diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml index ccdc2c1b90a..22e4b181c0e 100644 --- a/.gitlab/ci/rules.gitlab-ci.yml +++ b/.gitlab/ci/rules.gitlab-ci.yml @@ -1456,6 +1456,24 @@ - <<: *if-merge-request changes: *ci-patterns +.semgrep-appsec-custom-rules:rules: + rules: + - <<: *if-not-ee + when: never + - <<: *if-merge-request + changes: *code-backstage-qa-patterns + +.ping-appsec-for-sast-findings:rules: + rules: + # Requiring $CUSTOM_SAST_RULES_BOT_PAT prevents the bot from running on forks or CE + # Without it the script would fail too. + - if: "$CUSTOM_SAST_RULES_BOT_PAT == null" + when: never + - <<: *if-not-ee + when: never + - <<: *if-merge-request + changes: *code-backstage-qa-patterns + ####################### # Vendored gems rules # ####################### diff --git a/.gitlab/ci/static-analysis.gitlab-ci.yml b/.gitlab/ci/static-analysis.gitlab-ci.yml index e1257e778bd..0fda3872500 100644 --- a/.gitlab/ci/static-analysis.gitlab-ci.yml +++ b/.gitlab/ci/static-analysis.gitlab-ci.yml 
@@ -152,3 +152,39 @@ feature-flags-usage: when: always paths: - tmp/feature_flags/ + +semgrep-appsec-custom-rules: + stage: lint + extends: + - .semgrep-appsec-custom-rules:rules + image: returntocorp/semgrep + needs: [] + script: + # Required to avoid a timeout https://github.com/returntocorp/semgrep/issues/5395 + - git fetch origin master + # Include/exclude list isn't ideal https://github.com/returntocorp/semgrep/issues/5399 + - | + semgrep ci --gitlab-sast --metrics off --config $CUSTOM_RULES_URL \ + --include app --include lib --include workhorse \ + --exclude '*_test.go' --exclude spec --exclude qa > gl-sast-report.json || true + variables: + CUSTOM_RULES_URL: https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/-/raw/main/appsec-pings/rules.yml + artifacts: + paths: + - gl-sast-report.json + reports: + sast: gl-sast-report.json + +ping-appsec-for-sast-findings: + stage: lint + image: alpine:latest + extends: + - .ping-appsec-for-sast-findings:rules + variables: + # Project Access Token bot ID for /gitlab-com/gl-security/appsec/sast-custom-rules + BOT_USER_ID: 11727358 + needs: + - semgrep-appsec-custom-rules + script: + - apk add jq curl + - scripts/process_custom_semgrep_results.sh diff --git a/.rubocop.yml b/.rubocop.yml index 47c7e5b5e35..e4b46121df6 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -779,3 +779,6 @@ Migration/BackgroundMigrationBaseClass: Style/ClassAndModuleChildren: Enabled: true + +Fips/OpenSSL: + Enabled: false diff --git a/.rubocop_todo/fips/open_ssl.yml b/.rubocop_todo/fips/open_ssl.yml deleted file mode 100644 index 03a551112ab..00000000000 --- a/.rubocop_todo/fips/open_ssl.yml +++ /dev/null 
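Review bot: The ruleset behind `CUSTOM_RULES_URL` is fetched from the mutable `main` ref of another project and `image: returntocorp/semgrep` / `image: alpine:latest` carry no tag or digest, so what the `semgrep-appsec-custom-rules` and `ping-appsec-for-sast-findings` jobs actually execute can change without any commit to this repository; pin the rules URL to a tag or commit SHA and the images to a digest. The `|| true` after `semgrep ci` also turns a scanner failure (rules download error, parse crash) into a green job with an empty or missing `gl-sast-report.json`, which the downstream ping job cannot distinguish from "no findings". Consider dropping `|| true` and setting `allow_failure: true` on the job (or `allow_failure: exit_codes:` for the findings exit status) so a broken scan stays visible. A short comment above `CUSTOM_RULES_URL` stating that the job scans only `app`, `lib` and `workhorse` even though its rules trigger on `*code-backstage-qa-patterns` would help the next reader.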
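Review bot: `Fips/OpenSSL` is switched off project-wide with no comment explaining why, while the per-file todo exclusions for the same cop are deleted in this commit, so nothing records whether the cop is gone for good or parked. A one-line comment above `Fips/OpenSSL:` such as `# Disabled pending <tracking issue placeholder>; OpenSSL usages are no longer flagged by RuboCop` would make the intent and the coverage gap explicit.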
@@ -1,222 +0,0 @@ ---- -# Cop supports --auto-correct. -Fips/OpenSSL: - Exclude: - - 'app/controllers/application_controller.rb' - - 'app/controllers/concerns/authenticates_with_two_factor.rb' - - 'app/controllers/projects/merge_requests/diffs_controller.rb' - - 'app/controllers/projects/merge_requests_controller.rb' - - 'app/helpers/application_helper.rb' - - 'app/models/ci/artifact_blob.rb' - - 'app/models/concerns/analytics/cycle_analytics/stage.rb' - - 'app/models/concerns/checksummable.rb' - - 'app/models/concerns/token_authenticatable_strategies/encryption_helper.rb' - - 'app/models/diff_discussion.rb' - - 'app/models/discussion.rb' - - 'app/models/legacy_diff_note.rb' - - 'app/models/namespace.rb' - - 'app/models/note.rb' - - 'app/models/performance_monitoring/prometheus_panel.rb' - - 'app/models/protected_branch.rb' - - 'app/models/release_highlight.rb' - - 'app/models/repository.rb' - - 'app/models/resource_event.rb' - - 'app/models/snippet.rb' - - 'app/models/storage/hashed.rb' - - 'app/models/token_with_iv.rb' - - 'app/presenters/packages/composer/packages_presenter.rb' - - 'app/services/ci/build_report_result_service.rb' - - 'app/services/metrics/dashboard/transient_embed_service.rb' - - 'app/services/packages/debian/generate_distribution_service.rb' - - 'app/services/packages/go/create_package_service.rb' - - 'app/services/packages/maven/metadata/append_package_file_service.rb' - - 'app/services/packages/rubygems/create_gemspec_service.rb' - - 'app/services/pages/migrate_legacy_storage_to_deployment_service.rb' - - 'app/services/projects/lfs_pointers/lfs_download_service.rb' - - 'app/uploaders/ci/secure_file_uploader.rb' - - 'config/initializers/doorkeeper_openid_connect.rb' - - 'config/initializers/session_store.rb' - - 'config/settings.rb' - - 'db/post_migrate/20210731132939_backfill_stage_event_hash.rb' - - 'ee/app/models/storage_shard.rb' - - 'ee/app/services/elastic/bookkeeping_shard_service.rb' - - 'ee/app/services/security/track_scan_service.rb' 
- - 'ee/app/services/vulnerabilities/create_service_base.rb' - - 'ee/app/services/vulnerabilities/manually_create_service.rb' - - 'ee/app/services/vulnerabilities/starboard_vulnerability_create_service.rb' - - 'ee/lib/ee/gitlab/background_migration/populate_latest_pipeline_ids.rb' - - 'ee/lib/ee/gitlab/background_migration/populate_resolved_on_default_branch_column.rb' - - 'ee/lib/ee/gitlab/background_migration/recalculate_vulnerability_finding_signatures_for_findings.rb' - - 'ee/lib/gitlab/analytics/cycle_analytics/stage_events/label_based_stage_event.rb' - - 'ee/lib/gitlab/ci/reports/dependency_list/dependency.rb' - - 'ee/lib/gitlab/ci/reports/security/remediation.rb' - - 'ee/lib/gitlab/geo/replication/blob_downloader.rb' - - 'ee/spec/factories/vulnerabilities/feedback.rb' - - 'ee/spec/factories/vulnerabilities/finding_signatures.rb' - - 'ee/spec/factories/vulnerabilities/remediations.rb' - - 'ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb' - - 'ee/spec/lib/ee/gitlab/alert_management/payload/generic_spec.rb' - - 'ee/spec/lib/ee/gitlab/background_migration/populate_uuids_for_security_findings_spec.rb' - - 'ee/spec/lib/ee/gitlab/background_migration/recalculate_vulnerability_finding_signatures_for_findings_spec.rb' - - 'ee/spec/lib/ee/gitlab/background_migration/update_vulnerability_occurrences_location_spec.rb' - - 'ee/spec/lib/gitlab/analytics/cycle_analytics/stage_events/issue_label_added_spec.rb' - - 'ee/spec/lib/gitlab/analytics/cycle_analytics/stage_events/issue_label_removed_spec.rb' - - 'ee/spec/lib/gitlab/analytics/cycle_analytics/stage_events/merge_request_label_added_spec.rb' - - 'ee/spec/lib/gitlab/analytics/cycle_analytics/stage_events/merge_request_label_removed_spec.rb' - - 'ee/spec/lib/gitlab/ci/reports/security/locations/cluster_image_scanning_spec.rb' - - 'ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb' - - 'ee/spec/lib/gitlab/ci/reports/security/locations/dast_spec.rb' - - 
'ee/spec/lib/gitlab/ci/reports/security/locations/dependency_scanning_spec.rb' - - 'ee/spec/migrations/update_vulnerability_occurrences_location_spec.rb' - - 'ee/spec/models/merge_train_spec.rb' - - 'ee/spec/models/resource_weight_event_spec.rb' - - 'ee/spec/models/vulnerabilities/finding_signature_spec.rb' - - 'ee/spec/models/vulnerabilities/finding_spec.rb' - - 'ee/spec/services/alert_management/process_prometheus_alert_service_spec.rb' - - 'ee/spec/services/merge_trains/check_status_service_spec.rb' - - 'ee/spec/services/projects/alerting/notify_service_spec.rb' - - 'ee/spec/services/security/ingestion/tasks/ingest_identifiers_spec.rb' - - 'ee/spec/services/security/ingestion/tasks/ingest_remediations_spec.rb' - - 'ee/spec/services/security/override_uuids_service_spec.rb' - - 'ee/spec/services/security/track_scan_service_spec.rb' - - 'ee/spec/services/vulnerabilities/manually_create_service_spec.rb' - - 'ee/spec/support/matchers/locked_schema.rb' - - 'lib/api/files.rb' - - 'lib/api/maven_packages.rb' - - 'lib/atlassian/jira_connect/serializers/branch_entity.rb' - - 'lib/container_registry/client.rb' - - 'lib/extracts_path.rb' - - 'lib/gitlab/alert_management/fingerprint.rb' - - 'lib/gitlab/analytics/cycle_analytics/stage_events/stage_event.rb' - - 'lib/gitlab/background_migration/backfill_note_discussion_id.rb' - - 'lib/gitlab/background_migration/backfill_project_repositories.rb' - - 'lib/gitlab/ci/pipeline/seed/build/cache.rb' - - 'lib/gitlab/ci/reports/security/finding.rb' - - 'lib/gitlab/ci/reports/security/finding_signature.rb' - - 'lib/gitlab/ci/reports/security/identifier.rb' - - 'lib/gitlab/ci/reports/security/locations/base.rb' - - 'lib/gitlab/ci/reports/test_case.rb' - - 'lib/gitlab/color.rb' - - 'lib/gitlab/composer/version_index.rb' - - 'lib/gitlab/crypto_helper.rb' - - 'lib/gitlab/database/migration_helpers.rb' - - 'lib/gitlab/database/migration_helpers/v2.rb' - - 'lib/gitlab/database/partitioning_migration_helpers/foreign_key_helpers.rb' - - 
'lib/gitlab/database/schema_helpers.rb' - - 'lib/gitlab/database/schema_migrations/migrations.rb' - - 'lib/gitlab/database/unidirectional_copy_trigger.rb' - - 'lib/gitlab/diff/file.rb' - - 'lib/gitlab/diff/formatters/base_formatter.rb' - - 'lib/gitlab/diff/position.rb' - - 'lib/gitlab/experimentation/controller_concern.rb' - - 'lib/gitlab/git.rb' - - 'lib/gitlab/git/branch.rb' - - 'lib/gitlab/git/lfs_pointer_file.rb' - - 'lib/gitlab/git/tag.rb' - - 'lib/gitlab/hashed_path.rb' - - 'lib/gitlab/insecure_key_fingerprint.rb' - - 'lib/gitlab/sidekiq_middleware/duplicate_jobs/duplicate_job.rb' - - 'lib/gitlab/slug/environment.rb' - - 'lib/gitlab/verify/job_artifacts.rb' - - 'lib/json_web_token/rsa_token.rb' - - 'lib/tasks/gitlab/assets.rake' - - 'lib/tasks/tanuki_emoji.rake' - - 'qa/qa/service/praefect_manager.rb' - - 'qa/qa/specs/features/browser_ui/6_release/deploy_key/clone_using_deploy_key_spec.rb' - - 'qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_non_enforced_sso_spec.rb' - - 'scripts/security-harness' - - 'spec/components/diffs/stats_component_spec.rb' - - 'spec/controllers/projects/blob_controller_spec.rb' - - 'spec/factories/ci/job_artifacts.rb' - - 'spec/factories/ci/reports/security/finding_keys.rb' - - 'spec/factories/ci/unit_test.rb' - - 'spec/factories/commit_signature/gpg_signature.rb' - - 'spec/factories/commit_signature/ssh_signature.rb' - - 'spec/factories/commit_signature/x509_commit_signature.rb' - - 'spec/factories/design_management/designs.rb' - - 'spec/factories/diff_position.rb' - - 'spec/factories/gitaly/commit.rb' - - 'spec/factories/merge_request_context_commit.rb' - - 'spec/factories/merge_request_context_commit_diff_file.rb' - - 'spec/factories/merge_request_diff_commits.rb' - - 'spec/factories/merge_request_diffs.rb' - - 'spec/factories/pages_deployments.rb' - - 'spec/factories/sequences.rb' - - 'spec/factories/token_with_ivs.rb' - - 'spec/features/file_uploads/git_lfs_spec.rb' - - 
'spec/features/merge_request/user_sees_diff_spec.rb' - - 'spec/features/merge_request/user_suggests_changes_on_diff_spec.rb' - - 'spec/finders/merge_requests/oldest_per_commit_finder_spec.rb' - - 'spec/lib/gitlab/alert_management/fingerprint_spec.rb' - - 'spec/lib/gitlab/alert_management/payload/base_spec.rb' - - 'spec/lib/gitlab/alert_management/payload/generic_spec.rb' - - 'spec/lib/gitlab/alert_management/payload/prometheus_spec.rb' - - 'spec/lib/gitlab/background_migration/backfill_note_discussion_id_spec.rb' - - 'spec/lib/gitlab/background_migration/populate_vulnerability_reads_spec.rb' - - 'spec/lib/gitlab/ci/reports/security/finding_signature_spec.rb' - - 'spec/lib/gitlab/ci/reports/security/locations/sast_spec.rb' - - 'spec/lib/gitlab/ci/reports/security/locations/secret_detection_spec.rb' - - 'spec/lib/gitlab/ci/reports/test_case_spec.rb' - - 'spec/lib/gitlab/crypto_helper_spec.rb' - - 'spec/lib/gitlab/database/migration_helpers_spec.rb' - - 'spec/lib/gitlab/database/schema_migrations/migrations_spec.rb' - - 'spec/lib/gitlab/diff/file_spec.rb' - - 'spec/lib/gitlab/diff/position_spec.rb' - - 'spec/lib/gitlab/diff/position_tracer/image_strategy_spec.rb' - - 'spec/lib/gitlab/diff/position_tracer/line_strategy_spec.rb' - - 'spec/lib/gitlab/experimentation/controller_concern_spec.rb' - - 'spec/lib/gitlab/git/branch_spec.rb' - - 'spec/lib/gitlab/git/tag_spec.rb' - - 'spec/lib/gitlab/sidekiq_middleware/duplicate_jobs/duplicate_job_spec.rb' - - 'spec/lib/gitlab/slug/environment_spec.rb' - - 'spec/migrations/20220107064845_populate_vulnerability_reads_spec.rb' - - 'spec/migrations/20220524074947_finalize_backfill_null_note_discussion_ids_spec.rb' - - 'spec/migrations/delete_security_findings_without_uuid_spec.rb' - - 'spec/migrations/schedule_recalculate_vulnerability_finding_signatures_for_findings_spec.rb' - - 'spec/models/ci/artifact_blob_spec.rb' - - 'spec/models/ci/job_artifact_spec.rb' - - 'spec/models/ci/pipeline_spec.rb' - - 
'spec/models/ci/secure_file_spec.rb' - - 'spec/models/ci/unit_test_spec.rb' - - 'spec/models/concerns/checksummable_spec.rb' - - 'spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb' - - 'spec/models/design_management/version_spec.rb' - - 'spec/models/diff_discussion_spec.rb' - - 'spec/models/discussion_spec.rb' - - 'spec/models/lfs_object_spec.rb' - - 'spec/models/merge_request_diff_spec.rb' - - 'spec/models/merge_request_spec.rb' - - 'spec/models/note_spec.rb' - - 'spec/models/pages_deployment_spec.rb' - - 'spec/models/performance_monitoring/prometheus_panel_spec.rb' - - 'spec/models/project_spec.rb' - - 'spec/models/release_highlight_spec.rb' - - 'spec/models/repository_spec.rb' - - 'spec/models/token_with_iv_spec.rb' - - 'spec/models/upload_spec.rb' - - 'spec/requests/api/ci/runner/jobs_artifacts_spec.rb' - - 'spec/requests/api/ci/secure_files_spec.rb' - - 'spec/requests/openid_connect_spec.rb' - - 'spec/services/dependency_proxy/find_cached_manifest_service_spec.rb' - - 'spec/services/dependency_proxy/head_manifest_service_spec.rb' - - 'spec/services/dependency_proxy/request_token_service_spec.rb' - - 'spec/services/import_export_clean_up_service_spec.rb' - - 'spec/services/pages/migrate_legacy_storage_to_deployment_service_spec.rb' - - 'spec/services/projects/after_rename_service_spec.rb' - - 'spec/services/projects/create_service_spec.rb' - - 'spec/services/projects/lfs_pointers/lfs_download_service_spec.rb' - - 'spec/support/helpers/workhorse_helpers.rb' - - 'spec/support/migrations_helpers/vulnerabilities_findings_helper.rb' - - 'spec/support/shared_examples/lib/gitlab/ci/ci_trace_shared_examples.rb' - - 'spec/support/shared_examples/lib/gitlab/cycle_analytics/event_shared_examples.rb' - - 'spec/support/shared_examples/lib/gitlab/position_formatters_shared_examples.rb' - - 'spec/support/shared_examples/services/alert_management/alert_processing/alert_firing_shared_examples.rb' - - 
'spec/support/shared_examples/services/alert_management/alert_processing/alert_recovery_shared_examples.rb' - - 'spec/support/shared_examples/services/metrics/dashboard_shared_examples.rb' - - 'spec/support/shared_examples/services/packages/debian/generate_distribution_shared_examples.rb' - - 'spec/support/shared_examples/uploaders/object_storage_shared_examples.rb' - - 'spec/support/trace/trace_helpers.rb' - - 'spec/uploaders/ci/secure_file_uploader_spec.rb' - - 'spec/uploaders/job_artifact_uploader_spec.rb' - - 'spec/validators/sha_validator_spec.rb' - - 'spec/workers/update_head_pipeline_for_merge_request_worker_spec.rb' diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 7144b774b05..b60ef3d1d5d 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -5caf724a8305ea04370dc49f0d9a7d5f3bc8dd4a +2b069d8536df98547acba92719b7554d1c7f2262 diff --git a/Gemfile b/Gemfile index 195a4b2861b..aad6cbc551d 100644 --- a/Gemfile +++ b/Gemfile @@ -407,7 +407,7 @@ group :development, :test do end group :development, :test, :danger do - gem 'gitlab-dangerfiles', '~> 3.4.0', require: false + gem 'gitlab-dangerfiles', '~> 3.3.0', require: false end group :development, :test, :coverage do diff --git a/Gemfile.lock b/Gemfile.lock index dab51a0803c..de2646f7d9c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -475,7 +475,7 @@ GEM terminal-table (~> 1.5, >= 1.5.1) gitlab-chronic (0.10.5) numerizer (~> 0.2) - gitlab-dangerfiles (3.4.0) + gitlab-dangerfiles (3.3.0) danger (>= 8.4.5) danger-gitlab (>= 8.0.0) rake @@ -1534,7 +1534,7 @@ DEPENDENCIES gitaly (~> 15.1.0.pre.rc1) github-markup (~> 1.7.0) gitlab-chronic (~> 0.10.5) - gitlab-dangerfiles (~> 3.4.0) + gitlab-dangerfiles (~> 3.3.0) gitlab-experiment (~> 0.7.1) gitlab-fog-azure-rm (~> 1.3.0) gitlab-labkit (~> 0.23.0) diff --git a/app/assets/javascripts/diffs/components/commit_item.vue b/app/assets/javascripts/diffs/components/commit_item.vue index 54b648e8d03..ad163a2a615 100644 
--- a/app/assets/javascripts/diffs/components/commit_item.vue +++ b/app/assets/javascripts/diffs/components/commit_item.vue @@ -134,7 +134,9 @@ export default { class="avatar-cell d-none d-sm-block" /> -
+
-
+
.branch-item, -.branch-title { - display: flex; - align-items: center; -} - .branch-info { flex: auto; min-width: 0; diff --git a/app/assets/stylesheets/pages/commits.scss b/app/assets/stylesheets/pages/commits.scss index 80b9e378252..fab7efe03f6 100644 --- a/app/assets/stylesheets/pages/commits.scss +++ b/app/assets/stylesheets/pages/commits.scss @@ -133,18 +133,6 @@ } } -.commit-detail { - display: flex; - justify-content: space-between; - align-items: start; - flex-grow: 1; - min-width: 0; - - .project-namespace { - color: $gl-text-color-tertiary; - } -} - .commit-content { padding-right: 10px; white-space: normal; diff --git a/app/views/projects/branches/_branch.html.haml b/app/views/projects/branches/_branch.html.haml index e4ec7a43d61..1477ae66d80 100644 --- a/app/views/projects/branches/_branch.html.haml +++ b/app/views/projects/branches/_branch.html.haml @@ -1,9 +1,9 @@ - merged = local_assigns.fetch(:merged, false) - commit = @repository.commit(branch.dereferenced_target) - merge_project = merge_request_source_project_for_project(@project) -%li{ class: "branch-item js-branch-item js-branch-#{branch.name}", data: { name: branch.name } } +%li{ class: "branch-item gl-display-flex! gl-align-items-center! js-branch-item js-branch-#{branch.name}", data: { name: branch.name } } .branch-info - .branch-title + .gl-display-flex.gl-align-items-center = sprite_icon('branch', size: 12, css_class: 'gl-flex-shrink-0') = link_to project_tree_path(@project, branch.name), class: 'item-title str-truncated-100 ref-name gl-ml-3 qa-branch-name' do = branch.name diff --git a/app/views/projects/commits/_commit.html.haml b/app/views/projects/commits/_commit.html.haml index 4442f62b221..71485e203db 100644 --- a/app/views/projects/commits/_commit.html.haml +++ b/app/views/projects/commits/_commit.html.haml 
@@ -24,7 +24,7 @@ .avatar-cell.d-none.d-sm-block = author_avatar(commit, size: 40, has_tooltip: false) - .commit-detail.flex-list + .commit-detail.flex-list.gl-display-flex.gl-justify-content-space-between.gl-align-items-flex-start.gl-flex-grow-1.gl-min-w-0 .commit-content{ data: { qa_selector: 'commit_content' } } - if view_details && merge_request = link_to commit.title, project_commit_path(project, commit.id, merge_request_iid: merge_request.iid), class: ["commit-row-message item-title js-onboarding-commit-item", ("font-italic" if commit.message.empty?)] diff --git a/app/views/projects/empty.html.haml b/app/views/projects/empty.html.haml index ce6d021ce2f..6f2e135f9d3 100644 --- a/app/views/projects/empty.html.haml +++ b/app/views/projects/empty.html.haml @@ -21,10 +21,10 @@ = _('You can get started by cloning the repository or start adding files to it with one of the following options.') .project-buttons.qa-quick-actions - .project-clone-holder.d-block.d-md-none.mt-2.mr-2 + .project-clone-holder.d-block.d-md-none.gl-mt-3.gl-mr-3 = render "shared/mobile_clone_panel" - .project-clone-holder.d-none.d-md-inline-block.mb-2.mr-2.float-left + .project-clone-holder.d-none.d-md-inline-block.gl-mb-3.gl-mr-3.float-left = render "projects/buttons/clone" = render 'stat_anchor_list', anchors: @project.empty_repo_statistics_buttons, project_buttons: true diff --git a/app/workers/projects/refresh_build_artifacts_size_statistics_worker.rb b/app/workers/projects/refresh_build_artifacts_size_statistics_worker.rb index a91af72cc2c..705bf0534f7 100644 --- a/app/workers/projects/refresh_build_artifacts_size_statistics_worker.rb +++ b/app/workers/projects/refresh_build_artifacts_size_statistics_worker.rb @@ -5,10 +5,6 @@ module Projects include ApplicationWorker include LimitedCapacity::Worker - MAX_RUNNING_LOW = 2 - MAX_RUNNING_MEDIUM = 20 - MAX_RUNNING_HIGH = 50 - data_consistency :always feature_category :build_artifacts 
@@ -37,12 +33,8 @@ module Projects end def max_running_jobs - if ::Feature.enabled?(:projects_build_artifacts_size_refresh_high) - MAX_RUNNING_HIGH - elsif ::Feature.enabled?(:projects_build_artifacts_size_refresh_medium) - MAX_RUNNING_MEDIUM - elsif ::Feature.enabled?(:projects_build_artifacts_size_refresh_low) - MAX_RUNNING_LOW + if ::Feature.enabled?(:projects_build_artifacts_size_refresh, type: :ops) + 10 else 0 end diff --git a/config/feature_flags/development/group_name_path_vue.yml b/config/feature_flags/development/group_name_path_vue.yml index 6ecb0eaf20e..71adb199b77 100644 --- a/config/feature_flags/development/group_name_path_vue.yml +++ b/config/feature_flags/development/group_name_path_vue.yml @@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/363623 milestone: '15.1' type: development group: group::workspace -default_enabled: false +default_enabled: true diff --git a/config/feature_flags/development/projects_build_artifacts_size_refresh_high.yml b/config/feature_flags/development/projects_build_artifacts_size_refresh_high.yml deleted file mode 100644 index 77b5feafd6a..00000000000 --- a/config/feature_flags/development/projects_build_artifacts_size_refresh_high.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: projects_build_artifacts_size_refresh_high -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81306 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356018 -milestone: '14.9' -type: development -group: group::pipeline insights -default_enabled: false diff --git a/config/feature_flags/development/projects_build_artifacts_size_refresh_low.yml b/config/feature_flags/development/projects_build_artifacts_size_refresh_low.yml deleted file mode 100644 index cefecb245e3..00000000000 --- a/config/feature_flags/development/projects_build_artifacts_size_refresh_low.yml +++ /dev/null 
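Review bot: `max_running_jobs` now returns the bare literal `10` where the removed code used named `MAX_RUNNING_*` constants, so the capacity is no longer discoverable or greppable from the class header. A named constant keeps that property, e.g. `MAX_RUNNING_JOBS = 10` where the old constants lived and `MAX_RUNNING_JOBS` in place of `10` in the `if` branch. The enclosing class starts and ends outside the hunk.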
@@ -1,8 +0,0 @@ ---- -name: projects_build_artifacts_size_refresh_low -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81306 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356018 -milestone: '14.9' -type: development -group: group::pipeline insights -default_enabled: false diff --git a/config/feature_flags/development/projects_build_artifacts_size_refresh_medium.yml b/config/feature_flags/development/projects_build_artifacts_size_refresh_medium.yml deleted file mode 100644 index caeb6647782..00000000000 --- a/config/feature_flags/development/projects_build_artifacts_size_refresh_medium.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: projects_build_artifacts_size_refresh_medium -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81306 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356018 -milestone: '14.9' -type: development -group: group::pipeline insights -default_enabled: false diff --git a/config/feature_flags/ops/projects_build_artifacts_size_refresh.yml b/config/feature_flags/ops/projects_build_artifacts_size_refresh.yml new file mode 100644 index 00000000000..8b54a0e3ff5 --- /dev/null +++ b/config/feature_flags/ops/projects_build_artifacts_size_refresh.yml @@ -0,0 +1,8 @@ +--- +name: projects_build_artifacts_size_refresh +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84701 +rollout_issue_url: +milestone: '15.1' +type: ops +group: group::pipeline insights +default_enabled: true diff --git a/danger/roulette/Dangerfile b/danger/roulette/Dangerfile index 0e6af5792cd..527cdf58391 100644 --- a/danger/roulette/Dangerfile +++ b/danger/roulette/Dangerfile @@ -111,10 +111,6 @@ if changes.any? markdown_row_for_spin(spin.category, spin) end - roulette.required_approvals.each do |approval| - rows << markdown_row_for_spin(approval.category, approval.spin) - end - markdown(REVIEW_ROULETTE_SECTION) if rows.empty? 
diff --git a/doc/development/dangerbot.md b/doc/development/dangerbot.md index 003df4fe078..34b61858995 100644 --- a/doc/development/dangerbot.md +++ b/doc/development/dangerbot.md @@ -175,15 +175,7 @@ at GitLab so far: - Database review - Documentation review - Merge request metrics -- Reviewer roulette. Reviewers and maintainers are chosen based on: - - Their roles (backend, frontend, database, etc). - - Their availability: - - No "OOO"/"PTO"/"Parental Leave" in their GitLab or Slack status. - - No `:red_circle:`/`:palm_tree:`/`:beach:`/`:beach_umbrella:`/`:beach_with_umbrella:` emojis in GitLab or Slack status. - - (Experimental) Their time zone: people for which the local hour is between - 6 AM and 2 PM are eligible to be picked. This is to ensure they have a good - chance to get to perform a review during their current work day. The experimentation is tracked in - [this issue](https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/563) +- [Reviewer roulette](code_review.md#reviewer-roulette) - Single codebase effort ## Limitations diff --git a/lib/tasks/gitlab/db.rake b/lib/tasks/gitlab/db.rake index a446a17dfc3..026511d5943 100644 --- a/lib/tasks/gitlab/db.rake +++ b/lib/tasks/gitlab/db.rake 
@@ -367,5 +367,68 @@ namespace :gitlab do Rake::Task['gitlab:db:execute_batched_migrations'].invoke end end + + namespace :dictionary do + DB_DOCS_PATH = File.join(Rails.root, 'db', 'docs') + + desc 'Generate database docs yaml' + task generate: :environment do + FileUtils.mkdir_p(DB_DOCS_PATH) unless Dir.exist?(DB_DOCS_PATH) + + Rails.application.eager_load! + + tables = Gitlab::Database.database_base_models.flat_map { |_, m| m.connection.tables } + classes = tables.to_h { |t| [t, []] } + + Gitlab::Database.database_base_models.each do |_, model_class| + model_class + .descendants + .reject(&:abstract_class) + .reject { |c| c.name =~ /^(?:EE::)?Gitlab::(?:BackgroundMigration|DatabaseImporters)::/ } + .reject { |c| c.name =~ /^HABTM_/ } + .each { |c| classes[c.table_name] << c.name if classes.has_key?(c.table_name) } + end + + version = Gem::Version.new(File.read('VERSION')) + milestone = version.release.segments[0..1].join('.') + + tables.each do |table_name| + file = File.join(DB_DOCS_PATH, "#{table_name}.yml") + + table_metadata = { + 'table_name' => table_name, + 'classes' => classes[table_name]&.sort&.uniq, + 'feature_categories' => [], + 'description' => nil, + 'introduced_by_url' => nil, + 'milestone' => milestone + } + + if File.exist?(file) + outdated = false + + existing_metadata = YAML.safe_load(File.read(file)) + + if existing_metadata['table_name'] != table_metadata['table_name'] + existing_metadata['table_name'] = table_metadata['table_name'] + outdated = true + end + + if existing_metadata['classes'].difference(table_metadata['classes']).any? + existing_metadata['classes'] = table_metadata['classes'] + outdated = true + end + + File.write(file, existing_metadata.to_yaml) if outdated + else + File.write(file, table_metadata.to_yaml) + end + end + end + + Rake::Task['db:migrate'].enhance do + Rake::Task['gitlab:db:dictionary:generate'].invoke if Rails.env.development? + end + end end end 
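Review bot: The `outdated` check only notices classes that disappeared from an existing doc file: `existing_metadata['classes'].difference(table_metadata['classes'])` is empty when a new model class was added for a table, so that class is never written back; unless pruning only stale entries is intended, compare both ways with `if existing_metadata['classes'] != table_metadata['classes']`. The same line raises `NoMethodError` when a hand-edited file lacks the `classes` key, so `Array(existing_metadata['classes'])` would be safer. `File.read('VERSION')` resolves against the process working directory while `DB_DOCS_PATH` is built from `Rails.root`; `Rails.root.join('VERSION')` keeps the two consistent. The `unless Dir.exist?(DB_DOCS_PATH)` guard is redundant, since `FileUtils.mkdir_p` is already a no-op for an existing directory.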
diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 3f6743e6318..c0d9157ea5d 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -34110,6 +34110,9 @@ msgstr "" msgid "SecurityOrchestration|Enforce security for this project. %{linkStart}More information.%{linkEnd}" msgstr "" +msgid "SecurityOrchestration|Failed to load cluster agents." +msgstr "" + msgid "SecurityOrchestration|If any scanner finds a newly detected critical vulnerability in an open merge request targeting the master branch, then require two approvals from any member of App security." msgstr "" @@ -34401,6 +34404,9 @@ msgstr "" msgid "SecurityReports|Check the messages generated while parsing the following security reports, as they may prevent the results from being ingested by GitLab. Ensure the security report conforms to a supported %{helpPageLinkStart}JSON schema%{helpPageLinkEnd}." msgstr "" +msgid "SecurityReports|Cluster" +msgstr "" + msgid "SecurityReports|Comment added to '%{vulnerabilityName}'" msgstr "" @@ -44751,6 +44757,9 @@ msgstr "" msgid "ciReport|API fuzzing" msgstr "" +msgid "ciReport|All clusters" +msgstr "" + msgid "ciReport|All projects" msgstr "" diff --git a/scripts/process_custom_semgrep_results.sh b/scripts/process_custom_semgrep_results.sh new file mode 100755 index 00000000000..28fb5c79598 --- /dev/null +++ b/scripts/process_custom_semgrep_results.sh 
@@ -0,0 +1,55 @@ +# This script requires BOT_USER_ID, CUSTOM_SAST_RULES_BOT_PAT and CI_MERGE_REQUEST_IID variables to be set + +echo "Processing vuln report" + +# Preparing the message for the comment that will be posted by the bot +# Empty string if there are no findings +jq -crM '.vulnerabilities | + map( select( .identifiers[0].name | test( "glappsec_" ) ) | + "- `" + .location.file + "` line " + ( .location.start_line | tostring ) + + ( + if .location.start_line = .location.end_line then "" + else ( " to " + ( .location.end_line | tostring ) ) end + ) + ": " + .message + ) | + sort | + if length > 0 then + { body: ("The findings below have been detected based on the [AppSec custom Semgrep rules](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/) and need attention:\n\n" + join("\n") + "\n\n/cc @gitlab-com/gl-security/appsec") } + else + empty + end' gl-sast-report.json >findings.txt + +echo "Resulting file:" +cat findings.txt + +EXISTING_COMMENT_ID=$(curl "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes" \ + --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" | + jq -crM 'map( select( .author.id == (env.BOT_USER_ID | tonumber) ) | .id ) | first') + +echo "EXISTING_COMMENT_ID: $EXISTING_COMMENT_ID" + +if [ "$EXISTING_COMMENT_ID" == "null" ]; then + if [ -s findings.txt ]; then + echo "No existing comment and there are findings: a new comment will be posted" + curl "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes" \ + --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \ + --header 'Content-Type: application/json' \ + --data '@findings.txt' + else + echo "No existing comment and no findings: nothing to do" + fi +else + if [ -s findings.txt ]; then + echo "There is an existing comment and there are findings: the existing comment will be updated" + curl --request PUT 
"https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes/$EXISTING_COMMENT_ID" \ + --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \ + --header 'Content-Type: application/json' \ + --data '@findings.txt' + else + echo "There is an existing comment but no findings: the existing comment will be updated to mention everything is resolved" + curl --request PUT "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes/$EXISTING_COMMENT_ID" \ + --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \ + --header 'Content-Type: application/json' \ + --data '{"body":"All findings based on the [AppSec custom Semgrep rules](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/) have been resolved! :tada:"}' + fi +fi diff --git a/spec/frontend/repository/components/__snapshots__/last_commit_spec.js.snap b/spec/frontend/repository/components/__snapshots__/last_commit_spec.js.snap index 4732d68c8c6..cb56f392ec9 100644 --- a/spec/frontend/repository/components/__snapshots__/last_commit_spec.js.snap +++ b/spec/frontend/repository/components/__snapshots__/last_commit_spec.js.snap @@ -17,7 +17,7 @@ exports[`Repository last commit component renders commit widget 1`] = ` />
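Review bot: In the jq program, `if .location.start_line = .location.end_line then` uses jq's assignment operator rather than comparison, so the condition is always truthy (it yields the updated object) and the `" to <end_line>"` range suffix is never emitted; it should read `if .location.start_line == .location.end_line then ""`. The file also has no shebang and no `set -e`, and none of the `curl` calls use `--fail`: a rejected token returns an error body, the jq extraction then leaves `EXISTING_COMMENT_ID` empty, and the script goes on to `PUT .../notes/` with an empty id while the job still passes. Starting the file with `#!/bin/sh` and `set -eu`, and adding `--fail` to each `curl`, makes those failures visible in CI instead of silently reporting nothing.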