Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-10-20 00:09:05 +00:00
parent f7f930eadb
commit 69b1c09769
13 changed files with 213 additions and 135 deletions

View File

@ -20,8 +20,6 @@ PATTERNS = %w[
<tabs
bs-callout
deprecated-modal
has-tooltip
has_tooltip
initDeprecatedJQueryDropdown
loading-button
v-popover
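Review bot: the two entries dropped from `PATTERNS` (`bs-callout` and `deprecated-modal`) are not explained anywhere in the change; since this list reads as a denylist of deprecated markup, the description should say whether they were removed because no occurrences remain or because the check was deliberately relaxed, so the change stays auditable.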

View File

@ -18,14 +18,14 @@ in the following table.
| Scope | Description |
| ----- | ----------- |
| `read_repository` | Allows read-access to the repository files. |
| `api` | Allows read-write access to the repository files. |
| `read_repository` | Allows read-access to the repository files. |
## Get file from repository
> The `execute_filemode` field in the response was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83499) in GitLab 14.10.
Allows you to receive information about file in repository like name, size,
Allows you to receive information about file in repository like name, size, and
content. File content is Base64 encoded. This endpoint can be accessed
without authentication if the repository is publicly accessible.
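Review bot: the rewritten sentence `Allows you to receive information about file in repository like name, size, and` still drops the articles; suggest `Allows you to receive information about a file in the repository, such as its name, size, and content.` The scope table in the same hunk shows `read_repository` both above and below the `api` row, so please confirm the rendered table lists each scope exactly once.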
@ -37,11 +37,11 @@ GET /projects/:id/repository/files/:file_path
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/13083/repository/files/app%2Fmodels%2Fkey%2Erb?ref=master"
```
| Attribute | Type | Required | Description |
|-------------|----------------|----------|-----------------------------------------------------------------------------------------------------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user |
| `file_path` | string | yes | URL encoded full path to new file. Ex. `lib%2Fclass%2Erb`. |
| `ref` | string | yes | The name of branch, tag or commit |
| Attribute | Type | Required | Description |
|-------------|----------------|----------|-------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. |
| `file_path` | string | yes | URL encoded full path to new file, such as `lib%2Fclass%2Erb`. |
| `ref` | string | yes | The name of branch, tag or commit. |
Example response:
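Review bot: the `file_path` row in the rewritten table still says `URL encoded full path to new file`, but this is the read endpoint `GET /projects/:id/repository/files/:file_path`; suggest `URL-encoded full path to the file, such as `lib%2Fclass%2Erb`.` (also hyphenating `URL-encoded`, as the other rewritten tables in this commit do). The `ref` row would read better as `The name of a branch, tag, or commit.`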
@ -62,7 +62,8 @@ Example response:
```
NOTE:
`blob_id` is the blob SHA, see [repositories - Get a blob from repository](repositories.md#get-a-blob-from-repository)
`blob_id` is the blob SHA. Refer to [Get a blob from repository](repositories.md#get-a-blob-from-repository)
in the Repositories API.
In addition to the `GET` method, you can also use `HEAD` to get just file metadata.
@ -100,14 +101,14 @@ Allows you to receive blame information. Each blame range contains lines and cor
GET /projects/:id/repository/files/:file_path/blame
```
| Attribute | Type | Required | Description |
|-----------------|-------------------|----------|--------------------------------------------------------------------------------------------------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user |
| `file_path` | string | yes | URL encoded full path to new file. Ex. `lib%2Fclass%2Erb`. |
| `ref` | string | yes | The name of branch, tag or commit |
| `range` | hash | no | Blame range |
| `range[start]` | integer | yes | The first line of the range to blame |
| `range[end]` | integer | yes | The last line of the range to blame |
| Attribute | Type | Required | Description |
|-----------------|-------------------|----------|-------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. |
| `file_path` | string | yes | URL-encoded full path to new file, such as`lib%2Fclass%2Erb`. |
| `ref` | string | yes | The name of branch, tag or commit. |
| `range[end]` | integer | yes | The last line of the range to blame. |
| `range[start]` | integer | yes | The first line of the range to blame. |
| `range` | hash | no | Blame range. |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/13083/repository/files/path%2Fto%2Ffile.rb/blame?ref=master"
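Review bot: missing space in `such as`lib%2Fclass%2Erb`` on the `file_path` row. The alphabetical sort also places `range[end]` and `range[start]` above their parent `range` row, so a reader meets the sub-keys before the hash they belong to; suggest keeping `range` first, then `range[start]`, then `range[end]`. As in the previous table, `file_path` still says `new file` on a read endpoint.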
@ -142,7 +143,7 @@ Example response:
```
NOTE:
`HEAD` method return just file metadata as in [Get file from repository](repository_files.md#get-file-from-repository).
`HEAD` method returns just file metadata, as in [Get file from repository](repository_files.md#get-file-from-repository).
```shell
curl --head --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/13083/repository/files/path%2Fto%2Ffile.rb/blame?ref=master"
@ -168,7 +169,8 @@ X-Gitlab-Execute-Filemode: false
### Examples
To request a blame range, specify `range[start]` and `range[end]` parameters with the start and end line numbers of the file.
To request a blame range, specify `range[start]` and `range[end]` parameters with
the starting and ending line numbers of the file.
```shell
curl --head --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/13083/repository/files/path%2Fto%2Ffile.rb/blame?ref=master&range[start]=1&range[end]=2"
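Review bot: the blame-range example uses `curl --head`, but a `HEAD` request returns only headers, so `range[start]=1&range[end]=2` has no visible effect and the `Example response` that follows cannot have come from this command; suggest dropping `--head` here so the example returns the blame body, and keeping `--head` only in the metadata example above.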
@ -207,24 +209,25 @@ Example response:
GET /projects/:id/repository/files/:file_path/raw
```
| Attribute | Type | Required | Description |
|-------------|----------------|----------|-----------------------------------------------------------------------------------------------------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user |
| `file_path` | string | yes | URL encoded full path to new file. Ex. `lib%2Fclass%2Erb`. |
| `ref` | string | yes | The name of branch, tag or commit. Default is the `HEAD` of the project. |
| Attribute | Type | Required | Description |
|-------------|----------------|----------|------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. |
| `file_path` | string | yes | URL-encoded full path to new file, such as `lib%2Fclass%2Erb`. |
| `ref` | string | yes | The name of branch, tag or commit. Default is the `HEAD` of the project. |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/13083/repository/files/app%2Fmodels%2Fkey%2Erb/raw?ref=master"
```
NOTE:
Like [Get file from repository](repository_files.md#get-file-from-repository) you can use `HEAD` to get just file metadata.
Like [Get file from repository](repository_files.md#get-file-from-repository), you can use `HEAD` to get just file metadata.
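Review bot: same wording issue on the `/raw` table: `file_path` is described as `URL-encoded full path to new file` for a read endpoint; suggest `to the file`. The `ref` row's `Default is the `HEAD` of the project.` would be clearer if it named the branch whose `HEAD` is meant (presumably the default branch), if that is the behaviour.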
## Create new file in repository
> The `execute_filemode` parameter was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83499) in GitLab 14.10.
This allows you to create a single file. For creating multiple files with a single request see the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions).
Allows you to create a single file. For creating multiple files with a single request,
refer to the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions).
```plaintext
POST /projects/:id/repository/files/:file_path
@ -232,16 +235,16 @@ POST /projects/:id/repository/files/:file_path
| Attribute | Type | Required | Description |
| ---------------- | -------------- | -------- | ----------- |
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. |
| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. |
| `branch` | string | yes | Name of the new branch to create. The commit is added to this branch. |
| `start_branch` | string | no | Name of the base branch to create the new branch from. |
| `encoding` | string | no | Change encoding to `base64`. Default is `text`. |
| `commit_message` | string | yes | The commit message. |
| `content` | string | yes | The file's content. |
| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. |
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. |
| `author_email` | string | no | The commit author's email address. |
| `author_name` | string | no | The commit author's name. |
| `content` | string | yes | The file's content. |
| `commit_message` | string | yes | The commit message. |
| `encoding` | string | no | Change encoding to `base64`. Default is `text`. |
| `execute_filemode` | boolean | no | Enables or disables the `execute` flag on the file. Can be `true` or `false`. |
| `start_branch` | string | no | Name of the base branch to create the new branch from. |
```shell
curl --request POST --header 'PRIVATE-TOKEN: <your_access_token>' \
@ -264,7 +267,8 @@ Example response:
> The `execute_filemode` parameter was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83499) in GitLab 14.10.
This allows you to update a single file. For updating multiple files with a single request see the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions).
Allows you to update a single file. For updating multiple files with a single request,
refer to the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions).
```plaintext
PUT /projects/:id/repository/files/:file_path
@ -272,17 +276,17 @@ PUT /projects/:id/repository/files/:file_path
| Attribute | Type | Required | Description |
| ---------------- | -------------- | -------- | ----------- |
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user |
| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. |
| `branch` | string | yes | Name of the new branch to create. The commit is added to this branch. |
| `start_branch` | string | no | Name of the base branch to create the new branch from. |
| `encoding` | string | no | Change encoding to `base64`. Default is `text`. |
| `commit_message` | string | yes | The commit message. |
| `content` | string | yes | The file's content. |
| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. |
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user |
| `author_email` | string | no | The commit author's email address. |
| `author_name` | string | no | The commit author's name. |
| `content` | string | yes | The file's content. |
| `commit_message` | string | yes | The commit message. |
| `last_commit_id` | string | no | Last known file commit ID. |
| `encoding` | string | no | Change encoding to `base64`. Default is `text`. |
| `execute_filemode` | boolean | no | Enables or disables the `execute` flag on the file. Can be `true` or `false`. |
| `last_commit_id` | string | no | Last known file commit ID. |
| `start_branch` | string | no | Name of the base branch to create the new branch from. |
```shell
curl --request PUT --header 'PRIVATE-TOKEN: <your_access_token>' \
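Review bot: the `id` row in the update table (`...owned by the authenticated user |`) lacks the trailing period that the matching row in the create table (`...owned by the authenticated user. |`) and every other row here carry; add it for consistency. `file_path` also still says `to new file` on an endpoint that updates an existing file.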
@ -301,19 +305,19 @@ Example response:
}
```
If the commit fails for any reason we return a 400 error with a non-specific
If the commit fails for any reason we return a `400 Bad Request` error with a non-specific
error message. Possible causes for a failed commit include:
- the `file_path` contained `/../` (attempted directory traversal);
- the new file contents were identical to the current file contents. That is, the
user tried to make an empty commit;
- the branch was updated by a Git push while the file edit was in progress.
- The `file_path` contained `/../` (attempted directory traversal).
- The commit was empty: new file contents were identical to the current file contents.
- The branch was updated by `git push` while the file edit was in progress.
GitLab Shell has a boolean return code, preventing GitLab from specifying the error.
[GitLab Shell](https://gitlab.com/gitlab-org/gitlab-shell/) has a boolean return code, preventing GitLab from specifying the error.
## Delete existing file in repository
This allows you to delete a single file. For deleting multiple files with a single request, see the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions).
This allows you to delete a single file. For deleting multiple files with a single request,
refer to the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions).
```plaintext
DELETE /projects/:id/repository/files/:file_path
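Review bot: the delete section keeps `This allows you to delete a single file.` while the create and update sections in this same commit were changed to `Allows you to ...`; align the wording. In the failure-cause list, `The branch was updated by `git push` while the file edit was in progress.` would be more useful if it said how the caller can detect or avoid that race; if the `last_commit_id` parameter documented below (`Last known file commit ID.`) is the mechanism, say so here.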
@ -321,14 +325,14 @@ DELETE /projects/:id/repository/files/:file_path
| Attribute | Type | Required | Description |
| ---------------- | -------------- | -------- | ----------- |
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. |
| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. |
| `branch` | string | yes | Name of the new branch to create. The commit is added to this branch. |
| `start_branch` | string | no | Name of the base branch to create the new branch from. |
| `commit_message` | string | yes | The commit message. |
| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. |
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. |
| `author_email` | string | no | The commit author's email address. |
| `author_name` | string | no | The commit author's name. |
| `commit_message` | string | yes | The commit message. |
| `last_commit_id` | string | no | Last known file commit ID. |
| `start_branch` | string | no | Name of the base branch to create the new branch from. |
```shell
curl --request DELETE --header 'PRIVATE-TOKEN: <your_access_token>' \
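Review bot: `file_path` on the delete table is described as `URL-encoded full path to new file`; for `DELETE /projects/:id/repository/files/:file_path` it should read `URL-encoded full path to the file to delete`. The `branch` row's `Name of the new branch to create.` also reads oddly for a delete; if the branch may already exist, say so.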

View File

@ -25,7 +25,7 @@ Supported attributes:
| Attribute | Type | Required | Description |
|:------------------|:--------|:---------|:----------------------|
| `id` | integer | Yes | Return SAML identities for the given group ID. |
| `id` | integer | Yes | Return SCIM identities for the given group ID. |
If successful, returns [`200`](index.md#status-codes) and the following
response attributes:

View File

@ -510,6 +510,8 @@ Parameters:
Modifies an existing user. Only administrators can change attributes of a user.
The `email` field is the user's primary email address. You can only change this field to an already-added secondary email address for that user. To add more email addresses to the same user, use the [add email function](#add-email).
```plaintext
PUT /users/:id
```
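Review bot: the added sentence says the primary `email` can only be changed to `an already-added secondary email address`; state whether that secondary address must also be confirmed, since that is the property that makes the restriction meaningful for account safety, and a reader of the API reference cannot infer it from `already-added` alone.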
@ -1486,6 +1488,7 @@ Parameters:
Deletes email owned by currently authenticated user.
This returns a `204 No Content` status code if the operation was successfully or `404` if the resource was not found.
This cannot delete a primary email address.
```plaintext
DELETE /user/emails/:email_id
@ -1499,7 +1502,11 @@ Parameters:
## Delete email for given user **(FREE SELF)**
Deletes email owned by a specified user. Available only for administrator.
Prerequisite:
- You must be an administrator of a self-managed GitLab instance.
Deletes an email address owned by a specified user. This cannot delete a primary email address.
```plaintext
DELETE /users/:id/emails/:email_id

View File

@ -31,7 +31,7 @@ To request access to ChatOps on GitLab.com:
1. Comment in your onboarding issue, and tag your onboarding buddy and your manager.
Request they add you to the `ops` ChatOps project by running this command
in the `#chat-ops-test` Slack channel, replacing `<username>` with your username:
in the `#chat-ops-test` Slack channel, replacing `<username>` with your GitLab.com username:
`/chatops run member add <username> gitlab-com/chatops --ops`
```plaintext

View File

@ -83,7 +83,7 @@ For configuration removals, see the [Omnibus deprecation policy](../../administr
For versioning and upgrade details, see our [Release and Maintenance policy](../../policy/maintenance.md).
## Update the deprecations and removals documentation
## Update the deprecations and removals documentation pages
The [deprecations](../../update/deprecations.md) and [removals](../../update/removals.md)
documentation is generated from the YAML files located in
@ -131,3 +131,7 @@ Related Handbook pages:
- <https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-removals-and-breaking-changes>
- <https://about.gitlab.com/handbook/marketing/blog/release-posts/#update-the-deprecations-and-removals-docs>
## Update the related documentation
When features are deprecated and removed, [update the related documentation](../documentation/versions.md#deprecations-and-removals).

View File

@ -129,7 +129,7 @@ To deprecate an attribute:
```
To widely announce a deprecation, or if it's a breaking change,
[update the deprecations and removals documentation](../deprecation_guidelines/index.md#update-the-deprecations-and-removals-documentation).
[update the deprecations and removals documentation pages](../deprecation_guidelines/index.md#update-the-deprecations-and-removals-documentation-pages).
## Method description

View File

@ -16,6 +16,8 @@ Currently, IaC scanning supports configuration files for Terraform, Ansible, AWS
IaC Scanning runs in the `test` stage, which is available by default. If you redefine the stages in the `.gitlab-ci.yml` file, the `test` stage is required.
We recommend a minimum of 4GB RAM to ensure consistent performance.
To run IaC scanning jobs, by default, you need GitLab Runner with the
[`docker`](https://docs.gitlab.com/runner/executors/docker.html) or
[`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor.
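Review bot: `We recommend a minimum of 4GB RAM to ensure consistent performance.` is inserted between the stage requirement and the runner-executor requirement without saying what the figure applies to; suggest `We recommend a minimum of 4 GB RAM on the runner that executes IaC scanning jobs to ensure consistent performance.` (with a space in `4 GB`).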
@ -32,16 +34,16 @@ is **not** `19.03.0`. See [troubleshooting information](../sast/index.md#error-r
GitLab IaC scanning supports a variety of IaC configuration files. Our IaC security scanners also feature automatic language detection which works even for mixed-language projects. If any supported configuration files are detected in project source code we automatically run the appropriate IaC analyzers.
| Configuration File Type | Scan tool | Introduced in GitLab Version |
|------------------------------------------|----------------------------------|-------------------------------|
| Ansible | [KICS](https://kics.io/) | 14.5 |
| AWS CloudFormation | [KICS](https://kics.io/) | 14.5 |
| Azure Resource Manager <sup>1</sup> | [KICS](https://kics.io/) | 14.5 |
| Dockerfile | [KICS](https://kics.io/) | 14.5 |
| Google Deployment Manager | [KICS](https://kics.io/) | 14.5 |
| Kubernetes | [KICS](https://kics.io/) | 14.5 |
| OpenAPI | [KICS](https://kics.io/) | 14.5 |
| Terraform <sup>2</sup> | [KICS](https://kics.io/) | 14.5 |
| Configuration File Type | Scan tool | Introduced in GitLab Version |
| ----------------------------------- | ------------------------ | ---------------------------- |
| Ansible | [KICS](https://kics.io/) | 14.5 |
| AWS CloudFormation | [KICS](https://kics.io/) | 14.5 |
| Azure Resource Manager <sup>1</sup> | [KICS](https://kics.io/) | 14.5 |
| Dockerfile | [KICS](https://kics.io/) | 14.5 |
| Google Deployment Manager | [KICS](https://kics.io/) | 14.5 |
| Kubernetes | [KICS](https://kics.io/) | 14.5 |
| OpenAPI | [KICS](https://kics.io/) | 14.5 |
| Terraform <sup>2</sup> | [KICS](https://kics.io/) | 14.5 |
1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature.
@ -77,7 +79,7 @@ Different features are available in different [GitLab tiers](https://about.gitla
as shown in the following table:
| Capability | In Free & Premium | In Ultimate |
|:----------------------------------------------------------------|:--------------------|:-------------------|
| :-------------------------------------------------------------- | :------------------ | :----------------- |
| [Configure IaC scanner](#configuration) | **{check-circle}** | **{check-circle}** |
| Download [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
| See new findings in merge request widget | **{dotted-circle}** | **{check-circle}** |

View File

@ -12,7 +12,7 @@ Static Application Security Testing (SAST) uses analyzers
to detect vulnerabilities in source code. Each analyzer is a wrapper around a [scanner](../terminology/index.md#scanner), a third-party code analysis tool.
The analyzers are published as Docker images that SAST uses to launch dedicated containers for each
analysis.
analysis. We recommend a minimum of 4GB RAM to ensure consistent performance of the analyzers.
SAST default images are maintained by GitLab, but you can also integrate your own custom image.
@ -26,11 +26,8 @@ For each scanner, an analyzer:
SAST supports the following official analyzers:
- [`bandit`](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Bandit)
- [`brakeman`](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) (Brakeman)
- [`eslint`](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (ESLint (JavaScript and React))
- [`flawfinder`](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) (Flawfinder)
- [`gosec`](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Gosec)
- [`kubesec`](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) (Kubesec)
- [`mobsf`](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (MobSF (beta))
- [`nodejs-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) (NodeJsScan)
@ -41,6 +38,12 @@ SAST supports the following official analyzers:
- [`sobelow`](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) (Sobelow (Elixir Phoenix))
- [`spotbugs`](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) (SpotBugs with the Find Sec Bugs plugin (Ant, Gradle and wrapper, Grails, Maven and wrapper, SBT))
SAST has used other analyzers in previous versions. These analyzers reached End of Support status and do not receive updates:
- [`bandit`](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Bandit); [End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. Replaced by the `semgrep` analyzer with GitLab-managed rules.
- [`eslint`](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (ESLint (JavaScript and React)); [End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. Replaced by the `semgrep` analyzer with GitLab-managed rules.
- [`gosec`](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Gosec); [End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. Replaced by the `semgrep` analyzer with GitLab-managed rules.
## SAST analyzer features
For an analyzer to be considered Generally Available, it is expected to minimally
@ -126,16 +129,16 @@ You can see how Semgrep-based scanning will work in your projects before the Git
We recommend that you test this change in a merge request but continue using the Stable template in your default branch pipeline configuration.
In GitLab 15.3, we [activated a feature flag](https://gitlab.com/gitlab-org/gitlab/-/issues/362179) to migrate security findings on the default branch from other analyzers to Semgrep.
We plan to [plan to remove the deprecated analyzers](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) from the Stable CI/CD template in GitLab 15.4.
In GitLab 15.4, we [removed the deprecated analyzers](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) from the Stable CI/CD template.
To preview the upcoming changes to the CI/CD configuration:
To preview the upcoming changes to the CI/CD configuration in GitLab 15.3 or earlier:
1. Open an MR to switch from the Stable CI/CD template, `SAST.gitlab-ci.yaml`, to [the Latest template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml), `SAST.latest.gitlab-ci.yaml`.
- On GitLab.com, use the latest template directly:
```yaml
include:
template: 'SAST.latest.gitlab-ci.yaml'
template: 'Jobs/SAST.latest.gitlab-ci.yaml'
```
- On a Self-Managed instance, download the template from GitLab.com:
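Review bot: template file names are inconsistent in this hunk: the link target ends in `SAST.latest.gitlab-ci.yml`, while the inline code writes `SAST.gitlab-ci.yaml` and `SAST.latest.gitlab-ci.yaml` and the include is changed to `template: 'Jobs/SAST.latest.gitlab-ci.yaml'`; a pipeline that copies the `.yaml` spelling will not resolve the template. Use the `.yml` spelling throughout, that is `template: 'Jobs/SAST.latest.gitlab-ci.yml'`, matching the `Security/SAST.gitlab-ci.yml` include used later on this page.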
@ -169,8 +172,8 @@ This variable affects all Secure analyzers, not just the analyzers for SAST.
To have GitLab download the analyzers' images from a custom Docker registry, define the prefix with
the `SECURE_ANALYZERS_PREFIX` CI/CD variable.
For example, the following instructs SAST to pull `my-docker-registry/gitlab-images/bandit` instead
of `registry.gitlab.com/security-products/bandit`:
For example, the following instructs SAST to pull `my-docker-registry/gitlab-images/semgrep` instead
of `registry.gitlab.com/security-products/semgrep`:
```yaml
include:
@ -206,14 +209,14 @@ source code languages detected. However, you can disable select analyzers.
To disable select analyzers, set the CI/CD variable `SAST_EXCLUDED_ANALYZERS` to a comma-delimited
string listing the analyzers that you want to prevent running.
For example, to disable the `eslint` analyzer:
For example, to disable the `spotbugs` analyzer:
```yaml
include:
- template: Security/SAST.gitlab-ci.yml
variables:
SAST_EXCLUDED_ANALYZERS: "eslint"
SAST_EXCLUDED_ANALYZERS: "spotbugs"
```
### Custom analyzers
@ -249,25 +252,27 @@ Each analyzer provides data about the vulnerabilities it detects. The following
data available from each analyzer. The values provided by these tools are heterogeneous so they are sometimes
normalized into common values, for example, `severity` and `confidence`.
| Property / tool | Apex | Bandit | Brakeman | ESLint security | SpotBugs | Flawfinder | Gosec | Kubesec Scanner | MobSF | NodeJsScan | PHP CS Security Audit | Security code Scan (.NET) | Semgrep | Sobelow |
| Property / tool | Apex | Bandit<sup>1</sup> | Brakeman | ESLint security<sup>1</sup> | SpotBugs | Flawfinder | Gosec<sup>1</sup> | Kubesec Scanner | MobSF | NodeJsScan | PHP CS Security Audit | Security code Scan (.NET) | Semgrep | Sobelow |
|--------------------------------|------|--------|----------|-----------------|----------|------------|-------|-----------------|-------|------------|-----------------------|---------------------------|---------|---------|
| Affected item (for example, class or package) | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Confidence | ✗ | ✓ | ✓ | ✗ | ✓ | x | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✓ |
| Description | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ |
| End column | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| End line | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| External ID (for example, CVE) | ✗ | ✗ | ⚠ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ |
| File | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Internal doc/explanation | ✓ | ⚠ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Internal ID | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Severity | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ⚠ | ✗ |
| Solution | ✓ | ✗ | ✗ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ |
| Source code extract | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Start column | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ |
| Start line | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Title | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| URLs | ✓ | ✗ | ✓ | ✗ | ⚠ | ✗ | ⚠ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Confidence | ✗ | ✓ | ✓ | ✗ | ✓ | x | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✓ |
| Description | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ |
| End column | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| End line | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| External ID (for example, CVE) | ✗ | ✗ | ⚠ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ |
| File | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Internal doc/explanation | ✓ | ⚠ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Internal ID | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Severity | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ⚠ | ✗ |
| Solution | ✓ | ✗ | ✗ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ |
| Source code extract | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Start column | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ |
| Start line | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Title | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| URLs | ✓ | ✗ | ✓ | ✗ | ⚠ | ✗ | ⚠ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
- ✓ => Data is available.
- ⚠ => Data is available, but it's partially reliable, or it has to be extracted from unstructured content.
- ✗ => Data is not available or it would require specific, inefficient or unreliable, logic to obtain it.
1. This analyzer has reached [End of Support](https://about.gitlab.com/handbook/product/gitlab-the-product/#end-of-support). For more information, see the [SAST analyzers](#sast-analyzers) section.
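Review bot: the `Confidence` row uses a bare `x` in the Flawfinder column instead of the `✗` glyph used in every other cell and defined in the legend; replace it with `✗` so the legend applies to the whole table. The legend line `✗ => Data is not available or it would require specific, inefficient or unreliable, logic to obtain it.` also has a stray comma before `logic`.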

View File

@ -83,14 +83,14 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu
| C | [Semgrep](https://semgrep.dev) | 14.2 |
| C/C++ | [Flawfinder](https://github.com/david-a-wheeler/flawfinder) | 10.7 |
| Elixir (Phoenix) | [Sobelow](https://github.com/nccgroup/sobelow) | 11.1 |
| Go | [Gosec](https://github.com/securego/gosec) | 10.7 |
| Go<sup>3</sup> | [Gosec](https://github.com/securego/gosec) | 10.7 |
| Go | [Semgrep](https://semgrep.dev) | 14.4 |
| Groovy<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Maven, SBT) |
| Helm Charts | [Kubesec](https://github.com/controlplaneio/kubesec) | 13.1 |
| Java (any build system) | [Semgrep](https://semgrep.dev) | 14.10 |
| Java<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (SBT) |
| Java<sup>2, 3</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (SBT) |
| Java (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
| JavaScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 |
| JavaScript<sup>3</sup> | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 |
| JavaScript | [Semgrep](https://semgrep.dev) | 13.10 |
| Kotlin (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
| Kotlin (General)<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 13.11 |
@ -98,15 +98,15 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu
| Node.js | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan) | 11.1 |
| Objective-C (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
| PHP | [phpcs-security-audit](https://github.com/FloeDesignTechnologies/phpcs-security-audit) | 10.8 |
| Python ([pip](https://pip.pypa.io/en/stable/)) | [bandit](https://github.com/PyCQA/bandit) | 10.3 |
| Python<sup>3</sup> | [bandit](https://github.com/PyCQA/bandit) | 10.3 |
| Python | [Semgrep](https://semgrep.dev) | 13.9 |
| React | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react) | 12.5 |
| React<sup>3</sup> | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react) | 12.5 |
| React | [Semgrep](https://semgrep.dev) | 13.10 |
| Ruby | [brakeman](https://brakemanscanner.org) | 13.9 |
| Ruby on Rails | [brakeman](https://brakemanscanner.org) | 10.3 |
| Scala<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Gradle, Maven) |
| Swift (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
| TypeScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 |
| TypeScript<sup>3</sup> | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 |
| TypeScript | [Semgrep](https://semgrep.dev) | 13.10 |
1. .NET 4 support is limited. The analyzer runs in a Linux container and does not have access to Windows-specific libraries or features. Use the Semgrep-based scanner if you need .NET 4 support.
@ -114,6 +114,7 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu
[Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html),
[Grails](https://grails.org/),
and the [Maven wrapper](https://github.com/takari/maven-wrapper). However, SpotBugs has [limitations](https://gitlab.com/gitlab-org/gitlab/-/issues/350801) when used against [Ant](https://ant.apache.org/)-based projects. We recommend using the Semgrep-based analyzer for Ant-based Java projects.
1. These analyzers reached [End of Support](https://about.gitlab.com/handbook/product/gitlab-the-product/#end-of-support) status [in GitLab 15.4](https://gitlab.com/gitlab-org/gitlab/-/issues/352554).
### Multi-project support
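Review bot: the new footnote says these analyzers reached End of Support in GitLab 15.4 but not what replaces them; footnote 1 already sets the pattern ("Use the Semgrep-based scanner if you need .NET 4 support"), and the table lists Semgrep rows for Go, JavaScript, Python, React and TypeScript, so add a sentence such as "Use the Semgrep-based analyzer for these languages instead." to the footnote.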
@ -473,8 +474,8 @@ All customization of GitLab security scanning tools should be tested in a merge
merging these changes to the default branch. Failure to do so can give unexpected results,
including a large number of false positives.
The following example includes the SAST template to override the `SAST_GOSEC_LEVEL`
variable to `2`. The template is [evaluated before](../../../ci/yaml/index.md#include) the pipeline
The following example includes the SAST template to override the `SEARCH_MAX_DEPTH`
variable to `10`. The template is [evaluated before](../../../ci/yaml/index.md#include) the pipeline
configuration, so the last mention of the variable takes precedence.
```yaml
@ -482,7 +483,7 @@ include:
- template: Security/SAST.gitlab-ci.yml
variables:
SAST_GOSEC_LEVEL: 2
SEARCH_MAX_DEPTH: 10
```
#### Logging level
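Review bot: the example now overrides `SEARCH_MAX_DEPTH`, but the prose in the preceding hunk never says what the variable does, so a reader copying `SEARCH_MAX_DEPTH: 10` may assume it widens or narrows the scan itself; add a clause stating that it only bounds the language-detection pass (default 4, per the variables table further down) and that the entire repository is still analyzed once the analyzers are selected.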
@ -536,10 +537,10 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre
|------------------------------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs (see [`doublestar.Match`](https://pkg.go.dev/github.com/bmatcuk/doublestar/v4@v4.0.2#Match) for supported patterns), or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. You might need to exclude temporary directories used by your build tool as these can generate false positives. To exclude paths, copy and paste the default excluded paths, then **add** your own paths to be excluded. If you don't specify the default excluded paths, you will override the defaults and _only_ paths you specify will be excluded from the SAST scans. |
| `SEARCH_MAX_DEPTH` | 4 | SAST searches the repository to detect the programming languages used, and selects the matching analyzers. Set the value of `SEARCH_MAX_DEPTH` to specify how many directory levels the search phase should span. After the analyzers have been selected, the _entire_ repository is analyzed. |
| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` |
| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'`. [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. |
| `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. |
| `SAST_FLAWFINDER_LEVEL` | 1 | Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk. |
| `SAST_GOSEC_LEVEL` | 0 | Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High. |
| `SAST_GOSEC_LEVEL` | 0 | Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High. [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. |
#### Analyzer settings
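Review bot: the `SAST_BANDIT_EXCLUDED_PATHS` and `SAST_GOSEC_LEVEL` rows are marked as removed in GitLab 15.4 but stay in the table with no replacement guidance; since the analyzers that consumed them are End of Support, a pipeline that still sets them silently loses its exclusion or threshold, so say explicitly that the variables are now ignored and point `SAST_BANDIT_EXCLUDED_PATHS` users to `SAST_EXCLUDED_PATHS`, which is documented in the same table. The bandit row also links to the Python 2 `fnmatch` documentation (`docs.python.org/2`); if the row is kept, link to the current docs.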
@ -664,11 +665,8 @@ import the following default SAST analyzer images from `registry.gitlab.com` int
[local Docker container registry](../../packages/container_registry/index.md):
```plaintext
registry.gitlab.com/security-products/bandit:2
registry.gitlab.com/security-products/brakeman:2
registry.gitlab.com/security-products/eslint:2
registry.gitlab.com/security-products/flawfinder:2
registry.gitlab.com/security-products/gosec:3
registry.gitlab.com/security-products/kubesec:2
registry.gitlab.com/security-products/nodejs-scan:2
registry.gitlab.com/security-products/phpcs-security-audit:2
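Review bot: dropping `bandit`, `eslint` and `gosec` from the offline image list is inconsistent with the custom-CA table further down, which keeps the same three analyzers and marks them with a footnote; offline installations on a GitLab release before 15.4 still need to mirror those images, so either keep them here with the same footnote treatment or state the GitLab version from which this list applies.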
@ -694,11 +692,11 @@ Support for custom certificate authorities was introduced in the following versi
| Analyzer | Version |
| -------- | ------- |
| `bandit` | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/releases/v2.3.0) |
| `bandit`<sup>1</sup> | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/releases/v2.3.0) |
| `brakeman` | [v2.1.0](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman/-/releases/v2.1.0) |
| `eslint` | [v2.9.2](https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/releases/v2.9.2) |
| `eslint`<sup>1</sup> | [v2.9.2](https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/releases/v2.9.2) |
| `flawfinder` | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/releases/v2.3.0) |
| `gosec` | [v2.5.0](https://gitlab.com/gitlab-org/security-products/analyzers/gosec/-/releases/v2.5.0) |
| `gosec`<sup>1</sup> | [v2.5.0](https://gitlab.com/gitlab-org/security-products/analyzers/gosec/-/releases/v2.5.0) |
| `kubesec` | [v2.1.0](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec/-/releases/v2.1.0) |
| `nodejs-scan` | [v2.9.5](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan/-/releases/v2.9.5) |
| `phpcs-security-audit` | [v2.8.2](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit/-/releases/v2.8.2) |
@ -708,6 +706,8 @@ Support for custom certificate authorities was introduced in the following versi
| `sobelow` | [v2.2.0](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/releases/v2.2.0) |
| `spotbugs` | [v2.7.1](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/releases/v2.7.1) |
1. These analyzers were deprecated in GitLab 14.8 and [reached End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4.
### Set SAST CI/CD variables to use local SAST analyzers
Add the following configuration to your `.gitlab-ci.yml` file. You must replace
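Review bot: this footnote says the analyzers were "deprecated in GitLab 14.8 and reached End of Support in GitLab 15.4", while the equivalent footnote under the supported-languages table above says only that they reached End of Support in 15.4; both cite the same issue, so use the same wording in both places, and the deprecation version is the more useful detail to keep.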

View File

@ -12,7 +12,7 @@ gem 'rspec', '~> 3.11'
gem 'selenium-webdriver', '~> 4.5'
gem 'airborne', '~> 0.3.7', require: false # airborne is messing with rspec sandboxed mode so not requiring by default
gem 'rest-client', '~> 2.1.0'
gem 'rspec-retry', '~> 0.6.1', require: 'rspec/retry'
gem 'rspec-retry', '~> 0.6.2', require: 'rspec/retry'
gem 'rspec_junit_formatter', '~> 0.6.0'
gem 'faker', '~> 2.23'
gem 'knapsack', '~> 4.0'
@ -36,7 +36,7 @@ gem "warning", "~> 1.3"
gem 'confiner', '~> 0.3'
gem 'chemlab', '~> 0.10'
gem 'chemlab-library-www-gitlab-com', '~> 0.1'
gem 'chemlab-library-www-gitlab-com', '~> 0.1', '>= 0.1.1'
# dependencies for jenkins client
gem 'nokogiri', '~> 1.13', '>= 1.13.9'

View File

@ -307,7 +307,7 @@ DEPENDENCIES
capybara (~> 3.37.1)
capybara-screenshot (~> 1.0.26)
chemlab (~> 0.10)
chemlab-library-www-gitlab-com (~> 0.1)
chemlab-library-www-gitlab-com (~> 0.1, >= 0.1.1)
confiner (~> 0.3)
deprecation_toolkit (~> 2.0.0)
faker (~> 2.23)
@ -328,7 +328,7 @@ DEPENDENCIES
rotp (~> 6.2.0)
rspec (~> 3.11)
rspec-parameterized (~> 0.5.2)
rspec-retry (~> 0.6.1)
rspec-retry (~> 0.6.2)
rspec_junit_formatter (~> 0.6.0)
ruby-debug-ide (~> 0.7.3)
selenium-webdriver (~> 4.5)
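Review bot: both Gemfile.lock hunks touch only the `DEPENDENCIES` block; the resolved versions in the `GEM` specs section are not shown, so confirm the lock was regenerated (for example with `bundle lock`) so that `rspec-retry (~> 0.6.2)` and `chemlab-library-www-gitlab-com (~> 0.1, >= 0.1.1)` actually resolve to 0.6.2 and 0.1.1 rather than leaving the lock inconsistent with the Gemfile.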

View File

@ -3,6 +3,8 @@
module QA
# Spec uses real github.com, which means outage of github.com can actually block deployment
# Keep spec in reliable bucket but don't run in blocking pipelines
#
# https://github.com/gitlab-qa-github/import-test <- project under test
RSpec.describe 'Manage', :github, :reliable, :skip_live_env, :requires_admin, product_group: :import do
describe 'Project import', issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/353583' do
let!(:api_client) { Runtime::API::Client.as_admin }
@ -14,13 +16,15 @@ module QA
end
end
let!(:user_api_client) { Runtime::API::Client.new(user: user) }
let(:imported_project) do
Resource::ProjectImportedFromGithub.fabricate_via_api! do |project|
project.name = 'imported-project'
project.group = group
project.github_personal_access_token = Runtime::Env.github_access_token
project.github_repository_path = 'gitlab-qa-github/import-test'
project.api_client = Runtime::API::Client.new(user: user)
project.api_client = user_api_client
project.issue_events_import = true
project.full_notes_import = true
end
@ -50,6 +54,7 @@ module QA
verify_milestones_import
verify_wikis_import
verify_merge_requests_import
verify_release_import
end
end
@ -107,18 +112,6 @@ module QA
)
end
def verify_issues_import
issues = imported_project.issues
expect(issues.length).to eq(1)
expect(issues.first).to include(
title: 'Test issue',
description: "*Created by: gitlab-qa-github*\n\nTest issue description",
labels: ['good first issue', 'help wanted', 'question'],
user_notes_count: 2
)
end
def verify_milestones_import
milestones = imported_project.milestones
@ -133,14 +126,47 @@ module QA
expect(wikis.first).to include(title: 'Home', format: 'markdown')
end
def verify_issues_import
issues = imported_project.issues
issue = Resource::Issue.init do |resource|
resource.project = imported_project
resource.iid = issues.first[:iid]
resource.api_client = user_api_client
end.reload!
comments, events = fetch_events_and_comments(issue)
expect(issues.length).to eq(1)
expect(issue.api_resource).to include(
title: 'Test issue',
description: "*Created by: gitlab-qa-github*\n\nTest issue description",
labels: ['good first issue', 'help wanted', 'question']
)
expect(comments).to match_array(
[
"*Created by: gitlab-qa-github*\n\nSome test comment",
"*Created by: gitlab-qa-github*\n\nAnother test comment"
]
)
expect(events).to match_array(
[
{ name: "add_label", label: "question" },
{ name: "add_label", label: "good first issue" },
{ name: "add_label", label: "help wanted" },
{ name: "add_milestone", label: "0.0.1" },
{ name: "closed" },
{ name: "reopened" }
]
)
end
def verify_merge_requests_import
merge_requests = imported_project.merge_requests
merge_request = Resource::MergeRequest.init do |mr|
mr.project = imported_project
mr.iid = merge_requests.first[:iid]
mr.api_client = api_client
mr.api_client = user_api_client
end.reload!
mr_comments = merge_request.comments.map { |comment| comment[:body] }
comments, events = fetch_events_and_comments(merge_request)
expect(merge_requests.length).to eq(1)
expect(merge_request.api_resource).to include(
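Review bot: in `verify_issues_import`, `issues.first[:iid]` is dereferenced inside the `Resource::Issue.init` block before `expect(issues.length).to eq(1)` runs, so an import that yields no issues fails with a `NoMethodError` on `nil` instead of the intended expectation message; move the length check above the `init` call. `verify_merge_requests_import` has the same ordering with `merge_requests.first[:iid]`. Switching the merge request reload from the admin `api_client` to `user_api_client` also changes which user's permissions the reload exercises, which is worth a line in the commit message.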
@ -149,17 +175,49 @@ module QA
target_branch: 'main',
source_branch: 'gitlab-qa-github-patch-1',
labels: %w[documentation],
description: <<~DSC.strip
*Created by: gitlab-qa-github*\n\nTest pull request body
DSC
description: "*Created by: gitlab-qa-github*\n\nTest pull request body"
)
expect(mr_comments).to match_array(
expect(comments).to match_array(
[
"*Created by: gitlab-qa-github*\n\n**Review:** Commented\n\nGood but needs some improvement",
"*Created by: gitlab-qa-github*\n\n```suggestion:-0+0\nProject for GitHub import test to GitLab\r\n```",
"*Created by: gitlab-qa-github*\n\nSome test PR comment"
]
)
expect(events).to match_array(
[
{ name: "add_label", label: "documentation" },
{ name: "add_milestone", label: "0.0.1" }
]
)
end
def verify_release_import
releases = imported_project.releases
expect(releases.length).to eq(1)
expect(releases.first).to include(
tag_name: "0.0.1",
name: "0.0.1",
description: "Initial release",
created_at: "2022-03-07T07:59:22.000Z",
released_at: "2022-03-07T08:02:09.000Z"
)
end
# Fetch events and comments from issue or mr
#
# @param [QA::Resource::Issuable] issuable
# @return [Array]
def fetch_events_and_comments(issuable)
comments = issuable.comments.map { |comment| comment[:body] }
events = [
*issuable.label_events.map { |e| { name: "#{e[:action]}_label", label: e.dig(:label, :name) } },
*issuable.state_events.map { |e| { name: e[:state] } },
*issuable.milestone_events.map { |e| { name: "#{e[:action]}_milestone", label: e.dig(:milestone, :title) } }
]
[comments, events]
end
end
end
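Review bot: the `@return [Array]` tag on `fetch_events_and_comments` undersells the contract; the method returns a fixed pair, so document it as `@return [Array(Array<String>, Array<Hash>)] comments, events` (or return a hash or Struct) so callers writing `comments, events = ...` can see the shape. The milestone events also store the milestone title under a `label:` key (`{ name: "add_milestone", label: "0.0.1" }`), which reads as a label name; a neutral key such as `value:` would avoid that confusion in the `match_array` expectations.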