Add latest changes from gitlab-org/gitlab@master

app/models/project.rb

@@ -2916,6 +2916,10 @@ class Project < ApplicationRecord
     build_artifacts_size_refresh&.started?
   end
 
+  def security_training_available?
+    licensed_feature_available?(:security_training)
+  end
+
   private
 
   # overridden in EE

app/presenters/projects/security/configuration_presenter.rb

@@ -24,7 +24,8 @@ module Projects
           gitlab_ci_history_path: gitlab_ci_history_path,
           auto_fix_enabled: autofix_enabled,
           can_toggle_auto_fix_settings: can_toggle_autofix,
-          auto_fix_user_path: auto_fix_user_path
+          auto_fix_user_path: auto_fix_user_path,
+          security_training_enabled: project.security_training_available?
         }
       end
 

app/views/layouts/terms.html.haml

@@ -26,7 +26,7 @@
                       %li.header-user.dropdown
                         = link_to current_user, class: user_dropdown_class, data: { toggle: "dropdown" } do
                           = image_tag avatar_icon_for_user(current_user, 23), width: 23, height: 23, class: "header-user-avatar", data: { qa_selector: 'user_avatar' }
-                          = sprite_icon('angle-down', css_class: 'caret-down')
+                          = sprite_icon('chevron-down')
                         .dropdown-menu.dropdown-menu-right
                           = render 'layouts/header/current_user_dropdown'
                 = yield

db/post_migrate/20220530044712_add_index_for_vulnerability_reads_location_image.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class AddIndexForVulnerabilityReadsLocationImage < Gitlab::Database::Migration[2.0]
+  INDEX = :index_vulnerability_reads_on_location_image_partial
+
+  disable_ddl_transaction!
+
+  REPORT_TYPES = {
+    container_scanning: 2,
+    cluster_image_scanning: 7
+  }
+
+  QUERY = <<~SQL
+    report_type in (#{REPORT_TYPES[:container_scanning]}, #{REPORT_TYPES[:cluster_image_scanning]}) AND
+    location_image IS NOT NULL
+  SQL
+
+  def up
+    add_concurrent_index :vulnerability_reads, [:project_id, :location_image],
+      where: QUERY,
+      name: INDEX
+  end
+
+  def down
+    remove_concurrent_index_by_name :vulnerability_reads, INDEX
+  end
+end

db/schema_migrations/20220530044712

@@ -0,0 +1 @@
+e76914c24f23d352e275387330a8731afb409fe9ae1168c1ee25f5acf5424c07

db/structure.sql

@@ -29807,6 +29807,8 @@ CREATE INDEX index_vulnerability_reads_on_cluster_agent_id ON vulnerability_read
 
 CREATE INDEX index_vulnerability_reads_on_location_image ON vulnerability_reads USING btree (location_image) WHERE (report_type = ANY (ARRAY[2, 7]));
 
+CREATE INDEX index_vulnerability_reads_on_location_image_partial ON vulnerability_reads USING btree (project_id, location_image) WHERE ((report_type = ANY (ARRAY[2, 7])) AND (location_image IS NOT NULL));
+
 CREATE INDEX index_vulnerability_reads_on_scanner_id ON vulnerability_reads USING btree (scanner_id);
 
 CREATE UNIQUE INDEX index_vulnerability_reads_on_uuid ON vulnerability_reads USING btree (uuid);

doc/api/graphql/reference/index.md

@@ -8752,6 +8752,29 @@ The connection type for [`Vulnerability`](#vulnerability).
 | <a id="vulnerabilityconnectionnodes"></a>`nodes` | [`[Vulnerability]`](#vulnerability) | A list of nodes. |
 | <a id="vulnerabilityconnectionpageinfo"></a>`pageInfo` | [`PageInfo!`](#pageinfo) | Information to aid in pagination. |
 
+#### `VulnerabilityContainerImageConnection`
+
+The connection type for [`VulnerabilityContainerImage`](#vulnerabilitycontainerimage).
+
+##### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="vulnerabilitycontainerimageconnectionedges"></a>`edges` | [`[VulnerabilityContainerImageEdge]`](#vulnerabilitycontainerimageedge) | A list of edges. |
+| <a id="vulnerabilitycontainerimageconnectionnodes"></a>`nodes` | [`[VulnerabilityContainerImage]`](#vulnerabilitycontainerimage) | A list of nodes. |
+| <a id="vulnerabilitycontainerimageconnectionpageinfo"></a>`pageInfo` | [`PageInfo!`](#pageinfo) | Information to aid in pagination. |
+
+#### `VulnerabilityContainerImageEdge`
+
+The edge type for [`VulnerabilityContainerImage`](#vulnerabilitycontainerimage).
+
+##### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="vulnerabilitycontainerimageedgecursor"></a>`cursor` | [`String!`](#string) | A cursor for use in pagination. |
+| <a id="vulnerabilitycontainerimageedgenode"></a>`node` | [`VulnerabilityContainerImage`](#vulnerabilitycontainerimage) | The item at the end of the edge. |
+
 #### `VulnerabilityEdge`
 
 The edge type for [`Vulnerability`](#vulnerability).
@@ -14754,6 +14777,7 @@ Represents vulnerability finding of a security report on the pipeline.
 | <a id="projecttopics"></a>`topics` | [`[String!]`](#string) | List of project topics. |
 | <a id="projectuserpermissions"></a>`userPermissions` | [`ProjectPermissions!`](#projectpermissions) | Permissions for the current user on the resource. |
 | <a id="projectvisibility"></a>`visibility` | [`String`](#string) | Visibility of the project. |
+| <a id="projectvulnerabilityimages"></a>`vulnerabilityImages` | [`VulnerabilityContainerImageConnection`](#vulnerabilitycontainerimageconnection) | Container images reported on the project vulnerabilities. (see [Connections](#connections)) |
 | <a id="projectvulnerabilityscanners"></a>`vulnerabilityScanners` | [`VulnerabilityScannerConnection`](#vulnerabilityscannerconnection) | Vulnerability scanners reported on the project vulnerabilities. (see [Connections](#connections)) |
 | <a id="projectweburl"></a>`webUrl` | [`String`](#string) | Web URL of the project. |
 | <a id="projectwikienabled"></a>`wikiEnabled` | [`Boolean`](#boolean) | Indicates if Wikis are enabled for the current user. |
@@ -17469,6 +17493,16 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | ---- | ---- | ----------- |
 | <a id="vulnerabilityissuelinkslinktype"></a>`linkType` | [`VulnerabilityIssueLinkType`](#vulnerabilityissuelinktype) | Filter issue links by link type. |
 
+### `VulnerabilityContainerImage`
+
+Represents a container image reported on the related vulnerability.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="vulnerabilitycontainerimagename"></a>`name` | [`String`](#string) | Name of the container image. |
+
 ### `VulnerabilityDetailBase`
 
 Represents the vulnerability details base.

doc/ci/variables/index.md

@@ -373,7 +373,7 @@ You can configure a project, group, or instance CI/CD variable to be available
 only to pipelines that run on [protected branches](../../user/project/protected_branches.md)
 or [protected tags](../../user/project/protected_tags.md).
 
-[Merged results pipelines](../pipelines/merge_request_pipelines.md#types-of-merge-request-pipelines), which run on a
+[Merged results pipelines](../pipelines/merged_results_pipelines.md), which run on a
 temporary merge commit, not a branch or tag, do not have access to these variables.
 
 Pipelines that run directly on the merge request's source branch, with no added merge commit, can access

doc/development/integrations/index.md

@@ -43,7 +43,7 @@ if you need clarification or spot any outdated information.
 ### Define properties
 
 Integrations can define arbitrary properties to store their configuration with the class method `Integration.prop_accessor`.
-The values are stored as a serialized JSON hash in the `integrations.properties` column.
+The values are stored as an encrypted JSON hash in the `integrations.encrypted_properties` column.
 
 For example:
 

doc/integration/elasticsearch.md

@@ -502,12 +502,19 @@ In addition to the Rake tasks, there are some environment variables that can be
 | `ID_TO`              | Integer   | Tells the indexer to only index projects less than or equal to the value.    |
 | `ID_FROM`            | Integer   | Tells the indexer to only index projects greater than or equal to the value. |
 
-### Indexing a specific project
+### Indexing a range of projects or a specific project
 
-Because the `ID_TO` and `ID_FROM` environment variables use the `or equal to` comparison, you can index only one project by using both these variables with the same project ID number:
+Using the `ID_FROM` and `ID_TO` environment variables, you can index a limited number of projects. This can be useful for staging indexing.
 
 ```shell
-root@git:~# sudo gitlab-rake gitlab:elastic:index_projects ID_TO=5 ID_FROM=5
+root@git:~# sudo gitlab-rake gitlab:elastic:index_projects ID_FROM=1 ID_TO=100
+```
+
+Because `ID_FROM` and `ID_TO` use the `or equal to` comparison, you can use them to index only one project
+by setting both to the same project ID:
+
+```shell
+root@git:~# sudo gitlab-rake gitlab:elastic:index_projects ID_FROM=5 ID_TO=5
 Indexing project repositories...I, [2019-03-04T21:27:03.083410 #3384]  INFO -- : Indexing GitLab User / test (ID=33)...
 I, [2019-03-04T21:27:05.215266 #3384]  INFO -- : Indexing GitLab User / test (ID=33) is done!
 ```

doc/topics/autodevops/quick_start_guide.md

@@ -236,7 +236,7 @@ you to common environment tasks:
 - **Monitoring** (**{chart}**) - Opens the metrics page where Prometheus collects data
   about the Kubernetes cluster and how the application
   affects it in terms of memory usage, CPU usage, and latency
-- **Deploy to** (**{play}** **{chevron-down}**) - Displays a list of environments you can deploy to
+- **Deploy to** (**{play}** **{chevron-lg-down}**) - Displays a list of environments you can deploy to
 - **Terminal** (**{terminal}**) - Opens a [web terminal](../../ci/environments/index.md#web-terminals-deprecated)
   session inside the container where the application is running
 - **Re-deploy to environment** (**{repeat}**) - For more information, see

doc/user/compliance/compliance_report/index.md

@@ -113,7 +113,7 @@ You can generate a commit-specific Chain of Custody report for a given commit SH
 
 1. On the top bar, select **Menu > Groups** and find your group.
 1. On the left sidebar, select **Security & Compliance > Compliance report**.
-1. At the top of the compliance report, to the right of **List of all merge commits**, select the down arrow (**{angle-down}**).
+1. At the top of the compliance report, to the right of **List of all merge commits**, select the down arrow (**{chevron-lg-down}**).
 1. Enter the merge commit SHA, and then select **Export commit custody report**.
    SHA and then select **Export commit custody report**.
 

doc/user/project/issues/design_management.md

@@ -92,7 +92,7 @@ The design you selected opens. You can then [zoom in](#zoom-in-on-a-design) on i
 
 When viewing a design, you can move to other designs. To do so, either:
 
-- In the top-right corner, select **Go to previous design** (**{chevron-left}**) or **Go to next design** (**{chevron-right}**).
+- In the top-right corner, select **Go to previous design** (**{chevron-lg-left}**) or **Go to next design** (**{chevron-lg-right}**).
 - Press <kbd>Left</kbd> or <kbd>Right</kbd> on your keyboard.
 
 To return to the issue view, either:

doc/user/project/web_ide/index.md

@@ -19,7 +19,7 @@ and from merge requests:
 - *When viewing a file, or the repository file list* -
   1. In the upper right corner of the page, select **Open in Web IDE** if it is visible.
   1. If **Open in Web IDE** is not visible:
-     1. Select the (**{chevron-down}**) next to **Edit** or **Gitpod**, depending on your configuration.
+     1. Select the (**{chevron-lg-down}**) next to **Edit** or **Gitpod**, depending on your configuration.
      1. Select **Open in Web IDE** from the list to display it as the editing option.
      1. Select **Open in Web IDE** to open the editor.
 - *When viewing a merge request* -

lib/gitlab/ci/templates/Security/DAST-On-Demand-API-Scan.gitlab-ci.yml

@@ -1,3 +1,8 @@
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-On-Demand-API-Scan.gitlab-ci.yml
+
 stages:
   - build
   - test
@@ -6,12 +11,13 @@ stages:
 
 variables:
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
-  DAST_API_VERSION: "1"
-  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
+  DAST_API_VERSION: "2"
+  DAST_API_IMAGE_SUFFIX: ""
+  DAST_API_IMAGE: api-security
 
 dast:
   stage: dast
-  image: $DAST_API_IMAGE
+  image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION$DAST_API_IMAGE_SUFFIX
   allow_failure: true
   script:
     - /peach/analyzer-dast-api

lib/tasks/gitlab/db/validate_config.rake

@@ -141,7 +141,9 @@ namespace :gitlab do
     rescue ActiveRecord::ConnectionNotEstablished, PG::ConnectionBad => err
       warn "WARNING: Could not establish database connection for #{db_config.name}: #{err.message}"
     rescue ActiveRecord::NoDatabaseError
-    rescue PG::ReadOnlySqlTransaction => err
+    rescue ActiveRecord::StatementInvalid => err
+      raise unless err.cause.is_a?(PG::ReadOnlySqlTransaction)
+
       warn "WARNING: Could not write to the database #{db_config.name}: #{err.message}"
     end
 

qa/qa/specs/features/api/1_manage/migration/gitlab_migration_release_spec.rb

@@ -29,7 +29,7 @@ module QA
         # @param [Hash] release
         # @return [Hash]
         def comparable_release(release)
-          release&.except(:_links, :evidences)&.merge(
+          release&.except(:_links)&.merge(
             {
               author: release[:author].except(:web_url),
               commit: release[:commit].except(:web_url),
@@ -42,12 +42,14 @@ module QA
                                              }),
               milestones: release[:milestones].map do |milestone|
                 milestone.except(:id, :project_id).merge({ web_url: milestone[:web_url].split("/-/").last })
-              end
-              # TODO: Add back evidence testing once implemented
-              # https://gitlab.com/gitlab-org/gitlab/-/issues/360567
-              # evidences: release[:evidences].map do |evidence|
-              #              evidence.merge({ filepath: evidence[:filepath].split("/-/").last })
-              #            end
+              end,
+              # evidences are not directly migrated but rather recreated on the same releases,
+              # so we only check the json file is there
+              evidences: release[:evidences].map do |evidence|
+                           evidence
+                            .except(:collected_at, :sha)
+                            .merge({ filepath: evidence[:filepath].split("/-/").last.gsub(/\d+\.json/, "*.json") })
+                         end
             }
           )
         end

qa/qa/specs/features/browser_ui/3_create/merge_request/merge_when_pipeline_succeeds_spec.rb

@@ -32,7 +32,7 @@ module QA
                   content: <<~YAML
                     test:
                       tags: ["#{runner_name}"]
-                      script: sleep 5
+                      script: sleep 15
                       only:
                         - merge_requests
                   YAML
@@ -62,8 +62,6 @@ module QA
               merge_request.description = Faker::Lorem.sentence
               merge_request.target_new_branch = false
               merge_request.source_branch = "mr-test-#{SecureRandom.hex(6)}-#{i + 1}"
-              merge_request.file_name = Faker::Lorem.word
-              merge_request.file_content = Faker::Lorem.sentence
             end
 
             # Load the page so that the browser is as prepared as possible to display the pipeline in progress when we
@@ -91,7 +89,7 @@ module QA
               end
 
               aggregate_failures do
-                expect { mr.merged? }.to eventually_be_truthy.within(max_duration: 60), "Expected content 'The changes were merged' but it did not appear."
+                expect { mr.merged? }.to eventually_be_truthy.within(max_duration: 120), "Expected content 'The changes were merged' but it did not appear."
                 expect(merge_request.reload!.merge_when_pipeline_succeeds).to be_truthy
                 expect(merge_request.state).to eq('merged')
                 expect(project.pipelines.last[:status]).to eq('success')

spec/controllers/registrations/welcome_controller_spec.rb

@@ -31,6 +31,7 @@ RSpec.describe Registrations::WelcomeController do
 
     context 'when role and setup_for_company is set' do
       before do
+        stub_feature_flags(about_your_company_registration_flow: false)
         user.update!(setup_for_company: false)
         sign_in(user)
       end
@@ -60,6 +61,10 @@ RSpec.describe Registrations::WelcomeController do
   end
 
   describe '#update' do
+    before do
+      stub_feature_flags(about_your_company_registration_flow: false)
+    end
+
     subject(:update) do
       patch :update, params: { user: { role: 'software_developer', setup_for_company: 'false' } }
     end

spec/features/users/signup_spec.rb

@@ -341,6 +341,7 @@ RSpec.describe 'Signup' do
   end
 
   it 'redirects to step 2 of the signup process, sets the role and redirects back' do
+    stub_feature_flags(about_your_company_registration_flow: false)
     visit new_user_registration_path
 
     fill_in_signup_form

spec/models/project_spec.rb

@@ -8387,6 +8387,14 @@ RSpec.describe Project, factory_default: :keep do
     end
   end
 
+  describe '#security_training_available?' do
+    subject { build(:project) }
+
+    it 'returns false' do
+      expect(subject.security_training_available?).to eq false
+    end
+  end
+
   private
 
   def finish_job(export_job)

spec/tasks/gitlab/db/validate_config_rake_spec.rb

@@ -213,8 +213,11 @@ RSpec.describe 'gitlab:db:validate_config', :silence_stdout do
         }
       end
 
+      let(:exception) { ActiveRecord::StatementInvalid.new("READONLY") }
+
       before do
-        expect(ActiveRecord::InternalMetadata).to receive(:upsert).at_least(:once).and_raise(PG::ReadOnlySqlTransaction, "READONLY")
+        allow(exception).to receive(:cause).and_return(PG::ReadOnlySqlTransaction.new("cannot execute INSERT in a read-only transaction"))
+        allow(ActiveRecord::InternalMetadata).to receive(:upsert).at_least(:once).and_raise(exception)
       end
 
       it_behaves_like 'validates successfully'