Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-11-08 03:10:58 +00:00
parent 9695fcf519
commit 43feb20dca
21 changed files with 1529 additions and 640 deletions


@ -1 +1 @@
ba02c22370d12ccf8ec464497603394effbaf8b0
038b442dc21c71a69ad170a61ce79a12a74fb725


@ -1,176 +1,135 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"global": [
"$schema": "http://json-schema.org/draft-07/schema#",
"global": [
{
"field": "SECURE_ANALYZERS_PREFIX",
"label": "Image prefix",
"type": "string",
"default_value": "",
"value": "",
"size": "LARGE",
"description": "Analyzer image's registry prefix (or name of the registry providing the analyzers' image)"
},
{
"field": "SAST_EXCLUDED_PATHS",
"label": "Excluded Paths",
"type": "string",
"default_value": "",
"value": "",
"size": "MEDIUM",
"description": "Comma-separated list of paths to be excluded from analyzer output. Patterns can be globs, file paths, or folder paths."
}
],
"pipeline": [
{
"field": "stage",
"label": "Stage",
"type": "string",
"default_value": "",
"value": "",
"size": "MEDIUM",
"description": "Pipeline stage in which the scan jobs run"
},
{
"field": "SEARCH_MAX_DEPTH",
"label": "Search maximum depth",
"type": "string",
"default_value": "",
"value": "",
"size": "SMALL",
"description": "Maximum depth of language and framework detection"
}
],
"analyzers": [
{
"name": "brakeman",
"label": "Brakeman",
"enabled": true,
"description": "Ruby on Rails",
"variables": [
{
"field": "SECURE_ANALYZERS_PREFIX",
"label": "Image prefix",
"type": "string",
"default_value": "",
"value": "",
"size": "LARGE",
"description": "Analyzer image's registry prefix (or name of the registry providing the analyzers' image)"
},
{
"field" : "SAST_EXCLUDED_PATHS",
"label" : "Excluded Paths",
"type": "string",
"default_value": "",
"value": "",
"size": "MEDIUM",
"description": "Comma-separated list of paths to be excluded from analyzer output. Patterns can be globs, file paths, or folder paths."
"field": "SAST_BRAKEMAN_LEVEL",
"label": "Brakeman confidence level",
"type": "string",
"default_value": "1",
"value": "",
"size": "SMALL",
"description": "Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low, 2=Medium, 3=High."
}
],
"pipeline": [
]
},
{
"name": "flawfinder",
"label": "Flawfinder",
"enabled": true,
"description": "C, C++",
"variables": [
{
"field" : "stage",
"label" : "Stage",
"type": "string",
"default_value": "",
"value": "",
"size": "MEDIUM",
"description": "Pipeline stage in which the scan jobs run"
},
{
"field" : "SEARCH_MAX_DEPTH",
"label" : "Search maximum depth",
"type": "string",
"default_value": "",
"value": "",
"size": "SMALL",
"description": "Maximum depth of language and framework detection"
"field": "SAST_FLAWFINDER_LEVEL",
"label": "Flawfinder risk level",
"type": "string",
"default_value": "1",
"value": "",
"size": "SMALL",
"description": "Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk."
}
],
"analyzers": [
{
"name": "bandit",
"label": "Bandit",
"enabled" : true,
"description": "Python",
"variables": [
{
"field" : "SAST_BANDIT_EXCLUDED_PATHS",
"label" : "Paths to exclude from scan",
"type": "string",
"default_value": "",
"value": "",
"size": "SMALL",
"description": "Comma-separated list of paths to exclude from scan. Uses Pythons 'fnmatch' syntax; For example: '*/tests/*, */venv/*'"
}
]
},
{
"name": "brakeman",
"label": "Brakeman",
"enabled" : true,
"description": "Ruby on Rails",
"variables": [
{
"field" : "SAST_BRAKEMAN_LEVEL",
"label" : "Brakeman confidence level",
"type": "string",
"default_value": "1",
"value": "",
"size": "SMALL",
"description": "Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low, 2=Medium, 3=High."
}
]
},
{
"name": "eslint",
"label": "ESLint",
"enabled" : true,
"description": "JavaScript, TypeScript, React",
"variables": []
},
{
"name": "flawfinder",
"label": "Flawfinder",
"enabled" : true,
"description": "C, C++",
"variables": [
{
"field" : "SAST_FLAWFINDER_LEVEL",
"label" : "Flawfinder risk level",
"type": "string",
"default_value": "1",
"value": "",
"size": "SMALL",
"description": "Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk."
}
]
},
{
"name": "gosec",
"label": "Gosec",
"enabled" : true,
"description": "Go",
"variables": [
{
"field" : "SAST_GOSEC_LEVEL",
"label" : "Gosec confidence level",
"type": "string",
"default_value": "0",
"value": "",
"size": "SMALL",
"description": "Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High."
}
]
},
{
"name": "kubesec",
"label": "Kubesec",
"enabled" : true,
"description": "Kubernetes manifests, Helm Charts",
"variables": []
},
{
"name": "nodejs-scan",
"label": "Node.js Scan",
"enabled" : true,
"description": "Node.js",
"variables": []
},
{
"name": "phpcs-security-audit",
"label": "PHP Security Audit",
"enabled" : true,
"description": "PHP",
"variables": []
},
{
"name": "pmd-apex",
"label": "PMD APEX",
"enabled" : true,
"description": "Apex (Salesforce)",
"variables": []
},
{
"name": "security-code-scan",
"label": "Security Code Scan",
"enabled" : true,
"description": ".NET Core, .NET Framework",
"variables": []
},
{
"name": "semgrep",
"label": "Semgrep",
"enabled": true,
"description": "Multi-language scanning",
"variables": []
},
{
"name": "sobelow",
"label": "Sobelow",
"enabled" : true,
"description": "Elixir (Phoenix)",
"variables": []
},
{
"name": "spotbugs",
"label": "Spotbugs",
"enabled" : true,
"description": "Groovy, Java, Scala",
"variables": []
}
]
}
]
},
{
"name": "kubesec",
"label": "Kubesec",
"enabled": true,
"description": "Kubernetes manifests, Helm Charts",
"variables": []
},
{
"name": "nodejs-scan",
"label": "Node.js Scan",
"enabled": true,
"description": "Node.js",
"variables": []
},
{
"name": "phpcs-security-audit",
"label": "PHP Security Audit",
"enabled": true,
"description": "PHP",
"variables": []
},
{
"name": "pmd-apex",
"label": "PMD APEX",
"enabled": true,
"description": "Apex (Salesforce)",
"variables": []
},
{
"name": "security-code-scan",
"label": "Security Code Scan",
"enabled": true,
"description": ".NET Core, .NET Framework",
"variables": []
},
{
"name": "semgrep",
"label": "Semgrep",
"enabled": true,
"description": "Multi-language scanning",
"variables": []
},
{
"name": "sobelow",
"label": "Sobelow",
"enabled": true,
"description": "Elixir (Phoenix)",
"variables": []
},
{
"name": "spotbugs",
"label": "Spotbugs",
"enabled": true,
"description": "Groovy, Java, Scala",
"variables": []
}
]
}
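Review bot: With the `bandit`, `eslint` and `gosec` entries removed, no item in `analyzers` names Python, JavaScript/TypeScript or Go any more, while the `semgrep` entry still carries only `"description": "Multi-language scanning"`, so a user configuring SAST from this UI can no longer tell whether those languages are covered. If semgrep is the analyzer that now handles them, spelling the covered languages out in its `description` keeps the UI as informative as the old list; if not, the coverage drop should be stated in the commit. The new order also shifts every positional index (brakeman is now first, semgrep eighth), so any spec or consumer that indexes `analyzers` by position rather than by `name` needs a matching update.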


@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356464
milestone: '14.9'
type: ops
group: group::threat insights
default_enabled: false
default_enabled: true


@ -30,9 +30,11 @@ Parameters:
```graphql
mutation CreateCustomEmoji($groupPath: ID!) {
createCustomEmoji(input: {groupPath: $groupPath, name: "party-parrot", file: "https://cultofthepartyparrot.com/parrots/hd/parrot.gif", external: true}) {
createCustomEmoji(input: {groupPath: $groupPath, name: "party-parrot", url: "https://cultofthepartyparrot.com/parrots/hd/parrot.gif"}) {
clientMutationId
name
customEmoji {
name
}
errors
}
}


@ -198,11 +198,11 @@ The response is `404 Not Found` if the vulnerability export is not finished yet
Example response:
```csv
Group Name,Project Name,Tool,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers,Detected At,Location,Activity,
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2019-14697 in musl-utils-1.1.20-r4,"musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",CVE-2019-14697 in musl-utils-1.1.20-r4,critical,CVE-2019-14697,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl-utils""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2019-19242 in sqlite-libs-3.26.0-r3,"SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",CVE-2019-19242 in sqlite-libs-3.26.0-r3,medium,CVE-2019-19242,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""sqlite-libs""}, ""version""=>""3.26.0-r3""}, ""operating_system""=>""alpine 3.9.2""}",true,
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2020-28928 in musl-1.1.20-r4,"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).",CVE-2020-28928 in musl-1.1.20-r4,medium,CVE-2020-28928,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,unknown,Gemfile.lock:rack:gemnasium:60b5a27f-4e4d-4ab4-8ae7-74b4b212e177,,Gemnasium-60b5a27f-4e4d-4ab4-8ae7-74b4b212e177; GHSA-wq4h-7r42-5hrr,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Denial of Service Vulnerability in Rack Multipart Parsing in rack,"Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts.",Denial of Service Vulnerability in Rack Multipart Parsing in rack,unknown,Gemfile.lock:rack:gemnasium:20daa17a-47b5-4f79-80c2-cd8f2db9805c,,Gemnasium-20daa17a-47b5-4f79-80c2-cd8f2db9805c; GHSA-hxqx-xwvh-44m2,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,
Gitlab.org,Defend,sast,Brakeman,detected,Possible SQL injection,,Possible SQL injection,medium,e52f23a259cd489168b4313317ac94a3f13bffde57b9635171c1a44a9f329e9a,,"""Brakeman Warning Code 0""",2022-10-13 15:16:36 UTC,"{""file""=>""main.rb"", ""class""=>""User"", ""method""=>""index"", ""start_line""=>3}",false
Group Name,Project Name,Tool,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers,Detected At,Location,Activity,Comments,
Gitlab.org,Defend,container_scanning,Trivy,resolved,CVE-2019-14697 in musl-utils-1.1.20-r4,"musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",CVE-2019-14697 in musl-utils-1.1.20-r4,critical,CVE-2019-14697,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl-utils""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"2022-10-07 13:41:08 UTC|root|resolved|changed vulnerability status to resolved",
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2019-19242 in sqlite-libs-3.26.0-r3,"SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",CVE-2019-19242 in sqlite-libs-3.26.0-r3,medium,CVE-2019-19242,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""sqlite-libs""}, ""version""=>""3.26.0-r3""}, ""operating_system""=>""alpine 3.9.2""}",true,"",
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2020-28928 in musl-1.1.20-r4,"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).",CVE-2020-28928 in musl-1.1.20-r4,medium,CVE-2020-28928,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"",
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,unknown,Gemfile.lock:rack:gemnasium:60b5a27f-4e4d-4ab4-8ae7-74b4b212e177,,Gemnasium-60b5a27f-4e4d-4ab4-8ae7-74b4b212e177; GHSA-wq4h-7r42-5hrr,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,"",
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Denial of Service Vulnerability in Rack Multipart Parsing in rack,"Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts.",Denial of Service Vulnerability in Rack Multipart Parsing in rack,unknown,Gemfile.lock:rack:gemnasium:20daa17a-47b5-4f79-80c2-cd8f2db9805c,,Gemnasium-20daa17a-47b5-4f79-80c2-cd8f2db9805c; GHSA-hxqx-xwvh-44m2,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,"",
Gitlab.org,Defend,sast,Brakeman,detected,Possible SQL injection,,Possible SQL injection,medium,e52f23a259cd489168b4313317ac94a3f13bffde57b9635171c1a44a9f329e9a,,"""Brakeman Warning Code 0""",2022-10-13 15:16:36 UTC,"{""file""=>""main.rb"", ""class""=>""User"", ""method""=>""index"", ""start_line""=>3}",false,""
```


@ -304,12 +304,24 @@ spotbugs-sast:
#### Pinning to minor image version
While our templates use `MAJOR` version pinning to always ensure the latest analyzer
versions are pulled, there are certain cases where it can be beneficial to pin
an analyzer to a specific release. To do so, override the `SAST_ANALYZER_IMAGE_TAG` CI/CD variable
in the job template directly.
The GitLab-managed CI/CD template specifies a major version and automatically pulls the latest analyzer release within that major version.
In the example below, we pin to a minor version of the `semgrep` analyzer and a specific patch version of the `brakeman` analyzer:
In some cases, you may need to use a specific version.
For example, you might need to avoid a regression in a later release.
To override the automatic update behavior, set the `SAST_ANALYZER_IMAGE_TAG` CI/CD variable
in your CI/CD configuration file after you include the [`SAST.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml).
Only set this variable within a specific job.
If you set it [at the top level](../../../ci/variables/index.md#create-a-custom-cicd-variable-in-the-gitlab-ciyml-file), the version you set will be used for other SAST analyzers.
You can set the tag to:
- A major version, like `3`. Your pipelines will use any minor or patch updates that are released within this major version.
- A minor version, like `3.7`. Your pipelines will use any patch updates that are released within this minor version.
- A patch version, like `3.7.0`. Your pipelines won't receive any updates.
This example uses a specific minor version of the `semgrep` analyzer and a specific patch version of the `brakeman` analyzer:
```yaml
include:
@ -317,11 +329,11 @@ include:
semgrep-sast:
variables:
SAST_ANALYZER_IMAGE_TAG: "2.16"
SAST_ANALYZER_IMAGE_TAG: "3.7"
brakeman-sast:
variables:
SAST_ANALYZER_IMAGE_TAG: "2.21.1"
SAST_ANALYZER_IMAGE_TAG: "3.1.1"
```
### False Positive Detection **(ULTIMATE)**


@ -124,6 +124,33 @@ widget.
If the scanner detects a secret you should rotate it immediately. [Purging a file from the repository's history](../../project/repository/reducing_the_repo_size_using_git.md#purge-files-from-repository-history) may not be effective in removing all references to the file. Also, the secret remains in any forks of the repository.
## Pinning to specific analyzer version
The GitLab-managed CI/CD template specifies a major version and automatically pulls the latest analyzer release within that major version.
In some cases, you may need to use a specific version.
For example, you might need to avoid a regression in a later release.
To override the automatic update behavior, set the `SECRETS_ANALYZER_VERSION` CI/CD variable
in your CI/CD configuration file after you include the [`Secret-Detection.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml).
You can set the tag to:
- A major version, like `4`. Your pipelines will use any minor or patch updates that are released within this major version.
- A minor version, like `4.5`. Your pipelines will use any patch updates that are released within this minor version.
- A patch version, like `4.5.0`. Your pipelines won't receive any updates.
This example uses a specific minor version of the analyzer:
```yaml
include:
- template: Security/Secret-Detection.gitlab-ci.yml
secret_detection:
variables:
SECRETS_ANALYZER_VERSION: "4.5"
```
## Configure scan settings
The Secret Detection scan settings can be changed through [CI/CD variables](#available-cicd-variables)


@ -219,6 +219,7 @@ Fields included are:
- Detected At
- Location
- Activity
- Comments
NOTE:
Full details are available through our


@ -60,7 +60,8 @@ Self-managed installations can configure the following additional password requi
## Block weak passwords
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/23610) in GitLab 15.4 [with a flag](../../administration/feature_flags.md) named `block_weak_passwords`, weak passwords aren't accepted. Disabled by default.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/23610) in GitLab 15.4 [with a flag](../../administration/feature_flags.md) named `block_weak_passwords`, weak passwords aren't accepted. Disabled by default on self-managed.
> - [Enabled](https://gitlab.com/gitlab-org/gitlab/-/issues/363445) on GitLab.com.
FLAG:
On self-managed GitLab, by default blocking weak passwords is not available. To make it available, ask an administrator


@ -199,12 +199,14 @@ module API
mount ::API::ProjectExport
mount ::API::ProjectHooks
mount ::API::ProjectRepositoryStorageMoves
mount ::API::ProjectSnippets
mount ::API::ProjectSnapshots
mount ::API::ProtectedBranches
mount ::API::ProtectedTags
mount ::API::Release::Links
mount ::API::Releases
mount ::API::Release::Links
mount ::API::ResourceAccessTokens
mount ::API::Snippets
mount ::API::SnippetRepositoryStorageMoves
mount ::API::Statistics
mount ::API::Submodules
@ -299,7 +301,6 @@ module API
mount ::API::ProjectImport
mount ::API::ProjectMilestones
mount ::API::ProjectPackages
mount ::API::ProjectSnippets
mount ::API::ProjectStatistics
mount ::API::ProjectTemplates
mount ::API::Projects
@ -315,7 +316,6 @@ module API
mount ::API::Search
mount ::API::Settings
mount ::API::SidekiqMetrics
mount ::API::Snippets
mount ::API::Subscriptions
mount ::API::Tags
mount ::API::Templates
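Review bot: `mount ::API::Release::Links` is moved below `mount ::API::Releases` while the surrounding list stays alphabetical, and by plain string order `Release::Links` sorts before `Releases`, so the list is no longer sorted at that point. If the move is deliberate — in Grape the order in which APIs are mounted can decide which of two routes sharing a prefix is matched first, so `Releases` routes would now be tried before `Release::Links` routes — a one-line comment such as `# Releases must be mounted before Release::Links` would stop the next alphabetizing pass from undoing it; otherwise the previous order should be restored. Moving `ProjectSnippets` and `Snippets` into this block from the two later hunks is consistent with the other snippet changes in the commit.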


@ -3,16 +3,30 @@
module API
module Entities
class BasicSnippet < Grape::Entity
expose :id, :title, :description, :visibility
expose :updated_at, :created_at
expose :project_id
expose :web_url do |snippet|
expose :id, documentation: { type: 'integer', example: 1 }
expose :title, documentation: { type: 'string', example: 'test' }
expose :description, documentation: { type: 'string', example: 'Ruby test snippet' }
expose :visibility, documentation: { type: 'string', example: 'public' }
expose :author, using: Entities::UserBasic, documentation: { type: 'Entities::UserBasic' }
expose :created_at, documentation: { type: 'dateTime', example: '2012-06-28T10:52:04Z' }
expose :updated_at, documentation: { type: 'dateTime', example: '2012-06-28T10:52:04Z' }
expose :project_id, documentation: { type: 'integer', example: 1 }
expose :web_url, documentation: {
type: 'string', example: 'http://example.com/example/example/snippets/1'
} do |snippet|
Gitlab::UrlBuilder.build(snippet)
end
expose :raw_url do |snippet|
expose :raw_url, documentation: {
type: 'string', example: 'http://example.com/example/example/snippets/1/raw'
} do |snippet|
Gitlab::UrlBuilder.build(snippet, raw: true)
end
expose :ssh_url_to_repo, :http_url_to_repo, if: ->(snippet) { snippet.repository_exists? }
expose :ssh_url_to_repo, documentation: {
type: 'string', example: 'ssh://user@gitlab.example.com/snippets/65.git'
}, if: ->(snippet) { snippet.repository_exists? }
expose :http_url_to_repo, documentation: {
type: 'string', example: 'https://gitlab.example.com/snippets/65.git'
}, if: ->(snippet) { snippet.repository_exists? }
end
end
end
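Review bot: `expose :author, using: Entities::UserBasic, documentation: { type: 'Entities::UserBasic' }` is a new field on BasicSnippet — the old side of this hunk exposed no author — and `Entities::Snippet` in the next file of this commit keeps its own `expose :author`, so the attribute is now declared twice in that hierarchy. More importantly, every consumer of BasicSnippet, including `Entities::Snippets::RepositoryStorageMove` touched later in this commit, now returns the author's `UserBasic` data, which is a payload change rather than the documentation-only change the rest of the hunk makes. If the wider exposure is intended, drop the duplicate from `Entities::Snippet` and cover the new field in the entity specs; if not, remove the line here.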


@ -3,11 +3,13 @@
module API
module Entities
class Snippet < BasicSnippet
expose :author, using: Entities::UserBasic
expose :file_name do |snippet|
expose :author, using: Entities::UserBasic, documentation: { type: 'Entities::UserBasic' }
expose :file_name, documentation: { type: 'string', example: 'add.rb' } do |snippet|
snippet_files.first || snippet.file_name
end
expose :files do |snippet, options|
expose :files, documentation: {
is_array: true, example: 'e0d123e5f316bef78bfdf5a008837577'
} do |snippet, options|
snippet_files.map do |file|
{
path: file,


@ -4,7 +4,7 @@ module API
module Entities
module Snippets
class RepositoryStorageMove < BasicRepositoryStorageMove
expose :snippet, using: Entities::BasicSnippet
expose :snippet, using: Entities::BasicSnippet, documentation: { type: 'Entities::BasicSnippet' }
end
end
end


@ -3,9 +3,9 @@
module API
module Entities
class UserAgentDetail < Grape::Entity
expose :user_agent
expose :ip_address
expose :submitted, as: :akismet_submitted
expose :user_agent, documentation: { type: 'string', example: 'AppleWebKit/537.36' }
expose :ip_address, documentation: { type: 'string', example: '127.0.0.1' }
expose :submitted, as: :akismet_submitted, documentation: { type: 'boolean', example: false }
end
end
end


@ -34,6 +34,11 @@ module API
desc 'Get all project snippets' do
success Entities::ProjectSnippet
failure [
{ code: 404, message: 'Not found' }
]
tags %w[project_snippets]
is_array true
end
params do
use :pagination
@ -46,6 +51,10 @@ module API
desc 'Get a single project snippet' do
success Entities::ProjectSnippet
failure [
{ code: 404, message: 'Not found' }
]
tags %w[project_snippets]
end
params do
requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
@ -60,6 +69,12 @@ module API
desc 'Create a new project snippet' do
success Entities::ProjectSnippet
failure [
{ code: 400, message: 'Validation error' },
{ code: 404, message: 'Not found' },
{ code: 422, message: 'Unprocessable entity' }
]
tags %w[project_snippets]
end
params do
requires :title, type: String, allow_blank: false, desc: 'The title of the snippet'
@ -91,6 +106,12 @@ module API
desc 'Update an existing project snippet' do
success Entities::ProjectSnippet
failure [
{ code: 400, message: 'Validation error' },
{ code: 404, message: 'Not found' },
{ code: 422, message: 'Unprocessable entity' }
]
tags %w[project_snippets]
end
params do
requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
@ -132,7 +153,14 @@ module API
end
# rubocop: enable CodeReuse/ActiveRecord
desc 'Delete a project snippet'
desc 'Delete a project snippet' do
success code: 204
failure [
{ code: 400, message: 'Validation error' },
{ code: 404, message: 'Not found' }
]
tags %w[project_snippets]
end
params do
requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
end
@ -156,7 +184,13 @@ module API
end
# rubocop: enable CodeReuse/ActiveRecord
desc 'Get a raw project snippet'
desc 'Get a raw project snippet' do
success Entities::ProjectSnippet
failure [
{ code: 404, message: 'Not found' }
]
tags %w[project_snippets]
end
params do
requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
end
@ -168,7 +202,13 @@ module API
present content_for(snippet)
end
desc 'Get raw project snippet file contents from the repository'
desc 'Get raw project snippet file contents from the repository' do
success Entities::ProjectSnippet
failure [
{ code: 404, message: 'Not found' }
]
tags %w[project_snippets]
end
params do
use :raw_file_params
end
@ -182,6 +222,10 @@ module API
desc 'Get the user agent details for a project snippet' do
success Entities::UserAgentDetail
failure [
{ code: 404, message: 'Not found' }
]
tags %w[project_snippets]
end
params do
requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
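Review bot: The desc blocks for 'Get a raw project snippet' and 'Get raw project snippet file contents from the repository' now declare `success Entities::ProjectSnippet`, but those endpoints return raw content (`present content_for(snippet)` is visible just above the second block), not a serialized snippet, so the OpenAPI output would document the wrong response body; the personal-snippet counterparts in this commit declare no success entity for their raw endpoints. Drop the two `success Entities::ProjectSnippet` lines, or replace them with `success code: 200` plus a plain-text content description. The 'Delete a project snippet' block also lists `{ code: 400, message: 'Validation error' }` for a destroy, which is worth confirming against what that action can actually return.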


@ -28,6 +28,11 @@ module API
desc 'Get a snippets list for an authenticated user' do
detail 'This feature was introduced in GitLab 8.15.'
success Entities::Snippet
failure [
{ code: 404, message: 'Not found' }
]
tags %w[snippets]
is_array true
end
params do
optional :created_after, type: DateTime, desc: 'Return snippets created after the specified time'
@ -45,6 +50,11 @@ module API
desc 'List all public personal snippets current_user has access to' do
detail 'This feature was introduced in GitLab 8.15.'
success Entities::PersonalSnippet
failure [
{ code: 404, message: 'Not found' }
]
tags %w[snippets]
is_array true
end
params do
optional :created_after, type: DateTime, desc: 'Return snippets created after the specified time'
@ -62,6 +72,10 @@ module API
desc 'Get a single snippet' do
detail 'This feature was introduced in GitLab 8.15.'
success Entities::PersonalSnippet
failure [
{ code: 404, message: 'Not found' }
]
tags %w[snippets]
end
params do
requires :id, type: Integer, desc: 'The ID of a snippet'
@ -77,6 +91,12 @@ module API
desc 'Create new snippet' do
detail 'This feature was introduced in GitLab 8.15.'
success Entities::PersonalSnippet
failure [
{ code: 400, message: 'Validation error' },
{ code: 404, message: 'Not found' },
{ code: 422, message: 'Unprocessable entity' }
]
tags %w[snippets]
end
params do
requires :title, type: String, allow_blank: false, desc: 'The title of a snippet'
@ -110,6 +130,12 @@ module API
desc 'Update an existing snippet' do
detail 'This feature was introduced in GitLab 8.15.'
success Entities::PersonalSnippet
failure [
{ code: 400, message: 'Validation error' },
{ code: 404, message: 'Not found' },
{ code: 422, message: 'Unprocessable entity' }
]
tags %w[snippets]
end
params do
@ -154,6 +180,11 @@ module API
desc 'Remove snippet' do
detail 'This feature was introduced in GitLab 8.15.'
success Entities::PersonalSnippet
failure [
{ code: 400, message: 'Validation error' },
{ code: 404, message: 'Not found' }
]
tags %w[snippets]
end
params do
requires :id, type: Integer, desc: 'The ID of a snippet'
@ -178,6 +209,10 @@ module API
desc 'Get a raw snippet' do
detail 'This feature was introduced in GitLab 8.15.'
failure [
{ code: 404, message: 'Not found' }
]
tags %w[snippets]
end
params do
requires :id, type: Integer, desc: 'The ID of a snippet'
@ -189,7 +224,12 @@ module API
present content_for(snippet)
end
desc 'Get raw snippet file contents from the repository'
desc 'Get raw snippet file contents from the repository' do
failure [
{ code: 404, message: 'Not found' }
]
tags %w[snippets]
end
params do
use :raw_file_params
end
@ -202,6 +242,10 @@ module API
desc 'Get the user agent details for a snippet' do
success Entities::UserAgentDetail
failure [
{ code: 404, message: 'Not found' }
]
tags %w[snippets]
end
params do
requires :id, type: Integer, desc: 'The ID of a snippet'
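Review bot: The 'Remove snippet' desc gains `failure` codes and `tags` but keeps `success Entities::PersonalSnippet` on the unchanged line above them, whereas the project-snippet counterpart in this commit documents its delete as `success code: 204`. If this endpoint also responds with no content on success (its body is outside the hunk), the entity reference is wrong for the generated spec and should become `success code: 204`. The `{ code: 400, message: 'Validation error' }` entry on a destroy appears here as in project_snippets.rb and is worth confirming against what the action returns.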


@ -212,8 +212,8 @@ RSpec.describe GitlabSchema.types['Project'] do
it "returns the project's sast configuration for analyzer variables" do
analyzer = subject.dig('data', 'project', 'sastCiConfiguration', 'analyzers', 'nodes').first
expect(analyzer['name']).to eq('bandit')
expect(analyzer['label']).to eq('Bandit')
expect(analyzer['name']).to eq('brakeman')
expect(analyzer['label']).to eq('Brakeman')
expect(analyzer['enabled']).to eq(true)
end


@ -11,9 +11,9 @@ RSpec.describe Security::CiConfiguration::SastParserService do
let(:sast_excluded_paths) { configuration['global'][1] }
let(:sast_pipeline_stage) { configuration['pipeline'][0] }
let(:sast_search_max_depth) { configuration['pipeline'][1] }
let(:bandit) { configuration['analyzers'][0] }
let(:brakeman) { configuration['analyzers'][1] }
let(:brakeman) { configuration['analyzers'][0] }
let(:sast_brakeman_level) { brakeman['variables'][0] }
let(:semgrep) { configuration['analyzers'][1] }
let(:secure_analyzers_prefix) { '$CI_TEMPLATE_REGISTRY_HOST/security-products' }
it 'parses the configuration for SAST' do
@ -34,7 +34,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
expect(sast_pipeline_stage['value']).to eql('our_custom_security_stage')
expect(sast_search_max_depth['value']).to eql('8')
expect(brakeman['enabled']).to be(false)
expect(bandit['enabled']).to be(true)
expect(semgrep['enabled']).to be(true)
expect(sast_brakeman_level['value']).to eql('2')
end
@ -43,7 +43,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_excluded_analyzers_content)
expect(brakeman['enabled']).to be(false)
expect(bandit['enabled']).to be(true)
expect(semgrep['enabled']).to be(true)
end
end
end
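Review bot: `let(:semgrep) { configuration['analyzers'][1] }` assumes semgrep is the second analyzer, but in the analyzer-configuration JSON changed earlier in this commit the order is brakeman, flawfinder, kubesec, ..., with semgrep eighth; if the service preserves that order, index 1 is flawfinder. The assertions `expect(semgrep['enabled']).to be(true)` would still pass because flawfinder is enabled as well, so the test would no longer exercise semgrep at all. Selecting by name, `let(:semgrep) { configuration['analyzers'].find { |a| a['name'] == 'semgrep' } }`, removes the positional coupling, and the same treatment suits `brakeman`.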


@ -1,9 +1,9 @@
module gitlab.com/gitlab-org/gitlab/workhorse
go 1.17
go 1.18
require (
github.com/Azure/azure-storage-blob-go v0.14.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1
github.com/BurntSushi/toml v1.2.1
github.com/FZambia/sentinel v1.1.1
github.com/alecthomas/chroma/v2 v2.3.0
@ -29,11 +29,11 @@ require (
gitlab.com/gitlab-org/gitaly/v15 v15.5.1
gitlab.com/gitlab-org/golang-archive-zip v0.1.1
gitlab.com/gitlab-org/labkit v1.16.1
gocloud.dev v0.26.0
gocloud.dev v0.27.0
golang.org/x/image v0.0.0-20220722155232-062f8c9fd539
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
golang.org/x/net v0.0.0-20220722155237-a158d28d115b
golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a
golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b
golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c
golang.org/x/tools v0.1.12
google.golang.org/grpc v1.50.1
google.golang.org/protobuf v1.28.1
@ -41,24 +41,23 @@ require (
)
require (
cloud.google.com/go v0.100.2 // indirect
cloud.google.com/go/compute v1.5.0 // indirect
cloud.google.com/go v0.103.0 // indirect
cloud.google.com/go/compute v1.7.0 // indirect
cloud.google.com/go/iam v0.3.0 // indirect
cloud.google.com/go/monitoring v1.4.0 // indirect
cloud.google.com/go/monitoring v1.5.0 // indirect
cloud.google.com/go/profiler v0.1.0 // indirect
cloud.google.com/go/storage v1.21.0 // indirect
cloud.google.com/go/storage v1.24.0 // indirect
cloud.google.com/go/trace v1.2.0 // indirect
contrib.go.opencensus.io/exporter/stackdriver v0.13.10 // indirect
github.com/Azure/azure-pipeline-go v0.2.3 // indirect
contrib.go.opencensus.io/exporter/stackdriver v0.13.13 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.22 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.17 // indirect
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0 // indirect
github.com/DataDog/datadog-go v4.4.0+incompatible // indirect
github.com/DataDog/sketches-go v1.0.0 // indirect
github.com/Microsoft/go-winio v0.5.0 // indirect
github.com/Microsoft/go-winio v0.5.1 // indirect
github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d // indirect
github.com/beevik/ntp v0.3.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
@ -70,30 +69,33 @@ require (
github.com/dlclark/regexp2 v1.4.0 // indirect
github.com/go-ole/go-ole v1.2.4 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/pprof v0.0.0-20210804190019-f964ff605595 // indirect
github.com/google/pprof v0.0.0-20220608213341-c488b8fa1db3 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/google/wire v0.5.0 // indirect
github.com/googleapis/gax-go/v2 v2.2.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
github.com/googleapis/gax-go/v2 v2.4.0 // indirect
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 // indirect
github.com/hashicorp/yamux v0.1.1 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/jtolds/gls v4.20.0+incompatible // indirect
github.com/kr/text v0.2.0 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20210210170715-a8dfcb80d3a7 // indirect
github.com/lightstep/lightstep-tracer-go v0.25.0 // indirect
github.com/mattn/go-ieproxy v0.0.6 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/oklog/ulid/v2 v2.0.2 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/philhofer/fwd v1.1.1 // indirect
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/prometheus/prometheus v0.37.0 // indirect
github.com/ryszard/goskiplist v0.0.0-20150312221310-2dfbae5fcf46 // indirect
github.com/shabbyrobe/gocovmerge v0.0.0-20190829150210-3e036491d500 // indirect
github.com/shirou/gopsutil/v3 v3.21.2 // indirect
@ -109,13 +111,13 @@ require (
golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
golang.org/x/sys v0.0.0-20220731174439-a90be440212d // indirect
golang.org/x/text v0.3.8 // indirect
golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/api v0.74.0 // indirect
golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
google.golang.org/api v0.91.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220401170504-314d38edb7de // indirect
google.golang.org/genproto v0.0.0-20220802133213-ce4fa296bf78 // indirect
gopkg.in/DataDog/dd-trace-go.v1 v1.32.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)



@ -10,7 +10,7 @@ import (
"strings"
"time"
"github.com/Azure/azure-storage-blob-go/azblob"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
"github.com/BurntSushi/toml"
"gocloud.dev/blob"
"gocloud.dev/blob/azureblob"
@ -174,18 +174,21 @@ func (c *Config) RegisterGoCloudURLOpeners() error {
}
func (creds *AzureCredentials) getURLOpener() (*azureblob.URLOpener, error) {
accountName := azureblob.AccountName(creds.AccountName)
accountKey := azureblob.AccountKey(creds.AccountKey)
serviceURLOptions := azureblob.ServiceURLOptions{
AccountName: creds.AccountName,
}
credential, err := azureblob.NewCredential(accountName, accountKey)
if err != nil {
return nil, fmt.Errorf("error creating Azure credentials: %w", err)
clientFunc := func(svcURL azureblob.ServiceURL) (*azblob.ServiceClient, error) {
sharedKeyCred, err := azblob.NewSharedKeyCredential(creds.AccountName, creds.AccountKey)
if err != nil {
return nil, fmt.Errorf("error creating Azure credentials: %w", err)
}
return azblob.NewServiceClientWithSharedKey(string(svcURL), sharedKeyCred, &azblob.ClientOptions{})
}
return &azureblob.URLOpener{
AccountName: accountName,
Pipeline: azureblob.NewPipeline(credential, azblob.PipelineOptions{}),
Options: azureblob.Options{Credential: credential},
MakeClient: clientFunc,
ServiceURLOptions: serviceURLOptions,
}, nil
}
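Review bot: The shared-key credential is now constructed inside `clientFunc`, so a malformed or empty `creds.AccountKey` is no longer rejected while `getURLOpener` runs: the removed code called `azureblob.NewCredential` eagerly and returned its error from this function, whereas the new `sharedKeyCred, err := azblob.NewSharedKeyCredential(...)` line only fails later, when `MakeClient` is invoked for a bucket open. Hoisting the credential construction out of the closure restores fail-fast validation of the static account key at configuration time and also avoids re-parsing the key on every client construction. The closure additionally passes a zero `&azblob.ClientOptions{}`, which presumably leaves the SDK's default transport and retry policy in place; if the old `azblob.PipelineOptions{}` ever carried project-specific settings (none are visible in this hunk), they need to be re-applied through `ClientOptions`. `getURLOpener` is fully contained in this hunk.
```go
func (creds *AzureCredentials) getURLOpener() (*azureblob.URLOpener, error) {
	serviceURLOptions := azureblob.ServiceURLOptions{
		AccountName: creds.AccountName,
	}

	// Validate the shared key once, up front, so a bad AccountKey is
	// reported when the config is loaded rather than on first bucket open.
	sharedKeyCred, err := azblob.NewSharedKeyCredential(creds.AccountName, creds.AccountKey)
	if err != nil {
		return nil, fmt.Errorf("error creating Azure credentials: %w", err)
	}

	clientFunc := func(svcURL azureblob.ServiceURL) (*azblob.ServiceClient, error) {
		return azblob.NewServiceClientWithSharedKey(string(svcURL), sharedKeyCred, &azblob.ClientOptions{})
	}

	// … unchanged: URLOpener construction with MakeClient/ServiceURLOptions …
```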