diff --git a/danger/pajamas/Dangerfile b/danger/pajamas/Dangerfile index fde12c08b35..5fe9e9e8b19 100644 --- a/danger/pajamas/Dangerfile +++ b/danger/pajamas/Dangerfile @@ -20,8 +20,6 @@ PATTERNS = %w[ The `execute_filemode` field in the response was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83499) in GitLab 14.10. -Allows you to receive information about file in repository like name, size, +Allows you to receive information about file in repository like name, size, and content. File content is Base64 encoded. This endpoint can be accessed without authentication if the repository is publicly accessible. @@ -37,11 +37,11 @@ GET /projects/:id/repository/files/:file_path curl --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/projects/13083/repository/files/app%2Fmodels%2Fkey%2Erb?ref=master" ``` -| Attribute | Type | Required | Description | -|-------------|----------------|----------|-----------------------------------------------------------------------------------------------------------------| -| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user | -| `file_path` | string | yes | URL encoded full path to new file. Ex. `lib%2Fclass%2Erb`. | -| `ref` | string | yes | The name of branch, tag or commit | +| Attribute | Type | Required | Description | +|-------------|----------------|----------|-------------| +| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. | +| `file_path` | string | yes | URL encoded full path to new file, such as `lib%2Fclass%2Erb`. | +| `ref` | string | yes | The name of branch, tag or commit. | Example response: 
@@ -62,7 +62,8 @@ Example response: ``` NOTE: -`blob_id` is the blob SHA, see [repositories - Get a blob from repository](repositories.md#get-a-blob-from-repository) +`blob_id` is the blob SHA. Refer to [Get a blob from repository](repositories.md#get-a-blob-from-repository) +in the Repositories API. In addition to the `GET` method, you can also use `HEAD` to get just file metadata. 
@@ -100,14 +101,14 @@ Allows you to receive blame information. Each blame range contains lines and cor GET /projects/:id/repository/files/:file_path/blame ``` -| Attribute | Type | Required | Description | -|-----------------|-------------------|----------|--------------------------------------------------------------------------------------------------------------| -| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user | -| `file_path` | string | yes | URL encoded full path to new file. Ex. `lib%2Fclass%2Erb`. | -| `ref` | string | yes | The name of branch, tag or commit | -| `range` | hash | no | Blame range | -| `range[start]` | integer | yes | The first line of the range to blame | -| `range[end]` | integer | yes | The last line of the range to blame | +| Attribute | Type | Required | Description | +|-----------------|-------------------|----------|-------------| +| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. | +| `file_path` | string | yes | URL-encoded full path to new file, such as`lib%2Fclass%2Erb`. | +| `ref` | string | yes | The name of branch, tag or commit. | +| `range[end]` | integer | yes | The last line of the range to blame. | +| `range[start]` | integer | yes | The first line of the range to blame. | +| `range` | hash | no | Blame range. | ```shell curl --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/projects/13083/repository/files/path%2Fto%2Ffile.rb/blame?ref=master" 
@@ -142,7 +143,7 @@ Example response: ``` NOTE: -`HEAD` method return just file metadata as in [Get file from repository](repository_files.md#get-file-from-repository). +`HEAD` method returns just file metadata, as in [Get file from repository](repository_files.md#get-file-from-repository). ```shell curl --head --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/projects/13083/repository/files/path%2Fto%2Ffile.rb/blame?ref=master" @@ -168,7 +169,8 @@ X-Gitlab-Execute-Filemode: false ### Examples -To request a blame range, specify `range[start]` and `range[end]` parameters with the start and end line numbers of the file. +To request a blame range, specify `range[start]` and `range[end]` parameters with +the starting and ending line numbers of the file. ```shell curl --head --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/projects/13083/repository/files/path%2Fto%2Ffile.rb/blame?ref=master&range[start]=1&range[end]=2" 
@@ -207,24 +209,25 @@ Example response: GET /projects/:id/repository/files/:file_path/raw ``` -| Attribute | Type | Required | Description | -|-------------|----------------|----------|-----------------------------------------------------------------------------------------------------------------| -| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user | -| `file_path` | string | yes | URL encoded full path to new file. Ex. `lib%2Fclass%2Erb`. | -| `ref` | string | yes | The name of branch, tag or commit. Default is the `HEAD` of the project. | +| Attribute | Type | Required | Description | +|-------------|----------------|----------|------------| +| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. | +| `file_path` | string | yes | URL-encoded full path to new file, such as `lib%2Fclass%2Erb`. | +| `ref` | string | yes | The name of branch, tag or commit. Default is the `HEAD` of the project. | ```shell curl --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/projects/13083/repository/files/app%2Fmodels%2Fkey%2Erb/raw?ref=master" ``` NOTE: -Like [Get file from repository](repository_files.md#get-file-from-repository) you can use `HEAD` to get just file metadata. +Like [Get file from repository](repository_files.md#get-file-from-repository), you can use `HEAD` to get just file metadata. ## Create new file in repository > The `execute_filemode` parameter was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83499) in GitLab 14.10. -This allows you to create a single file. For creating multiple files with a single request see the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions). +Allows you to create a single file. 
For creating multiple files with a single request, +refer to the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions). ```plaintext POST /projects/:id/repository/files/:file_path @@ -232,16 +235,16 @@ POST /projects/:id/repository/files/:file_path | Attribute | Type | Required | Description | | ---------------- | -------------- | -------- | ----------- | -| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. | -| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. | | `branch` | string | yes | Name of the new branch to create. The commit is added to this branch. | -| `start_branch` | string | no | Name of the base branch to create the new branch from. | -| `encoding` | string | no | Change encoding to `base64`. Default is `text`. | +| `commit_message` | string | yes | The commit message. | +| `content` | string | yes | The file's content. | +| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. | +| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. | | `author_email` | string | no | The commit author's email address. | | `author_name` | string | no | The commit author's name. | -| `content` | string | yes | The file's content. | -| `commit_message` | string | yes | The commit message. | +| `encoding` | string | no | Change encoding to `base64`. Default is `text`. | | `execute_filemode` | boolean | no | Enables or disables the `execute` flag on the file. Can be `true` or `false`. | +| `start_branch` | string | no | Name of the base branch to create the new branch from. | ```shell curl --request POST --header 'PRIVATE-TOKEN: ' \ 
@@ -264,7 +267,8 @@ Example response: > The `execute_filemode` parameter was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83499) in GitLab 14.10. -This allows you to update a single file. For updating multiple files with a single request see the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions). +Allows you to update a single file. For updating multiple files with a single request, +refer to the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions). ```plaintext PUT /projects/:id/repository/files/:file_path 
@@ -272,17 +276,17 @@ PUT /projects/:id/repository/files/:file_path | Attribute | Type | Required | Description | | ---------------- | -------------- | -------- | ----------- | -| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user | -| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. | | `branch` | string | yes | Name of the new branch to create. The commit is added to this branch. | -| `start_branch` | string | no | Name of the base branch to create the new branch from. | -| `encoding` | string | no | Change encoding to `base64`. Default is `text`. | +| `commit_message` | string | yes | The commit message. | +| `content` | string | yes | The file's content. | +| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. | +| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user | | `author_email` | string | no | The commit author's email address. | | `author_name` | string | no | The commit author's name. | -| `content` | string | yes | The file's content. | -| `commit_message` | string | yes | The commit message. | -| `last_commit_id` | string | no | Last known file commit ID. | +| `encoding` | string | no | Change encoding to `base64`. Default is `text`. | | `execute_filemode` | boolean | no | Enables or disables the `execute` flag on the file. Can be `true` or `false`. | +| `last_commit_id` | string | no | Last known file commit ID. | +| `start_branch` | string | no | Name of the base branch to create the new branch from. | ```shell curl --request PUT --header 'PRIVATE-TOKEN: ' \ 
@@ -301,19 +305,19 @@ Example response: } ``` -If the commit fails for any reason we return a 400 error with a non-specific +If the commit fails for any reason we return a `400 Bad Request` error with a non-specific error message. Possible causes for a failed commit include: -- the `file_path` contained `/../` (attempted directory traversal); -- the new file contents were identical to the current file contents. That is, the - user tried to make an empty commit; -- the branch was updated by a Git push while the file edit was in progress. +- The `file_path` contained `/../` (attempted directory traversal). +- The commit was empty: new file contents were identical to the current file contents. +- The branch was updated by `git push` while the file edit was in progress. -GitLab Shell has a boolean return code, preventing GitLab from specifying the error. +[GitLab Shell](https://gitlab.com/gitlab-org/gitlab-shell/) has a boolean return code, preventing GitLab from specifying the error. ## Delete existing file in repository -This allows you to delete a single file. For deleting multiple files with a single request, see the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions). +This allows you to delete a single file. For deleting multiple files with a single request, +refer to the [commits API](commits.md#create-a-commit-with-multiple-files-and-actions). ```plaintext DELETE /projects/:id/repository/files/:file_path 
@@ -321,14 +325,14 @@ DELETE /projects/:id/repository/files/:file_path | Attribute | Type | Required | Description | | ---------------- | -------------- | -------- | ----------- | -| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. | -| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. | | `branch` | string | yes | Name of the new branch to create. The commit is added to this branch. | -| `start_branch` | string | no | Name of the base branch to create the new branch from. | +| `commit_message` | string | yes | The commit message. | +| `file_path` | string | yes | URL-encoded full path to new file. For example: `lib%2Fclass%2Erb`. | +| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) owned by the authenticated user. | | `author_email` | string | no | The commit author's email address. | | `author_name` | string | no | The commit author's name. | -| `commit_message` | string | yes | The commit message. | | `last_commit_id` | string | no | Last known file commit ID. | +| `start_branch` | string | no | Name of the base branch to create the new branch from. | ```shell curl --request DELETE --header 'PRIVATE-TOKEN: ' \ diff --git a/doc/api/scim.md b/doc/api/scim.md index b1763a44fc4..5ac5a127e8a 100644 --- a/doc/api/scim.md +++ b/doc/api/scim.md @@ -25,7 +25,7 @@ Supported attributes: | Attribute | Type | Required | Description | |:------------------|:--------|:---------|:----------------------| -| `id` | integer | Yes | Return SAML identities for the given group ID. | +| `id` | integer | Yes | Return SCIM identities for the given group ID. | If successful, returns [`200`](index.md#status-codes) and the following response attributes: diff --git a/doc/api/users.md b/doc/api/users.md index 4a924f3b5f3..dd712cc881c 100644 --- a/doc/api/users.md +++ b/doc/api/users.md 
@@ -510,6 +510,8 @@ Parameters: Modifies an existing user. Only administrators can change attributes of a user. +The `email` field is the user's primary email address. You can only change this field to an already-added secondary email address for that user. To add more email addresses to the same user, use the [add email function](#add-email). + ```plaintext PUT /users/:id ``` @@ -1486,6 +1488,7 @@ Parameters: Deletes email owned by currently authenticated user. This returns a `204 No Content` status code if the operation was successfully or `404` if the resource was not found. +This cannot delete a primary email address. ```plaintext DELETE /user/emails/:email_id @@ -1499,7 +1502,11 @@ Parameters: ## Delete email for given user **(FREE SELF)** -Deletes email owned by a specified user. Available only for administrator. +Prerequisite: + +- You must be an administrator of a self-managed GitLab instance. + +Deletes an email address owned by a specified user. This cannot delete a primary email address. ```plaintext DELETE /users/:id/emails/:email_id diff --git a/doc/development/chatops_on_gitlabcom.md b/doc/development/chatops_on_gitlabcom.md index 16dc17dd229..fbb0453e6c9 100644 --- a/doc/development/chatops_on_gitlabcom.md +++ b/doc/development/chatops_on_gitlabcom.md @@ -31,7 +31,7 @@ To request access to ChatOps on GitLab.com: 1. Comment in your onboarding issue, and tag your onboarding buddy and your manager. Request they add you to the `ops` ChatOps project by running this command - in the `#chat-ops-test` Slack channel, replacing `` with your username: + in the `#chat-ops-test` Slack channel, replacing `` with your GitLab.com username: `/chatops run member add gitlab-com/chatops --ops` ```plaintext diff --git a/doc/development/deprecation_guidelines/index.md b/doc/development/deprecation_guidelines/index.md index a940cd9404c..be4a3369dcb 100644 --- a/doc/development/deprecation_guidelines/index.md +++ b/doc/development/deprecation_guidelines/index.md 
@@ -83,7 +83,7 @@ For configuration removals, see the [Omnibus deprecation policy](../../administr For versioning and upgrade details, see our [Release and Maintenance policy](../../policy/maintenance.md). -## Update the deprecations and removals documentation +## Update the deprecations and removals documentation pages The [deprecations](../../update/deprecations.md) and [removals](../../update/removals.md) documentation is generated from the YAML files located in @@ -131,3 +131,7 @@ Related Handbook pages: - - + +## Update the related documentation + +When features are deprecated and removed, [update the related documentation](../documentation/versions.md#deprecations-and-removals). diff --git a/doc/development/documentation/restful_api_styleguide.md b/doc/development/documentation/restful_api_styleguide.md index dc84f3a08dd..4be7055b45f 100644 --- a/doc/development/documentation/restful_api_styleguide.md +++ b/doc/development/documentation/restful_api_styleguide.md @@ -129,7 +129,7 @@ To deprecate an attribute: ``` To widely announce a deprecation, or if it's a breaking change, -[update the deprecations and removals documentation](../deprecation_guidelines/index.md#update-the-deprecations-and-removals-documentation). +[update the deprecations and removals documentation pages](../deprecation_guidelines/index.md#update-the-deprecations-and-removals-documentation-pages). ## Method description diff --git a/doc/user/application_security/iac_scanning/index.md b/doc/user/application_security/iac_scanning/index.md index 150c2b732d8..a01ce59c860 100644 --- a/doc/user/application_security/iac_scanning/index.md +++ b/doc/user/application_security/iac_scanning/index.md 
@@ -16,6 +16,8 @@ Currently, IaC scanning supports configuration files for Terraform, Ansible, AWS IaC Scanning runs in the `test` stage, which is available by default. If you redefine the stages in the `.gitlab-ci.yml` file, the `test` stage is required. +We recommend a minimum of 4GB RAM to ensure consistent performance. + To run IaC scanning jobs, by default, you need GitLab Runner with the [`docker`](https://docs.gitlab.com/runner/executors/docker.html) or [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor. 
@@ -32,16 +34,16 @@ is **not** `19.03.0`. See [troubleshooting information](../sast/index.md#error-r GitLab IaC scanning supports a variety of IaC configuration files. Our IaC security scanners also feature automatic language detection which works even for mixed-language projects. If any supported configuration files are detected in project source code we automatically run the appropriate IaC analyzers. -| Configuration File Type | Scan tool | Introduced in GitLab Version | -|------------------------------------------|----------------------------------|-------------------------------| -| Ansible | [KICS](https://kics.io/) | 14.5 | -| AWS CloudFormation | [KICS](https://kics.io/) | 14.5 | -| Azure Resource Manager 1 | [KICS](https://kics.io/) | 14.5 | -| Dockerfile | [KICS](https://kics.io/) | 14.5 | -| Google Deployment Manager | [KICS](https://kics.io/) | 14.5 | -| Kubernetes | [KICS](https://kics.io/) | 14.5 | -| OpenAPI | [KICS](https://kics.io/) | 14.5 | -| Terraform 2 | [KICS](https://kics.io/) | 14.5 | +| Configuration File Type | Scan tool | Introduced in GitLab Version | +| ----------------------------------- | ------------------------ | ---------------------------- | +| Ansible | [KICS](https://kics.io/) | 14.5 | +| AWS CloudFormation | [KICS](https://kics.io/) | 14.5 | +| Azure Resource Manager 1 | [KICS](https://kics.io/) | 14.5 | +| Dockerfile | [KICS](https://kics.io/) | 14.5 | +| Google Deployment Manager | [KICS](https://kics.io/) | 14.5 | +| Kubernetes | [KICS](https://kics.io/) | 14.5 | +| OpenAPI | [KICS](https://kics.io/) | 14.5 | +| Terraform 2 | [KICS](https://kics.io/) | 14.5 | 1. IaC scanning can analyze Azure Resource Manager templates in JSON format. 
If you write templates in the [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them. 1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature. @@ -77,7 +79,7 @@ Different features are available in different [GitLab tiers](https://about.gitla as shown in the following table: | Capability | In Free & Premium | In Ultimate | -|:----------------------------------------------------------------|:--------------------|:-------------------| +| :-------------------------------------------------------------- | :------------------ | :----------------- | | [Configure IaC scanner](#configuration) | **{check-circle}** | **{check-circle}** | | Download [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** | | See new findings in merge request widget | **{dotted-circle}** | **{check-circle}** | diff --git a/doc/user/application_security/sast/analyzers.md b/doc/user/application_security/sast/analyzers.md index b7932aae35c..e83825636bf 100644 --- a/doc/user/application_security/sast/analyzers.md +++ b/doc/user/application_security/sast/analyzers.md @@ -12,7 +12,7 @@ Static Application Security Testing (SAST) uses analyzers to detect vulnerabilities in source code. Each analyzer is a wrapper around a [scanner](../terminology/index.md#scanner), a third-party code analysis tool. The analyzers are published as Docker images that SAST uses to launch dedicated containers for each -analysis. +analysis. We recommend a minimum of 4GB RAM to ensure consistent performance of the analyzers. SAST default images are maintained by GitLab, but you can also integrate your own custom image. 
@@ -26,11 +26,8 @@ For each scanner, an analyzer: SAST supports the following official analyzers: -- [`bandit`](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Bandit) - [`brakeman`](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) (Brakeman) -- [`eslint`](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (ESLint (JavaScript and React)) - [`flawfinder`](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) (Flawfinder) -- [`gosec`](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Gosec) - [`kubesec`](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) (Kubesec) - [`mobsf`](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (MobSF (beta)) - [`nodejs-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) (NodeJsScan) 
@@ -41,6 +38,12 @@ SAST supports the following official analyzers: - [`sobelow`](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) (Sobelow (Elixir Phoenix)) - [`spotbugs`](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) (SpotBugs with the Find Sec Bugs plugin (Ant, Gradle and wrapper, Grails, Maven and wrapper, SBT)) +SAST has used other analyzers in previous versions. These analyzers reached End of Support status and do not receive updates: + +- [`bandit`](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Bandit); [End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. Replaced by the `semgrep` analyzer with GitLab-managed rules. +- [`eslint`](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (ESLint (JavaScript and React)); [End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. Replaced by the `semgrep` analyzer with GitLab-managed rules. +- [`gosec`](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Gosec); [End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. Replaced by the `semgrep` analyzer with GitLab-managed rules. + ## SAST analyzer features For an analyzer to be considered Generally Available, it is expected to minimally 
@@ -126,16 +129,16 @@ You can see how Semgrep-based scanning will work in your projects before the Git We recommend that you test this change in a merge request but continue using the Stable template in your default branch pipeline configuration. In GitLab 15.3, we [activated a feature flag](https://gitlab.com/gitlab-org/gitlab/-/issues/362179) to migrate security findings on the default branch from other analyzers to Semgrep. -We plan to [plan to remove the deprecated analyzers](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) from the Stable CI/CD template in GitLab 15.4. +In GitLab 15.4, we [removed the deprecated analyzers](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) from the Stable CI/CD template. -To preview the upcoming changes to the CI/CD configuration: +To preview the upcoming changes to the CI/CD configuration in GitLab 15.3 or earlier: 1. Open an MR to switch from the Stable CI/CD template, `SAST.gitlab-ci.yaml`, to [the Latest template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml), `SAST.latest.gitlab-ci.yaml`. - On GitLab.com, use the latest template directly: ```yaml include: - template: 'SAST.latest.gitlab-ci.yaml' + template: 'Jobs/SAST.latest.gitlab-ci.yaml' ``` - On a Self-Managed instance, download the template from GitLab.com: @@ -169,8 +172,8 @@ This variable affects all Secure analyzers, not just the analyzers for SAST. To have GitLab download the analyzers' images from a custom Docker registry, define the prefix with the `SECURE_ANALYZERS_PREFIX` CI/CD variable. -For example, the following instructs SAST to pull `my-docker-registry/gitlab-images/bandit` instead -of `registry.gitlab.com/security-products/bandit`: +For example, the following instructs SAST to pull `my-docker-registry/gitlab-images/semgrep` instead +of `registry.gitlab.com/security-products/semgrep`: ```yaml include: 
@@ -206,14 +209,14 @@ source code languages detected. However, you can disable select analyzers. To disable select analyzers, set the CI/CD variable `SAST_EXCLUDED_ANALYZERS` to a comma-delimited string listing the analyzers that you want to prevent running. -For example, to disable the `eslint` analyzer: +For example, to disable the `spotbugs` analyzer: ```yaml include: - template: Security/SAST.gitlab-ci.yml variables: - SAST_EXCLUDED_ANALYZERS: "eslint" + SAST_EXCLUDED_ANALYZERS: "spotbugs" ``` ### Custom analyzers 
@@ -249,25 +252,27 @@ Each analyzer provides data about the vulnerabilities it detects. The following data available from each analyzer. The values provided by these tools are heterogeneous so they are sometimes normalized into common values, for example, `severity` and `confidence`. -| Property / tool | Apex | Bandit | Brakeman | ESLint security | SpotBugs | Flawfinder | Gosec | Kubesec Scanner | MobSF | NodeJsScan | PHP CS Security Audit | Security code Scan (.NET) | Semgrep | Sobelow | +| Property / tool | Apex | Bandit1 | Brakeman | ESLint security1 | SpotBugs | Flawfinder | Gosec1 | Kubesec Scanner | MobSF | NodeJsScan | PHP CS Security Audit | Security code Scan (.NET) | Semgrep | Sobelow | |--------------------------------|------|--------|----------|-----------------|----------|------------|-------|-----------------|-------|------------|-----------------------|---------------------------|---------|---------| | Affected item (for example, class or package) | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| Confidence | ✗ | ✓ | ✓ | ✗ | ✓ | x | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✓ | -| Description | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | -| End column | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| End line | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| External ID (for example, CVE) | ✗ | ✗ | ⚠ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ | -| File | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | -| Internal doc/explanation | ✓ | ⚠ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | -| Internal ID | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | -| Severity | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ⚠ | ✗ | -| Solution | ✓ | ✗ | ✗ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ | -| Source code extract | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| Start column | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | -| Start line | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ 
| ✓ | -| Title | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | -| URLs | ✓ | ✗ | ✓ | ✗ | ⚠ | ✗ | ⚠ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | +| Confidence | ✗ | ✓ | ✓ | ✗ | ✓ | x | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✓ | +| Description | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | +| End column | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | +| End line | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | +| External ID (for example, CVE) | ✗ | ✗ | ⚠ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ | +| File | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | +| Internal doc/explanation | ✓ | ⚠ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | +| Internal ID | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | +| Severity | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ⚠ | ✗ | +| Solution | ✓ | ✗ | ✗ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ | +| Source code extract | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | +| Start column | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | +| Start line | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | +| Title | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | +| URLs | ✓ | ✗ | ✓ | ✗ | ⚠ | ✗ | ⚠ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | - ✓ => Data is available. - ⚠ => Data is available, but it's partially reliable, or it has to be extracted from unstructured content. - ✗ => Data is not available or it would require specific, inefficient or unreliable, logic to obtain it. + +1. This analyzer has reached [End of Support](https://about.gitlab.com/handbook/product/gitlab-the-product/#end-of-support). For more information, see the [SAST analyzers](#sast-analyzers) section. diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 6b8bc1933a3..a7624db4604 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md 
@@ -83,14 +83,14 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu | C | [Semgrep](https://semgrep.dev) | 14.2 | | C/C++ | [Flawfinder](https://github.com/david-a-wheeler/flawfinder) | 10.7 | | Elixir (Phoenix) | [Sobelow](https://github.com/nccgroup/sobelow) | 11.1 | -| Go | [Gosec](https://github.com/securego/gosec) | 10.7 | +| Go3 | [Gosec](https://github.com/securego/gosec) | 10.7 | | Go | [Semgrep](https://semgrep.dev) | 14.4 | | Groovy2 | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Maven, SBT) | | Helm Charts | [Kubesec](https://github.com/controlplaneio/kubesec) | 13.1 | | Java (any build system) | [Semgrep](https://semgrep.dev) | 14.10 | -| Java2 | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (SBT) | +| Java2, 3 | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (SBT) | | Java (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | -| JavaScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 | +| JavaScript3 | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 | | JavaScript | [Semgrep](https://semgrep.dev) | 13.10 | | Kotlin (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | | Kotlin (General)2 | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 13.11 | 
@@ -98,15 +98,15 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu | Node.js | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan) | 11.1 | | Objective-C (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | | PHP | [phpcs-security-audit](https://github.com/FloeDesignTechnologies/phpcs-security-audit) | 10.8 | -| Python ([pip](https://pip.pypa.io/en/stable/)) | [bandit](https://github.com/PyCQA/bandit) | 10.3 | +| Python3 | [bandit](https://github.com/PyCQA/bandit) | 10.3 | | Python | [Semgrep](https://semgrep.dev) | 13.9 | -| React | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react) | 12.5 | +| React3 | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react) | 12.5 | | React | [Semgrep](https://semgrep.dev) | 13.10 | | Ruby | [brakeman](https://brakemanscanner.org) | 13.9 | | Ruby on Rails | [brakeman](https://brakemanscanner.org) | 10.3 | | Scala2 | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Gradle, Maven) | | Swift (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | -| TypeScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 | +| TypeScript3 | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 | | TypeScript | [Semgrep](https://semgrep.dev) | 13.10 | 1. .NET 4 support is limited. The analyzer runs in a Linux container and does not have access to Windows-specific libraries or features. Use the Semgrep-based scanner if you need .NET 4 support. 
@@ -114,6 +114,7 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu [Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html), [Grails](https://grails.org/), and the [Maven wrapper](https://github.com/takari/maven-wrapper). However, SpotBugs has [limitations](https://gitlab.com/gitlab-org/gitlab/-/issues/350801) when used against [Ant](https://ant.apache.org/)-based projects. We recommend using the Semgrep-based analyzer for Ant-based Java projects. +1. These analyzers reached [End of Support](https://about.gitlab.com/handbook/product/gitlab-the-product/#end-of-support) status [in GitLab 15.4](https://gitlab.com/gitlab-org/gitlab/-/issues/352554). ### Multi-project support @@ -473,8 +474,8 @@ All customization of GitLab security scanning tools should be tested in a merge merging these changes to the default branch. Failure to do so can give unexpected results, including a large number of false positives. -The following example includes the SAST template to override the `SAST_GOSEC_LEVEL` -variable to `2`. The template is [evaluated before](../../../ci/yaml/index.md#include) the pipeline +The following example includes the SAST template to override the `SEARCH_MAX_DEPTH` +variable to `10`. The template is [evaluated before](../../../ci/yaml/index.md#include) the pipeline configuration, so the last mention of the variable takes precedence. ```yaml @@ -482,7 +483,7 @@ include: - template: Security/SAST.gitlab-ci.yml variables: - SAST_GOSEC_LEVEL: 2 + SEARCH_MAX_DEPTH: 10 ``` #### Logging level 
@@ -536,10 +537,10 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre |------------------------------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs (see [`doublestar.Match`](https://pkg.go.dev/github.com/bmatcuk/doublestar/v4@v4.0.2#Match) for supported patterns), or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. You might need to exclude temporary directories used by your build tool as these can generate false positives. To exclude paths, copy and paste the default excluded paths, then **add** your own paths to be excluded. If you don't specify the default excluded paths, you will override the defaults and _only_ paths you specify will be excluded from the SAST scans. | | `SEARCH_MAX_DEPTH` | 4 | SAST searches the repository to detect the programming languages used, and selects the matching analyzers. Set the value of `SEARCH_MAX_DEPTH` to specify how many directory levels the search phase should span. After the analyzers have been selected, the _entire_ repository is analyzed. | -| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` | +| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'`. [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. 
| | `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. | | `SAST_FLAWFINDER_LEVEL` | 1 | Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk. | -| `SAST_GOSEC_LEVEL` | 0 | Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High. | +| `SAST_GOSEC_LEVEL` | 0 | Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High. [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. | #### Analyzer settings @@ -664,11 +665,8 @@ import the following default SAST analyzer images from `registry.gitlab.com` int [local Docker container registry](../../packages/container_registry/index.md): ```plaintext -registry.gitlab.com/security-products/bandit:2 registry.gitlab.com/security-products/brakeman:2 -registry.gitlab.com/security-products/eslint:2 registry.gitlab.com/security-products/flawfinder:2 -registry.gitlab.com/security-products/gosec:3 registry.gitlab.com/security-products/kubesec:2 registry.gitlab.com/security-products/nodejs-scan:2 registry.gitlab.com/security-products/phpcs-security-audit:2 
@@ -694,11 +692,11 @@ Support for custom certificate authorities was introduced in the following versi | Analyzer | Version | | -------- | ------- | -| `bandit` | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/releases/v2.3.0) | +| `bandit`1 | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/releases/v2.3.0) | | `brakeman` | [v2.1.0](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman/-/releases/v2.1.0) | -| `eslint` | [v2.9.2](https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/releases/v2.9.2) | +| `eslint`1 | [v2.9.2](https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/releases/v2.9.2) | | `flawfinder` | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/releases/v2.3.0) | -| `gosec` | [v2.5.0](https://gitlab.com/gitlab-org/security-products/analyzers/gosec/-/releases/v2.5.0) | +| `gosec`1 | [v2.5.0](https://gitlab.com/gitlab-org/security-products/analyzers/gosec/-/releases/v2.5.0) | | `kubesec` | [v2.1.0](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec/-/releases/v2.1.0) | | `nodejs-scan` | [v2.9.5](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan/-/releases/v2.9.5) | | `phpcs-security-audit` | [v2.8.2](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit/-/releases/v2.8.2) | 
@@ -708,6 +706,8 @@ Support for custom certificate authorities was introduced in the following versi | `sobelow` | [v2.2.0](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/releases/v2.2.0) | | `spotbugs` | [v2.7.1](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/releases/v2.7.1) | +1. These analyzers were deprecated in GitLab 14.8 and [reached End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. + ### Set SAST CI/CD variables to use local SAST analyzers Add the following configuration to your `.gitlab-ci.yml` file. You must replace diff --git a/qa/Gemfile b/qa/Gemfile index 12e5d66fc6b..19dc62c71dd 100644 --- a/qa/Gemfile +++ b/qa/Gemfile @@ -12,7 +12,7 @@ gem 'rspec', '~> 3.11' gem 'selenium-webdriver', '~> 4.5' gem 'airborne', '~> 0.3.7', require: false # airborne is messing with rspec sandboxed mode so not requiring by default gem 'rest-client', '~> 2.1.0' -gem 'rspec-retry', '~> 0.6.1', require: 'rspec/retry' +gem 'rspec-retry', '~> 0.6.2', require: 'rspec/retry' gem 'rspec_junit_formatter', '~> 0.6.0' gem 'faker', '~> 2.23' gem 'knapsack', '~> 4.0' @@ -36,7 +36,7 @@ gem "warning", "~> 1.3" gem 'confiner', '~> 0.3' gem 'chemlab', '~> 0.10' -gem 'chemlab-library-www-gitlab-com', '~> 0.1' +gem 'chemlab-library-www-gitlab-com', '~> 0.1', '>= 0.1.1' # dependencies for jenkins client gem 'nokogiri', '~> 1.13', '>= 1.13.9' diff --git a/qa/Gemfile.lock b/qa/Gemfile.lock index 23f82f553f1..be1df81ccef 100644 --- a/qa/Gemfile.lock +++ b/qa/Gemfile.lock @@ -307,7 +307,7 @@ DEPENDENCIES capybara (~> 3.37.1) capybara-screenshot (~> 1.0.26) chemlab (~> 0.10) - chemlab-library-www-gitlab-com (~> 0.1) + chemlab-library-www-gitlab-com (~> 0.1, >= 0.1.1) confiner (~> 0.3) deprecation_toolkit (~> 2.0.0) faker (~> 2.23) 
@@ -328,7 +328,7 @@ DEPENDENCIES rotp (~> 6.2.0) rspec (~> 3.11) rspec-parameterized (~> 0.5.2) - rspec-retry (~> 0.6.1) + rspec-retry (~> 0.6.2) rspec_junit_formatter (~> 0.6.0) ruby-debug-ide (~> 0.7.3) selenium-webdriver (~> 4.5) diff --git a/qa/qa/specs/features/api/1_manage/import/import_github_repo_spec.rb b/qa/qa/specs/features/api/1_manage/import/import_github_repo_spec.rb index c3e41e9298b..a79e7516578 100644 --- a/qa/qa/specs/features/api/1_manage/import/import_github_repo_spec.rb +++ b/qa/qa/specs/features/api/1_manage/import/import_github_repo_spec.rb @@ -3,6 +3,8 @@ module QA # Spec uses real github.com, which means outage of github.com can actually block deployment # Keep spec in reliable bucket but don't run in blocking pipelines + # + # https://github.com/gitlab-qa-github/import-test <- project under test RSpec.describe 'Manage', :github, :reliable, :skip_live_env, :requires_admin, product_group: :import do describe 'Project import', issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/353583' do let!(:api_client) { Runtime::API::Client.as_admin } @@ -14,13 +16,15 @@ module QA end end + let!(:user_api_client) { Runtime::API::Client.new(user: user) } + let(:imported_project) do Resource::ProjectImportedFromGithub.fabricate_via_api! do |project| project.name = 'imported-project' project.group = group project.github_personal_access_token = Runtime::Env.github_access_token project.github_repository_path = 'gitlab-qa-github/import-test' - project.api_client = Runtime::API::Client.new(user: user) + project.api_client = user_api_client project.issue_events_import = true project.full_notes_import = true end @@ -50,6 +54,7 @@ module QA verify_milestones_import verify_wikis_import verify_merge_requests_import + verify_release_import end end 
@@ -107,18 +112,6 @@ module QA ) end - def verify_issues_import - issues = imported_project.issues - - expect(issues.length).to eq(1) - expect(issues.first).to include( - title: 'Test issue', - description: "*Created by: gitlab-qa-github*\n\nTest issue description", - labels: ['good first issue', 'help wanted', 'question'], - user_notes_count: 2 - ) - end - def verify_milestones_import milestones = imported_project.milestones 
@@ -133,14 +126,47 @@ module QA expect(wikis.first).to include(title: 'Home', format: 'markdown') end + def verify_issues_import + issues = imported_project.issues + issue = Resource::Issue.init do |resource| + resource.project = imported_project + resource.iid = issues.first[:iid] + resource.api_client = user_api_client + end.reload! + comments, events = fetch_events_and_comments(issue) + + expect(issues.length).to eq(1) + expect(issue.api_resource).to include( + title: 'Test issue', + description: "*Created by: gitlab-qa-github*\n\nTest issue description", + labels: ['good first issue', 'help wanted', 'question'] + ) + expect(comments).to match_array( + [ + "*Created by: gitlab-qa-github*\n\nSome test comment", + "*Created by: gitlab-qa-github*\n\nAnother test comment" + ] + ) + expect(events).to match_array( + [ + { name: "add_label", label: "question" }, + { name: "add_label", label: "good first issue" }, + { name: "add_label", label: "help wanted" }, + { name: "add_milestone", label: "0.0.1" }, + { name: "closed" }, + { name: "reopened" } + ] + ) + end + def verify_merge_requests_import merge_requests = imported_project.merge_requests merge_request = Resource::MergeRequest.init do |mr| mr.project = imported_project mr.iid = merge_requests.first[:iid] - mr.api_client = api_client + mr.api_client = user_api_client end.reload! - mr_comments = merge_request.comments.map { |comment| comment[:body] } + comments, events = fetch_events_and_comments(merge_request) expect(merge_requests.length).to eq(1) expect(merge_request.api_resource).to include( 
@@ -149,17 +175,49 @@ module QA target_branch: 'main', source_branch: 'gitlab-qa-github-patch-1', labels: %w[documentation], - description: <<~DSC.strip - *Created by: gitlab-qa-github*\n\nTest pull request body - DSC + description: "*Created by: gitlab-qa-github*\n\nTest pull request body" ) - expect(mr_comments).to match_array( + expect(comments).to match_array( [ "*Created by: gitlab-qa-github*\n\n**Review:** Commented\n\nGood but needs some improvement", "*Created by: gitlab-qa-github*\n\n```suggestion:-0+0\nProject for GitHub import test to GitLab\r\n```", "*Created by: gitlab-qa-github*\n\nSome test PR comment" ] ) + expect(events).to match_array( + [ + { name: "add_label", label: "documentation" }, + { name: "add_milestone", label: "0.0.1" } + ] + ) + end + + def verify_release_import + releases = imported_project.releases + + expect(releases.length).to eq(1) + expect(releases.first).to include( + tag_name: "0.0.1", + name: "0.0.1", + description: "Initial release", + created_at: "2022-03-07T07:59:22.000Z", + released_at: "2022-03-07T08:02:09.000Z" + ) + end + + # Fetch events and comments from issue or mr + # + # @param [QA::Resource::Issuable] issuable + # @return [Array] + def fetch_events_and_comments(issuable) + comments = issuable.comments.map { |comment| comment[:body] } + events = [ + *issuable.label_events.map { |e| { name: "#{e[:action]}_label", label: e.dig(:label, :name) } }, + *issuable.state_events.map { |e| { name: e[:state] } }, + *issuable.milestone_events.map { |e| { name: "#{e[:action]}_milestone", label: e.dig(:milestone, :title) } } + ] + + [comments, events] end end end
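Review bot: In the `doc/user/application_security/sast/analyzers.md` hunk, the `Confidence` row uses a lowercase `x` in its sixth analyzer column (`| ✓ | x | ✓ |`) where every other cell in the table uses `✗`; the legend below the table only defines `✓`, `⚠` and `✗`, so replace the `x` with `✗`. The new footnote there links only the handbook End of Support definition, while the matching footnote added in `index.md` at `@@ -708` links only issue 352554; linking both in each footnote keeps the two pages consistent.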
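Review bot: In the `index.md` hunk at `@@ -98`, the bandit row changes `Python ([pip](https://pip.pypa.io/en/stable/))` to `Python3`, which drops the pip qualifier as well as adding the footnote marker; the qualifier was the only thing distinguishing that row from the Semgrep `Python` row below it. If the scope statement is still accurate for 15.4 and earlier, keep it and append the marker (`Python ([pip](...))3`), otherwise mention in the MR description that the removal is intentional.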
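Review bot: In the `index.md` hunk at `@@ -473`, the example now overrides `SEARCH_MAX_DEPTH` to `10`, but the surrounding prose only explains template precedence and not what the override achieves; the variables table at `@@ -536` documents that `SEARCH_MAX_DEPTH` (default `4`) only bounds the language-detection phase and that the entire repository is analyzed afterwards. A short clause such as "to detect languages in more deeply nested directories" in the sentence "The following example includes the SAST template to override the `SEARCH_MAX_DEPTH` variable to `10`." would keep the example from reading as a scan-threshold setting like the `SAST_GOSEC_LEVEL` example it replaces.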
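Review bot: In the `index.md` hunk at `@@ -536`, the `SAST_BANDIT_EXCLUDED_PATHS` row gains "[Removed] in GitLab 15.4." but still points readers at the Python 2 `fnmatch` documentation (`https://docs.python.org/2/library/fnmatch.html`); since the line is being touched anyway, link the Python 3 page (`https://docs.python.org/3/library/fnmatch.html`), which describes the same syntax. The same "Removed in GitLab 15.4" wording appears on the `SAST_GOSEC_LEVEL` row, whereas the footnotes elsewhere in this MR say "reached End of Support"; pick one term so readers do not wonder whether "removed" means the variable is silently ignored or the analyzer job fails.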
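Review bot: In the `qa/Gemfile.lock` hunks at `@@ -307` and `@@ -328`, only the `DEPENDENCIES` section changes (`rspec-retry (~> 0.6.2)` and `chemlab-library-www-gitlab-com (~> 0.1, >= 0.1.1)`); no hunk updates the resolved versions under `specs:`, so either those gems were already resolved at or above the new minimums or the lockfile was edited by hand. Confirm the lock was regenerated with `bundle lock` so the `specs:` entries match the new constraints. These dependency bumps are also unrelated to the GitHub import spec and the SAST End of Support docs in the same diff; splitting them into their own MR would make the change history easier to bisect.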
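Review bot: In the spec hunk at `@@ -133`, `verify_issues_import` dereferences `issues.first[:iid]` (and then calls `fetch_events_and_comments(issue)`) before `expect(issues.length).to eq(1)` runs, so an import that produced no issues fails with a `NoMethodError` on `nil` rather than a readable assertion failure. Move `expect(issues.length).to eq(1)` above the `Resource::Issue.init` block; `verify_merge_requests_import` in the same hunk has the same ordering (`merge_requests.first[:iid]` before `expect(merge_requests.length).to eq(1)`) and can be fixed the same way.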
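Review bot: In the spec hunk at `@@ -149`, `fetch_events_and_comments` returns `[comments, events]`, the reverse of the order its name promises, and its YARD `@return [Array]` does not say what the two elements are; rename it `fetch_comments_and_events` (and update both call sites) and document the return as `[Array(Array<String>, Array<Hash>)]`. In the same hunk, `verify_release_import` asserts an exact `created_at: "2022-03-07T07:59:22.000Z"`, which ties the test to the importer preserving the GitHub creation timestamp rather than stamping import time; if that preservation is not a guarantee the importer makes, assert on `tag_name`, `name`, `description` and `released_at` only.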