From 35ee286f94ee7c706713fbf0b8f16468bb4e4381 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Mon, 10 May 2021 03:10:06 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- GITALY_SERVER_VERSION | 2 +- .../development/security_dast_site_profiles_api_option.yml | 2 +- doc/ci/pipelines/pipeline_efficiency.md | 2 ++ doc/ci/services/mysql.md | 5 +++++ doc/user/application_security/dast/index.md | 3 +++ doc/user/application_security/sast/index.md | 1 + 6 files changed, 13 insertions(+), 2 deletions(-) diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 24687be7f9b..ea8d3d5236d 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -2982990541d6980bf5035987996e976042c8ccc6 +6941c499e077fe2303dd5c31a08807d14ad7a616 diff --git a/config/feature_flags/development/security_dast_site_profiles_api_option.yml b/config/feature_flags/development/security_dast_site_profiles_api_option.yml index a92e761d3ce..8a9c6fefb5d 100644 --- a/config/feature_flags/development/security_dast_site_profiles_api_option.yml +++ b/config/feature_flags/development/security_dast_site_profiles_api_option.yml @@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/325130 milestone: '13.12' type: development group: group::dynamic analysis -default_enabled: false +default_enabled: true diff --git a/doc/ci/pipelines/pipeline_efficiency.md b/doc/ci/pipelines/pipeline_efficiency.md index faebf40462e..2deb3b27748 100644 --- a/doc/ci/pipelines/pipeline_efficiency.md +++ b/doc/ci/pipelines/pipeline_efficiency.md 
@@ -110,6 +110,8 @@ and get the pipeline status and duration. In combination with a Grafana dashboar this helps build an actionable view for your operations team. Metric graphs can also be embedded into incidents making problem resolving easier. Additionally, it can also export metrics about jobs and environments. +If you use the GitLab CI Pipelines Exporter, you should start with the [example configuration](https://github.com/mvisonneau/gitlab-ci-pipelines-exporter/blob/main/docs/configuration_syntax.md). + ![Grafana Dashboard for GitLab CI Pipelines Prometheus Exporter](img/ci_efficiency_pipeline_health_grafana_dashboard.png) Alternatively, you can use a monitoring tool that can execute scripts, like diff --git a/doc/ci/services/mysql.md b/doc/ci/services/mysql.md index 2185af0141d..1e0762ca010 100644 --- a/doc/ci/services/mysql.md +++ b/doc/ci/services/mysql.md @@ -14,6 +14,8 @@ need it for your tests to run. If you want to use a MySQL container, you can use [GitLab Runner](../runners/README.md) with the Docker executor. +This example shows you how to set a username and password that GitLab uses to access the MySQL container. If you do not set a username and password, you must use `root`. + 1. [Create CI/CD variables](../variables/README.md#custom-cicd-variables) for your MySQL database and password by going to **Settings > CI/CD**, expanding **Variables**, and clicking **Add Variable**. @@ -54,6 +56,9 @@ If you want to use a MySQL container, you can use [GitLab Runner](../runners/REA Database: ``` + In this example, the user is `runner`. You should use a user that has permission to + access your database. + ## Use MySQL with the Shell executor You can also use MySQL on manually-configured servers that use diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md index 354e92b1cc5..413326dd5ce 100644 --- a/doc/user/application_security/dast/index.md +++ b/doc/user/application_security/dast/index.md 
@@ -978,6 +978,7 @@ required for an on-demand DAST scan. A site profile contains the following: - **Profile name**: A name you assign to the site to be scanned. +- **Site type**: The type of target to be scanned, either website or API scan. - **Target URL**: The URL that DAST runs against. - **Excluded URLs**: A comma-separated list of URLs to exclude from the scan. - **Request headers**: A comma-separated list of HTTP request headers, including names and values. These headers are added to every request made by DAST. @@ -988,6 +989,8 @@ A site profile contains the following: - **Username form field**: The name of username field at the sign-in HTML form. - **Password form field**: The name of password field at the sign-in HTML form. +When an API site type is selected, a [host override](#host-override) is used to ensure the API being scanned is on the same host as the target. This is done to reduce the risk of running an active scan against the wrong API. + #### Site profile validation > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/233020) in GitLab 13.8. diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index fe5a85cf0b0..b0e5877ae84 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -518,6 +518,7 @@ Experimental features available are: - Enable scanning of iOS and Android apps using the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/). - Enable the [semgrep analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/). + - Semgrep may be inconsistent when reporting vulnerabilities found in minified JavaScript files. #### Enable experimental features
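Review bot: In the GITALY_SERVER_VERSION hunk the Gitaly SHA is bumped from `2982990541d6980bf5035987996e976042c8ccc6` to `6941c499e077fe2303dd5c31a08807d14ad7a616` with no reference to what that range of Gitaly changes contains; since the commit message is the generic "Add latest changes from gitlab-org/gitlab@master", a link to the Gitaly MR or changelog covering that range would make the bump reviewable.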
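Review bot: The security_dast_site_profiles_api_option.yml hunk flips `default_enabled` from `false` to `true` while the flag stays `type: development`, yet the DAST documentation hunk in the same patch documents the new **Site type** field unconditionally; the doc should note that the field is controlled by the `security_dast_site_profiles_api_option` flag (enabled by default, can be disabled by an administrator) and point at the rollout issue already listed in the YAML.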
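Review bot: In the pipeline_efficiency.md hunk the added sentence `+If you use the GitLab CI Pipelines Exporter, you should start with the [example configuration](...)` has no blank line before it, so it is appended to the existing paragraph that ends with "Additionally, it can also export metrics about jobs and environments." while a blank line is added after it; if the intent is a separate paragraph, add the leading blank line, and consider pinning the third-party link to a tag rather than `blob/main` so it does not rot.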
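Review bot: In the first mysql.md hunk the new intro says the example shows "how to set a username and password", but the step immediately below it still reads "Create CI/CD variables for your MySQL database and password", so the two do not describe the same variables; align the wording (username, password, and database) so the reader knows which variables the example actually sets, and spell out that `root` still needs its own password when no separate user is configured.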
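Review bot: In the second mysql.md hunk the guidance "You should use a user that has permission to access your database." is weaker than it should be for a CI service account; suggest "a user that has only the permissions your tests need on that database" so readers do not reuse an administrative account in pipelines, and the note correctly keeps its three-space indent so it stays inside the numbered list item.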
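Review bot: In the first DAST index.md hunk the new bullet `- **Site type**: The type of target to be scanned, either website or API scan.` mixes a noun with a noun phrase; "either a website or an API" reads cleanly and matches the "API site type" wording used in the second hunk.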
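Review bot: In the second DAST index.md hunk the new paragraph links to `#host-override`, but nothing in the diff shows that heading exists in this file, so the anchor should be confirmed before merge; the sentence itself is fine but would follow the docs style better in active voice, for example "When you select an API site type, DAST applies a host override so that the API being scanned is on the same host as the target URL, which reduces the risk of running an active scan against the wrong API."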
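Review bot: In the sast index.md hunk the nested bullet "Semgrep may be inconsistent when reporting vulnerabilities found in minified JavaScript files." leaves "inconsistent" undefined; state whether findings in minified files may be missed, duplicated, or reported at wrong locations, and link the tracking issue if one exists, so users know whether to exclude minified bundles from the scan.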