diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index 9796970e4fd..4a579892e3f 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -249,7 +249,7 @@ module Ci
 after_transition any => ::Ci::Pipeline.completed_statuses do |pipeline|
 pipeline.run_after_commit do
- ::Ci::Pipelines::CreateArtifactWorker.perform_async(pipeline.id)
+ ::Ci::PipelineArtifacts::CoverageReportWorker.perform_async(pipeline.id)
 end
 end
diff --git a/app/services/ci/pipelines/create_artifact_service.rb b/app/services/ci/pipeline_artifacts/coverage_report_service.rb
similarity index 93%
rename from app/services/ci/pipelines/create_artifact_service.rb
rename to app/services/ci/pipeline_artifacts/coverage_report_service.rb
index bfaf317241a..9f5c445c91a 100644
--- a/app/services/ci/pipelines/create_artifact_service.rb
+++ b/app/services/ci/pipeline_artifacts/coverage_report_service.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module Ci
- module Pipelines
- class CreateArtifactService
+ module PipelineArtifacts
+ class CoverageReportService
 def execute(pipeline)
 return unless pipeline.can_generate_coverage_reports?
 return if pipeline.has_coverage_reports?
diff --git a/app/workers/all_queues.yml b/app/workers/all_queues.yml
index 888bc50cbbb..082937f8d78 100644
--- a/app/workers/all_queues.yml
+++ b/app/workers/all_queues.yml
@@ -1077,7 +1077,7 @@
 :weight: 1
 :idempotent: true
 :tags: []
-- :name: pipeline_background:ci_pipeline_success_unlock_artifacts
+- :name: pipeline_background:ci_pipeline_artifacts_coverage_report
 :feature_category: :continuous_integration
 :has_external_dependencies:
 :urgency: :low
@@ -1085,7 +1085,7 @@
 :weight: 1
 :idempotent: true
 :tags: []
-- :name: pipeline_background:ci_pipelines_create_artifact
+- :name: pipeline_background:ci_pipeline_success_unlock_artifacts
 :feature_category: :continuous_integration
 :has_external_dependencies:
 :urgency: :low
diff --git a/app/workers/ci/pipelines/create_artifact_worker.rb b/app/workers/ci/pipeline_artifacts/coverage_report_worker.rb
similarity index 66%
rename from app/workers/ci/pipelines/create_artifact_worker.rb
rename to app/workers/ci/pipeline_artifacts/coverage_report_worker.rb
index 220df975503..f8c9994a746 100644
--- a/app/workers/ci/pipelines/create_artifact_worker.rb
+++ b/app/workers/ci/pipeline_artifacts/coverage_report_worker.rb
@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 module Ci
- module Pipelines
- class CreateArtifactWorker
+ module PipelineArtifacts
+ class CoverageReportWorker
 include ApplicationWorker
 include PipelineBackgroundQueue
@@ -10,7 +10,7 @@ module Ci
 def perform(pipeline_id)
 Ci::Pipeline.find_by_id(pipeline_id).try do |pipeline|
- Ci::Pipelines::CreateArtifactService.new.execute(pipeline)
+ Ci::PipelineArtifacts::CoverageReportService.new.execute(pipeline)
 end
 end
 end
diff --git a/changelogs/unreleased/mo-refactor-pipeline-artifact-coverage.yml b/changelogs/unreleased/mo-refactor-pipeline-artifact-coverage.yml
new file mode 100644
index 00000000000..02fccaaf4ab
--- /dev/null
+++ b/changelogs/unreleased/mo-refactor-pipeline-artifact-coverage.yml
@@ -0,0 +1,5 @@
+---
+title: Rename coverage report sidekiq queue
+merge_request: 50424
+author:
+type: changed
diff --git a/db/migrate/20201224144948_migrate_coverage_report_worker.rb b/db/migrate/20201224144948_migrate_coverage_report_worker.rb
new file mode 100644
index 00000000000..a13e5e859e0
--- /dev/null
+++ b/db/migrate/20201224144948_migrate_coverage_report_worker.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class MigrateCoverageReportWorker < ActiveRecord::Migration[6.0]
+ include Gitlab::Database::MigrationHelpers
+
+ DOWNTIME = false
+
+ def up
+ sidekiq_queue_migrate 'ci_pipelines_create_artifact', to: 'ci_pipeline_artifacts_coverage_report'
+ end
+
+ def down
+ sidekiq_queue_migrate 'ci_pipeline_artifacts_coverage_report', to: 'ci_pipelines_create_artifact'
+ end
+end
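Review bot: The `sidekiq_queue_migrate` call in `up` moves job payloads from `ci_pipelines_create_artifact` to the new queue, but nothing in this hunk rewrites the `class` field inside those payloads, which for jobs enqueued before the deploy presumably still names `Ci::Pipelines::CreateArtifactWorker`; since the worker hunk above renames that constant away, those jobs (and any pushed by not-yet-upgraded web nodes during a rolling deploy) would likely fail with `NameError` when the new Sidekiq processes pick them up, silently dropping the coverage-report artifact for the affected pipelines. If that matches the payload format, keep a one-release compatibility shim such as `Ci::Pipelines::CreateArtifactWorker = Ci::PipelineArtifacts::CoverageReportWorker` in the old file path, or point the old constant at the new worker, and note its removal date in the changelog. Please verify the payload `class` handling before merging, as the same gap applies to `down`, which moves jobs back to a queue whose class no longer exists on the new code.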
diff --git a/db/schema_migrations/20201224144948 b/db/schema_migrations/20201224144948
new file mode 100644
index 00000000000..84e2816433c
--- /dev/null
+++ b/db/schema_migrations/20201224144948
@@ -0,0 +1 @@
+a83762c788d4ec007a26da386dc36bce16b60f5642ed3e6405482acfebefc1be
\ No newline at end of file
diff --git a/doc/user/application_security/vulnerabilities/severities.md b/doc/user/application_security/vulnerabilities/severities.md
new file mode 100644
index 00000000000..ce2297f7a1a
--- /dev/null
+++ b/doc/user/application_security/vulnerabilities/severities.md
@@ -0,0 +1,70 @@ +--- +type: reference +stage: Secure +group: Threat Insights +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Vulnerability severity levels + +GitLab vulnerability analyzers attempt to return vulnerability severity level values whenever +possible. The following is a list of available GitLab vulnerability severity levels, ranked from +most to least severe: + +- `Critical` +- `High` +- `Medium` +- `Low` +- `Info` +- `Unknown` + +Most GitLab vulnerability analyzers are wrappers around popular open source scanning tools. Each +open source scanning tool provides their own native vulnerability severity level value. These values +can be one of the following: + +| Native vulnerability severity level type | Examples | +|-----------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------| +| String | `WARNING`, `ERROR`, `Critical`, `Negligible` | +| Integer | `1`, `2`, `5` | +| [CVSS v2.0 Rating](https://nvd.nist.gov/vuln-metrics/cvss) | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)` | +| [CVSS v3.1 Qualitative Severity Rating](https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale) | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` | + +To provide consistent vulnerability severity level values, the GitLab vulnerability analyzers +convert from the above values to a standardized GitLab vulnerability severity level, as outlined in +the following tables: + +## SAST + +| GitLab analyzer | Outputs severity levels? 
| Native severity level type | Native severity level example | +|--------------------------------------------------------------------------------------------------------|--------------------------|----------------------------|------------------------------------| +| [security-code-scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) | **{dotted-circle}** No | N/A | N/A | +| [brakeman](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) | **{dotted-circle}** No | N/A | N/A | +| [sobelow](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Unknown` | +| [nodejs-scan](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) | **{check-circle}** Yes | String | `INFO`, `WARNING`, `ERROR` | +| [flawfinder](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) | **{check-circle}** Yes | Integer | `0`, `1`, `2`, `3`, `4`, `5` | +| [eslint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Unknown` | +| [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) | **{check-circle}** Yes | Integer | `1`, `2`, `3`, `11`, `12`, `18` | +| [gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW` | +| [bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW` | +| [phpcs-security-audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) | **{check-circle}** Yes | String | `ERROR`, `WARNING` | +| [pmd-apex](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) | **{check-circle}** Yes | Integer | `1`, `2`, `3`, `4`, `5` | +| [kubesec](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) | **{check-circle}** Yes | String 
| `CriticalSeverity`, `InfoSeverity` | +| [secrets](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Critical` | + +## Dependency Scanning + +| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | +|------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------| +| [bundler-audit](https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit) | **{check-circle}** Yes | String | `low`, `medium`, `high`, `critical` | +| [retire.js](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js) | **{check-circle}** Yes | String | `low`, `medium`, `high`, `critical` | +| [gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) | **{check-circle}** Yes | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` | + +## Container Scanning + +| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | +|------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------| +| [klar](https://gitlab.com/gitlab-org/security-products/analyzers/klar) | **{check-circle}** Yes | String | `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1` | + +## Fuzz Testing + +All fuzz testing results are reported as Unknown. They should be reviewed and triaged manually to find exploitable faults to prioritize for fixing. 
diff --git a/spec/services/ci/pipelines/create_artifact_service_spec.rb b/spec/services/ci/pipeline_artifacts/coverage_report_service_spec.rb
similarity index 96%
rename from spec/services/ci/pipelines/create_artifact_service_spec.rb
rename to spec/services/ci/pipeline_artifacts/coverage_report_service_spec.rb
index 4e9248d9d1a..b48ea70aa4c 100644
--- a/spec/services/ci/pipelines/create_artifact_service_spec.rb
+++ b/spec/services/ci/pipeline_artifacts/coverage_report_service_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe ::Ci::Pipelines::CreateArtifactService do
+RSpec.describe ::Ci::PipelineArtifacts::CoverageReportService do
 describe '#execute' do
 subject { described_class.new.execute(pipeline) }
diff --git a/spec/workers/ci/pipelines/create_artifact_worker_spec.rb b/spec/workers/ci/pipeline_artifacts/coverage_report_worker_spec.rb
similarity index 70%
rename from spec/workers/ci/pipelines/create_artifact_worker_spec.rb
rename to spec/workers/ci/pipeline_artifacts/coverage_report_worker_spec.rb
index 31d2c4e9559..000eda055af 100644
--- a/spec/workers/ci/pipelines/create_artifact_worker_spec.rb
+++ b/spec/workers/ci/pipeline_artifacts/coverage_report_worker_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe ::Ci::Pipelines::CreateArtifactWorker do
+RSpec.describe ::Ci::PipelineArtifacts::CoverageReportWorker do
 describe '#perform' do
 subject { described_class.new.perform(pipeline_id) }
@@ -11,7 +11,7 @@ RSpec.describe ::Ci::Pipelines::CreateArtifactWorker do
 let(:pipeline_id) { pipeline.id }
 it 'calls pipeline report result service' do
- expect_next_instance_of(::Ci::Pipelines::CreateArtifactService) do |create_artifact_service|
+ expect_next_instance_of(::Ci::PipelineArtifacts::CoverageReportService) do |create_artifact_service|
 expect(create_artifact_service).to receive(:execute)
 end
@@ -23,7 +23,7 @@ RSpec.describe ::Ci::Pipelines::CreateArtifactWorker do
 let(:pipeline_id) { non_existing_record_id }
 it 'does not call pipeline create artifact service' do
- expect(Ci::Pipelines::CreateArtifactService).not_to receive(:execute)
+ expect(Ci::PipelineArtifacts::CoverageReportService).not_to receive(:execute)
 subject
 end
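Review bot: The renamed `expect(Ci::PipelineArtifacts::CoverageReportService).not_to receive(:execute)` line sets the negative expectation on the class, but the worker hunk above calls `execute` on an instance (`.new.execute(pipeline)`), so the class never receives `:execute` and this example passes regardless of whether the worker runs the service for a missing pipeline. Expect the call the worker would actually make instead, `expect(Ci::PipelineArtifacts::CoverageReportService).not_to receive(:new)`, which fails if `find_by_id(...).try` ever yields for a non-existing id. The enclosing `describe '#perform'` block starts in the previous hunk and ends outside this one.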