Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-04-15 18:09:57 +00:00
parent 9bc993af35
commit 7fd0523d82
40 changed files with 381 additions and 122 deletions

130
.git-blame-ignore-revs Normal file
View File

@ -0,0 +1,130 @@
# This file contains revisions to be ignored by git blame.
# These revisions are expected to be formatting-only changes.
#
# Calling `git blame --ignore-revs-file .git-blame-ignore-revs` will
# tell git blame to ignore changes made by these revisions when assigning
# assigning blame, as if the change never happened.
#
# You can enable this as a default for your local repository by running
# `git config blame.ignoreRevsFile .git-blame-ignore-revs`
# This will probably be automatically picked by your IDE
# (VSCode+GitLens and JetBrains products are confirmed to this)
#
# Important: if you are switching to the branch without this file,
# `git blame` will fail with an error
#
# Guidelines:
# - Only large automated refactorings are expected to be included in this file.
# Do not add new revision just because it feels unimportant
# - When adding sinle revision use inline comment to link relevant issue/MR
# Example:
## d4a8b7307acc2dc8a8833ccfa65426ad28b3ffc9 # https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/60
# - When adding multiple revisions precede each addition (this could be multiple revisions) with a link to
# line with word START and link to relevant issue/MR/epic and conclude with line END and link to the
# same issue/MR/epic
# Example:
# # START https://gitlab.com/gitlab-org/issues/12345
# 6f0bd2d8a1e6cd2e794cd39976e9756e0c85ac66
# d53974df11dbc22cbea9dc7dcbc9896c25979a27
# ... <rest of the list>
# # END https://gitlab.com/gitlab-org/issues/12345
# - Please append new lines to the end of the file, no matter of real chronological
# order of revisions
# - Since this is using hashes for reformatting it might be a good idea to update
# this file in separate MR when relevant changes already landed in master. By
# utilizing this manner you will be safe from random rebase/squash issues
# - Only put full 40-character hashes on this list
# START https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/60
f2d28d7ab8525944fda634241a780006594fbe1a
94cfbb0ce38e893edda33ebc069bfa616a08a961
b69f448f0685ad96edc474f75a17e0278a6d6011
52907ac20c3af337544bdf18023730b9ada4b157
d4a8b7307acc2dc8a8833ccfa65426ad28b3ffc9
468cb9f0a4b88bf686f3e78250834f7c9d31ff76
a536349d1d219f0b79a7a711d37dd1c705e49128
6f0bd2d8a1e6cd2e794cd39976e9756e0c85ac66
d53974df11dbc22cbea9dc7dcbc9896c25979a27
818537524d13469cbc7ac5cb89263378b4cddca4
bcbbcb2e708868099301ad5039badfba2128d47b
a4c662da544b38b7e593eb79f24b24c5cb2f205e
9aa1f6207a91a76940b34c921ce89894fcd74a06
66da09846a17435f332296f73af44919ff2cfb52
216f795bab0e8fbf6023f22f6e54cc07514a04ec
e820c22892d207e138bdff717100e5240f8ffd94
2f8dbd483242575f9ceca0a2947c9b21e5ab59a0
e7d50054818ada29751539f548ef72f46deca8bb
00827a74cf3bfef985ed6046fb2d42f29cbb19ac
333bad893e98068053c888f6b020632f1c6f472e
85af3689eea96b4d9131d80d8c5c8936de520074
325fb305ea395a7f44ae1eea0a3e77e46e10c2b6
e37a6d7aa61039734025474ce901f2907283e239
dff561fa8c50e9b96aec9800b6b88ad6c7a2777b
19b0ba7265cfb154505f74b6856e73662829af2e
7c1fa749efcd59e81b565d6803285f6bd4bcefaf
5c23cb94c5d1aed2a4b02b7c1f3e5a53a0aa4760
c35cc92c80969e7c87bbcda7db6cbd04f6719589
280a79c0ec4c1383e49480f3028f5b2025a2a76b
e94556e9f9a145374bf26feb5e1823dae8a4004d
b6a8d9baf700dbb3f780b27d9a9820c9cb7a346c
9180eaee4d58a9e91c5f960148290b5271ba870c
0fdc1fc0380056836dff7aba9be3b1e4b531daea
157e117fcb530436561e3fb8faba6f751dc19e91
7cfe360c9e5460a595dfe729e81cf404c1106638
e3aca8c8f8488c55a199fc28595709b393f5040b
3b1593f2d53b735299381ad0878959cbc2fc9923
39bb37cc0d18f620006d85dfdff7b9a54077708e
cdc1a4a8eec43e6a3df05403af8d05ab6ea7a213
87ad67fef574cd102887f3dde98917f3b2bbcab8
99bff4450248457ba877dec0388241625fb0144b
d1b6d05c08e0730463084acd1a387cd9d6acea8b
557c22a8242d1d7ccf2228b9b3156e2aa0dd05aa
7f4e951ce8073b50a245ebe216a8961c88846cfa
7dae714f23f423ff362d73e0d16da7b3a6cd721f
cfb368284545a4bd1e759cfe9e3e3bde54a1ec6f
aa653d5a380d88493050b22d84df36ae6df2cddd
96ed4677c602e8f9c83b28fbc0d802aa26527ab8
72c11eb5a15735dc52dcd893e9112a10444d46e4
b48e14b89b94a1a87affabd09bc603a67fc6bb01
d46581c1fbcef34cfdd85c6c542fb4ac1b974861
ef02363c9cd41a9ce41443661efed1c0399c5551
075a78b319466aff9e94149c41c286544af91782
9f4b4de2df17268732ae198d5f48c9b99d071a35
0a8f575e365804239d29b45562ca6594b9da59e9
c04bd24738b1775b963bba3f78b48007fccce37e
1173c801ea53c9d814fdf27d878f73a1702eb4e9
a2f5e7395004c255ecaadef30d7a6b5bf453d372
80f1ea7e3f11063a4f15bdd4a2e4a1ca7f770d87
0e6e345f3b4dcb7b51403bcd096e6d3d294743f4
06ee932e0844fa4cc91c15d5ca581de262d7bedd
b3ece842f7c05230f77055ad11e3c4a07c34e1e9
5ebea3a48831351169e0a312e9d6985b31c9975b
02fad0bc640f5f91c748d692c01d6221c9b03b6e
16d4df3c7130b5a0995fdc685b272bef65ff84d5
281cc7306ab92d2e053d0bb2d79e4f3646b980f6
1877bf550016eac9ecac53ec498ec83bdd24339c
7e9741c59d1e3612017925a7b7cf0946bbdd6eca
b282f7dda6d7e93fcb0f000db8aa6634ac8d1b88
81e82875704ffb35842534433216e797c41f89c3
4914a729d17efbe250ac2cab2153f72caef3a7b7
792e349390327fa11721e2f744cafec3b05f51f4
8869ce0866823b229a863e435aa108c5d4fcf448
a223014afe14686a4e18a826fd0bac9bdaaf969b
482d756cf69e3f0dd5997ea0e58d35c0eb694e35
4700ac1d1da533cfefd50bd640db77a12c458fda
21fa9ca4832cfb57f791ff057e7c5987349aa964
8b24c8d64d9328e0884725a2075a4a21faa76842
86ce5406c3b60757f40d4c434b5ce7dfc602a643
da4eea76b3cc1d68d4bfd2705bb86e904d1b54bc
8ac8a1f21a21840b53175e9f4a423b9ffa083f71
ed189d0e9925eb08f3eb444176fad2614a3a4f83
6e183d5016afc50e60892c7f1cf79035619c2deb
9b1d8b4c2897792be067e33442ebf3ce0961a5d0
57da632154bfc193224d5a290b9c2b6cbd7fa0ad
1e3190b0049ba1b502918dc018681808b9203803
0e334037bf0f93ff6f7bc922c48fa97556f39808
07f5bc94bd983e77361c9a5020f8f229da3a465a
888002a62696ba66d8eb49f1dfe83a5a49bdf421
c152d51445d9d9dd7c2c328ca8c407fa5438d16b
26b68c70df73289210aa600fa3c1fe45f05afee4
# END https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/60

View File

@ -1,51 +0,0 @@
cloud-native-image-env:
extends:
- .default-retry
- .cng:rules
image: ${GITLAB_DEPENDENCY_PROXY}ruby:2.7-alpine3.13
stage: post-test
before_script:
- source ./scripts/utils.sh
- install_gitlab_gem
script:
- 'ruby -r./scripts/trigger-build.rb -e "puts Trigger.variables_for_env_file(Trigger::CNG.new.variables)" > build.env'
- cat build.env
artifacts:
reports:
dotenv: build.env
paths:
- build.env
expire_in: 7 days
when: always
cloud-native-image:
extends: .cng:rules
stage: post-test
needs: ["cloud-native-image-env"]
inherit:
variables: false
variables:
TOP_UPSTREAM_SOURCE_PROJECT: "${TOP_UPSTREAM_SOURCE_PROJECT}"
TOP_UPSTREAM_SOURCE_REF: "${TOP_UPSTREAM_SOURCE_REF}"
TOP_UPSTREAM_SOURCE_JOB: "${TOP_UPSTREAM_SOURCE_JOB}"
TOP_UPSTREAM_SOURCE_SHA: "${TOP_UPSTREAM_SOURCE_SHA}"
TOP_UPSTREAM_MERGE_REQUEST_PROJECT_ID: "${TOP_UPSTREAM_MERGE_REQUEST_PROJECT_ID}"
TOP_UPSTREAM_MERGE_REQUEST_IID: "${TOP_UPSTREAM_MERGE_REQUEST_IID}"
GITLAB_REF_SLUG: "${GITLAB_REF_SLUG}"
# CNG pipeline specific variables
GITLAB_VERSION: "${GITLAB_VERSION}"
GITLAB_TAG: "${GITLAB_TAG}"
GITLAB_ASSETS_TAG: "${GITLAB_ASSETS_TAG}"
FORCE_RAILS_IMAGE_BUILDS: "${FORCE_RAILS_IMAGE_BUILDS}"
CE_PIPELINE: "${CE_PIPELINE}" # Based on https://docs.gitlab.com/ee/ci/jobs/job_control.html#check-if-a-variable-exists, `if: '$CE_PIPELINE'` will evaluate to `false` when this variable is empty
EE_PIPELINE: "${EE_PIPELINE}" # Based on https://docs.gitlab.com/ee/ci/jobs/job_control.html#check-if-a-variable-exists, `if: '$EE_PIPELINE'` will evaluate to `false` when this variable is empty
GITLAB_SHELL_VERSION: "${GITLAB_SHELL_VERSION}"
GITLAB_ELASTICSEARCH_INDEXER_VERSION: "${GITLAB_ELASTICSEARCH_INDEXER_VERSION}"
GITLAB_KAS_VERSION: "${GITLAB_KAS_VERSION}"
GITLAB_WORKHORSE_VERSION: "${GITLAB_WORKHORSE_VERSION}"
GITLAB_PAGES_VERSION: "${GITLAB_PAGES_VERSION}"
GITALY_SERVER_VERSION: "${GITALY_SERVER_VERSION}"
trigger:
project: gitlab-org/build/CNG
branch: $TRIGGER_BRANCH
strategy: depend

View File

@ -1,3 +1,6 @@
include:
- remote: 'https://gitlab.com/gitlab-org/modelops/applied-ml/review-recommender/ci-templates/-/raw/v0.2.1/recommender/Reviewers.gitlab-ci.yml'
review-cleanup:
extends:
- .default-retry
@ -65,3 +68,9 @@ danger-review-local:
- .review:rules:danger-local
script:
- run_timed_command danger_as_local
reviewers-recommender:
extends:
- .default-retry
stage: test
needs: []

View File

@ -623,15 +623,6 @@
- changes: *ci-build-images-patterns
- changes: *code-qa-patterns
#############
# CNG rules #
#############
.cng:rules:
rules:
- <<: *if-dot-com-gitlab-org-and-security-tag
when: manual
allow_failure: true
######################
# CI Templates Rules #
######################

View File

@ -345,7 +345,7 @@ gem 'warning', '~> 1.2.0'
group :development do
gem 'lefthook', '~> 0.7.0', require: false
gem 'solargraph', '~> 0.43', require: false
gem 'solargraph', '~> 0.44.3', require: false
gem 'letter_opener_web', '~> 2.0.0'

View File

@ -137,7 +137,7 @@ GEM
base32 (0.3.2)
batch-loader (2.0.1)
bcrypt (3.1.16)
benchmark (0.1.1)
benchmark (0.2.0)
benchmark-ips (2.3.0)
benchmark-malloc (0.2.0)
benchmark-memory (0.1.2)
@ -1223,7 +1223,7 @@ GEM
slack-messenger (2.3.4)
snowplow-tracker (0.6.1)
contracts (~> 0.7, <= 0.11)
solargraph (0.43.0)
solargraph (0.44.3)
backport (~> 1.2)
benchmark
bundler (>= 1.17.2)
@ -1662,7 +1662,7 @@ DEPENDENCIES
simplecov-lcov (~> 0.8.0)
slack-messenger (~> 2.3.4)
snowplow-tracker (~> 0.6.1)
solargraph (~> 0.43)
solargraph (~> 0.44.3)
spamcheck (~> 0.1.0)
spring (~> 2.1.0)
spring-commands-rspec (~> 1.0.4)

View File

@ -9,6 +9,7 @@ module Users
FEATURE_FLAGS_NEW_VERSION = 'feature_flags_new_version'
REGISTRATION_ENABLED_CALLOUT = 'registration_enabled_callout'
UNFINISHED_TAG_CLEANUP_CALLOUT = 'unfinished_tag_cleanup_callout'
MINUTE_LIMIT_BANNER = 'minute_limit_banner'
SECURITY_NEWSLETTER_CALLOUT = 'security_newsletter_callout'
REGISTRATION_ENABLED_CALLOUT_ALLOWED_CONTROLLER_PATHS = [/^root/, /^dashboard\S*/, /^admin\S*/].freeze
@ -60,6 +61,10 @@ module Users
!user_dismissed?(SECURITY_NEWSLETTER_CALLOUT)
end
def minute_limit_banner_dismissed?
user_dismissed?(MINUTE_LIMIT_BANNER)
end
private
def user_dismissed?(feature_name, ignore_dismissal_earlier_than = nil)

View File

@ -92,9 +92,9 @@ class BulkImports::Entity < ApplicationRecord
def pipelines
@pipelines ||= case source_type
when 'group_entity'
BulkImports::Groups::Stage.new(bulk_import).pipelines
BulkImports::Groups::Stage.new(self).pipelines
when 'project_entity'
BulkImports::Projects::Stage.new(bulk_import).pipelines
BulkImports::Projects::Stage.new(self).pipelines
end
end

View File

@ -48,7 +48,8 @@ module Users
storage_enforcement_banner_third_enforcement_threshold: 45,
storage_enforcement_banner_fourth_enforcement_threshold: 46,
attention_requests_top_nav: 47,
attention_requests_side_nav: 48
attention_requests_side_nav: 48,
minute_limit_banner: 49
}
validates :feature_name,

View File

@ -4,6 +4,7 @@
- expanded = expanded_by_default?
= render 'shared/namespaces/cascading_settings/lock_popovers'
= render_if_exists 'shared/minute_limit_banner', namespace: @group
%section.settings.gs-general.no-animate.expanded#js-general-settings
.settings-header

View File

@ -3,6 +3,7 @@
- expanded = expanded_by_default?
- general_expanded = @group.errors.empty? ? expanded : true
= render_if_exists 'shared/minute_limit_banner', namespace: @group
-# Given we only have one field in this form which is also admin-only,
-# we don't want to show an empty section to non-admin users,

View File

@ -8,6 +8,7 @@
= render_if_exists 'shared/qrtly_reconciliation_alert', group: @group
= render_if_exists 'shared/user_over_limit_free_plan_alert', source: @group
= render_if_exists 'shared/minute_limit_banner', namespace: @group
- if show_invite_banner?(@group)
= content_for :group_invite_members_banner do

View File

@ -5,6 +5,8 @@
- expanded = expanded_by_default?
- reduce_visibility_form_id = 'reduce-visibility-form'
= render_if_exists 'shared/minute_limit_banner', namespace: @project
%section.settings.general-settings.no-animate.expanded#js-general-settings
.settings-header
%h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only= _('Naming, topics, avatar')

View File

@ -1,3 +1,5 @@
= render_if_exists 'shared/minute_limit_banner', namespace: @project
- page_title _("Jobs")
- add_page_specific_style 'page_bundles/ci_status'
- admin = local_assigns.fetch(:admin, false)

View File

@ -1,3 +1,5 @@
= render_if_exists 'shared/minute_limit_banner', namespace: @project
- breadcrumb_title _("Schedules")
- page_title _("Pipeline Schedules")
- add_page_specific_style 'page_bundles/pipeline_schedules'

View File

@ -1,3 +1,5 @@
= render_if_exists 'shared/minute_limit_banner', namespace: @project
- page_title _('Pipelines')
- add_page_specific_style 'page_bundles/pipelines'
- add_page_specific_style 'page_bundles/ci_status'

View File

@ -1,3 +1,5 @@
= render_if_exists 'shared/minute_limit_banner', namespace: @project
- @content_class = "limit-container-width" unless fluid_layout
- page_title _("CI/CD Settings")
- page_title _("CI/CD")

View File

@ -7,6 +7,7 @@
= auto_discovery_link_tag(:atom, project_path(@project, rss_url_options), title: "#{@project.name} activity")
= render_if_exists 'shared/user_over_limit_free_plan_alert', source: @project
= render_if_exists 'shared/minute_limit_banner', namespace: @project
= render partial: 'flash_messages', locals: { project: @project }
= render "projects/last_push"

View File

@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/355572
milestone: '14.9'
type: development
group: group::pipeline authoring
default_enabled: false
default_enabled: true

View File

@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353071
milestone: '14.10'
type: development
group: group::container security
default_enabled: false
default_enabled: true

View File

@ -0,0 +1,8 @@
---
name: show_minute_limit_banner
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84644
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/358191
milestone: '14.10'
type: development
group: group::workspace
default_enabled: false

View File

@ -14,15 +14,19 @@ class Gitlab::Seeder::TriageOps
Sidekiq::Testing.inline! do
puts "Ensuring required groups"
ensure_group('gitlab-com')
ensure_group('gitlab-com/gl-security/appsec')
ensure_group('gitlab-jh/jh-team')
ensure_group('gitlab-org')
ensure_group('gitlab-org/gitlab-core-team/community-members')
ensure_group('gitlab-org/security')
puts "Ensuring required projects"
ensure_project('gitlab-org/gitlab')
ensure_project('gitlab-org/security/gitlab')
puts "Ensuring required bot user"
ensure_bot_user
puts "Setting up webhooks"
ensure_webhook_for('gitlab-com')
ensure_webhook_for('gitlab-org')

View File

@ -19115,6 +19115,7 @@ Name of the feature that the callout is for.
| <a id="usercalloutfeaturenameenumgeo_migrate_hashed_storage"></a>`GEO_MIGRATE_HASHED_STORAGE` | Callout feature name for geo_migrate_hashed_storage. |
| <a id="usercalloutfeaturenameenumgke_cluster_integration"></a>`GKE_CLUSTER_INTEGRATION` | Callout feature name for gke_cluster_integration. |
| <a id="usercalloutfeaturenameenumgold_trial_billings"></a>`GOLD_TRIAL_BILLINGS` | Callout feature name for gold_trial_billings. |
| <a id="usercalloutfeaturenameenumminute_limit_banner"></a>`MINUTE_LIMIT_BANNER` | Callout feature name for minute_limit_banner. |
| <a id="usercalloutfeaturenameenumnew_user_signups_cap_reached"></a>`NEW_USER_SIGNUPS_CAP_REACHED` | Callout feature name for new_user_signups_cap_reached. |
| <a id="usercalloutfeaturenameenumpersonal_access_token_expiry"></a>`PERSONAL_ACCESS_TOKEN_EXPIRY` | Callout feature name for personal_access_token_expiry. |
| <a id="usercalloutfeaturenameenumpipeline_needs_banner"></a>`PIPELINE_NEEDS_BANNER` | Callout feature name for pipeline_needs_banner. |

View File

@ -172,8 +172,6 @@ subgraph "CNG-mirror pipeline"
them in its [registry](https://gitlab.com/gitlab-org/build/CNG-mirror/container_registry).
- We use the [`CNG-mirror`](https://gitlab.com/gitlab-org/build/CNG-mirror) project so that the `CNG`, (Cloud
Native GitLab), project's registry is not overloaded with a lot of transient Docker images.
- Note that the official CNG images are built by the `cloud-native-image`
job, which runs only for tags, and triggers itself a [`CNG`](https://gitlab.com/gitlab-org/build/CNG) pipeline.
1. Once `review-build-cng` is done, the [`review-deploy`](https://gitlab.com/gitlab-org/gitlab/-/jobs/467724810) job
deploys the Review App using [the official GitLab Helm chart](https://gitlab.com/gitlab-org/charts/gitlab/) to
the [`review-apps`](https://console.cloud.google.com/kubernetes/clusters/details/us-central1-b/review-apps?project=gitlab-review-apps)

View File

@ -579,6 +579,7 @@ The following variables allow configuration of global dependency scanning settin
| `DS_EXCLUDED_ANALYZERS` | Specify the analyzers (by name) to exclude from Dependency Scanning. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
| `DS_DEFAULT_ANALYZERS` | ([**DEPRECATED - use `DS_EXCLUDED_ANALYZERS` instead**](https://gitlab.com/gitlab-org/gitlab/-/issues/287691)) Override the names of the official default images. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
| `DS_EXCLUDED_PATHS` | Exclude files and directories from the scan based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. Default: `"spec, test, tests, tmp"`. |
| `DS_IMAGE_SUFFIX` | Suffix added to the image name. If set to `-fips`, `FIPS-enabled` images are used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/354796) in GitLab 14.10. |
| `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
| `SECURE_LOG_LEVEL` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. Default: `info`. |
@ -659,6 +660,40 @@ you can use the `MAVEN_CLI_OPTS` CI/CD variable.
Read more on [how to use private Maven repositories](../index.md#using-private-maven-repositories).
#### FIPS-enabled images
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/354796) in GitLab 14.10.
GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the Gemnasium images. You can therefore replace standard images with FIPS-enabled images.
To use FIPS-enabled images, set the `DS_IMAGE_SUFFIX` to `-fips`,
and set `DS_EXCLUDED_ANALYZERS` to `bundler-audit, retire.js`
to exclude the analyzers that don't support FIPS.
```yaml
variables:
DS_IMAGE_SUFFIX: "-fips"
DS_EXCLUDED_ANALYZERS: "bundler-audit, retire.js"
```
If you want to execute `bundler-audit` or `retire.js` in your project pipeline, you can override the
Gemnasium scanning jobs, and set `DS_IMAGE_SUFFIX` to `-fips` only for those jobs.
```yaml
gemnasium-dependency_scanning:
variables:
DS_IMAGE_SUFFIX: "-fips"
gemnasium-maven-dependency_scanning:
variables:
DS_IMAGE_SUFFIX: "-fips"
gemnasium-python-dependency_scanning:
variables:
DS_IMAGE_SUFFIX: "-fips"
```
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to

View File

@ -46,6 +46,27 @@ GitLab IaC scanning supports a variety of IaC configuration files. Our IaC secur
1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature.
### Supported distributions
GitLab scanners are provided with a base alpine image for size and maintainability.
#### FIPS-enabled images
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6479) in GitLab 14.10.
GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the images. You can therefore replace standard images with FIPS-enabled
images. To configure the images, set the `SAST_IMAGE_SUFFIX` to `-fips` or modify the
standard tag plus the `-fips` extension.
```yaml
variables:
SAST_IMAGE_SUFFIX: '-fips'
include:
- template: Security/SAST-IaC.latest.gitlab-ci.yml
```
### Making IaC analyzers available to all GitLab tiers
All open source (OSS) analyzers are available with the GitLab Free tier. Future proprietary analyzers may be restricted to higher tiers.

View File

@ -132,6 +132,30 @@ The following analyzers have multi-project support:
Multi-project support in the Security Code Scan requires a Solution (`.sln`) file in the root of
the repository. For details on the Solution format, see the Microsoft reference [Solution (`.sln`) file](https://docs.microsoft.com/en-us/visualstudio/extensibility/internals/solution-dot-sln-file?view=vs-2019).
### Supported distributions
The default scanner images are build off a base Alpine image for size and maintainability.
#### FIPS-enabled images
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6479) in GitLab 14.10.
GitLab offers [Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the images that are FIPS-enabled. To use the FIPS-enabled images, you can either:
- Set the `SAST_IMAGE_SUFFIX` to `-fips`.
- Add the `-fips` extension to the default image name.
For example:
```yaml
variables:
SAST_IMAGE_SUFFIX: '-fips'
include:
- template: Security/SAST.gitlab-ci.yml
```
### Making SAST analyzers available to all GitLab tiers
All open source (OSS) analyzers have been moved to the GitLab Free tier as of GitLab 13.3.

View File

@ -108,6 +108,30 @@ The results are saved as a
that you can later download and analyze. Due to implementation limitations, we
always take the latest Secret Detection artifact available.
### Supported distributions
The default scanner images are build off a base Alpine image for size and maintainability.
#### FIPS-enabled images
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6479) in GitLab 14.10.
GitLab offers [Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the images that are FIPS-enabled. To use the FIPS-enabled images, you can either:
- Set the `SAST_IMAGE_SUFFIX` to `-fips`.
- Add the `-fips` extension to the default image name.
For example:
```yaml
variables:
SECRET_DETECTION_IMAGE_SUFFIX: '-fips'
include:
- template: Security/Secret-Detection.gitlab-ci.yml
```
### Enable Secret Detection via an automatic merge request
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default.

View File

@ -47,7 +47,7 @@ module BulkImports
end
def project_entities_pipeline
if project_pipeline_available? && ::Feature.enabled?(:bulk_import_projects, default_enabled: :yaml)
if project_pipeline_available? && feature_flag_enabled?
{
project_entities: {
pipeline: BulkImports::Groups::Pipelines::ProjectEntitiesPipeline,
@ -62,6 +62,18 @@ module BulkImports
def project_pipeline_available?
@bulk_import.source_version_info >= BulkImport.min_gl_version_for_project_migration
end
def feature_flag_enabled?
destination_namespace = @bulk_import_entity.destination_namespace
if destination_namespace.present?
root_ancestor = Namespace.find_by_full_path(destination_namespace)&.root_ancestor
::Feature.enabled?(:bulk_import_projects, root_ancestor, default_enabled: :yaml)
else
::Feature.enabled?(:bulk_import_projects, default_enabled: :yaml)
end
end
end
end
end

View File

@ -2,10 +2,13 @@
module BulkImports
class Stage
def initialize(bulk_import)
raise(ArgumentError, 'Expected an argument of type ::BulkImport') unless bulk_import.is_a?(::BulkImport)
def initialize(bulk_import_entity)
unless bulk_import_entity.is_a?(::BulkImports::Entity)
raise(ArgumentError, 'Expected an argument of type ::BulkImports::Entity')
end
@bulk_import = bulk_import
@bulk_import_entity = bulk_import_entity
@bulk_import = bulk_import_entity.bulk_import
end
def pipelines

View File

@ -32,6 +32,16 @@ dependency_scanning:
.ds-analyzer:
extends: dependency_scanning
allow_failure: true
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/$DS_ANALYZER_NAME:$DS_MAJOR_VERSION"
# DS_ANALYZER_NAME is an undocumented variable used in job definitions
# to inject the analyzer name in the image name.
DS_ANALYZER_NAME: ""
image:
name: "$DS_ANALYZER_IMAGE$DS_IMAGE_SUFFIX"
# `rules` must be overridden explicitly by each child job
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
script:
@ -46,13 +56,8 @@ gemnasium-dependency_scanning:
extends:
- .ds-analyzer
- .cyclone-dx-reports
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "gemnasium"
GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
@ -77,13 +82,8 @@ gemnasium-maven-dependency_scanning:
extends:
- .ds-analyzer
- .cyclone-dx-reports
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "gemnasium-maven"
# Stop reporting Gradle as "maven".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
@ -105,13 +105,8 @@ gemnasium-python-dependency_scanning:
extends:
- .ds-analyzer
- .cyclone-dx-reports
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "gemnasium-python"
# Stop reporting Pipenv and Setuptools as "pip".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
@ -138,13 +133,8 @@ gemnasium-python-dependency_scanning:
bundler-audit-dependency_scanning:
extends: .ds-analyzer
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "bundler-audit"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
@ -158,13 +148,8 @@ bundler-audit-dependency_scanning:
retire-js-dependency_scanning:
extends: .ds-analyzer
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "retire.js"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never

View File

@ -1,7 +1,14 @@
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
#
# Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
# List of available variables: https://docs.gitlab.com/ee/user/application_security/iac_scanning/index.html
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SAST_IMAGE_SUFFIX: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
iac-sast:
@ -25,7 +32,7 @@ kics-iac-sast:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 1
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG"
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
rules:
- if: $SAST_DISABLED
when: never

View File

@ -7,6 +7,7 @@ variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SAST_IMAGE_SUFFIX: ""
SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
@ -251,7 +252,7 @@ semgrep-sast:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
rules:
- if: $SAST_DISABLED
when: never

View File

@ -6,12 +6,14 @@
variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SECRET_DETECTION_IMAGE_SUFFIX: ""
SECRETS_ANALYZER_VERSION: "3"
SECRET_DETECTION_EXCLUDED_PATHS: ""
.secret-analyzer:
stage: test
image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX"
services: []
allow_failure: true
variables:

View File

@ -1461,6 +1461,9 @@ msgstr[1] ""
msgid "1-9 contributions"
msgstr ""
msgid "1. Effective June 1, 2022, all free tier public projects will be %{minutes_quota_link}."
msgstr ""
msgid "10-19 contributions"
msgstr ""
@ -1473,6 +1476,9 @@ msgstr ""
msgid "1st contribution!"
msgstr ""
msgid "2. Before July 1, 2022, all free tier public open source projects will need to %{enrollment_link} to continue to receive GitLab Ultimate benefits."
msgstr ""
msgid "20-29 contributions"
msgstr ""
@ -7077,6 +7083,9 @@ msgstr ""
msgid "Changes the title to \"%{title_param}\"."
msgstr ""
msgid "Changes to free tier public projects"
msgstr ""
msgid "Changes to the title have not been saved"
msgstr ""
@ -28282,6 +28291,9 @@ msgstr ""
msgid "Please use this form to report to the admin users who create spam issues, comments or behave inappropriately."
msgstr ""
msgid "Please visit the %{faq_link} for more information."
msgstr ""
msgid "Please wait a moment, this page will automatically refresh when ready."
msgstr ""

View File

@ -3,7 +3,10 @@
require 'spec_helper'
RSpec.describe BulkImports::Groups::Stage do
let(:ancestor) { create(:group) }
let(:group) { create(:group, parent: ancestor) }
let(:bulk_import) { build(:bulk_import) }
let(:entity) { build(:bulk_import_entity, bulk_import: bulk_import, group: group, destination_namespace: ancestor.full_path) }
let(:pipelines) do
[
@ -19,26 +22,46 @@ RSpec.describe BulkImports::Groups::Stage do
end
it 'raises error when initialized without a BulkImport' do
expect { described_class.new({}) }.to raise_error(ArgumentError, 'Expected an argument of type ::BulkImport')
expect { described_class.new({}) }.to raise_error(ArgumentError, 'Expected an argument of type ::BulkImports::Entity')
end
describe '.pipelines' do
it 'list all the pipelines with their stage number, ordered by stage' do
expect(described_class.new(bulk_import).pipelines & pipelines).to contain_exactly(*pipelines)
expect(described_class.new(bulk_import).pipelines.last.last).to eq(BulkImports::Common::Pipelines::EntityFinisher)
expect(described_class.new(entity).pipelines & pipelines).to contain_exactly(*pipelines)
expect(described_class.new(entity).pipelines.last.last).to eq(BulkImports::Common::Pipelines::EntityFinisher)
end
it 'includes project entities pipeline' do
stub_feature_flags(bulk_import_projects: true)
context 'when bulk_import_projects feature flag is enabled' do
it 'includes project entities pipeline' do
stub_feature_flags(bulk_import_projects: true)
expect(described_class.new(bulk_import).pipelines).to include([1, BulkImports::Groups::Pipelines::ProjectEntitiesPipeline])
expect(described_class.new(entity).pipelines).to include([1, BulkImports::Groups::Pipelines::ProjectEntitiesPipeline])
end
context 'when feature flag is enabled on root ancestor level' do
it 'includes project entities pipeline' do
stub_feature_flags(bulk_import_projects: ancestor)
expect(described_class.new(entity).pipelines).to include([1, BulkImports::Groups::Pipelines::ProjectEntitiesPipeline])
end
end
context 'when destination namespace is not present' do
it 'includes project entities pipeline' do
stub_feature_flags(bulk_import_projects: true)
entity = create(:bulk_import_entity, destination_namespace: '')
expect(described_class.new(entity).pipelines).to include([1, BulkImports::Groups::Pipelines::ProjectEntitiesPipeline])
end
end
end
context 'when bulk_import_projects feature flag is disabled' do
it 'does not include project entities pipeline' do
stub_feature_flags(bulk_import_projects: false)
expect(described_class.new(bulk_import).pipelines.flatten).not_to include(BulkImports::Groups::Pipelines::ProjectEntitiesPipeline)
expect(described_class.new(entity).pipelines.flatten).not_to include(BulkImports::Groups::Pipelines::ProjectEntitiesPipeline)
end
end
end

View File

@ -34,9 +34,9 @@ RSpec.describe BulkImports::Projects::Stage do
end
subject do
bulk_import = build(:bulk_import)
entity = build(:bulk_import_entity, :project_entity)
described_class.new(bulk_import)
described_class.new(entity)
end
describe '#pipelines' do

View File

@ -179,7 +179,7 @@ RSpec.describe BulkImports::Entity, type: :model do
entity = create(:bulk_import_entity, :group_entity)
entity.create_pipeline_trackers!
expect(entity.trackers.count).to eq(BulkImports::Groups::Stage.new(entity.bulk_import).pipelines.count)
expect(entity.trackers.count).to eq(BulkImports::Groups::Stage.new(entity).pipelines.count)
expect(entity.trackers.map(&:pipeline_name)).to include(BulkImports::Groups::Pipelines::GroupPipeline.to_s)
end
end
@ -189,7 +189,7 @@ RSpec.describe BulkImports::Entity, type: :model do
entity = create(:bulk_import_entity, :project_entity)
entity.create_pipeline_trackers!
expect(entity.trackers.count).to eq(BulkImports::Projects::Stage.new(entity.bulk_import).pipelines.count)
expect(entity.trackers.count).to eq(BulkImports::Projects::Stage.new(entity).pipelines.count)
expect(entity.trackers.map(&:pipeline_name)).to include(BulkImports::Projects::Pipelines::ProjectPipeline.to_s)
end
end

View File

@ -66,8 +66,8 @@ RSpec.describe BulkImports::Tracker, type: :model do
describe '#pipeline_class' do
it 'returns the pipeline class' do
bulk_import = create(:bulk_import)
pipeline_class = BulkImports::Groups::Stage.new(bulk_import).pipelines.first[1]
entity = create(:bulk_import_entity)
pipeline_class = BulkImports::Groups::Stage.new(entity).pipelines.first[1]
tracker = create(:bulk_import_tracker, pipeline_name: pipeline_class)
expect(tracker.pipeline_class).to eq(pipeline_class)

View File

@ -73,7 +73,7 @@ RSpec.describe BulkImportWorker do
expect { subject.perform(bulk_import.id) }
.to change(BulkImports::Tracker, :count)
.by(BulkImports::Groups::Stage.new(bulk_import).pipelines.size * 2)
.by(BulkImports::Groups::Stage.new(entity_1).pipelines.size * 2)
expect(entity_1.trackers).not_to be_empty
expect(entity_2.trackers).not_to be_empty