Add latest changes from gitlab-org/gitlab@master

2022-11-08 03:10:58 +00:00 · 2022-11-08 03:10:58 +00:00 · 43feb20dca
parent 9695fcf519
commit 43feb20dca
21 changed files with 1529 additions and 640 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-ba02c22370d12ccf8ec464497603394effbaf8b0
+038b442dc21c71a69ad170a61ce79a12a74fb725
--- a/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json
+++ b/app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json
@ -1,176 +1,135 @@
 {
-    "$schema": "http://json-schema.org/draft-07/schema#",
+  "$schema": "http://json-schema.org/draft-07/schema#",
-    "global": [
+  "global": [
    {
      "field": "SECURE_ANALYZERS_PREFIX",
      "label": "Image prefix",
      "type": "string",
      "default_value": "",
      "value": "",
      "size": "LARGE",
      "description": "Analyzer image's registry prefix (or name of the registry providing the analyzers' image)"
    },
    {
      "field": "SAST_EXCLUDED_PATHS",
      "label": "Excluded Paths",
      "type": "string",
      "default_value": "",
      "value": "",
      "size": "MEDIUM",
      "description": "Comma-separated list of paths to be excluded from analyzer output. Patterns can be globs, file paths, or folder paths."
    }
  ],
  "pipeline": [
    {
      "field": "stage",
      "label": "Stage",
      "type": "string",
      "default_value": "",
      "value": "",
      "size": "MEDIUM",
      "description": "Pipeline stage in which the scan jobs run"
    },
    {
      "field": "SEARCH_MAX_DEPTH",
      "label": "Search maximum depth",
      "type": "string",
      "default_value": "",
      "value": "",
      "size": "SMALL",
      "description": "Maximum depth of language and framework detection"
    }
  ],
  "analyzers": [
    {
      "name": "brakeman",
      "label": "Brakeman",
      "enabled": true,
      "description": "Ruby on Rails",
      "variables": [
        {
-            "field": "SECURE_ANALYZERS_PREFIX",
+          "field": "SAST_BRAKEMAN_LEVEL",
-            "label": "Image prefix",
+          "label": "Brakeman confidence level",
-            "type": "string",
+          "type": "string",
-            "default_value": "",
+          "default_value": "1",
-            "value": "",
+          "value": "",
-            "size": "LARGE",
+          "size": "SMALL",
-            "description": "Analyzer image's registry prefix (or name of the registry providing the analyzers' image)"
+          "description": "Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low, 2=Medium, 3=High."
        },
        {
            "field" : "SAST_EXCLUDED_PATHS",
            "label" : "Excluded Paths",
            "type": "string",
            "default_value": "",
            "value": "",
            "size": "MEDIUM",
            "description": "Comma-separated list of paths to be excluded from analyzer output. Patterns can be globs, file paths, or folder paths."
        }
-    ],
+      ]
-    "pipeline": [
+    },
    {
      "name": "flawfinder",
      "label": "Flawfinder",
      "enabled": true,
      "description": "C, C++",
      "variables": [
        {
-            "field" : "stage",
+          "field": "SAST_FLAWFINDER_LEVEL",
-            "label" : "Stage",
+          "label": "Flawfinder risk level",
-            "type": "string",
+          "type": "string",
-            "default_value": "",
+          "default_value": "1",
-            "value": "",
+          "value": "",
-            "size": "MEDIUM",
+          "size": "SMALL",
-            "description": "Pipeline stage in which the scan jobs run"
+          "description": "Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk."
        },
        {
            "field" : "SEARCH_MAX_DEPTH",
            "label" : "Search maximum depth",
            "type": "string",
            "default_value": "",
            "value": "",
            "size": "SMALL",
            "description": "Maximum depth of language and framework detection"
        }
-    ],
+      ]
-    "analyzers": [
+    },
-        {
+    {
-            "name": "bandit",
+      "name": "kubesec",
-            "label": "Bandit",
+      "label": "Kubesec",
-            "enabled" : true,
+      "enabled": true,
-            "description": "Python",
+      "description": "Kubernetes manifests, Helm Charts",
-            "variables": [
+      "variables": []
-                {
+    },
-                    "field" : "SAST_BANDIT_EXCLUDED_PATHS",
+    {
-                    "label" : "Paths to exclude from scan",
+      "name": "nodejs-scan",
-                    "type": "string",
+      "label": "Node.js Scan",
-                    "default_value": "",
+      "enabled": true,
-                    "value": "",
+      "description": "Node.js",
-                    "size": "SMALL",
+      "variables": []
-                    "description": "Comma-separated list of paths to exclude from scan. Uses Python’s 'fnmatch' syntax; For example: '*/tests/*, */venv/*'"
+    },
-                }
+    {
-            ]
+      "name": "phpcs-security-audit",
-        },
+      "label": "PHP Security Audit",
-        {
+      "enabled": true,
-            "name": "brakeman",
+      "description": "PHP",
-            "label": "Brakeman",
+      "variables": []
-            "enabled" : true,
+    },
-            "description": "Ruby on Rails",
+    {
-            "variables": [
+      "name": "pmd-apex",
-                {
+      "label": "PMD APEX",
-                    "field" : "SAST_BRAKEMAN_LEVEL",
+      "enabled": true,
-                    "label" : "Brakeman confidence level",
+      "description": "Apex (Salesforce)",
-                    "type": "string",
+      "variables": []
-                    "default_value": "1",
+    },
-                    "value": "",
+    {
-                    "size": "SMALL",
+      "name": "security-code-scan",
-                    "description": "Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low, 2=Medium, 3=High."
+      "label": "Security Code Scan",
-                }
+      "enabled": true,
-            ]
+      "description": ".NET Core, .NET Framework",
-        },
+      "variables": []
-        {
+    },
-            "name": "eslint",
+    {
-            "label": "ESLint",
+      "name": "semgrep",
-            "enabled" : true,
+      "label": "Semgrep",
-            "description": "JavaScript, TypeScript, React",
+      "enabled": true,
-            "variables": []
+      "description": "Multi-language scanning",
-        },
+      "variables": []
-        {
+    },
-            "name": "flawfinder",
+    {
-            "label": "Flawfinder",
+      "name": "sobelow",
-            "enabled" : true,
+      "label": "Sobelow",
-            "description": "C, C++",
+      "enabled": true,
-            "variables": [
+      "description": "Elixir (Phoenix)",
-                {
+      "variables": []
-                    "field" : "SAST_FLAWFINDER_LEVEL",
+    },
-                    "label" : "Flawfinder risk level",
+    {
-                    "type": "string",
+      "name": "spotbugs",
-                    "default_value": "1",
+      "label": "Spotbugs",
-                    "value": "",
+      "enabled": true,
-                    "size": "SMALL",
+      "description": "Groovy, Java, Scala",
-                    "description": "Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk."
+      "variables": []
-                }
+    }
-            ]
+  ]
-        },
+}
        {
            "name": "gosec",
            "label": "Gosec",
            "enabled" : true,
            "description": "Go",
            "variables": [
                {
                    "field" : "SAST_GOSEC_LEVEL",
                    "label" : "Gosec confidence level",
                    "type": "string",
                    "default_value": "0",
                    "value": "",
                    "size": "SMALL",
                    "description": "Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High."
                }
            ]
        },
        {
            "name": "kubesec",
            "label": "Kubesec",
            "enabled" : true,
            "description": "Kubernetes manifests, Helm Charts",
            "variables": []
        },
        {
            "name": "nodejs-scan",
            "label": "Node.js Scan",
            "enabled" : true,
            "description": "Node.js",
            "variables": []
        },
        {
            "name": "phpcs-security-audit",
            "label": "PHP Security Audit",
            "enabled" : true,
            "description": "PHP",
            "variables": []
        },
        {
            "name": "pmd-apex",
            "label": "PMD APEX",
            "enabled" : true,
            "description": "Apex (Salesforce)",
            "variables": []
        },
        {
            "name": "security-code-scan",
            "label": "Security Code Scan",
            "enabled" : true,
            "description": ".NET Core, .NET Framework",
            "variables": []
        },
        {
            "name": "semgrep",
            "label": "Semgrep",
            "enabled": true,
            "description": "Multi-language scanning",
            "variables": []
        },
        {
            "name": "sobelow",
            "label": "Sobelow",
            "enabled" : true,
            "description": "Elixir (Phoenix)",
            "variables": []
        },
        {
            "name": "spotbugs",
            "label": "Spotbugs",
            "enabled" : true,
            "description": "Groovy, Java, Scala",
            "variables": []
        }
    ]
 }
--- a/config/feature_flags/ops/purge_stale_security_findings.yml
+++ b/config/feature_flags/ops/purge_stale_security_findings.yml
@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356464
 milestone: '14.9'
 type: ops
 group: group::threat insights
-default_enabled: false
+default_enabled: true
--- a/doc/api/graphql/custom_emoji.md
+++ b/doc/api/graphql/custom_emoji.md
@ -30,9 +30,11 @@ Parameters:
 ```graphql
 mutation CreateCustomEmoji($groupPath: ID!) {
-  createCustomEmoji(input: {groupPath: $groupPath, name: "party-parrot", file: "https://cultofthepartyparrot.com/parrots/hd/parrot.gif", external: true}) {
+  createCustomEmoji(input: {groupPath: $groupPath, name: "party-parrot", url: "https://cultofthepartyparrot.com/parrots/hd/parrot.gif"}) {
    clientMutationId
-    name
+    customEmoji {
      name
    }
    errors
  }
 }
--- a/doc/api/vulnerability_exports.md
+++ b/doc/api/vulnerability_exports.md
@ -198,11 +198,11 @@ The response is `404 Not Found` if the vulnerability export is not finished yet
 Example response:
 ```csv
-Group Name,Project Name,Tool,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers,Detected At,Location,Activity,
+Group Name,Project Name,Tool,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers,Detected At,Location,Activity,Comments,
-Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2019-14697 in musl-utils-1.1.20-r4,"musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",CVE-2019-14697 in musl-utils-1.1.20-r4,critical,CVE-2019-14697,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl-utils""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,
+Gitlab.org,Defend,container_scanning,Trivy,resolved,CVE-2019-14697 in musl-utils-1.1.20-r4,"musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",CVE-2019-14697 in musl-utils-1.1.20-r4,critical,CVE-2019-14697,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl-utils""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"2022-10-07 13:41:08 UTC|root|resolved|changed vulnerability status to resolved",
-Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2019-19242 in sqlite-libs-3.26.0-r3,"SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",CVE-2019-19242 in sqlite-libs-3.26.0-r3,medium,CVE-2019-19242,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""sqlite-libs""}, ""version""=>""3.26.0-r3""}, ""operating_system""=>""alpine 3.9.2""}",true,
+Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2019-19242 in sqlite-libs-3.26.0-r3,"SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",CVE-2019-19242 in sqlite-libs-3.26.0-r3,medium,CVE-2019-19242,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""sqlite-libs""}, ""version""=>""3.26.0-r3""}, ""operating_system""=>""alpine 3.9.2""}",true,"",
-Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2020-28928 in musl-1.1.20-r4,"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).",CVE-2020-28928 in musl-1.1.20-r4,medium,CVE-2020-28928,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,
+Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2020-28928 in musl-1.1.20-r4,"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).",CVE-2020-28928 in musl-1.1.20-r4,medium,CVE-2020-28928,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"",
-Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,unknown,Gemfile.lock:rack:gemnasium:60b5a27f-4e4d-4ab4-8ae7-74b4b212e177,,Gemnasium-60b5a27f-4e4d-4ab4-8ae7-74b4b212e177; GHSA-wq4h-7r42-5hrr,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,
+Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,unknown,Gemfile.lock:rack:gemnasium:60b5a27f-4e4d-4ab4-8ae7-74b4b212e177,,Gemnasium-60b5a27f-4e4d-4ab4-8ae7-74b4b212e177; GHSA-wq4h-7r42-5hrr,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,"",
-Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Denial of Service Vulnerability in Rack Multipart Parsing in rack,"Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts.",Denial of Service Vulnerability in Rack Multipart Parsing in rack,unknown,Gemfile.lock:rack:gemnasium:20daa17a-47b5-4f79-80c2-cd8f2db9805c,,Gemnasium-20daa17a-47b5-4f79-80c2-cd8f2db9805c; GHSA-hxqx-xwvh-44m2,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,
+Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Denial of Service Vulnerability in Rack Multipart Parsing in rack,"Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts.",Denial of Service Vulnerability in Rack Multipart Parsing in rack,unknown,Gemfile.lock:rack:gemnasium:20daa17a-47b5-4f79-80c2-cd8f2db9805c,,Gemnasium-20daa17a-47b5-4f79-80c2-cd8f2db9805c; GHSA-hxqx-xwvh-44m2,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,"",
-Gitlab.org,Defend,sast,Brakeman,detected,Possible SQL injection,,Possible SQL injection,medium,e52f23a259cd489168b4313317ac94a3f13bffde57b9635171c1a44a9f329e9a,,"""Brakeman Warning Code 0""",2022-10-13 15:16:36 UTC,"{""file""=>""main.rb"", ""class""=>""User"", ""method""=>""index"", ""start_line""=>3}",false
+Gitlab.org,Defend,sast,Brakeman,detected,Possible SQL injection,,Possible SQL injection,medium,e52f23a259cd489168b4313317ac94a3f13bffde57b9635171c1a44a9f329e9a,,"""Brakeman Warning Code 0""",2022-10-13 15:16:36 UTC,"{""file""=>""main.rb"", ""class""=>""User"", ""method""=>""index"", ""start_line""=>3}",false,""
 ```
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@ -304,12 +304,24 @@ spotbugs-sast:
 #### Pinning to minor image version
-While our templates use `MAJOR` version pinning to always ensure the latest analyzer
+The GitLab-managed CI/CD template specifies a major version and automatically pulls the latest analyzer release within that major version.
 versions are pulled, there are certain cases where it can be beneficial to pin
 an analyzer to a specific release. To do so, override the `SAST_ANALYZER_IMAGE_TAG` CI/CD variable
 in the job template directly.
-In the example below, we pin to a minor version of the `semgrep` analyzer and a specific patch version of the `brakeman` analyzer:
+In some cases, you may need to use a specific version.
 For example, you might need to avoid a regression in a later release.
 To override the automatic update behavior, set the `SAST_ANALYZER_IMAGE_TAG` CI/CD variable
 in your CI/CD configuration file after you include the [`SAST.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml).
 Only set this variable within a specific job.
 If you set it [at the top level](../../../ci/variables/index.md#create-a-custom-cicd-variable-in-the-gitlab-ciyml-file), the version you set will be used for other SAST analyzers.
 You can set the tag to:
 - A major version, like `3`. Your pipelines will use any minor or patch updates that are released within this major version.
 - A minor version, like `3.7`. Your pipelines will use any patch updates that are released within this minor version.
 - A patch version, like `3.7.0`. Your pipelines won't receive any updates.
 This example uses a specific minor version of the `semgrep` analyzer and a specific patch version of the `brakeman` analyzer:
 ```yaml
 include:
@ -317,11 +329,11 @@ include:
 semgrep-sast:
  variables:
-    SAST_ANALYZER_IMAGE_TAG: "2.16"
+    SAST_ANALYZER_IMAGE_TAG: "3.7"
 brakeman-sast:
  variables:
-    SAST_ANALYZER_IMAGE_TAG: "2.21.1"
+    SAST_ANALYZER_IMAGE_TAG: "3.1.1"
 ```
 ### False Positive Detection **(ULTIMATE)**
--- a/doc/user/application_security/secret_detection/index.md
+++ b/doc/user/application_security/secret_detection/index.md
@ -124,6 +124,33 @@ widget.
 If the scanner detects a secret you should rotate it immediately. [Purging a file from the repository's history](../../project/repository/reducing_the_repo_size_using_git.md#purge-files-from-repository-history) may not be effective in removing all references to the file. Also, the secret remains in any forks of the repository.
 ## Pinning to specific analyzer version
 The GitLab-managed CI/CD template specifies a major version and automatically pulls the latest analyzer release within that major version.
 In some cases, you may need to use a specific version.
 For example, you might need to avoid a regression in a later release.
 To override the automatic update behavior, set the `SECRETS_ANALYZER_VERSION` CI/CD variable
 in your CI/CD configuration file after you include the [`Secret-Detection.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml).
 You can set the tag to:
 - A major version, like `4`. Your pipelines will use any minor or patch updates that are released within this major version.
 - A minor version, like `4.5`. Your pipelines will use any patch updates that are released within this minor version.
 - A patch version, like `4.5.0`. Your pipelines won't receive any updates.
 This example uses a specific minor version of the analyzer:
 ```yaml
 include:
  - template: Security/Secret-Detection.gitlab-ci.yml
 secret_detection:
  variables:
    SECRETS_ANALYZER_VERSION: "4.5"
 ```
 ## Configure scan settings
 The Secret Detection scan settings can be changed through [CI/CD variables](#available-cicd-variables)
--- a/doc/user/application_security/vulnerability_report/index.md
+++ b/doc/user/application_security/vulnerability_report/index.md
@ -219,6 +219,7 @@ Fields included are:
 - Detected At
 - Location
 - Activity
 - Comments
 NOTE:
 Full details are available through our
--- a/doc/user/profile/user_passwords.md
+++ b/doc/user/profile/user_passwords.md
@ -60,7 +60,8 @@ Self-managed installations can configure the following additional password requi
 ## Block weak passwords
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/23610) in GitLab 15.4 [with a flag](../../administration/feature_flags.md) named `block_weak_passwords`, weak passwords aren't accepted. Disabled by default.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/23610) in GitLab 15.4 [with a flag](../../administration/feature_flags.md) named `block_weak_passwords`, weak passwords aren't accepted. Disabled by default on self-managed.
 > - [Enabled](https://gitlab.com/gitlab-org/gitlab/-/issues/363445) on GitLab.com.
 FLAG:
 On self-managed GitLab, by default blocking weak passwords is not available. To make it available, ask an administrator
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@ -199,12 +199,14 @@ module API
        mount ::API::ProjectExport
        mount ::API::ProjectHooks
        mount ::API::ProjectRepositoryStorageMoves
        mount ::API::ProjectSnippets
        mount ::API::ProjectSnapshots
        mount ::API::ProtectedBranches
        mount ::API::ProtectedTags
        mount ::API::Release::Links
        mount ::API::Releases
        mount ::API::Release::Links
        mount ::API::ResourceAccessTokens
        mount ::API::Snippets
        mount ::API::SnippetRepositoryStorageMoves
        mount ::API::Statistics
        mount ::API::Submodules
@ -299,7 +301,6 @@ module API
      mount ::API::ProjectImport
      mount ::API::ProjectMilestones
      mount ::API::ProjectPackages
      mount ::API::ProjectSnippets
      mount ::API::ProjectStatistics
      mount ::API::ProjectTemplates
      mount ::API::Projects
@ -315,7 +316,6 @@ module API
      mount ::API::Search
      mount ::API::Settings
      mount ::API::SidekiqMetrics
      mount ::API::Snippets
      mount ::API::Subscriptions
      mount ::API::Tags
      mount ::API::Templates
--- a/lib/api/entities/basic_snippet.rb
+++ b/lib/api/entities/basic_snippet.rb
@ -3,16 +3,30 @@
 module API
  module Entities
    class BasicSnippet < Grape::Entity
-      expose :id, :title, :description, :visibility
+      expose :id, documentation: { type: 'integer', example: 1 }
-      expose :updated_at, :created_at
+      expose :title, documentation: { type: 'string', example: 'test' }
-      expose :project_id
+      expose :description, documentation: { type: 'string', example: 'Ruby test snippet' }
-      expose :web_url do |snippet|
+      expose :visibility, documentation: { type: 'string', example: 'public' }
      expose :author, using: Entities::UserBasic, documentation: { type: 'Entities::UserBasic' }
      expose :created_at, documentation: { type: 'dateTime', example: '2012-06-28T10:52:04Z' }
      expose :updated_at, documentation: { type: 'dateTime', example: '2012-06-28T10:52:04Z' }
      expose :project_id, documentation: { type: 'integer', example: 1 }
      expose :web_url, documentation: {
        type: 'string', example: 'http://example.com/example/example/snippets/1'
      } do |snippet|
        Gitlab::UrlBuilder.build(snippet)
      end
-      expose :raw_url do |snippet|
+      expose :raw_url, documentation: {
        type: 'string', example: 'http://example.com/example/example/snippets/1/raw'
      } do |snippet|
        Gitlab::UrlBuilder.build(snippet, raw: true)
      end
-      expose :ssh_url_to_repo, :http_url_to_repo, if: ->(snippet) { snippet.repository_exists? }
+      expose :ssh_url_to_repo, documentation: {
        type: 'string', example: 'ssh://user@gitlab.example.com/snippets/65.git'
      }, if: ->(snippet) { snippet.repository_exists? }
      expose :http_url_to_repo, documentation: {
        type: 'string', example: 'https://gitlab.example.com/snippets/65.git'
      }, if: ->(snippet) { snippet.repository_exists? }
    end
  end
 end
--- a/lib/api/entities/snippet.rb
+++ b/lib/api/entities/snippet.rb
@ -3,11 +3,13 @@
 module API
  module Entities
    class Snippet < BasicSnippet
-      expose :author, using: Entities::UserBasic
+      expose :author, using: Entities::UserBasic, documentation: { type: 'Entities::UserBasic' }
-      expose :file_name do |snippet|
+      expose :file_name, documentation: { type: 'string', example: 'add.rb' } do |snippet|
        snippet_files.first || snippet.file_name
      end
-      expose :files do |snippet, options|
+      expose :files, documentation: {
        is_array: true, example: 'e0d123e5f316bef78bfdf5a008837577'
      } do |snippet, options|
        snippet_files.map do |file|
          {
            path: file,
--- a/lib/api/entities/snippets/repository_storage_move.rb
+++ b/lib/api/entities/snippets/repository_storage_move.rb
@ -4,7 +4,7 @@ module API
  module Entities
    module Snippets
      class RepositoryStorageMove < BasicRepositoryStorageMove
-        expose :snippet, using: Entities::BasicSnippet
+        expose :snippet, using: Entities::BasicSnippet, documentation: { type: 'Entities::BasicSnippet' }
      end
    end
  end
--- a/lib/api/entities/user_agent_detail.rb
+++ b/lib/api/entities/user_agent_detail.rb
@ -3,9 +3,9 @@
 module API
  module Entities
    class UserAgentDetail < Grape::Entity
-      expose :user_agent
+      expose :user_agent, documentation: { type: 'string', example: 'AppleWebKit/537.36' }
-      expose :ip_address
+      expose :ip_address, documentation: { type: 'string', example: '127.0.0.1' }
-      expose :submitted, as: :akismet_submitted
+      expose :submitted, as: :akismet_submitted, documentation: { type: 'boolean', example: false }
    end
  end
 end
--- a/lib/api/project_snippets.rb
+++ b/lib/api/project_snippets.rb
@ -34,6 +34,11 @@ module API
      desc 'Get all project snippets' do
        success Entities::ProjectSnippet
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[project_snippets]
        is_array true
      end
      params do
        use :pagination
@ -46,6 +51,10 @@ module API
      desc 'Get a single project snippet' do
        success Entities::ProjectSnippet
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[project_snippets]
      end
      params do
        requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
@ -60,6 +69,12 @@ module API
      desc 'Create a new project snippet' do
        success Entities::ProjectSnippet
        failure [
          { code: 400, message: 'Validation error' },
          { code: 404, message: 'Not found' },
          { code: 422, message: 'Unprocessable entity' }
        ]
        tags %w[project_snippets]
      end
      params do
        requires :title, type: String, allow_blank: false, desc: 'The title of the snippet'
@ -91,6 +106,12 @@ module API
      desc 'Update an existing project snippet' do
        success Entities::ProjectSnippet
        failure [
          { code: 400, message: 'Validation error' },
          { code: 404, message: 'Not found' },
          { code: 422, message: 'Unprocessable entity' }
        ]
        tags %w[project_snippets]
      end
      params do
        requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
@ -132,7 +153,14 @@ module API
      end
      # rubocop: enable CodeReuse/ActiveRecord
-      desc 'Delete a project snippet'
+      desc 'Delete a project snippet' do
        success code: 204
        failure [
          { code: 400, message: 'Validation error' },
          { code: 404, message: 'Not found' }
        ]
        tags %w[project_snippets]
      end
      params do
        requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
      end
@ -156,7 +184,13 @@ module API
      end
      # rubocop: enable CodeReuse/ActiveRecord
-      desc 'Get a raw project snippet'
+      desc 'Get a raw project snippet' do
        success Entities::ProjectSnippet
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[project_snippets]
      end
      params do
        requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
      end
@ -168,7 +202,13 @@ module API
        present content_for(snippet)
      end
-      desc 'Get raw project snippet file contents from the repository'
+      desc 'Get raw project snippet file contents from the repository' do
        success Entities::ProjectSnippet
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[project_snippets]
      end
      params do
        use :raw_file_params
      end
@ -182,6 +222,10 @@ module API
      desc 'Get the user agent details for a project snippet' do
        success Entities::UserAgentDetail
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[project_snippets]
      end
      params do
        requires :snippet_id, type: Integer, desc: 'The ID of a project snippet'
--- a/lib/api/snippets.rb
+++ b/lib/api/snippets.rb
@ -28,6 +28,11 @@ module API
      desc 'Get a snippets list for an authenticated user' do
        detail 'This feature was introduced in GitLab 8.15.'
        success Entities::Snippet
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[snippets]
        is_array true
      end
      params do
        optional :created_after, type: DateTime, desc: 'Return snippets created after the specified time'
@ -45,6 +50,11 @@ module API
      desc 'List all public personal snippets current_user has access to' do
        detail 'This feature was introduced in GitLab 8.15.'
        success Entities::PersonalSnippet
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[snippets]
        is_array true
      end
      params do
        optional :created_after, type: DateTime, desc: 'Return snippets created after the specified time'
@ -62,6 +72,10 @@ module API
      desc 'Get a single snippet' do
        detail 'This feature was introduced in GitLab 8.15.'
        success Entities::PersonalSnippet
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[snippets]
      end
      params do
        requires :id, type: Integer, desc: 'The ID of a snippet'
@ -77,6 +91,12 @@ module API
      desc 'Create new snippet' do
        detail 'This feature was introduced in GitLab 8.15.'
        success Entities::PersonalSnippet
        failure [
          { code: 400, message: 'Validation error' },
          { code: 404, message: 'Not found' },
          { code: 422, message: 'Unprocessable entity' }
        ]
        tags %w[snippets]
      end
      params do
        requires :title, type: String, allow_blank: false, desc: 'The title of a snippet'
@ -110,6 +130,12 @@ module API
      desc 'Update an existing snippet' do
        detail 'This feature was introduced in GitLab 8.15.'
        success Entities::PersonalSnippet
        failure [
          { code: 400, message: 'Validation error' },
          { code: 404, message: 'Not found' },
          { code: 422, message: 'Unprocessable entity' }
        ]
        tags %w[snippets]
      end
      params do
@ -154,6 +180,11 @@ module API
      desc 'Remove snippet' do
        detail 'This feature was introduced in GitLab 8.15.'
        success Entities::PersonalSnippet
        failure [
          { code: 400, message: 'Validation error' },
          { code: 404, message: 'Not found' }
        ]
        tags %w[snippets]
      end
      params do
        requires :id, type: Integer, desc: 'The ID of a snippet'
@ -178,6 +209,10 @@ module API
      desc 'Get a raw snippet' do
        detail 'This feature was introduced in GitLab 8.15.'
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[snippets]
      end
      params do
        requires :id, type: Integer, desc: 'The ID of a snippet'
@ -189,7 +224,12 @@ module API
        present content_for(snippet)
      end
-      desc 'Get raw snippet file contents from the repository'
+      desc 'Get raw snippet file contents from the repository' do
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[snippets]
      end
      params do
        use :raw_file_params
      end
@ -202,6 +242,10 @@ module API
      desc 'Get the user agent details for a snippet' do
        success Entities::UserAgentDetail
        failure [
          { code: 404, message: 'Not found' }
        ]
        tags %w[snippets]
      end
      params do
        requires :id, type: Integer, desc: 'The ID of a snippet'
--- a/spec/graphql/types/project_type_spec.rb
+++ b/spec/graphql/types/project_type_spec.rb
@ -212,8 +212,8 @@ RSpec.describe GitlabSchema.types['Project'] do
    it "returns the project's sast configuration for analyzer variables" do
      analyzer = subject.dig('data', 'project', 'sastCiConfiguration', 'analyzers', 'nodes').first
-      expect(analyzer['name']).to eq('bandit')
+      expect(analyzer['name']).to eq('brakeman')
-      expect(analyzer['label']).to eq('Bandit')
+      expect(analyzer['label']).to eq('Brakeman')
      expect(analyzer['enabled']).to eq(true)
    end
--- a/spec/services/security/ci_configuration/sast_parser_service_spec.rb
+++ b/spec/services/security/ci_configuration/sast_parser_service_spec.rb
@ -11,9 +11,9 @@ RSpec.describe Security::CiConfiguration::SastParserService do
    let(:sast_excluded_paths) { configuration['global'][1] }
    let(:sast_pipeline_stage) { configuration['pipeline'][0] }
    let(:sast_search_max_depth) { configuration['pipeline'][1] }
-    let(:bandit) { configuration['analyzers'][0] }
+    let(:brakeman) { configuration['analyzers'][0] }
    let(:brakeman) { configuration['analyzers'][1] }
    let(:sast_brakeman_level) { brakeman['variables'][0] }
    let(:semgrep) { configuration['analyzers'][1] }
    let(:secure_analyzers_prefix) { '$CI_TEMPLATE_REGISTRY_HOST/security-products' }
    it 'parses the configuration for SAST' do
@ -34,7 +34,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
          expect(sast_pipeline_stage['value']).to eql('our_custom_security_stage')
          expect(sast_search_max_depth['value']).to eql('8')
          expect(brakeman['enabled']).to be(false)
-          expect(bandit['enabled']).to be(true)
+          expect(semgrep['enabled']).to be(true)
          expect(sast_brakeman_level['value']).to eql('2')
        end
@ -43,7 +43,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
            allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_excluded_analyzers_content)
            expect(brakeman['enabled']).to be(false)
-            expect(bandit['enabled']).to be(true)
+            expect(semgrep['enabled']).to be(true)
          end
        end
      end
--- a/workhorse/go.mod
+++ b/workhorse/go.mod
@ -1,9 +1,9 @@
 module gitlab.com/gitlab-org/gitlab/workhorse
-go 1.17
+go 1.18
 require (
-	github.com/Azure/azure-storage-blob-go v0.14.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1
 	github.com/BurntSushi/toml v1.2.1
 	github.com/FZambia/sentinel v1.1.1
 	github.com/alecthomas/chroma/v2 v2.3.0
@ -29,11 +29,11 @@ require (
 	gitlab.com/gitlab-org/gitaly/v15 v15.5.1
 	gitlab.com/gitlab-org/golang-archive-zip v0.1.1
 	gitlab.com/gitlab-org/labkit v1.16.1
-	gocloud.dev v0.26.0
+	gocloud.dev v0.27.0
 	golang.org/x/image v0.0.0-20220722155232-062f8c9fd539
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
-	golang.org/x/net v0.0.0-20220722155237-a158d28d115b
+	golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b
-	golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a
+	golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c
 	golang.org/x/tools v0.1.12
 	google.golang.org/grpc v1.50.1
 	google.golang.org/protobuf v1.28.1
@ -41,24 +41,23 @@ require (
 )
 require (
-	cloud.google.com/go v0.100.2 // indirect
+	cloud.google.com/go v0.103.0 // indirect
-	cloud.google.com/go/compute v1.5.0 // indirect
+	cloud.google.com/go/compute v1.7.0 // indirect
 	cloud.google.com/go/iam v0.3.0 // indirect
-	cloud.google.com/go/monitoring v1.4.0 // indirect
+	cloud.google.com/go/monitoring v1.5.0 // indirect
 	cloud.google.com/go/profiler v0.1.0 // indirect
-	cloud.google.com/go/storage v1.21.0 // indirect
+	cloud.google.com/go/storage v1.24.0 // indirect
 	cloud.google.com/go/trace v1.2.0 // indirect
-	contrib.go.opencensus.io/exporter/stackdriver v0.13.10 // indirect
+	contrib.go.opencensus.io/exporter/stackdriver v0.13.13 // indirect
-	github.com/Azure/azure-pipeline-go v0.2.3 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.22 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.17 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/DataDog/datadog-go v4.4.0+incompatible // indirect
 	github.com/DataDog/sketches-go v1.0.0 // indirect
-	github.com/Microsoft/go-winio v0.5.0 // indirect
+	github.com/Microsoft/go-winio v0.5.1 // indirect
 	github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d // indirect
 	github.com/beevik/ntp v0.3.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@ -70,30 +69,33 @@ require (
 	github.com/dlclark/regexp2 v1.4.0 // indirect
 	github.com/go-ole/go-ole v1.2.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/pprof v0.0.0-20210804190019-f964ff605595 // indirect
+	github.com/google/pprof v0.0.0-20220608213341-c488b8fa1db3 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/google/wire v0.5.0 // indirect
-	github.com/googleapis/gax-go/v2 v2.2.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jtolds/gls v4.20.0+incompatible // indirect
-	github.com/kr/text v0.2.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20210210170715-a8dfcb80d3a7 // indirect
 	github.com/lightstep/lightstep-tracer-go v0.25.0 // indirect
-	github.com/mattn/go-ieproxy v0.0.6 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/oklog/ulid/v2 v2.0.2 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/philhofer/fwd v1.1.1 // indirect
 	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/prometheus/prometheus v0.37.0 // indirect
 	github.com/ryszard/goskiplist v0.0.0-20150312221310-2dfbae5fcf46 // indirect
 	github.com/shabbyrobe/gocovmerge v0.0.0-20190829150210-3e036491d500 // indirect
 	github.com/shirou/gopsutil/v3 v3.21.2 // indirect
@ -109,13 +111,13 @@ require (
 	golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
+	golang.org/x/sys v0.0.0-20220731174439-a90be440212d // indirect
 	golang.org/x/text v0.3.8 // indirect
-	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
+	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
-	google.golang.org/api v0.74.0 // indirect
+	google.golang.org/api v0.91.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220401170504-314d38edb7de // indirect
+	google.golang.org/genproto v0.0.0-20220802133213-ce4fa296bf78 // indirect
 	gopkg.in/DataDog/dd-trace-go.v1 v1.32.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/workhorse/go.sum
+++ b/workhorse/go.sum
--- a/workhorse/internal/config/config.go
+++ b/workhorse/internal/config/config.go
@ -10,7 +10,7 @@ import (
 	"strings"
 	"time"
-	"github.com/Azure/azure-storage-blob-go/azblob"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
 	"github.com/BurntSushi/toml"
 	"gocloud.dev/blob"
 	"gocloud.dev/blob/azureblob"
@ -174,18 +174,21 @@ func (c *Config) RegisterGoCloudURLOpeners() error {
 }
 func (creds *AzureCredentials) getURLOpener() (*azureblob.URLOpener, error) {
-	accountName := azureblob.AccountName(creds.AccountName)
+	serviceURLOptions := azureblob.ServiceURLOptions{
-	accountKey := azureblob.AccountKey(creds.AccountKey)
+		AccountName: creds.AccountName,
 	}
-	credential, err := azureblob.NewCredential(accountName, accountKey)
+	clientFunc := func(svcURL azureblob.ServiceURL) (*azblob.ServiceClient, error) {
-	if err != nil {
+		sharedKeyCred, err := azblob.NewSharedKeyCredential(creds.AccountName, creds.AccountKey)
-		return nil, fmt.Errorf("error creating Azure credentials: %w", err)
+		if err != nil {
 			return nil, fmt.Errorf("error creating Azure credentials: %w", err)
 		}
 		return azblob.NewServiceClientWithSharedKey(string(svcURL), sharedKeyCred, &azblob.ClientOptions{})
 	}
 	return &azureblob.URLOpener{
-		AccountName: accountName,
+		MakeClient:        clientFunc,
-		Pipeline:    azureblob.NewPipeline(credential, azblob.PipelineOptions{}),
+		ServiceURLOptions: serviceURLOptions,
 		Options:     azureblob.Options{Credential: credential},
 	}, nil
 }
`@ -1 +1 @@`
	`ba02c22370d12ccf8ec464497603394effbaf8b0`	`038b442dc21c71a69ad170a61ce79a12a74fb725`