring primary identifier stability
- A primary identifier should never change unless we have a compelling reason.
- Analyzer supporting vulnerability translation must include the legacy primary identifiers in a secondary position to prevent “orphaning” of results.
- Beyond the primary identifier, the order of secondary identifiers does not matter.
- The identifier is unique based on a combination of the `Type` and `Value` fields (see [identifier fingerprint](https://gitlab.com/gitlab-org/gitlab/-/blob/v15.5.1-ee/lib/gitlab/ci/reports/security/identifier.rb#L63)).
- If we change the primary identifier, rolling back analyzers to previous versions will not fix the orphaned results. The data previously ingested into our database is an artifact of previous jobs with few ways of automating data migrations.
### Analyzer vulnerability translation
In the case of SAST's semgrep analyzer, there is a secondary identifier of particular importance: the identifier linking the reports vulnerability
to the legacy analyzer (that is, bandit or eslint).
To [enable vulnerability translation](../../user/application_security/sast/analyzers.md#vulnerability-translation)
the semgrep analyzer relies on a secondary identifier exactly matching the primary identifier of the legacy analyzer.
For example, when [`eslint`](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) was previously used to generate vulnerability records,
the [`semgrep`](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) analyzer must produce an identifier collection containing the
original eslint primary identifier.
Given the original `eslint` report:
```json
{
"version": "14.0.4",
"vulnerabilities": [
{
"identifiers": [
{
"type": "eslint_rule_id",
"name": "ESLint rule ID security/detect-eval-with-expression",
"value": "security/detect-eval-with-expression"
}
]
}
]
}
```
The corresponding semgrep report must contain the `eslint_rule_id`:
```json
{
"version": "14.0.4",
"vulnerabilities": [
{
"identifiers": [
{
"type": "semgrep_id",
"name": "eslint.detect-eval-with-expression",
"value": "eslint.detect-eval-with-expression",
"url": "https://semgrep.dev/r/gitlab.eslint.detect-eval-with-expression"
},
{
"type": "eslint_rule_id",
"name": "ESLint rule ID security/detect-eval-with-expression",
"value": "security/detect-eval-with-expression"
}
]
}
]
}
```
[Tracking of vulnerabilities](../integrations/secure.md#tracking-and-merging-vulnerabilities) relies on a combination of the two identifiers
to remap DB records previously generated with the legacy analyzers to those generated with the new `semgrep` ones.

View File

@ -3,6 +3,7 @@
module API
module Entities
class ProtectedRefAccess < Grape::Entity
expose :id
expose :access_level
expose :access_level_description do |protected_ref_access|
protected_ref_access.humanize

View File

@ -2,7 +2,7 @@
module QA
RSpec.describe 'Analytics' do
describe 'Performance bar display', :requires_admin, :skip_live_env do
describe 'Performance bar display', :requires_admin, :skip_live_env, product_group: :product_analytics do
context 'when logged in as an admin user' do
# performance metrics: pg, gitaly, redis, rugged (feature flagged), total (not always provided)
let(:minimum_metrics_count) { 3 }

View File

@ -2,7 +2,7 @@
module QA
RSpec.describe 'Analytics' do
describe 'Service ping default enabled' do
describe 'Service ping default enabled', product_group: :product_intelligence do
context 'when using default enabled from gitlab.yml config', :requires_admin, except: { job: 'review-qa-*' } do
before do
Flow::Login.sign_in_as_admin

View File

@ -1,7 +1,7 @@
# frozen_string_literal: true
module QA
RSpec.describe 'Analytics' do
RSpec.describe 'Analytics', product_group: :product_intelligence do
describe 'Service ping disabled', :orchestrated, :service_ping_disabled, :requires_admin do
context 'when disabled from gitlab.yml config' do
before do

View File

@ -0,0 +1,25 @@
{
"type": "object",
"required": [
"id",
"access_level",
"access_level_description"
],
"properties": {
"id": {
"type": "integer"
},
"access_level": {
"type": [
"integer",
"null"
]
},
"access_level_description": {
"type": [
"string",
"null"
]
}
}
}

View File

@ -0,0 +1,33 @@
{
"type": "object",
"required": [
"id",
"name",
"push_access_levels",
"merge_access_levels",
"allow_force_push"
],
"properties": {
"id": {
"type": "integer"
},
"name": {
"type": "string"
},
"push_access_levels": {
"type": "array",
"items": {
"$ref": "entities/protected_ref_access.json"
}
},
"merge_access_levels": {
"type": "array",
"items": {
"$ref": "entities/protected_ref_access.json"
}
},
"allow_force_push": {
"type": "boolean"
}
}
}

View File

@ -0,0 +1,6 @@
{
"type": "array",
"items": {
"$ref": "protected_branch.json"
}
}

View File

@ -0,0 +1,19 @@
{
"type": "object",
"required": [
"name",
"create_access_levels"
],
"properties": {
"name": {
"type": "string"
},
"create_access_levels": {
"type": "array",
"items": {
"$ref": "entities/protected_ref_access.json"
}
},
"additionalProperties": false
}
}

View File

@ -0,0 +1,6 @@
{
"type": "array",
"items": {
"$ref": "protected_tag.json"
}
}

View File

@ -34,11 +34,11 @@ export const describeMarkdownSnapshots = (description, glfmSpecificationDir) =>
path.join(glfmSpecificationDir, 'input', 'gitlab_flavored_markdown'),
'glfm_example_status.yml',
);
const glfmExampleSnapshotsDir = path.join(glfmSpecificationDir, 'example_snapshots');
const markdownExamples = loadExamples(glfmExampleSnapshotsDir, 'markdown.yml');
const expectedHtmlExamples = loadExamples(glfmExampleSnapshotsDir, 'html.yml');
const outputExampleSnapshotsDir = path.join(glfmSpecificationDir, 'output_example_snapshots');
const markdownExamples = loadExamples(outputExampleSnapshotsDir, 'markdown.yml');
const expectedHtmlExamples = loadExamples(outputExampleSnapshotsDir, 'html.yml');
const expectedProseMirrorJsonExamples = loadExamples(
glfmExampleSnapshotsDir,
outputExampleSnapshotsDir,
'prosemirror_json.yml',
);

View File

@ -29,8 +29,7 @@ RSpec.describe API::ProtectedBranches do
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(response).to match_response_schema('protected_branches')
protected_branch_names = json_response.map { |x| x['name'] }
expect(protected_branch_names).to match_array(expected_branch_names)
end
@ -71,6 +70,7 @@ RSpec.describe API::ProtectedBranches do
get api(route, user)
expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('protected_branch')
expect(json_response['name']).to eq(branch_name)
expect(json_response['allow_force_push']).to eq(false)
expect(json_response['push_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
@ -130,6 +130,7 @@ RSpec.describe API::ProtectedBranches do
post post_endpoint, params: { name: branch_name }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_branch')
expect(json_response['name']).to eq(branch_name)
expect(json_response['allow_force_push']).to eq(false)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
@ -140,6 +141,7 @@ RSpec.describe API::ProtectedBranches do
post post_endpoint, params: { name: branch_name, push_access_level: 30 }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_branch')
expect(json_response['name']).to eq(branch_name)
expect(json_response['allow_force_push']).to eq(false)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::DEVELOPER)
@ -150,6 +152,7 @@ RSpec.describe API::ProtectedBranches do
post post_endpoint, params: { name: branch_name, merge_access_level: 30 }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_branch')
expect(json_response['name']).to eq(branch_name)
expect(json_response['allow_force_push']).to eq(false)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
@ -160,6 +163,7 @@ RSpec.describe API::ProtectedBranches do
post post_endpoint, params: { name: branch_name, push_access_level: 30, merge_access_level: 30 }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_branch')
expect(json_response['name']).to eq(branch_name)
expect(json_response['allow_force_push']).to eq(false)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::DEVELOPER)
@ -170,6 +174,7 @@ RSpec.describe API::ProtectedBranches do
post post_endpoint, params: { name: branch_name, push_access_level: 0 }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_branch')
expect(json_response['name']).to eq(branch_name)
expect(json_response['allow_force_push']).to eq(false)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
@ -180,6 +185,7 @@ RSpec.describe API::ProtectedBranches do
post post_endpoint, params: { name: branch_name, merge_access_level: 0 }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_branch')
expect(json_response['name']).to eq(branch_name)
expect(json_response['allow_force_push']).to eq(false)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
@ -190,6 +196,7 @@ RSpec.describe API::ProtectedBranches do
post post_endpoint, params: { name: branch_name, push_access_level: 0, merge_access_level: 0 }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_branch')
expect(json_response['name']).to eq(branch_name)
expect(json_response['allow_force_push']).to eq(false)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
@ -200,6 +207,7 @@ RSpec.describe API::ProtectedBranches do
post post_endpoint, params: { name: branch_name, allow_force_push: true }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_branch')
expect(json_response['name']).to eq(branch_name)
expect(json_response['allow_force_push']).to eq(true)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)

View File

@ -22,7 +22,7 @@ RSpec.describe API::ProtectedTags do
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(response).to match_response_schema('protected_tags')
protected_tag_names = json_response.map { |x| x['name'] }
expected_tags_names = project.protected_tags.map { |x| x['name'] }
@ -57,6 +57,7 @@ RSpec.describe API::ProtectedTags do
get api(route, user)
expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('protected_tag')
expect(json_response['name']).to eq(tag_name)
expect(json_response['create_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
end
@ -108,6 +109,7 @@ RSpec.describe API::ProtectedTags do
post api("/projects/#{project.id}/protected_tags", user), params: { name: tag_name }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_tag')
expect(json_response['name']).to eq(tag_name)
expect(json_response['create_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
end
@ -117,6 +119,7 @@ RSpec.describe API::ProtectedTags do
params: { name: tag_name, create_access_level: 30 }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_tag')
expect(json_response['name']).to eq(tag_name)
expect(json_response['create_access_levels'][0]['access_level']).to eq(Gitlab::Access::DEVELOPER)
end
@ -126,6 +129,7 @@ RSpec.describe API::ProtectedTags do
params: { name: tag_name, create_access_level: 0 }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_tag')
expect(json_response['name']).to eq(tag_name)
expect(json_response['create_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
end
@ -142,6 +146,7 @@ RSpec.describe API::ProtectedTags do
post api("/projects/#{project2.id}/protected_tags", user), params: { name: protected_name }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_tag')
expect(json_response['name']).to eq(protected_name)
end
@ -152,6 +157,7 @@ RSpec.describe API::ProtectedTags do
post api("/projects/#{project.id}/protected_tags", user), params: { name: tag_name }
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('protected_tag')
expect(json_response['name']).to eq(tag_name)
expect(json_response['create_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
end