diff --git a/.rubocop_todo/gitlab/service_response.yml b/.rubocop_todo/gitlab/service_response.yml new file mode 100644 index 00000000000..f5be713cdd1 --- /dev/null +++ b/.rubocop_todo/gitlab/service_response.yml @@ -0,0 +1,80 @@ +--- +Gitlab/ServiceResponse: + Details: grace period + Exclude: + - 'app/services/alert_management/metric_images/upload_service.rb' + - 'app/services/analytics/cycle_analytics/stages/base_service.rb' + - 'app/services/boards/lists/base_update_service.rb' + - 'app/services/branches/delete_service.rb' + - 'app/services/bulk_imports/create_service.rb' + - 'app/services/bulk_imports/export_service.rb' + - 'app/services/ci/build_cancel_service.rb' + - 'app/services/ci/build_erase_service.rb' + - 'app/services/ci/build_unschedule_service.rb' + - 'app/services/ci/prometheus_metrics/observe_histograms_service.rb' + - 'app/services/ci/retry_pipeline_service.rb' + - 'app/services/ci/runners/assign_runner_service.rb' + - 'app/services/ci/runners/register_runner_service.rb' + - 'app/services/concerns/alert_management/responses.rb' + - 'app/services/concerns/services/return_service_responses.rb' + - 'app/services/container_expiration_policies/update_service.rb' + - 'app/services/dependency_proxy/group_settings/update_service.rb' + - 'app/services/dependency_proxy/image_ttl_group_policies/update_service.rb' + - 'app/services/groups/update_statistics_service.rb' + - 'app/services/incident_management/pager_duty/create_incident_issue_service.rb' + - 'app/services/incident_management/pager_duty/process_webhook_service.rb' + - 'app/services/issuable/bulk_update_service.rb' + - 'app/services/jira_import/start_import_service.rb' + - 'app/services/namespaces/package_settings/update_service.rb' + - 'app/services/packages/debian/create_distribution_service.rb' + - 'app/services/packages/mark_package_for_destruction_service.rb' + - 'app/services/packages/rubygems/dependency_resolver_service.rb' + - 'app/services/snippets/base_service.rb' + - 'app/services/snippets/bulk_destroy_service.rb' + - 'app/services/snippets/destroy_service.rb' + - 'app/services/snippets/repository_validation_service.rb' + - 'app/services/snippets/update_statistics_service.rb' + - 'app/services/timelogs/base_service.rb' + - 'app/services/work_items/create_and_link_service.rb' + - 'app/services/work_items/create_from_task_service.rb' + - 'app/services/work_items/delete_task_service.rb' + - 'ee/app/services/analytics/cycle_analytics/value_streams/create_service.rb' + - 'ee/app/services/app_sec/dast/profiles/destroy_service.rb' + - 'ee/app/services/app_sec/dast/scanner_profiles/destroy_service.rb' + - 'ee/app/services/app_sec/dast/scanner_profiles/update_service.rb' + - 'ee/app/services/app_sec/dast/site_profiles/destroy_service.rb' + - 'ee/app/services/ee/analytics/cycle_analytics/stages/base_service.rb' + - 'ee/app/services/ee/ci/retry_pipeline_service.rb' + - 'ee/app/services/external_status_checks/create_service.rb' + - 'ee/app/services/external_status_checks/destroy_service.rb' + - 'ee/app/services/external_status_checks/dispatch_service.rb' + - 'ee/app/services/external_status_checks/update_service.rb' + - 'ee/app/services/gitlab_subscriptions/create_trial_or_lead_service.rb' + - 'ee/app/services/group_saml/saml_group_links/create_service.rb' + - 'ee/app/services/iterations/cadences/create_iterations_in_advance_service.rb' + - 'ee/app/services/iterations/cadences/create_service.rb' + - 'ee/app/services/iterations/cadences/destroy_service.rb' + - 'ee/app/services/iterations/cadences/update_service.rb' + - 'ee/app/services/iterations/create_service.rb' + - 'ee/app/services/iterations/delete_service.rb' + - 'ee/app/services/iterations/roll_over_issues_service.rb' + - 'ee/app/services/iterations/update_service.rb' + - 'ee/app/services/security/findings/dismiss_service.rb' + - 'ee/app/services/vulnerabilities/finding_dismiss_service.rb' + - 'ee/app/services/vulnerability_issue_links/create_service.rb' + - 'ee/app/services/vulnerability_issue_links/delete_service.rb' + - 'ee/spec/graphql/mutations/security/finding/dismiss_spec.rb' + - 'spec/controllers/import/bulk_imports_controller_spec.rb' + - 'spec/controllers/import/fogbugz_controller_spec.rb' + - 'spec/controllers/projects/alerting/notifications_controller_spec.rb' + - 'spec/controllers/projects/pipelines_controller_spec.rb' + - 'spec/controllers/projects/prometheus/alerts_controller_spec.rb' + - 'spec/lib/gitlab/import_export/snippet_repo_restorer_spec.rb' + - 'spec/requests/api/ci/pipelines_spec.rb' + - 'spec/requests/api/ci/runner/runners_post_spec.rb' + - 'spec/requests/api/group_export_spec.rb' + - 'spec/requests/api/project_export_spec.rb' + - 'spec/requests/api/project_import_spec.rb' + - 'spec/requests/projects/incident_management/pagerduty_incidents_spec.rb' + - 'spec/services/bulk_imports/export_service_spec.rb' + - 'spec/support/shared_examples/requests/api/rubygems_packages_shared_examples.rb' diff --git a/app/views/notify/project_was_not_exported_email.html.haml b/app/views/notify/project_was_not_exported_email.html.haml index c888da29c17..dcd212099b5 100644 --- a/app/views/notify/project_was_not_exported_email.html.haml +++ b/app/views/notify/project_was_not_exported_email.html.haml @@ -1,7 +1,7 @@ %p - Project #{@project.name} couldn't be exported. + = s_("Notify|Project %{project_name} couldn't be exported.") % {project_name: @project.name} %p - The errors we encountered were: + = s_('Notify|The errors we encountered were:') %ul - @errors.each do |error| diff --git a/db/migrate/20221009085130_add_mr_checks_columns_to_namespace_settings.rb b/db/migrate/20221009085130_add_mr_checks_columns_to_namespace_settings.rb new file mode 100644 index 00000000000..947a662575a --- /dev/null +++ b/db/migrate/20221009085130_add_mr_checks_columns_to_namespace_settings.rb @@ -0,0 +1,10 @@ +# frozen_string_literal: true + +class AddMrChecksColumnsToNamespaceSettings < Gitlab::Database::Migration[2.0] + def change + add_column :namespace_settings, :only_allow_merge_if_pipeline_succeeds, :boolean, default: false, null: false + add_column :namespace_settings, :allow_merge_on_skipped_pipeline, :boolean, default: false, null: false + add_column :namespace_settings, :only_allow_merge_if_all_discussions_are_resolved, \ + :boolean, default: false, null: false + end +end diff --git a/db/schema_migrations/20221009085130 b/db/schema_migrations/20221009085130 new file mode 100644 index 00000000000..cbdfb3014cd --- /dev/null +++ b/db/schema_migrations/20221009085130 @@ -0,0 +1 @@ +125ce9bf81966840774eb69be7995c1a8e2abd901fe5f19b73df43a577a9dc44 \ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 5db8614c868..3d607b2ea40 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -17925,6 +17925,9 @@ CREATE TABLE namespace_settings ( include_for_free_user_cap_preview boolean DEFAULT false NOT NULL, unique_project_download_limit_allowlist text[] DEFAULT '{}'::text[] NOT NULL, auto_ban_user_on_excessive_projects_download boolean DEFAULT false NOT NULL, + only_allow_merge_if_pipeline_succeeds boolean DEFAULT false NOT NULL, + allow_merge_on_skipped_pipeline boolean DEFAULT false NOT NULL, + only_allow_merge_if_all_discussions_are_resolved boolean DEFAULT false NOT NULL, CONSTRAINT check_0ba93c78c7 CHECK ((char_length(default_branch_name) <= 255)), CONSTRAINT namespace_settings_unique_project_download_limit_allowlist_size CHECK ((cardinality(unique_project_download_limit_allowlist) <= 100)) ); diff --git a/doc/user/application_security/configuration/index.md b/doc/user/application_security/configuration/index.md index 7e39f1086b0..3eb82eb5dc8 100644 --- a/doc/user/application_security/configuration/index.md +++ b/doc/user/application_security/configuration/index.md @@ -19,19 +19,23 @@ The Security Configuration page lists the following for the security testing and - Whether or not it is available. - A configuration button or a link to its configuration guide. -The status of each security control is determined by the following process: +To determine the status of each security control, GitLab checks for a [CI/CD pipeline](../../../ci/pipelines/index.md) +in the most recent commit on the default branch. -1. Check for a [CI pipeline](../../../ci/pipelines/index.md) in the most recent commit on the default branch. -1. If no CI pipelines exist, then consider all security scanners disabled. Show the **Not enabled** status. -1. If a pipeline is found, then inspect the CI YAML for each job in the CI/CD pipeline. If a - job in the pipeline defines an [`artifacts:reports` keyword](../../../ci/yaml/artifacts_reports.md) - for a security scanner, then consider the security scanner enabled. Show the **Enabled** status. +If GitLab finds a CI/CD pipeline, then it inspects each job in the `.gitlab-ci.yml` file. + +- If a job defines an [`artifacts:reports` keyword](../../../ci/yaml/artifacts_reports.md) + for a security scanner, then GitLab considers the security scanner enabled and shows the **Enabled** status. +- If no jobs define an `artifacts:reports` keyword for a security scanner, then GitLab considers + the security scanner disabled and shows the **Not enabled** status. + +If GitLab does not find a CI/CD pipeline, then it considers all security scanners disabled and shows the **Not enabled** status. Failed pipelines and jobs are included in this process. If a scanner is configured but the job fails, that scanner is still considered enabled. This process also determines the scanners and statuses -returned through [our API](../../../api/graphql/reference/index.md#securityscanners). +returned through the [API](../../../api/graphql/reference/index.md#securityscanners). -If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md), +If the latest pipeline uses [Auto DevOps](../../../topics/autodevops/index.md), all security features are configured by default. To view a project's security configuration: diff --git a/doc/user/application_security/vulnerabilities/severities.md b/doc/user/application_security/vulnerabilities/severities.md index 2264b741890..36f9578f999 100644 --- a/doc/user/application_security/vulnerabilities/severities.md +++ b/doc/user/application_security/vulnerabilities/severities.md @@ -56,7 +56,9 @@ the following tables: | GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | |------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------| -| [`gemnasium`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) | **{check-circle}** Yes | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` | +| [`gemnasium`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) | **{check-circle}** Yes | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating 1 | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` | + +1. The CVSS v3.1 rating is used to calculate the severity level. If it's not available, the CVSS v2.0 rating is used instead. ## Container Scanning diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 5dc30cb9381..7cac382c22f 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -27509,6 +27509,9 @@ msgstr "" msgid "Notify|Project %{old_path_with_namespace} was moved to another location." msgstr "" +msgid "Notify|Project %{project_name} couldn't be exported." +msgstr "" + msgid "Notify|Project %{project_name} was exported successfully." msgstr "" @@ -27530,6 +27533,9 @@ msgstr "" msgid "Notify|The download link will expire in 24 hours." msgstr "" +msgid "Notify|The errors we encountered were:" +msgstr "" + msgid "Notify|The project is now located under %{project_full_name_link_start}%{project_full_name}%{link_end}." msgstr "" diff --git a/rubocop/cop/gitlab/service_response.rb b/rubocop/cop/gitlab/service_response.rb new file mode 100644 index 00000000000..edde662a038 --- /dev/null +++ b/rubocop/cop/gitlab/service_response.rb @@ -0,0 +1,43 @@ +# frozen_string_literal: true + +require_relative '../../code_reuse_helpers' + +module RuboCop + module Cop + module Gitlab + class ServiceResponse < ::RuboCop::Cop::Base + include CodeReuseHelpers + + # This cop checks that ServiceResponse object is not used with the + # deprecated attribute `http_status`. + # + # @example + # + # # bad + # ServiceResponse.error(message: "...", http_status: :forbidden) + # + # # good + # ServiceResponse.error(message: "...", reason: :insufficient_permissions) + MSG = 'Use `reason` instead of the deprecated `http_status`: https://gitlab.com/gitlab-org/gitlab/-/issues/356036' + + RESTRICT_ON_SEND = %i[error success new].freeze + METHOD_NAMES = RESTRICT_ON_SEND.map(&:inspect).join(' ').freeze + + def_node_matcher :service_response_with_http_status, <<~PATTERN + (send + (const {nil? cbase} :ServiceResponse) + {#{METHOD_NAMES}} + (hash <$(pair (sym :http_status) _) ...>) + ) + PATTERN + + def on_send(node) + pair = service_response_with_http_status(node) + return unless pair + + add_offense(pair) + end + end + end + end +end diff --git a/spec/rubocop/cop/gitlab/service_response_spec.rb b/spec/rubocop/cop/gitlab/service_response_spec.rb new file mode 100644 index 00000000000..84cf0dbff52 --- /dev/null +++ b/spec/rubocop/cop/gitlab/service_response_spec.rb @@ -0,0 +1,41 @@ +# frozen_string_literal: true + +require 'rubocop_spec_helper' +require_relative '../../../../rubocop/cop/gitlab/service_response' + +RSpec.describe RuboCop::Cop::Gitlab::ServiceResponse do + subject(:cop) { described_class.new } + + it 'does not flag the `http_status:` param on a homonym method' do + expect_no_offenses("MyClass.error(http_status: :ok)") + end + + it 'does not flag calls without params' do + expect_no_offenses('ServiceResponse.error') + end + + it 'does not flag the offense when `http_status` is not used' do + expect_no_offenses('ServiceResponse.error(message: "some error", reason: :bad_time)') + end + + it 'flags the use of `http_status:` parameter in ServiceResponse in error' do + expect_offense(<<~CODE, msg: described_class::MSG) + ServiceResponse.error(message: "some error", http_status: :bad_request) + ^^^^^^^^^^^^^^^^^^^^^^^^^ %{msg} + CODE + end + + it 'flags the use of `http_status:` parameter in ServiceResponse in success' do + expect_offense(<<~CODE, msg: described_class::MSG) + ServiceResponse.success(message: "some error", http_status: :bad_request) + ^^^^^^^^^^^^^^^^^^^^^^^^^ %{msg} + CODE + end + + it 'flags the use of `http_status:` parameter in ServiceResponse in initializer' do + expect_offense(<<~CODE, msg: described_class::MSG) + ServiceResponse.new(message: "some error", http_status: :bad_request) + ^^^^^^^^^^^^^^^^^^^^^^^^^ %{msg} + CODE + end +end diff --git a/vendor/gems/attr_encrypted/Gemfile.lock b/vendor/gems/attr_encrypted/Gemfile.lock index 72626225cf7..1094e6da3fc 100644 --- a/vendor/gems/attr_encrypted/Gemfile.lock +++ b/vendor/gems/attr_encrypted/Gemfile.lock @@ -100,9 +100,11 @@ GEM loofah (2.19.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) + mini_portile2 (2.8.0) minitest (5.16.3) multi_json (1.15.0) - nokogiri (1.13.8-x86_64-linux) + nokogiri (1.13.8) + mini_portile2 (~> 2.8.0) racc (~> 1.4) public_suffix (5.0.0) racc (1.6.0) @@ -124,15 +126,16 @@ GEM simplecov-rcov (0.3.1) simplecov (>= 0.4.1) simplecov_json_formatter (0.1.4) - sqlite3 (1.5.0-x86_64-linux) + sqlite3 (1.5.0) + mini_portile2 (~> 2.8.0) stringex (1.5.1) tzinfo (2.0.5) concurrent-ruby (~> 1.0) uuidtools (2.2.0) - zeitwerk (2.6.0) + zeitwerk (2.6.1) PLATFORMS - x86_64-linux + ruby DEPENDENCIES actionpack (~> 6.1) @@ -149,4 +152,4 @@ DEPENDENCIES sqlite3 BUNDLED WITH - 2.3.19 + 2.3.22 diff --git a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.checksum b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.checksum index cf70611c97a..1670ac8e688 100644 --- a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.checksum +++ b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.checksum @@ -21,6 +21,7 @@ {"name":"marcel","version":"1.0.2","platform":"ruby","checksum":"a013b677ef46cbcb49fd5c59b3d35803d2ee04dd75d8bfdc43533fc5a31f7e4e"}, {"name":"method_source","version":"1.0.0","platform":"ruby","checksum":"d779455a2b5666a079ce58577bfad8534f571af7cec8107f4dce328f0981dede"}, {"name":"mini_mime","version":"1.1.2","platform":"ruby","checksum":"a54aec0cc7438a03a850adb00daca2bdb60747f839e28186994df057cea87151"}, +{"name":"mini_portile2","version":"2.8.0","platform":"ruby","checksum":"1e06b286ff19b73cfc9193cb3dd2bd80416f8262443564b25b23baea74a05765"}, {"name":"minitest","version":"5.16.2","platform":"ruby","checksum":"c1be0c6b57fab451faa08e74ffa71e7d6a259b90f4bacb881c7f4808ec8b4991"}, {"name":"nio4r","version":"2.5.8","platform":"java","checksum":"b2b1800f6bf7ce4b797ca8b639ad278a99c9c904fb087a91d944f38e4bd71401"}, {"name":"nio4r","version":"2.5.8","platform":"ruby","checksum":"3becb4ad95ab8ac0a9bd2e1b16466869402be62848082bf6329ae9091f276676"}, diff --git a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.lock b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.lock index 8f4bb5fa40d..d633184e300 100644 --- a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.lock +++ b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.lock @@ -76,11 +76,11 @@ GEM marcel (1.0.2) method_source (1.0.0) mini_mime (1.1.2) + mini_portile2 (2.8.0) minitest (5.16.2) nio4r (2.5.8) - nokogiri (1.13.8-arm64-darwin) - racc (~> 1.4) - nokogiri (1.13.8-x86_64-linux) + nokogiri (1.13.8) + mini_portile2 (~> 2.8.0) racc (~> 1.4) racc (1.6.0) rack (2.2.4) @@ -129,11 +129,10 @@ GEM zeitwerk (2.6.0) PLATFORMS - arm64-darwin-21 - x86_64-linux + ruby DEPENDENCIES rails (~> 6.1.6.1) BUNDLED WITH - 2.3.19 + 2.3.22 diff --git a/vendor/gems/omniauth-google-oauth2/examples/Gemfile.lock b/vendor/gems/omniauth-google-oauth2/examples/Gemfile.lock new file mode 100644 index 00000000000..5ac8f1be5e0 --- /dev/null +++ b/vendor/gems/omniauth-google-oauth2/examples/Gemfile.lock @@ -0,0 +1,72 @@ +GEM + remote: https://rubygems.org/ + specs: + ast (2.4.2) + faraday (2.5.2) + faraday-net_http (>= 2.0, < 3.1) + ruby2_keywords (>= 0.0.4) + faraday-net_http (3.0.0) + hashie (5.0.0) + json (2.6.2) + jwt (2.5.0) + multi_json (1.15.0) + multi_xml (0.6.0) + oauth2 (1.4.11) + faraday (>= 0.17.3, < 3.0) + jwt (>= 1.0, < 3.0) + multi_json (~> 1.3) + multi_xml (~> 0.5) + rack (>= 1.2, < 4) + omniauth (1.9.2) + hashie (>= 3.4.6) + rack (>= 1.6.2, < 3) + omniauth-google-oauth2 (0.8.2) + jwt (>= 2.0) + oauth2 (~> 1.1) + omniauth (~> 1.1) + omniauth-oauth2 (>= 1.6) + omniauth-oauth2 (1.7.3) + oauth2 (>= 1.4, < 3) + omniauth (>= 1.9, < 3) + parallel (1.22.1) + parser (3.1.2.1) + ast (~> 2.4.1) + rack (1.6.13) + rack-protection (1.5.5) + rack + rainbow (3.1.1) + regexp_parser (2.6.0) + rexml (3.2.5) + rubocop (1.36.0) + json (~> 2.3) + parallel (~> 1.10) + parser (>= 3.1.2.1) + rainbow (>= 2.2.2, < 4.0) + regexp_parser (>= 1.8, < 3.0) + rexml (>= 3.2.5, < 4.0) + rubocop-ast (>= 1.20.1, < 2.0) + ruby-progressbar (~> 1.7) + unicode-display_width (>= 1.4.0, < 3.0) + rubocop-ast (1.21.0) + parser (>= 3.1.1.0) + ruby-progressbar (1.11.0) + ruby2_keywords (0.0.5) + sinatra (1.4.8) + rack (~> 1.5) + rack-protection (~> 1.4) + tilt (>= 1.3, < 3) + tilt (2.0.11) + unicode-display_width (2.3.0) + webrick (1.7.0) + +PLATFORMS + ruby + +DEPENDENCIES + omniauth-google-oauth2 (~> 0.8.1) + rubocop + sinatra (~> 1.4) + webrick + +BUNDLED WITH + 2.3.22