Add latest changes from gitlab-org/gitlab@master
This commit is contained in:
parent
e610587418
commit
536045b147
|
@ -6,12 +6,17 @@
|
|||
- .default-before_script
|
||||
- .rails-cache
|
||||
|
||||
.base-script: &base-script
|
||||
# Only install knapsack after bundle install! Otherwise oddly some native
|
||||
# gems could not be found under some circumstance. No idea why, hours wasted.
|
||||
- run_timed_command "gem install knapsack --no-document"
|
||||
- run_timed_command "scripts/gitaly-test-spawn"
|
||||
- source ./scripts/rspec_helpers.sh
|
||||
.minimal-bundle-install:
|
||||
script:
|
||||
- run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
|
||||
|
||||
.base-script:
|
||||
script:
|
||||
# Only install knapsack after bundle install! Otherwise oddly some native
|
||||
# gems could not be found under some circumstance. No idea why, hours wasted.
|
||||
- run_timed_command "gem install knapsack --no-document"
|
||||
- run_timed_command "scripts/gitaly-test-spawn"
|
||||
- source ./scripts/rspec_helpers.sh
|
||||
|
||||
.minimal-rspec-tests:
|
||||
variables:
|
||||
|
@ -27,7 +32,7 @@
|
|||
RECORD_DEPRECATIONS: "true"
|
||||
needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets", "detect-tests"]
|
||||
script:
|
||||
- *base-script
|
||||
- !reference [.base-script, script]
|
||||
- rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag ~level:migration"
|
||||
artifacts:
|
||||
expire_in: 31d
|
||||
|
@ -49,7 +54,7 @@
|
|||
.rspec-base-migration:
|
||||
extends: .rails:rules:ee-and-foss-migration
|
||||
script:
|
||||
- *base-script
|
||||
- !reference [.base-script, script]
|
||||
- rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag level:migration"
|
||||
|
||||
.rspec-base-pg11:
|
||||
|
@ -82,7 +87,7 @@
|
|||
.rspec-ee-base-geo:
|
||||
extends: .rspec-base
|
||||
script:
|
||||
- *base-script
|
||||
- !reference [.base-script, script]
|
||||
- rspec_paralellized_job "--tag ~quarantine --tag geo"
|
||||
|
||||
.rspec-ee-base-geo-pg11:
|
||||
|
@ -213,7 +218,7 @@ update-coverage-cache:
|
|||
- .shared:rules:update-cache
|
||||
stage: prepare
|
||||
script:
|
||||
- run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
|
||||
- !reference [.minimal-bundle-install, script]
|
||||
cache:
|
||||
policy: push # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up.
|
||||
|
||||
|
@ -317,7 +322,7 @@ rspec db-library-code pg12:
|
|||
- .rspec-base-pg12
|
||||
- .rails:rules:ee-and-foss-db-library-code
|
||||
script:
|
||||
- *base-script
|
||||
- !reference [.base-script, script]
|
||||
- rspec_db_library_code
|
||||
|
||||
rspec fast_spec_helper:
|
||||
|
@ -406,7 +411,7 @@ gitlab:setup:
|
|||
# db/fixtures/development/04_project.rb thanks to SIZE=1 below
|
||||
- git clone https://gitlab.com/gitlab-org/gitlab-test.git
|
||||
/home/git/repositories/gitlab-org/gitlab-test.git
|
||||
- *base-script
|
||||
- !reference [.base-script, script]
|
||||
- force=yes SIZE=1 FIXTURE_PATH="db/fixtures/development" bundle exec rake gitlab:setup
|
||||
artifacts:
|
||||
when: on_failure
|
||||
|
@ -486,7 +491,7 @@ rspec:coverage:
|
|||
- memory-static
|
||||
- memory-on-boot
|
||||
script:
|
||||
- run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
|
||||
- !reference [.minimal-bundle-install, script]
|
||||
- run_timed_command "bundle exec scripts/merge-simplecov"
|
||||
- run_timed_command "bundle exec scripts/gather-test-memory-data"
|
||||
coverage: '/LOC \((\d+\.\d+%)\) covered.$/'
|
||||
|
@ -523,7 +528,7 @@ rspec:feature-flags:
|
|||
- memory-static
|
||||
- memory-on-boot
|
||||
script:
|
||||
- run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
|
||||
- !reference [.minimal-bundle-install, script]
|
||||
- if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then
|
||||
run_timed_command "bundle exec scripts/used-feature-flags" || (scripts/slack master-broken "☠️ \`${CI_JOB_NAME}\` failed! ☠️ See ${CI_JOB_URL}" ci_failing "GitLab Bot" && exit 1);
|
||||
else
|
||||
|
@ -763,7 +768,7 @@ rspec fail-fast:
|
|||
stage: test
|
||||
needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets", "detect-tests"]
|
||||
script:
|
||||
- *base-script
|
||||
- !reference [.base-script, script]
|
||||
- rspec_fail_fast tmp/matching_tests.txt "--tag ~quarantine"
|
||||
artifacts:
|
||||
expire_in: 7d
|
||||
|
@ -776,7 +781,7 @@ rspec foss-impact:
|
|||
- .rails:rules:rspec-foss-impact
|
||||
needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets as-if-foss", "detect-tests as-if-foss"]
|
||||
script:
|
||||
- *base-script
|
||||
- !reference [.base-script, script]
|
||||
- rspec_matched_foss_tests tmp/matching_foss_tests.txt "--tag ~quarantine"
|
||||
artifacts:
|
||||
expire_in: 7d
|
||||
|
|
|
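Review bot: The reusable `.base-script` fragment in the first hunk keeps the comment about installing knapsack only after `bundle install`, yet the fragment itself no longer contains an install step, so the ordering now rests on every job that does `!reference [.base-script, script]` having run `bundle install` earlier (through `.default-before_script` or `!reference [.minimal-bundle-install, script]`), and nothing in the fragment says so. I would state that contract at the top of `.base-script`: `# Callers must run bundle install first (e.g. via .default-before_script or !reference [.minimal-bundle-install, script]); knapsack must be installed after bundle install.` Note also that `!reference` is a GitLab CI custom tag rather than core YAML: a generic loader that constructs nodes (PyYAML `safe_load`, for example) rejects unknown tags, so any local tooling that previously parsed this file with the `*base-script` anchors will need the tag registered before it can read the new form. The same anchor-to-`!reference` substitution appears in each later hunk of this file and is covered by this one note.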
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: reconcile source installation and upgrade docs
|
||||
merge_request: 55170
|
||||
author: Jörg Behrmann @behrmann
|
||||
type: fixed
|
|
@ -322,7 +322,7 @@ Consul is a tool for service discovery and configuration. Consul is distributed,
|
|||
- Configuration:
|
||||
- [Omnibus](https://docs.gitlab.com/omnibus/settings/database.html#disabling-automatic-database-migration)
|
||||
- [Charts](https://docs.gitlab.com/charts/charts/gitlab/migrations/)
|
||||
- [Source](../update/upgrading_from_source.md#14-install-libraries-migrations-etc)
|
||||
- [Source](../update/upgrading_from_source.md#10-install-libraries-migrations-etc)
|
||||
- Layer: Core Service (Data)
|
||||
|
||||
#### Elasticsearch
|
||||
|
@ -641,7 +641,7 @@ Redis is packaged to provide a place to store:
|
|||
|
||||
- [Project page](https://github.com/docker/distribution/blob/master/README.md)
|
||||
- Configuration:
|
||||
- [Omnibus](../update/upgrading_from_source.md#14-install-libraries-migrations-etc)
|
||||
- [Omnibus](../update/upgrading_from_source.md#10-install-libraries-migrations-etc)
|
||||
- [Charts](https://docs.gitlab.com/charts/charts/registry/)
|
||||
- [Source](../administration/packages/container_registry.md#enable-the-container-registry)
|
||||
- [GDK](https://gitlab.com/gitlab-org/gitlab-development-kit/blob/master/doc/howto/registry.md)
|
||||
|
|
|
@ -548,7 +548,7 @@ of the available SAST Analyzers and what data is currently available.
|
|||
|
||||
The `remediations` field of the report is an array of remediation objects.
|
||||
Each remediation describes a patch that can be applied to
|
||||
[automatically fix](../../user/application_security/#automatic-remediation-for-vulnerabilities)
|
||||
[automatically fix](../../user/application_security/#apply-an-automatic-remediation-for-a-vulnerability)
|
||||
a set of vulnerabilities.
|
||||
|
||||
Here is an example of a report that contains remediations.
|
||||
|
|
|
@ -101,7 +101,7 @@ and complete an integration with the Secure stage.
|
|||
- Users can interact with the findings from your artifact within their workflow. They can dismiss the findings or accept them and create a backlog issue.
|
||||
- To automatically create issues without user interaction, use the [issue API](../../api/issues.md).
|
||||
1. Optional: Provide auto-remediation steps:
|
||||
- If you specified `remediations` in your artifact, it is proposed through our [automatic remediation](../../user/application_security/index.md#automatic-remediation-for-vulnerabilities)
|
||||
- If you specified `remediations` in your artifact, it is proposed through our [automatic remediation](../../user/application_security/index.md#apply-an-automatic-remediation-for-a-vulnerability)
|
||||
interface.
|
||||
1. Demo the integration to GitLab:
|
||||
- After you have tested and are ready to demo your integration please
|
||||
|
|
|
@ -309,10 +309,10 @@ This action can also unintentionally click other elements, altering the test sta
|
|||
# Clicking another element to blur an input
|
||||
def add_issue_to_epic(issue_url)
|
||||
find_element(:issue_actions_split_button).find('button', text: 'Add an issue').click
|
||||
fill_element :add_issue_input, issue_url
|
||||
fill_element(:add_issue_input, issue_url)
|
||||
# Clicking the title blurs the input
|
||||
click_element :title
|
||||
click_element :add_issue_button
|
||||
click_element(:title)
|
||||
click_element(:add_issue_button)
|
||||
end
|
||||
|
||||
# Using native mouse click events in the case of a mask/overlay
|
||||
|
|
|
@ -39,7 +39,7 @@ appear on the webpage, or the test to navigate away from the page entirely.
|
|||
Dynamic element validation is instituted when using
|
||||
|
||||
```ruby
|
||||
click_element :my_element, Some::Page
|
||||
click_element(:my_element, Some::Page)
|
||||
```
|
||||
|
||||
### Required Elements
|
||||
|
@ -79,7 +79,7 @@ class MyPage < Page::Base
|
|||
end
|
||||
|
||||
def open_layer
|
||||
click_element :my_element, Layer::MyLayer
|
||||
click_element(:my_element, Layer::MyLayer)
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -109,7 +109,7 @@ Given the [source](#examples) ...
|
|||
|
||||
```ruby
|
||||
def open_layer
|
||||
click_element :my_element, Layer::MyLayer
|
||||
click_element(:my_element, Layer::MyLayer)
|
||||
end
|
||||
```
|
||||
|
||||
|
|
|
@ -201,7 +201,7 @@ We can select on that specific issue by matching on the Rails model.
|
|||
```ruby
|
||||
class Page::Project::Issues::Index < Page::Base
|
||||
def has_issue?(issue)
|
||||
has_element? :issue, issue_title: issue
|
||||
has_element?(:issue, issue_title: issue)
|
||||
end
|
||||
end
|
||||
```
|
||||
|
|
|
@ -19,7 +19,7 @@ E.g.:
|
|||
```ruby
|
||||
def click_ci_cd_pipelines
|
||||
within_sidebar do
|
||||
click_element :link_pipelines
|
||||
click_element(:link_pipelines)
|
||||
end
|
||||
end
|
||||
```
|
||||
|
|
|
@ -570,7 +570,9 @@ Install the gems (if you want to use Kerberos for user authentication, omit
|
|||
`kerberos` in the `--without` option below):
|
||||
|
||||
```shell
|
||||
sudo -u git -H bundle install --deployment --without development test mysql aws kerberos
|
||||
sudo -u git -H bundle config set deployment 'true'
|
||||
sudo -u git -H bundle config set without 'development test mysql aws kerberos'
|
||||
sudo -u git -H bundle install
|
||||
```
|
||||
|
||||
### Install GitLab Shell
|
||||
|
|
|
@ -63,7 +63,9 @@ sudo -u git -H git checkout EE_BRANCH
|
|||
```shell
|
||||
cd /home/git/gitlab
|
||||
|
||||
sudo -u git -H bundle install --deployment --without development test mysql aws kerberos
|
||||
sudo -u git -H bundle config set deployment 'true'
|
||||
sudo -u git -H bundle config set without 'development test mysql aws kerberos'
|
||||
sudo -u git -H bundle install
|
||||
|
||||
# Optional: clean up old gems
|
||||
sudo -u git -H bundle clean
|
||||
|
|
|
@ -127,41 +127,30 @@ Git v2.28 is recommended.
|
|||
To check you are running the minimum required Git version, see
|
||||
[Git versions](../install/requirements.md#git-versions).
|
||||
|
||||
In Debian or Ubuntu:
|
||||
From GitLab 13.6, we recommend you use the [Git version provided by
|
||||
Gitaly](https://gitlab.com/gitlab-org/gitaly/-/issues/2729)
|
||||
that:
|
||||
|
||||
- Is always at the version required by GitLab.
|
||||
- May contain custom patches required for proper operation.
|
||||
|
||||
```shell
|
||||
# Make sure Git is version 2.29.0 or higher
|
||||
git --version
|
||||
|
||||
# Remove packaged Git
|
||||
sudo apt-get remove git-core
|
||||
|
||||
# Install dependencies
|
||||
sudo apt-get install -y libcurl4-openssl-dev libexpat1-dev gettext libz-dev libssl-dev build-essential
|
||||
sudo apt-get install -y libcurl4-openssl-dev libexpat1-dev gettext libz-dev libssl-dev libpcre2-dev build-essential
|
||||
|
||||
# Download and compile pcre2 from source
|
||||
curl --silent --show-error --location "https://ftp.pcre.org/pub/pcre/pcre2-10.33.tar.gz" --output pcre2.tar.gz
|
||||
tar -xzf pcre2.tar.gz
|
||||
cd pcre2-10.33
|
||||
chmod +x configure
|
||||
./configure --prefix=/usr --enable-jit
|
||||
make
|
||||
make install
|
||||
# Clone the Gitaly repository
|
||||
git clone https://gitlab.com/gitlab-org/gitaly.git -b <X-Y-stable> /tmp/gitaly
|
||||
|
||||
# Download and compile from source
|
||||
cd /tmp
|
||||
curl --remote-name --location --progress "https://www.kernel.org/pub/software/scm/git/git-2.29.0.tar.gz"
|
||||
echo 'fa08dc8424ef80c0f9bf307877f9e2e49f1a6049e873530d6747c2be770742ff git-2.29.0.tar.gz' | shasum -a256 -c - && tar -xzf git-2.29.0.tar.gz
|
||||
cd git-2.29.0/
|
||||
./configure --with-libpcre
|
||||
make prefix=/usr/local all
|
||||
|
||||
# Install into /usr/local/bin
|
||||
sudo make prefix=/usr/local install
|
||||
|
||||
# You should edit config/gitlab.yml, change the git -> bin_path to /usr/local/bin/git
|
||||
# Compile and install Git
|
||||
cd /tmp/gitaly
|
||||
sudo make git GIT_PREFIX=/usr/local
|
||||
```
|
||||
|
||||
Replace `<X-Y-stable>` with the stable branch that matches the GitLab version you want to
|
||||
install. For example, if you want to install GitLab 13.6, use the branch name `13-6-stable`.
|
||||
|
||||
Remember to set `git -> bin_path` to `/usr/local/bin/git` in `config/gitlab.yml`.
|
||||
|
||||
### 7. Update PostgreSQL
|
||||
|
||||
WARNING:
|
||||
|
@ -180,8 +169,7 @@ To upgrade PostgreSQL, refer to its [documentation](https://www.postgresql.org/d
|
|||
cd /home/git/gitlab
|
||||
|
||||
sudo -u git -H git fetch --all --prune
|
||||
sudo -u git -H git checkout -- db/structure.sql # local changes will be restored automatically
|
||||
sudo -u git -H git checkout -- locale
|
||||
sudo -u git -H git checkout -- Gemfile.lock db/structure.sql locale
|
||||
```
|
||||
|
||||
For GitLab Community Edition:
|
||||
|
@ -202,55 +190,7 @@ cd /home/git/gitlab
|
|||
sudo -u git -H git checkout BRANCH-ee
|
||||
```
|
||||
|
||||
### 9. Update GitLab Shell
|
||||
|
||||
```shell
|
||||
cd /home/git/gitlab-shell
|
||||
|
||||
sudo -u git -H git fetch --all --tags --prune
|
||||
sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_SHELL_VERSION)
|
||||
sudo -u git -H make build
|
||||
```
|
||||
|
||||
### 10. Update GitLab Workhorse
|
||||
|
||||
Install and compile GitLab Workhorse.
|
||||
|
||||
```shell
|
||||
cd /home/git/gitlab
|
||||
|
||||
sudo -u git -H bundle exec rake "gitlab:workhorse:install[/home/git/gitlab-workhorse]" RAILS_ENV=production
|
||||
```
|
||||
|
||||
### 11. Update Gitaly
|
||||
|
||||
#### Compile Gitaly
|
||||
|
||||
```shell
|
||||
cd /home/git/gitaly
|
||||
sudo -u git -H git fetch --all --tags --prune
|
||||
sudo -u git -H git checkout v$(</home/git/gitlab/GITALY_SERVER_VERSION)
|
||||
sudo -u git -H make
|
||||
```
|
||||
|
||||
### 12. Update GitLab Pages
|
||||
|
||||
#### Only needed if you use GitLab Pages
|
||||
|
||||
Install and compile GitLab Pages. GitLab Pages uses
|
||||
[GNU Make](https://www.gnu.org/software/make/).
|
||||
If you are not using Linux you may have to run `gmake` instead of
|
||||
`make` below.
|
||||
|
||||
```shell
|
||||
cd /home/git/gitlab-pages
|
||||
|
||||
sudo -u git -H git fetch --all --tags --prune
|
||||
sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_PAGES_VERSION)
|
||||
sudo -u git -H make
|
||||
```
|
||||
|
||||
### 13. Update configuration files
|
||||
### 9. Update configuration files
|
||||
|
||||
#### New configuration options for `gitlab.yml`
|
||||
|
||||
|
@ -323,12 +263,17 @@ For Ubuntu 16.04.1 LTS:
|
|||
sudo systemctl daemon-reload
|
||||
```
|
||||
|
||||
### 14. Install libraries, migrations, etc
|
||||
### 10. Install libraries, migrations, etc
|
||||
|
||||
```shell
|
||||
cd /home/git/gitlab
|
||||
|
||||
sudo -u git -H bundle install --deployment --without development test mysql aws kerberos
|
||||
# If you haven't done so during installation or a previous upgrade already
|
||||
sudo -u git -H bundle config set deployment 'true'
|
||||
sudo -u git -H bundle config set without 'development test mysql aws kerberos'
|
||||
|
||||
# Update gems
|
||||
sudo -u git -H bundle install
|
||||
|
||||
# Optional: clean up old gems
|
||||
sudo -u git -H bundle clean
|
||||
|
@ -337,7 +282,6 @@ sudo -u git -H bundle clean
|
|||
sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production
|
||||
|
||||
# Compile GetText PO files
|
||||
|
||||
sudo -u git -H bundle exec rake gettext:compile RAILS_ENV=production
|
||||
|
||||
# Update node dependencies and recompile assets
|
||||
|
@ -347,6 +291,54 @@ sudo -u git -H bundle exec rake yarn:install gitlab:assets:clean gitlab:assets:c
|
|||
sudo -u git -H bundle exec rake cache:clear RAILS_ENV=production
|
||||
```
|
||||
|
||||
### 11. Update GitLab Shell
|
||||
|
||||
```shell
|
||||
cd /home/git/gitlab-shell
|
||||
|
||||
sudo -u git -H git fetch --all --tags --prune
|
||||
sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_SHELL_VERSION)
|
||||
sudo -u git -H make build
|
||||
```
|
||||
|
||||
### 12. Update GitLab Workhorse
|
||||
|
||||
Install and compile GitLab Workhorse.
|
||||
|
||||
```shell
|
||||
cd /home/git/gitlab
|
||||
|
||||
sudo -u git -H bundle exec rake "gitlab:workhorse:install[/home/git/gitlab-workhorse]" RAILS_ENV=production
|
||||
```
|
||||
|
||||
### 13. Update Gitaly
|
||||
|
||||
#### Compile Gitaly
|
||||
|
||||
```shell
|
||||
cd /home/git/gitaly
|
||||
sudo -u git -H git fetch --all --tags --prune
|
||||
sudo -u git -H git checkout v$(</home/git/gitlab/GITALY_SERVER_VERSION)
|
||||
sudo -u git -H make
|
||||
```
|
||||
|
||||
### 14. Update GitLab Pages
|
||||
|
||||
#### Only needed if you use GitLab Pages
|
||||
|
||||
Install and compile GitLab Pages. GitLab Pages uses
|
||||
[GNU Make](https://www.gnu.org/software/make/).
|
||||
If you are not using Linux you may have to run `gmake` instead of
|
||||
`make` below.
|
||||
|
||||
```shell
|
||||
cd /home/git/gitlab-pages
|
||||
|
||||
sudo -u git -H git fetch --all --tags --prune
|
||||
sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_PAGES_VERSION)
|
||||
sudo -u git -H make
|
||||
```
|
||||
|
||||
### 15. Start application
|
||||
|
||||
```shell
|
||||
|
|
|
@ -944,7 +944,7 @@ pipelines. For more information, see the [Security Dashboard documentation](../s
|
|||
|
||||
Fuzzing faults show up as vulnerabilities with a severity of Unknown.
|
||||
Once a fault is found, you can interact with it. Read more on how to
|
||||
[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
|
||||
[address the vulnerabilities](../index.md#addressing-vulnerabilities).
|
||||
|
||||
## Handling False Positives
|
||||
|
||||
|
|
|
@ -455,7 +455,7 @@ For more information about the vulnerabilities database update, check the
|
|||
|
||||
## Interacting with the vulnerabilities
|
||||
|
||||
After a vulnerability is found, you can [interact with it](../index.md#interacting-with-the-vulnerabilities).
|
||||
After a vulnerability is found, you can [address it](../index.md#addressing-vulnerabilities).
|
||||
|
||||
## Solutions for vulnerabilities (auto-remediation)
|
||||
|
||||
|
@ -469,7 +469,7 @@ file, it's necessary to set [`GIT_STRATEGY: fetch`](../../../ci/runners/README.m
|
|||
your `.gitlab-ci.yml` file by following the instructions described in this document's
|
||||
[overriding the container scanning template](#overriding-the-container-scanning-template) section.
|
||||
|
||||
Read more about the [solutions for vulnerabilities](../index.md#automatic-remediation-for-vulnerabilities).
|
||||
Read more about the [solutions for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability).
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
|
|
|
@ -237,7 +237,7 @@ The `covfuzz-ci.yml` is the same as that in the [original synchronous example](h
|
|||
|
||||
## Interacting with the vulnerabilities
|
||||
|
||||
After a vulnerability is found, you can [interact with it](../index.md#interacting-with-the-vulnerabilities).
|
||||
After a vulnerability is found, you can [address it](../index.md#addressing-vulnerabilities).
|
||||
The merge request widget lists the vulnerability and contains a button for downloading the fuzzing
|
||||
artifacts. By clicking one of the detected vulnerabilities, you can see its details.
|
||||
|
||||
|
|
|
@ -1170,7 +1170,7 @@ variables:
|
|||
## Interacting with the vulnerabilities
|
||||
|
||||
Once a vulnerability is found, you can interact with it. Read more on how to
|
||||
[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
|
||||
[address the vulnerabilities](../index.md#addressing-vulnerabilities).
|
||||
|
||||
## Vulnerabilities database update
|
||||
|
||||
|
|
|
@ -226,13 +226,13 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m
|
|||
## Interacting with the vulnerabilities
|
||||
|
||||
Once a vulnerability is found, you can interact with it. Read more on how to
|
||||
[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
|
||||
[address the vulnerabilities](../index.md#addressing-vulnerabilities).
|
||||
|
||||
## Solutions for vulnerabilities (auto-remediation)
|
||||
|
||||
Some vulnerabilities can be fixed by applying the solution that GitLab
|
||||
automatically generates. Read more about the
|
||||
[solutions for vulnerabilities](../index.md#automatic-remediation-for-vulnerabilities).
|
||||
[solutions for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability).
|
||||
|
||||
## Security Dashboard
|
||||
|
||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 33 KiB After Width: | Height: | Size: 48 KiB |
Binary file not shown.
Before Width: | Height: | Size: 15 KiB |
Binary file not shown.
Before Width: | Height: | Size: 33 KiB |
Binary file not shown.
Before Width: | Height: | Size: 35 KiB |
|
@ -5,17 +5,20 @@ info: To determine the technical writer assigned to the Stage/Group associated w
|
|||
type: reference, howto
|
||||
---
|
||||
|
||||
# GitLab Secure **(ULTIMATE)**
|
||||
# Application security **(ULTIMATE)**
|
||||
|
||||
GitLab can check your application for security vulnerabilities that may lead to unauthorized access,
|
||||
data leaks, denial of services, and more. GitLab reports vulnerabilities in the merge request so you
|
||||
can fix them before merging. The [Security Dashboard](security_dashboard/index.md) provides a
|
||||
high-level view of vulnerabilities detected in your projects, pipeline, and groups. The [Threat Monitoring](threat_monitoring/index.md)
|
||||
page provides runtime security metrics for application environments. With the information provided,
|
||||
you can immediately begin risk analysis and remediation.
|
||||
can fix them before you merge.
|
||||
|
||||
- The [Security Dashboard](security_dashboard/index.md) provides a
|
||||
high-level view of vulnerabilities detected in your projects, pipeline, and groups.
|
||||
- The [Threat Monitoring](threat_monitoring/index.md) page provides runtime security metrics
|
||||
for application environments. With the information provided,
|
||||
you can immediately begin risk analysis and remediation.
|
||||
|
||||
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
|
||||
For an overview of application security with GitLab, see
|
||||
For an overview of GitLab application security, see
|
||||
[Security Deep Dive](https://www.youtube.com/watch?v=k4vEJnGYy84).
|
||||
|
||||
## Quick start
|
||||
|
@ -123,7 +126,7 @@ latest versions of the scanning tools without having to do anything. There are s
|
|||
with this approach, however, and there is a
|
||||
[plan to resolve them](https://gitlab.com/gitlab-org/gitlab/-/issues/9725).
|
||||
|
||||
## Viewing security scan information in merge requests **(FREE)**
|
||||
## View security scan information in merge requests **(FREE)**
|
||||
|
||||
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4393) in GitLab Free 13.5.
|
||||
> - Made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/273205) in 13.6.
|
||||
|
@ -136,25 +139,7 @@ reports are available to download. To download a report, click on the
|
|||
|
||||
![Security widget](img/security_widget_v13_7.png)
|
||||
|
||||
## Interacting with the vulnerabilities
|
||||
|
||||
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.8.
|
||||
|
||||
Each security vulnerability in the merge request report or the
|
||||
[Vulnerability Report](vulnerability_report/index.md) is actionable. Click an entry to view detailed
|
||||
information with several options:
|
||||
|
||||
- [Dismiss vulnerability](#dismissing-a-vulnerability): Dismissing a vulnerability styles it in
|
||||
strikethrough.
|
||||
- [Create issue](vulnerabilities/index.md#create-a-gitlab-issue-for-a-vulnerability): Create a new issue with the title and
|
||||
description pre-populated with information from the vulnerability report. By default, such issues
|
||||
are [confidential](../project/issues/confidential_issues.md).
|
||||
- [Automatic Remediation](#automatic-remediation-for-vulnerabilities): For some vulnerabilities,
|
||||
a solution is provided for how to fix the vulnerability.
|
||||
|
||||
![Interacting with security reports](img/interacting_with_vulnerability_v13_3.png)
|
||||
|
||||
### View details of a DAST vulnerability
|
||||
## View details of a DAST vulnerability
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36332) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
|
||||
|
||||
|
@ -165,11 +150,10 @@ investigate and rectify the underlying cause.
|
|||
To view details of DAST vulnerabilities:
|
||||
|
||||
1. To see all vulnerabilities detected:
|
||||
|
||||
- In a project, go to the project's **{shield}** **Security & Compliance** page.
|
||||
- Only in a merge request, go the merge request's **Security** tab.
|
||||
|
||||
1. Click on the vulnerability's description. The following details are provided:
|
||||
1. Select the vulnerability's description. The following details are provided:
|
||||
|
||||
| Field | Description |
|
||||
|:-----------------|:------------------------------------------------------------------ |
|
||||
|
@ -187,14 +171,14 @@ To view details of DAST vulnerabilities:
|
|||
| Links | Links to further details of the detected vulnerability. |
|
||||
| Solution | Details of a recommended solution to the vulnerability (optional). |
|
||||
|
||||
#### Hide sensitive information in headers
|
||||
### Hide sensitive information in headers
|
||||
|
||||
HTTP request and response headers may contain sensitive information, including cookies and
|
||||
authorization credentials. By default, content of specific headers are masked in DAST vulnerability
|
||||
reports. You can specify the list of all headers to be masked. For details, see
|
||||
[Hide sensitive information](dast/index.md#hide-sensitive-information).
|
||||
|
||||
### View details of an API Fuzzing vulnerability
|
||||
## View details of an API Fuzzing vulnerability
|
||||
|
||||
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.7.
|
||||
|
||||
|
@ -231,65 +215,79 @@ Follow these steps to view details of a fuzzing fault:
|
|||
| Severity | Severity of the finding is always Unknown. |
|
||||
| Scanner Type | Scanner used to perform testing. |
|
||||
|
||||
### Dismissing a vulnerability
|
||||
## Addressing vulnerabilities
|
||||
|
||||
To dismiss a vulnerability, you must set its status to Dismissed. This dismisses the vulnerability
|
||||
for the entire project. Follow these steps to do so:
|
||||
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.8.
|
||||
|
||||
For each security vulnerability in a merge request or [Vulnerability Report](vulnerability_report/index.md),
|
||||
you can:
|
||||
|
||||
- [Dismiss the vulnerability](#dismiss-a-vulnerability).
|
||||
- Create a [confidential](../project/issues/confidential_issues.md)
|
||||
[issue](vulnerabilities/index.md#create-a-gitlab-issue-for-a-vulnerability).
|
||||
- Apply an [automatically remediation](#apply-an-automatic-remediation-for-a-vulnerability).
|
||||
|
||||
### Dismiss a vulnerability
|
||||
|
||||
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0, a dismissal reason.
|
||||
|
||||
You can dismiss a vulnerability for the entire project.
|
||||
|
||||
1. Select the vulnerability in the Security Dashboard.
|
||||
1. Select **Dismissed** from the **Status** selector menu at the top-right.
|
||||
1. In the top-right, from the **Status** selector menu, select **Dismissed**.
|
||||
1. Optional. Add a reason for the dismissal and select **Save comment**.
|
||||
|
||||
You can undo this action by selecting a different status from the same menu.
|
||||
To undo this action, select a different status from the same menu.
|
||||
|
||||
#### Adding a dismissal reason
|
||||
|
||||
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0.
|
||||
|
||||
When dismissing a vulnerability, it's often helpful to provide a reason for doing so. Upon setting a
|
||||
vulnerability's status to Dismissed, a text box appears for you to add a comment with your
|
||||
dismissal. Once added, you can edit or delete it. This allows you to add and update context for a
|
||||
vulnerability as you learn more over time.
|
||||
|
||||
![Dismissed vulnerability comment](img/adding_a_dismissal_reason_v13_4.png)
|
||||
|
||||
#### Dismissing multiple vulnerabilities
|
||||
#### Dismiss multiple vulnerabilities
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
|
||||
|
||||
You can dismiss multiple vulnerabilities at once, providing an optional reason.
|
||||
Selecting the checkboxes on the side of each vulnerability in the list selects that individual vulnerability.
|
||||
Alternatively, you can select all the vulnerabilities in the list by selecting the checkbox in the table header.
|
||||
Deselecting the checkbox in the header deselects all the vulnerabilities in the list.
|
||||
After you have selected some vulnerabilities, a menu appears at the top of the table that allows you to select a dismissal reason.
|
||||
Pressing the "Dismiss Selected" button dismisses all the selected vulnerabilities at once, with the reason you chose.
|
||||
You can dismiss multiple vulnerabilities at once.
|
||||
|
||||
![Multiple vulnerability dismissal](img/multi_select_v12_9.png)
|
||||
1. In the list of vulnerabilities, select the checkbox for each vulnerability you want to dismiss.
|
||||
To select all, select the checkbox in the table header.
|
||||
1. Above the table, select a dismissal reason.
|
||||
1. Select **Dismiss Selected**.
|
||||
|
||||
### Create an issue for a vulnerability
|
||||
|
||||
You can create a GitLab issue, or a Jira issue (if it's enabled) for a vulnerability. For more
|
||||
details, see [Vulnerability Pages](vulnerabilities/index.md).
|
||||
You can create a GitLab or Jira issue for a vulnerability. For details, see [Vulnerability Pages](vulnerabilities/index.md).
|
||||
|
||||
### Automatic remediation for vulnerabilities
|
||||
#### Link to an existing issue
|
||||
|
||||
If you already have an open issue, you can link to it from the vulnerability.
|
||||
|
||||
- The vulnerability page shows related issues, but the issue page doesn't show the vulnerability it's related to.
|
||||
- An issue can only be related to one vulnerability at a time.
|
||||
- Issues can be linked across groups and projects.
|
||||
|
||||
To link to an existing issue:
|
||||
|
||||
1. Open the vulnerability.
|
||||
1. In the **Related Issues** section, select the plus (**{plus}**) icon.
|
||||
1. In the text box that appears, type an issue number or paste an issue link.
|
||||
- Type `#` followed by a number to show an autocomplete menu.
|
||||
- You can enter multiple issues at once. Press the space bar after each issue number or link to converts them to tags.
|
||||
1. Select **Add**.
|
||||
|
||||
To remove an issue, to the right of the issue number, select **{close}**.
|
||||
|
||||
![Vulnerability related issues text box tags animation](img/vulnerability_related_issues_text_box_tags_v13_2.gif)
|
||||
|
||||
### Apply an automatic remediation for a vulnerability
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5656) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.7.
|
||||
|
||||
Some vulnerabilities can be fixed by applying the solution that GitLab automatically generates.
|
||||
Although the feature name is Automatic Remediation, this feature is also commonly called
|
||||
Auto-Remediation, Auto Remediation, or Suggested Solutions. The following scanners are supported:
|
||||
The following scanners are supported:
|
||||
|
||||
- [Dependency Scanning](dependency_scanning/index.md):
|
||||
- [Dependency Scanning](dependency_scanning/index.md).
|
||||
Automatic Patch creation is only available for Node.js projects managed with
|
||||
`yarn`.
|
||||
- [Container Scanning](container_scanning/index.md)
|
||||
- [Container Scanning](container_scanning/index.md).
|
||||
|
||||
When an automatic solution is available, the button in the header shows **Resolve with merge request**:
|
||||
|
||||
![Resolve with Merge Request button](img/vulnerability_page_merge_request_button_v13_1.png)
|
||||
|
||||
Selecting the button creates a merge request with the solution.
|
||||
|
||||
#### Manually applying the suggested patch
|
||||
#### Manually apply the suggested patch
|
||||
|
||||
To manually apply the patch that GitLab generated for a vulnerability:
|
||||
|
||||
|
@ -301,49 +299,22 @@ To manually apply the patch that GitLab generated for a vulnerability:
|
|||
1. Run `git apply remediation.patch`.
|
||||
1. Verify and commit the changes to your branch.
|
||||
|
||||
#### Creating a merge request from a vulnerability
|
||||
#### Create a merge request with the suggested patch
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9224) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.9.
|
||||
|
||||
In certain cases, GitLab allows you to create a merge request that automatically remediates the
|
||||
In some cases, you can create a merge request that automatically remediates the
|
||||
vulnerability. Any vulnerability that has a
|
||||
[solution](#automatic-remediation-for-vulnerabilities) can have a merge
|
||||
[solution](#apply-an-automatic-remediation-for-a-vulnerability) can have a merge
|
||||
request created to automatically solve the issue.
|
||||
|
||||
If this action is available, the vulnerability page or modal contains a **Create merge request** button.
|
||||
Click this button to create a merge request to apply the solution onto the source branch.
|
||||
If this action is available:
|
||||
|
||||
![Create merge request from vulnerability](img/create_mr_from_vulnerability_v13_4.png)
|
||||
1. Select the **Resolve with merge request** dropdown, then select **Resolve with merge request**.
|
||||
|
||||
![Create merge request from vulnerability](img/create_mr_from_vulnerability_v13_4.png)
|
||||
|
||||
### Managing related issues for a vulnerability
|
||||
|
||||
Issues can be linked to a vulnerability using the related issues block on the vulnerability page.
|
||||
The relationship is uni-directional. The vulnerability page shows related issues, but the issue page
|
||||
doesn't show the vulnerability it's related to. An issue can only be related to one vulnerability at
|
||||
a time. Issues can be linked across groups and projects.
|
||||
|
||||
#### Adding a related issue
|
||||
|
||||
You can link an issue by clicking the **{plus}** button in the **Related Issues** block.
|
||||
|
||||
![Vulnerability related issues add button](img/vulnerability_related_issues_add_button_v13_2.png)
|
||||
|
||||
A text box appears that lets you type an issue number or paste an issue link. You can enter multiple
|
||||
issues at once. Pressing the space bar after each issue number or link converts them to tags that
|
||||
you can remove by clicking the **{close}** icon to the tag's right. Typing `#` followed by a number
|
||||
shows an autocomplete menu. Click an issue in the menu to add it as a tag. When you're finished
|
||||
entering issues, click the **Add** button to link the issues to the vulnerability. Alternatively,
|
||||
click **Cancel** to exit without linking any issues.
|
||||
|
||||
![Vulnerability related issues text box tags animation](img/vulnerability_related_issues_text_box_tags_v13_2.gif)
|
||||
|
||||
### Removing a related issue
|
||||
|
||||
Click the **{close}** icon to right of an issue to remove it as a related issue. Note that this only
|
||||
removes it as a related issue of the vulnerability; it doesn't modify or remove the issue itself.
|
||||
You can link it to the vulnerability again if desired.
|
||||
|
||||
![Vulnerability related issues remove issue animation](img/vulnerability_related_issues_remove_v13_2.gif)
|
||||
A merge request is created. It that applies the solution to the source branch.
|
||||
|
||||
## Security approvals in merge requests
|
||||
|
||||
|
|
|
@ -59,14 +59,14 @@ mirroring the packages inside your own offline network.
|
|||
### Interacting with the vulnerabilities
|
||||
|
||||
Once a vulnerability is found, you can interact with it. Read more on how to
|
||||
[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
|
||||
[address the vulnerabilities](../index.md#addressing-vulnerabilities).
|
||||
|
||||
Please note that in some cases the reported vulnerabilities provide metadata that can contain
|
||||
external links exposed in the UI. These links might not be accessible within an offline environment.
|
||||
|
||||
### Automatic remediation for vulnerabilities
|
||||
|
||||
The [automatic remediation for vulnerabilities](../index.md#automatic-remediation-for-vulnerabilities) feature is available for offline Dependency Scanning and Container Scanning, but may not work
|
||||
The [automatic remediation for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability) feature is available for offline Dependency Scanning and Container Scanning, but may not work
|
||||
depending on your instance's configuration. We can only suggest solutions, which are generally more
|
||||
current versions that have been patched, when we are able to access up-to-date registry services
|
||||
hosting the latest versions of that dependency or image.
|
||||
|
|
|
@ -137,7 +137,7 @@ as shown in the following table:
|
|||
| [Customize SAST Settings](#customizing-the-sast-settings) | **{check-circle}** | **{check-circle}** |
|
||||
| View [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
|
||||
| Presentation of JSON Report in Merge Request | **{dotted-circle}** | **{check-circle}** |
|
||||
| [Interaction with Vulnerabilities](../../application_security/index.md#interacting-with-the-vulnerabilities) | **{dotted-circle}** | **{check-circle}** |
|
||||
| [Address vulnerabilities](../../application_security/index.md#addressing-vulnerabilities) | **{dotted-circle}** | **{check-circle}** |
|
||||
| [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
|
||||
| [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** |
|
||||
| [Customize SAST Rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** |
|
||||
|
|
|
@ -196,4 +196,4 @@ Each scenario can be a third-level heading, e.g. `### Getting error message X`.
|
|||
If you have none to add when creating a doc, leave this section in place
|
||||
but commented out to help encourage others to add to it in the future. -->
|
||||
|
||||
Read more on how to [interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
|
||||
Read more on how to [address the vulnerabilities](../index.md#addressing-vulnerabilities).
|
||||
|
|
|
@ -123,4 +123,4 @@ Linked issues are shown in the Vulnerability Report and the vulnerability's page
|
|||
## Automatically remediate the vulnerability
|
||||
|
||||
You can fix some vulnerabilities by applying the solution that GitLab automatically
|
||||
generates for you. [Read more about the automatic remediation for vulnerabilities feature](../index.md#automatic-remediation-for-vulnerabilities).
|
||||
generates for you. [Read more about the automatic remediation for vulnerabilities feature](../index.md#apply-an-automatic-remediation-for-a-vulnerability).
|
||||
|
|