Add latest changes from gitlab-org/gitlab@master
This commit is contained in:
parent
f6db0f9b57
commit
385d7ee6af
|
@ -249,7 +249,7 @@ module Ci
|
|||
|
||||
after_transition any => ::Ci::Pipeline.completed_statuses do |pipeline|
|
||||
pipeline.run_after_commit do
|
||||
::Ci::Pipelines::CreateArtifactWorker.perform_async(pipeline.id)
|
||||
::Ci::PipelineArtifacts::CoverageReportWorker.perform_async(pipeline.id)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# frozen_string_literal: true
|
||||
module Ci
|
||||
module Pipelines
|
||||
class CreateArtifactService
|
||||
module PipelineArtifacts
|
||||
class CoverageReportService
|
||||
def execute(pipeline)
|
||||
return unless pipeline.can_generate_coverage_reports?
|
||||
return if pipeline.has_coverage_reports?
|
|
@ -1077,7 +1077,7 @@
|
|||
:weight: 1
|
||||
:idempotent: true
|
||||
:tags: []
|
||||
- :name: pipeline_background:ci_pipeline_success_unlock_artifacts
|
||||
- :name: pipeline_background:ci_pipeline_artifacts_coverage_report
|
||||
:feature_category: :continuous_integration
|
||||
:has_external_dependencies:
|
||||
:urgency: :low
|
||||
|
@ -1085,7 +1085,7 @@
|
|||
:weight: 1
|
||||
:idempotent: true
|
||||
:tags: []
|
||||
- :name: pipeline_background:ci_pipelines_create_artifact
|
||||
- :name: pipeline_background:ci_pipeline_success_unlock_artifacts
|
||||
:feature_category: :continuous_integration
|
||||
:has_external_dependencies:
|
||||
:urgency: :low
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Ci
|
||||
module Pipelines
|
||||
class CreateArtifactWorker
|
||||
module PipelineArtifacts
|
||||
class CoverageReportWorker
|
||||
include ApplicationWorker
|
||||
include PipelineBackgroundQueue
|
||||
|
||||
|
@ -10,7 +10,7 @@ module Ci
|
|||
|
||||
def perform(pipeline_id)
|
||||
Ci::Pipeline.find_by_id(pipeline_id).try do |pipeline|
|
||||
Ci::Pipelines::CreateArtifactService.new.execute(pipeline)
|
||||
Ci::PipelineArtifacts::CoverageReportService.new.execute(pipeline)
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Rename coverage report sidekiq queue
|
||||
merge_request: 50424
|
||||
author:
|
||||
type: changed
|
|
@ -0,0 +1,15 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class MigrateCoverageReportWorker < ActiveRecord::Migration[6.0]
|
||||
include Gitlab::Database::MigrationHelpers
|
||||
|
||||
DOWNTIME = false
|
||||
|
||||
def up
|
||||
sidekiq_queue_migrate 'ci_pipelines_create_artifact', to: 'ci_pipeline_artifacts_coverage_report'
|
||||
end
|
||||
|
||||
def down
|
||||
sidekiq_queue_migrate 'ci_pipeline_artifacts_coverage_report', to: 'ci_pipelines_create_artifact'
|
||||
end
|
||||
end
|
|
@ -0,0 +1 @@
|
|||
a83762c788d4ec007a26da386dc36bce16b60f5642ed3e6405482acfebefc1be
|
|
@ -0,0 +1,70 @@
|
|||
---
|
||||
type: reference
|
||||
stage: Secure
|
||||
group: Threat Insights
|
||||
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
|
||||
---
|
||||
|
||||
# Vulnerability severity levels
|
||||
|
||||
GitLab vulnerability analyzers attempt to return vulnerability severity level values whenever
|
||||
possible. The following is a list of available GitLab vulnerability severity levels, ranked from
|
||||
most to least severe:
|
||||
|
||||
- `Critical`
|
||||
- `High`
|
||||
- `Medium`
|
||||
- `Low`
|
||||
- `Info`
|
||||
- `Unknown`
|
||||
|
||||
Most GitLab vulnerability analyzers are wrappers around popular open source scanning tools. Each
|
||||
open source scanning tool provides their own native vulnerability severity level value. These values
|
||||
can be one of the following:
|
||||
|
||||
| Native vulnerability severity level type | Examples |
|
||||
|-----------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|
|
||||
| String | `WARNING`, `ERROR`, `Critical`, `Negligible` |
|
||||
| Integer | `1`, `2`, `5` |
|
||||
| [CVSS v2.0 Rating](https://nvd.nist.gov/vuln-metrics/cvss) | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)` |
|
||||
| [CVSS v3.1 Qualitative Severity Rating](https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale) | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
|
||||
|
||||
To provide consistent vulnerability severity level values, the GitLab vulnerability analyzers
|
||||
convert from the above values to a standardized GitLab vulnerability severity level, as outlined in
|
||||
the following tables:
|
||||
|
||||
## SAST
|
||||
|
||||
| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example |
|
||||
|--------------------------------------------------------------------------------------------------------|--------------------------|----------------------------|------------------------------------|
|
||||
| [security-code-scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) | **{dotted-circle}** No | N/A | N/A |
|
||||
| [brakeman](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) | **{dotted-circle}** No | N/A | N/A |
|
||||
| [sobelow](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Unknown` |
|
||||
| [nodejs-scan](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) | **{check-circle}** Yes | String | `INFO`, `WARNING`, `ERROR` |
|
||||
| [flawfinder](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) | **{check-circle}** Yes | Integer | `0`, `1`, `2`, `3`, `4`, `5` |
|
||||
| [eslint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Unknown` |
|
||||
| [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) | **{check-circle}** Yes | Integer | `1`, `2`, `3`, `11`, `12`, `18` |
|
||||
| [gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW` |
|
||||
| [bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW` |
|
||||
| [phpcs-security-audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) | **{check-circle}** Yes | String | `ERROR`, `WARNING` |
|
||||
| [pmd-apex](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) | **{check-circle}** Yes | Integer | `1`, `2`, `3`, `4`, `5` |
|
||||
| [kubesec](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) | **{check-circle}** Yes | String | `CriticalSeverity`, `InfoSeverity` |
|
||||
| [secrets](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Critical` |
|
||||
|
||||
## Dependency Scanning
|
||||
|
||||
| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example |
|
||||
|------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------|
|
||||
| [bundler-audit](https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit) | **{check-circle}** Yes | String | `low`, `medium`, `high`, `critical` |
|
||||
| [retire.js](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js) | **{check-circle}** Yes | String | `low`, `medium`, `high`, `critical` |
|
||||
| [gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) | **{check-circle}** Yes | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
|
||||
|
||||
## Container Scanning
|
||||
|
||||
| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example |
|
||||
|------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------|
|
||||
| [klar](https://gitlab.com/gitlab-org/security-products/analyzers/klar) | **{check-circle}** Yes | String | `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1` |
|
||||
|
||||
## Fuzz Testing
|
||||
|
||||
All fuzz testing results are reported as Unknown. They should be reviewed and triaged manually to find exploitable faults to prioritize for fixing.
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe ::Ci::Pipelines::CreateArtifactService do
|
||||
RSpec.describe ::Ci::PipelineArtifacts::CoverageReportService do
|
||||
describe '#execute' do
|
||||
subject { described_class.new.execute(pipeline) }
|
||||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe ::Ci::Pipelines::CreateArtifactWorker do
|
||||
RSpec.describe ::Ci::PipelineArtifacts::CoverageReportWorker do
|
||||
describe '#perform' do
|
||||
subject { described_class.new.perform(pipeline_id) }
|
||||
|
||||
|
@ -11,7 +11,7 @@ RSpec.describe ::Ci::Pipelines::CreateArtifactWorker do
|
|||
let(:pipeline_id) { pipeline.id }
|
||||
|
||||
it 'calls pipeline report result service' do
|
||||
expect_next_instance_of(::Ci::Pipelines::CreateArtifactService) do |create_artifact_service|
|
||||
expect_next_instance_of(::Ci::PipelineArtifacts::CoverageReportService) do |create_artifact_service|
|
||||
expect(create_artifact_service).to receive(:execute)
|
||||
end
|
||||
|
||||
|
@ -23,7 +23,7 @@ RSpec.describe ::Ci::Pipelines::CreateArtifactWorker do
|
|||
let(:pipeline_id) { non_existing_record_id }
|
||||
|
||||
it 'does not call pipeline create artifact service' do
|
||||
expect(Ci::Pipelines::CreateArtifactService).not_to receive(:execute)
|
||||
expect(Ci::PipelineArtifacts::CoverageReportService).not_to receive(:execute)
|
||||
|
||||
subject
|
||||
end
|