Add latest changes from gitlab-org/gitlab@master

app/models/ci/pipeline.rb

@@ -249,7 +249,7 @@ module Ci
 
       after_transition any => ::Ci::Pipeline.completed_statuses do |pipeline|
         pipeline.run_after_commit do
-          ::Ci::Pipelines::CreateArtifactWorker.perform_async(pipeline.id)
+          ::Ci::PipelineArtifacts::CoverageReportWorker.perform_async(pipeline.id)
         end
       end
 

app/services/ci/pipeline_artifacts/coverage_report_service.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module Ci
-  module Pipelines
-    class CreateArtifactService
+  module PipelineArtifacts
+    class CoverageReportService
       def execute(pipeline)
         return unless pipeline.can_generate_coverage_reports?
         return if pipeline.has_coverage_reports?

app/workers/all_queues.yml

@@ -1077,7 +1077,7 @@
   :weight: 1
   :idempotent: true
   :tags: []
-- :name: pipeline_background:ci_pipeline_success_unlock_artifacts
+- :name: pipeline_background:ci_pipeline_artifacts_coverage_report
   :feature_category: :continuous_integration
   :has_external_dependencies:
   :urgency: :low
@@ -1085,7 +1085,7 @@
   :weight: 1
   :idempotent: true
   :tags: []
-- :name: pipeline_background:ci_pipelines_create_artifact
+- :name: pipeline_background:ci_pipeline_success_unlock_artifacts
   :feature_category: :continuous_integration
   :has_external_dependencies:
   :urgency: :low

app/workers/ci/pipeline_artifacts/coverage_report_worker.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module Ci
-  module Pipelines
-    class CreateArtifactWorker
+  module PipelineArtifacts
+    class CoverageReportWorker
       include ApplicationWorker
       include PipelineBackgroundQueue
 
@@ -10,7 +10,7 @@ module Ci
 
       def perform(pipeline_id)
         Ci::Pipeline.find_by_id(pipeline_id).try do |pipeline|
-          Ci::Pipelines::CreateArtifactService.new.execute(pipeline)
+          Ci::PipelineArtifacts::CoverageReportService.new.execute(pipeline)
         end
       end
     end

changelogs/unreleased/mo-refactor-pipeline-artifact-coverage.yml

@@ -0,0 +1,5 @@
+---
+title: Rename coverage report sidekiq queue
+merge_request: 50424
+author:
+type: changed

db/migrate/20201224144948_migrate_coverage_report_worker.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class MigrateCoverageReportWorker < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def up
+    sidekiq_queue_migrate 'ci_pipelines_create_artifact', to: 'ci_pipeline_artifacts_coverage_report'
+  end
+
+  def down
+    sidekiq_queue_migrate 'ci_pipeline_artifacts_coverage_report', to: 'ci_pipelines_create_artifact'
+  end
+end

db/schema_migrations/20201224144948

@@ -0,0 +1 @@
+a83762c788d4ec007a26da386dc36bce16b60f5642ed3e6405482acfebefc1be

doc/user/application_security/vulnerabilities/severities.md

@@ -0,0 +1,70 @@
+---
+type: reference
+stage: Secure
+group: Threat Insights
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Vulnerability severity levels
+
+GitLab vulnerability analyzers attempt to return vulnerability severity level values whenever
+possible. The following is a list of available GitLab vulnerability severity levels, ranked from
+most to least severe:
+
+- `Critical`
+- `High`
+- `Medium`
+- `Low`
+- `Info`
+- `Unknown`
+
+Most GitLab vulnerability analyzers are wrappers around popular open source scanning tools. Each
+open source scanning tool provides their own native vulnerability severity level value. These values
+can be one of the following:
+
+| Native vulnerability severity level type                                                                                          | Examples                                       |
+|-----------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|
+| String                                                                                                                            | `WARNING`, `ERROR`, `Critical`, `Negligible`   |
+| Integer                                                                                                                           | `1`, `2`, `5`                                  |
+| [CVSS v2.0 Rating](https://nvd.nist.gov/vuln-metrics/cvss)                                                                        | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`                 |
+| [CVSS v3.1 Qualitative Severity Rating](https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale) | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
+
+To provide consistent vulnerability severity level values, the GitLab vulnerability analyzers
+convert from the above values to a standardized GitLab vulnerability severity level, as outlined in
+the following tables:
+
+## SAST
+
+|  GitLab analyzer                                                                                       | Outputs severity levels? | Native severity level type | Native severity level example      |
+|--------------------------------------------------------------------------------------------------------|--------------------------|----------------------------|------------------------------------|
+| [security-code-scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan)     | **{dotted-circle}** No   | N/A                        | N/A                                |
+| [brakeman](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman)                         | **{dotted-circle}** No   | N/A                        | N/A                                |
+| [sobelow](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow)                           | **{check-circle}** Yes   | N/A                        | Hardcodes all severity levels to `Unknown` |
+| [nodejs-scan](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan)                   | **{check-circle}** Yes   | String                     | `INFO`, `WARNING`, `ERROR`         |
+| [flawfinder](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder)                     | **{check-circle}** Yes   | Integer                    | `0`, `1`, `2`, `3`, `4`, `5`       |
+| [eslint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint)                             | **{check-circle}** Yes   | N/A                        | Hardcodes all severity levels to `Unknown` |
+| [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs)                         | **{check-circle}** Yes   | Integer                    | `1`, `2`, `3`, `11`, `12`, `18`    |
+| [gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec)                               | **{check-circle}** Yes   | String                     | `HIGH`, `MEDIUM`, `LOW`            |
+| [bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit)                             | **{check-circle}** Yes   | String                     | `HIGH`, `MEDIUM`, `LOW`            |
+| [phpcs-security-audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) | **{check-circle}** Yes   | String                     | `ERROR`, `WARNING`                 |
+| [pmd-apex](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex)                         | **{check-circle}** Yes   | Integer                    | `1`, `2`, `3`, `4`, `5`            |
+| [kubesec](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec)                           | **{check-circle}** Yes   | String                     | `CriticalSeverity`, `InfoSeverity` |
+| [secrets](https://gitlab.com/gitlab-org/security-products/analyzers/secrets)                           | **{check-circle}** Yes   | N/A                        | Hardcodes all severity levels to `Critical` |
+
+## Dependency Scanning
+
+| GitLab analyzer                                                                          | Outputs severity levels?     | Native severity level type | Native severity level example       |
+|------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------|
+| [bundler-audit](https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit) | **{check-circle}** Yes       | String                     | `low`, `medium`, `high`, `critical` |
+| [retire.js](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js)         | **{check-circle}** Yes       | String                     | `low`, `medium`, `high`, `critical` |
+| [gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)         | **{check-circle}** Yes       | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
+
+## Container Scanning
+
+| GitLab analyzer                                                        | Outputs severity levels? | Native severity level type | Native severity level example                                |
+|------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------|
+| [klar](https://gitlab.com/gitlab-org/security-products/analyzers/klar) | **{check-circle}** Yes   | String                     | `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1` |
+
+## Fuzz Testing
+
+All fuzz testing results are reported as Unknown. They should be reviewed and triaged manually to find exploitable faults to prioritize for fixing.

spec/services/ci/pipeline_artifacts/coverage_report_service_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe ::Ci::Pipelines::CreateArtifactService do
+RSpec.describe ::Ci::PipelineArtifacts::CoverageReportService do
   describe '#execute' do
     subject { described_class.new.execute(pipeline) }
 

spec/workers/ci/pipeline_artifacts/coverage_report_worker_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe ::Ci::Pipelines::CreateArtifactWorker do
+RSpec.describe ::Ci::PipelineArtifacts::CoverageReportWorker do
   describe '#perform' do
     subject { described_class.new.perform(pipeline_id) }
 
@@ -11,7 +11,7 @@ RSpec.describe ::Ci::Pipelines::CreateArtifactWorker do
       let(:pipeline_id) { pipeline.id }
 
       it 'calls pipeline report result service' do
-        expect_next_instance_of(::Ci::Pipelines::CreateArtifactService) do |create_artifact_service|
+        expect_next_instance_of(::Ci::PipelineArtifacts::CoverageReportService) do |create_artifact_service|
           expect(create_artifact_service).to receive(:execute)
         end
 
@@ -23,7 +23,7 @@ RSpec.describe ::Ci::Pipelines::CreateArtifactWorker do
       let(:pipeline_id) { non_existing_record_id }
 
       it 'does not call pipeline create artifact service' do
-        expect(Ci::Pipelines::CreateArtifactService).not_to receive(:execute)
+        expect(Ci::PipelineArtifacts::CoverageReportService).not_to receive(:execute)
 
         subject
       end