Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-02-17 03:16:49 +00:00
parent eaec088dc5
commit f4e1a3641e
66 changed files with 832 additions and 370 deletions

View file

@ -1144,9 +1144,8 @@ GEM
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sassc (2.0.1)
sassc (2.4.0)
ffi (~> 1.9)
rake
sassc-rails (2.1.0)
railties (>= 4.0.0)
sassc (>= 2.0)

View file

@ -138,10 +138,10 @@ hr {
margin-right: -15px;
margin-left: -15px;
}
.col,
.col-sm-5,
.col-sm-12,
.col-sm-7,
.col-sm-12 {
.col-sm-5,
.col {
position: relative;
width: 100%;
padding-right: 15px;
@ -160,12 +160,12 @@ hr {
}
@media (min-width: 576px) {
.col-sm-5 {
flex: 0 0 41.66667%;
max-width: 41.66667%;
flex: 0 0 41.6666666667%;
max-width: 41.6666666667%;
}
.col-sm-7 {
flex: 0 0 58.33333%;
max-width: 58.33333%;
flex: 0 0 58.3333333333%;
max-width: 58.3333333333%;
}
.col-sm-12 {
flex: 0 0 100%;

View file

@ -65,6 +65,6 @@ class Admin::BroadcastMessagesController < Admin::ApplicationController
target_path
broadcast_type
dismissable
))
), target_access_levels: []).reverse_merge!(target_access_levels: [])
end
end

View file

@ -1,14 +1,22 @@
# frozen_string_literal: true
module BroadcastMessagesHelper
include Gitlab::Utils::StrongMemoize
def current_broadcast_banner_messages
BroadcastMessage.current_banner_messages(request.path).select do |message|
BroadcastMessage.current_banner_messages(
current_path: request.path,
user_access_level: current_user_access_level_for_project_or_group
).select do |message|
cookies["hide_broadcast_message_#{message.id}"].blank?
end
end
def current_broadcast_notification_message
not_hidden_messages = BroadcastMessage.current_notification_messages(request.path).select do |message|
not_hidden_messages = BroadcastMessage.current_notification_messages(
current_path: request.path,
user_access_level: current_user_access_level_for_project_or_group
).select do |message|
cookies["hide_broadcast_message_#{message.id}"].blank?
end
not_hidden_messages.last
@ -61,4 +69,31 @@ module BroadcastMessagesHelper
def broadcast_type_options
BroadcastMessage.broadcast_types.keys.map { |w| [w.humanize, w] }
end
def target_access_level_options
BroadcastMessage::ALLOWED_TARGET_ACCESS_LEVELS.map do |access_level|
[Gitlab::Access.human_access(access_level), access_level]
end
end
def target_access_levels_display(access_levels)
access_levels.map do |access_level|
Gitlab::Access.human_access(access_level)
end.join(', ')
end
private
def current_user_access_level_for_project_or_group
return if Feature.disabled?(:role_targeted_broadcast_messages, default_enabled: :yaml)
return unless current_user.present?
strong_memoize(:current_user_access_level_for_project_or_group) do
if controller.is_a? Projects::ApplicationController
@project&.team&.max_member_access(current_user.id)
elsif controller.is_a? Groups::ApplicationController
@group&.max_member_access_for_user(current_user)
end
end
end
end

View file

@ -4,12 +4,21 @@ class BroadcastMessage < ApplicationRecord
include CacheMarkdownField
include Sortable
ALLOWED_TARGET_ACCESS_LEVELS = [
Gitlab::Access::GUEST,
Gitlab::Access::REPORTER,
Gitlab::Access::DEVELOPER,
Gitlab::Access::MAINTAINER,
Gitlab::Access::OWNER
].freeze
cache_markdown_field :message, pipeline: :broadcast_message, whitelisted: true
validates :message, presence: true
validates :starts_at, presence: true
validates :ends_at, presence: true
validates :broadcast_type, presence: true
validates :target_access_levels, inclusion: { in: ALLOWED_TARGET_ACCESS_LEVELS }
validates :color, allow_blank: true, color: true
validates :font, allow_blank: true, color: true
@ -29,20 +38,20 @@ class BroadcastMessage < ApplicationRecord
}
class << self
def current_banner_messages(current_path = nil)
fetch_messages BANNER_CACHE_KEY, current_path do
def current_banner_messages(current_path: nil, user_access_level: nil)
fetch_messages BANNER_CACHE_KEY, current_path, user_access_level do
current_and_future_messages.banner
end
end
def current_notification_messages(current_path = nil)
fetch_messages NOTIFICATION_CACHE_KEY, current_path do
def current_notification_messages(current_path: nil, user_access_level: nil)
fetch_messages NOTIFICATION_CACHE_KEY, current_path, user_access_level do
current_and_future_messages.notification
end
end
def current(current_path = nil)
fetch_messages CACHE_KEY, current_path do
def current(current_path: nil, user_access_level: nil)
fetch_messages CACHE_KEY, current_path, user_access_level do
current_and_future_messages
end
end
@ -63,7 +72,7 @@ class BroadcastMessage < ApplicationRecord
private
def fetch_messages(cache_key, current_path)
def fetch_messages(cache_key, current_path, user_access_level)
messages = cache.fetch(cache_key, as: BroadcastMessage, expires_in: cache_expires_in) do
yield
end
@ -74,7 +83,13 @@ class BroadcastMessage < ApplicationRecord
# displaying we'll refresh the cache so we don't need to keep filtering.
cache.expire(cache_key) if now_or_future != messages
now_or_future.select(&:now?).select { |message| message.matches_current_path(current_path) }
messages = now_or_future.select(&:now?)
messages = messages.select do |message|
message.matches_current_user_access_level?(user_access_level)
end
messages.select do |message|
message.matches_current_path(current_path)
end
end
end
@ -102,6 +117,12 @@ class BroadcastMessage < ApplicationRecord
now? || future?
end
def matches_current_user_access_level?(user_access_level)
return true if target_access_levels.empty?
target_access_levels.include? user_access_level
end
def matches_current_path(current_path)
return false if current_path.blank? && target_path.present?
return true if current_path.blank? || target_path.blank?

View file

@ -86,7 +86,7 @@ class PostReceiveService
banner = nil
if project
scoped_messages = BroadcastMessage.current_banner_messages(project.full_path).select do |message|
scoped_messages = BroadcastMessage.current_banner_messages(current_path: project.full_path).select do |message|
message.target_path.present? && message.matches_current_path(project.full_path)
end

View file

@ -55,6 +55,14 @@
= f.check_box :dismissable
= f.label :dismissable do
= _('Allow users to dismiss the broadcast message')
- if Feature.enabled?(:role_targeted_broadcast_messages, default_enabled: :yaml)
.form-group.row
.col-sm-2.col-form-label
= f.label :target_access_levels, _('Target roles')
.col-sm-10
= f.select :target_access_levels, target_access_level_options, { include_hidden: false }, multiple: true, class: 'form-control'
.form-text.text-muted
= _('The broadcast message displays only to users in projects and groups who have these roles.')
.form-group.row.js-toggle-colors-container.toggle-colors.hide
.col-sm-2.col-form-label
= f.label :font, _("Font Color")

View file

@ -1,10 +1,11 @@
- breadcrumb_title _("Messages")
- page_title _("Broadcast Messages")
- targeted_broadcast_messages_enabled = Feature.enabled?(:role_targeted_broadcast_messages, default_enabled: :yaml)
%h3.page-title
= _('Broadcast Messages')
%p.light
= _('Broadcast messages are displayed for every user and can be used to notify users about scheduled maintenance, recent upgrades and more.')
= _('Use banners and notifications to notify your users about scheduled maintenance, recent upgrades, and more.')
= render 'form'
@ -19,6 +20,8 @@
%th= _('Preview')
%th= _('Starts')
%th= _('Ends')
- if targeted_broadcast_messages_enabled
%th= _('Target roles')
%th= _('Target Path')
%th= _('Type')
%th &nbsp;
@ -33,6 +36,9 @@
= message.starts_at
%td
= message.ends_at
- if targeted_broadcast_messages_enabled
%td
= target_access_levels_display(message.target_access_levels)
%td
= message.target_path
%td

View file

@ -0,0 +1,8 @@
---
name: role_targeted_broadcast_messages
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77498
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351736
milestone: '14.8'
type: development
group: group::activation
default_enabled: false

View file

@ -0,0 +1,16 @@
- name: "`CI_BUILD_*` predefined variables"
announcement_milestone: "14.8"
announcement_date: "2021-02-22"
removal_milestone: "15.0"
removal_date: "2022-05-22"
breaking_change: true
reporter: dhershkovitch
body: |
The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in GitLab 9.0, and will be removed in GitLab 15.0. If you still use these variables, be sure to change to the current [`CI_JOB_*` predefined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) which are identical (except for the updated name).
# The following items are not published on the docs page, but may be used in the future.
stage: Verify
tiers: [Free, Premium, Ultimate]
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352957
documentation_url: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
image_url: # (optional) This is a link to a thumbnail image depicting the feature
video_url: # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg

View file

@ -0,0 +1,27 @@
- name: "Secure and Protect analyzer images published in new location"
announcement_milestone: "14.8"
announcement_date: "2022-02-22"
removal_milestone: "15.0"
removal_date: "2022-05-22"
breaking_change: true
reporter: connorgilbert
body: | # Do not modify this line, instead modify the lines below.
GitLab uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/terminology/#analyzer) to [scan for security vulnerabilities](https://docs.gitlab.com/ee/user/application_security/).
Each analyzer is distributed as a container image.
Starting in GitLab 14.8, new versions of GitLab Secure and Protect analyzers are published to a new registry location under `registry.gitlab.com/security-products`.
We will update the default value of [GitLab-managed CI/CD templates](https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates/Security) to reflect this change:
- For all analyzers except Container Scanning, we will update the variable `SECURE_ANALYZERS_PREFIX` to the new image registry location.
- For Container Scanning, the default image address is already updated. There is no `SECURE_ANALYZERS_PREFIX` variable for Container Scanning.
In a future release, we will stop publishing images to `registry.gitlab.com/gitlab-org/security-products/analyzers`.
Once this happens, you must take action if you manually pull images and push them into a separate registry. This is commonly the case for [offline deployments](https://docs.gitlab.com/ee/user/application_security/offline_deployments/index.html).
Otherwise, you won't receive further updates.
See the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/352564) for more details.
# The following items are not published on the docs page, but may be used in the future.
stage: Secure
tiers: [Free, Silver, Gold, Core, Premium, Ultimate]
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352564

View file

@ -0,0 +1,28 @@
# This is a template for a feature deprecation
# A deprecation typically occurs when a feature or capability is planned to be removed in a future release.
# Deprecations should be announced at least two releases prior to removal. Any breaking changes should only be done in major releases.
#
# Below is an example of what a single entry should look like, it's required attributes,
# and what types we expect those attribute values to be.
#
# For more information please refer to the handbook documentation here:
# https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations
#
# Please delete this line and above before submitting your merge request.
- name: "Changes to the `CI_JOB_JWT`" # The name of the feature to be deprecated
announcement_milestone: "14.8" # The milestone when this feature was first announced as deprecated.
announcement_date: "2022-02-22" # The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
removal_milestone: "15.0" # The milestone when this feature is planned to be removed
removal_date: # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
breaking_change: true # If this deprecation is a breaking change, set this value to true
reporter: dhershkovitch # GitLab username of the person reporting the deprecation
body: | # Do not modify this line, instead modify the lines below.
The `CI_JOB_JWT` will be updated to support a wider variety of cloud providers. It will be changed to match [`CI_JOB_JWT_V2`](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html), but this change may not be backwards compatible for all users, including Hashicorp Vault users. To maintain the current behavior, users can switch to using `CI_JOB_JWT_V1`, or update their configuration in GitLab 15.0 to use the improved `CI_JOB_JWT`.
# The following items are not published on the docs page, but may be used in the future.
stage: # (optional - may be required in the future) String value of the stage that the feature was created in. e.g., Growth
tiers: # (optional - may be required in the future) An array of tiers that the feature is available in currently. e.g., [Free, Silver, Gold, Core, Premium, Ultimate]
issue_url: # (optional) This is a link to the deprecation issue in GitLab
documentation_url: # (optional) This is a link to the current documentation page
image_url: # (optional) This is a link to a thumbnail image depicting the feature
video_url: # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg

View file

@ -1,4 +1,4 @@
- name: "Deprecations for Dependency Scanning"
- name: "Dependency Scanning"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: nicoleschwartz

View file

@ -1,4 +1,4 @@
- name: "Removals for License Compliance"
- name: "License Compliance"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: nicoleschwartz

View file

@ -1,4 +1,4 @@
- name: "Remove `?w=1` URL parameter to ignore whitespace changes"
- name: "`?w=1` URL parameter to ignore whitespace changes"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: phikai

View file

@ -1,4 +1,4 @@
- name: "New Terraform template version"
- name: "Terraform template version"
removal_date: "2021-06-22"
removal_milestone: "14.0" # example
issue_url: ""

View file

@ -1,4 +1,4 @@
- name: "Update CI/CD templates to stop using hardcoded `master`"
- name: "Hardcoded `master` in CI/CD templates"
reporter: dhershkovitch
removal_date: "2021-06-22"
removal_milestone: "14.0"

View file

@ -1,4 +1,4 @@
- name: "Service Templates removed"
- name: "Service Templates"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deuley

View file

@ -1,4 +1,4 @@
- name: "Removal of release description in the Tags API"
- name: "Release description in the Tags API"
reporter: kbychu
removal_date: "2021-06-22"
removal_milestone: "14.0"

View file

@ -1,10 +1,10 @@
- name: "Update Auto Deploy template version"
- name: "Auto Deploy CI template v1"
reporter: kbychu
removal_date: "2021-06-22"
removal_milestone: "14.0"
issue_url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/300862'
breaking_change: true
body: |
In GitLab 14.0, we will update the [Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/stages.html#auto-deploy) CI template to the latest version. This includes new features, bug fixes, and performance improvements with a dependency on the v2 [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image). Auto Deploy CI template v1 will is deprecated going forward.
In GitLab 14.0, we will update the [Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/stages.html#auto-deploy) CI template to the latest version. This includes new features, bug fixes, and performance improvements with a dependency on the v2 [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image). Auto Deploy CI template v1 is deprecated going forward.
Since the v1 and v2 versions are not backward-compatible, your project might encounter an unexpected failure if you already have a deployed application. Follow the [upgrade guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#upgrade-guide) to upgrade your environments. You can also start using the latest template today by following the [early adoption guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#early-adopters).

View file

@ -1,4 +1,4 @@
- name: "Remove disk source configuration for GitLab Pages"
- name: "Disk source configuration for GitLab Pages"
reporter: kbychu
removal_date: "2021-06-22"
removal_milestone: "14.0"

View file

@ -1,4 +1,4 @@
- name: "Legacy feature flags removed"
- name: "Legacy feature flags"
reporter: kbychu
removal_date: "2021-06-22"
removal_milestone: "14.0"

View file

@ -1,4 +1,4 @@
- name: "Remove redundant timestamp field from DORA metrics API payload"
- name: "Redundant timestamp field from DORA metrics API payload"
reporter: kbychu
removal_date: "2021-06-22"
removal_milestone: "14.0"

View file

@ -1,4 +1,4 @@
- name: "Geo Foreign Data Wrapper settings removed"
- name: "Geo Foreign Data Wrapper settings"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: fzimmer

View file

@ -1,4 +1,4 @@
- name: "Deprecated GraphQL fields have been removed"
- name: "Deprecated GraphQL fields"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: gweaver

View file

@ -1,4 +1,4 @@
- name: "Legacy storage removed"
- name: "Legacy storage"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: fzimmer

View file

@ -1,4 +1,4 @@
- name: Sidekiq queue selector options no longer accept the 'experimental' prefix
- name: Experimental prefix in Sidekiq queue selector options
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: smcgivern

View file

@ -1,4 +1,4 @@
- name: "Unicorn removed in favor of Puma for GitLab self-managed"
- name: "Unicorn in GitLab self-managed"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: fzimmer

View file

@ -1,4 +1,4 @@
- name: "`CI_PROJECT_CONFIG_PATH` variable has been removed"
- name: "`CI_PROJECT_CONFIG_PATH` variable"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: stkerr

View file

@ -8,7 +8,7 @@
Until GitLab 13.9, if you wanted to avoid running one particular GitLab SAST analyzer, you needed to remove it from the [long string of analyzers in the `SAST.gitlab-ci.yml` file](https://gitlab.com/gitlab-org/gitlab/-/blob/390afc431e7ce1ac253b35beb39f19e49c746bff/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L12) and use that to set the [`SAST_DEFAULT_ANALYZERS`](https://docs.gitlab.com/ee/user/application_security/sast/#docker-images) variable in your project's CI file. If you did this, it would exclude you from future new analyzers because this string hard codes the list of analyzers to execute. We avoid this problem by inverting this variable's logic to exclude, rather than choose default analyzers.
Beginning with 13.9, [we migrated](https://gitlab.com/gitlab-org/gitlab/-/blob/14fed7a33bfdbd4663d8928e46002a5ef3e3282c/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L13) to `SAST_EXCLUDED_ANALYZERS` in our `SAST.gitlab-ci.yml` file. We encourage anyone who uses a [customized SAST configuration](https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings) in their project CI file to migrate to this new variable. If you have not overridden `SAST_DEFAULT_ANALYZERS`, no action is needed. The CI/CD variable `SAST_DEFAULT_ANALYZERS` has been removed in GitLab 14.0, which released on June 22, 2021.
- name: "Remove `secret_detection_default_branch` job"
- name: "`secret_detection_default_branch` job"
reporter: tmccaslin
removal_date: "2021-06-22"
removal_milestone: "14.0"
@ -18,8 +18,7 @@
To ensure Secret Detection was scanning both default branches and feature branches, we introduced two separate secret detection CI jobs (`secret_detection_default_branch` and `secret_detection`) in our managed [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml) template. These two CI jobs created confusion and complexity in the CI rules logic. This deprecation moves the `rule` logic into the `script` section, which then determines how the `secret_detection` job is run (historic, on a branch, commits, etc).
If you override or maintain custom versions of `SAST.gitlab-ci.yml` or `Secret-Detection.gitlab-ci.yml`, you must update your CI templates. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/secret_detection/#custom-settings-example) to future-proof your CI templates. GitLab 14.0 no longer supports the old `secret_detection_default_branch` job.
- name: "Remove SAST analyzer `SAST_GOSEC_CONFIG` variable in favor of
custom rulesets"
- name: "SAST analyzer `SAST_GOSEC_CONFIG` variable"
reporter: tmccaslin
removal_date: "2021-06-22"
removal_milestone: "14.0"
@ -29,7 +28,7 @@
With the release of [SAST Custom Rulesets](https://docs.gitlab.com/ee/user/application_security/sast/#customize-rulesets) in GitLab 13.5 we allow greater flexibility in configuration options for our Go analyzer (GoSec). As a result we no longer plan to support our less flexible [`SAST_GOSEC_CONFIG`](https://docs.gitlab.com/ee/user/application_security/sast/#analyzer-settings) analyzer setting. This variable was deprecated in GitLab 13.10.
GitLab 14.0 removes the old `SAST_GOSEC_CONFIG variable`. If you use or override `SAST_GOSEC_CONFIG` in your CI file, update your SAST CI configuration or pin to an older version of the GoSec analyzer. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates.
- name: "Removed Global `SAST_ANALYZER_IMAGE_TAG` in SAST CI template"
- name: "Global `SAST_ANALYZER_IMAGE_TAG` in SAST CI template"
reporter: tmccaslin
removal_date: "2021-06-22"
removal_milestone: "14.0"

View file

@ -1,4 +1,4 @@
- name: "Remove off peak time mode configuration for Docker Machine autoscaling"
- name: "Off peak time mode configuration for Docker Machine autoscaling"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deastman

View file

@ -1,4 +1,4 @@
- name: "Remove Ubuntu 19.10 (Eoan Ermine) package"
- name: "Ubuntu 19.10 (Eoan Ermine) package"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deastman

View file

@ -1,4 +1,4 @@
- name: "Remove `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL` feature flag"
- name: "`FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL` feature flag"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deastman

View file

@ -1,4 +1,4 @@
- name: "Remove `/usr/lib/gitlab-runner` symlink from package"
- name: "`/usr/lib/gitlab-runner` symlink from package"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deastman

View file

@ -1,4 +1,4 @@
- name: "Remove `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag"
- name: "`FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deastman

View file

@ -1,4 +1,4 @@
- name: "Remove success and failure for finished build metric conversion"
- name: "Success and failure for finished build metric conversion"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deastman

View file

@ -1,4 +1,4 @@
- name: "Remove `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag"
- name: "`FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deastman

View file

@ -1,4 +1,4 @@
- name: "Remove support for Windows Server 1903 image"
- name: "Windows Server 1903 image support"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deastman

View file

@ -1,4 +1,4 @@
- name: "Remove support for Windows Server 1909 image"
- name: "Windows Server 1909 image support"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: deastman

View file

@ -1,4 +1,4 @@
- name: "Gitaly Cluster SQL primary elector has been removed"
- name: "Gitaly Cluster SQL primary elector"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: mjwood

View file

@ -1,4 +1,4 @@
- name: "Remove legacy DAST domain validation"
- name: "Legacy DAST domain validation"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: derekferguson

View file

@ -1,4 +1,4 @@
- name: "Removal of legacy fields from DAST report"
- name: "Legacy fields from DAST report"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: derekferguson

View file

@ -1,4 +1,4 @@
- name: "Remove DAST default template stages"
- name: "DAST default template stages"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: derekferguson

View file

@ -1,4 +1,4 @@
- name: "Segments removed from DevOps Adoption API"
- name: "DevOps Adoption API Segments"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: ljlane

View file

@ -1,4 +1,4 @@
- name: "Removal of deprecated `trace` parameter from `jobs` API endpoint"
- name: "`trace` parameter in `jobs` API"
removal_date: "2021-06-22"
removal_milestone: "14.0"
reporter: jreporter

View file

@ -9,7 +9,7 @@
#
# Please delete this line and above before submitting your merge request.
- name: "Announcement headline" # The headline announcing the removal. i.e. "`CI_PROJECT_CONFIG_PATH` removed in Gitlab 14.0"
- name: "Feature name" # the name of the feature being removed. Avoid the words `deprecation`, `deprecate`, `removal`, and `remove` in this field because these are implied.
announcement_milestone: "XX.YY" # The milestone when this feature was deprecated.
announcement_date: "YYYY-MM-DD" # The date of the milestone release when this feature was deprecated. This should almost always be the 22nd of a month (YYYY-MM-DD), unless you did an out of band blog post.
removal_milestone: "XX.YY" # The milestone when this feature is being removed.

View file

@ -0,0 +1,7 @@
# frozen_string_literal: true
class AddTargetAccessLevelsToBroadcastMessages < Gitlab::Database::Migration[1.0]
def change
add_column :broadcast_messages, :target_access_levels, :integer, array: true, null: false, default: []
end
end

View file

@ -0,0 +1,60 @@
# frozen_string_literal: true
# Reproduce the indices on integrations.type on integrations.type_new
class CreateIndexesOnIntegrationTypeNew < Gitlab::Database::Migration[1.0]
disable_ddl_transaction!
TABLE_NAME = :integrations
COLUMN = :type_new
def indices
[
{
name: "index_integrations_on_project_and_#{COLUMN}_where_inherit_null",
columns: [:project_id, COLUMN],
where: 'inherit_from_id IS NULL'
},
{
name: "index_integrations_on_project_id_and_#{COLUMN}_unique",
columns: [:project_id, COLUMN],
unique: true
},
{
name: "index_integrations_on_#{COLUMN}",
columns: [COLUMN]
},
{
name: "index_integrations_on_#{COLUMN}_and_instance_partial",
columns: [COLUMN, :instance],
where: 'instance = true'
},
{
name: "index_integrations_on_#{COLUMN}_and_template_partial",
columns: [COLUMN, :template],
where: 'template = true'
},
{
# column names are limited to 63 characters, so this one is re-worded for clarity
name: "index_integrations_on_#{COLUMN}_id_when_active_and_has_project",
columns: [COLUMN, :id],
where: '((active = true) AND (project_id IS NOT NULL))'
},
{
name: "index_integrations_on_unique_group_id_and_#{COLUMN}",
columns: [:group_id, COLUMN]
}
]
end
def up
indices.each do |index|
add_concurrent_index TABLE_NAME, index[:columns], index.except(:columns)
end
end
def down
indices.each do |index|
remove_concurrent_index_by_name TABLE_NAME, index[:name]
end
end
end

View file

@ -0,0 +1 @@
6e273d5b92595ae6054b0665b4ff446fb2bed24ff1aab122537833dc8f4d9ab8

View file

@ -0,0 +1 @@
9ce8aa469b9469d25fbba52147e24c95f6242c2ab1e114df8baaf5a45268d2fd

View file

@ -11364,7 +11364,8 @@ CREATE TABLE broadcast_messages (
cached_markdown_version integer,
target_path character varying(255),
broadcast_type smallint DEFAULT 1 NOT NULL,
dismissable boolean
dismissable boolean,
target_access_levels integer[] DEFAULT '{}'::integer[] NOT NULL
);
CREATE SEQUENCE broadcast_messages_id_seq
@ -26665,8 +26666,12 @@ CREATE INDEX index_insights_on_project_id ON insights USING btree (project_id);
CREATE INDEX index_integrations_on_inherit_from_id ON integrations USING btree (inherit_from_id);
CREATE INDEX index_integrations_on_project_and_type_new_where_inherit_null ON integrations USING btree (project_id, type_new) WHERE (inherit_from_id IS NULL);
CREATE INDEX index_integrations_on_project_and_type_where_inherit_null ON integrations USING btree (project_id, type) WHERE (inherit_from_id IS NULL);
CREATE UNIQUE INDEX index_integrations_on_project_id_and_type_new_unique ON integrations USING btree (project_id, type_new);
CREATE UNIQUE INDEX index_integrations_on_project_id_and_type_unique ON integrations USING btree (project_id, type);
CREATE INDEX index_integrations_on_template ON integrations USING btree (template);
@ -26679,8 +26684,18 @@ CREATE UNIQUE INDEX index_integrations_on_type_and_template_partial ON integrati
CREATE INDEX index_integrations_on_type_id_when_active_and_project_id_not_nu ON integrations USING btree (type, id) WHERE ((active = true) AND (project_id IS NOT NULL));
CREATE INDEX index_integrations_on_type_new ON integrations USING btree (type_new);
CREATE INDEX index_integrations_on_type_new_and_instance_partial ON integrations USING btree (type_new, instance) WHERE (instance = true);
CREATE INDEX index_integrations_on_type_new_and_template_partial ON integrations USING btree (type_new, template) WHERE (template = true);
CREATE INDEX index_integrations_on_type_new_id_when_active_and_has_project ON integrations USING btree (type_new, id) WHERE ((active = true) AND (project_id IS NOT NULL));
CREATE UNIQUE INDEX index_integrations_on_unique_group_id_and_type ON integrations USING btree (group_id, type);
CREATE INDEX index_integrations_on_unique_group_id_and_type_new ON integrations USING btree (group_id, type_new);
CREATE INDEX index_internal_ids_on_namespace_id ON internal_ids USING btree (namespace_id);
CREATE INDEX index_internal_ids_on_project_id ON internal_ids USING btree (project_id);

View file

@ -727,6 +727,18 @@ The `merged_by` field in the [merge request API](https://docs.gitlab.com/ee/api/
## 14.8
### Changes to the `CI_JOB_JWT`
WARNING:
This feature will be changed or removed in 15.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
The `CI_JOB_JWT` will be updated to support a wider variety of cloud providers. It will be changed to match [`CI_JOB_JWT_V2`](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html), but this change may not be backwards compatible for all users, including Hashicorp Vault users. To maintain the current behavior, users can switch to using `CI_JOB_JWT_V1`, or update their configuration in GitLab 15.0 to use the improved `CI_JOB_JWT`.
**Planned removal milestone: 15.0 ()**
### Configurable Gitaly `per_repository` election strategy
Configuring the `per_repository` Gitaly election strategy is [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/352612).
@ -1247,6 +1259,32 @@ For further details, see [the deprecation issue for this change](https://gitlab.
**Planned removal milestone: 15.0 (2022-05-22)**
### Secure and Protect analyzer images published in new location
WARNING:
This feature will be changed or removed in 15.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/terminology/#analyzer) to [scan for security vulnerabilities](https://docs.gitlab.com/ee/user/application_security/).
Each analyzer is distributed as a container image.
Starting in GitLab 14.8, new versions of GitLab Secure and Protect analyzers are published to a new registry location under `registry.gitlab.com/security-products`.
We will update the default value of [GitLab-managed CI/CD templates](https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates/Security) to reflect this change:
- For all analyzers except Container Scanning, we will update the variable `SECURE_ANALYZERS_PREFIX` to the new image registry location.
- For Container Scanning, the default image address is already updated. There is no `SECURE_ANALYZERS_PREFIX` variable for Container Scanning.
In a future release, we will stop publishing images to `registry.gitlab.com/gitlab-org/security-products/analyzers`.
Once this happens, you must take action if you manually pull images and push them into a separate registry. This is commonly the case for [offline deployments](https://docs.gitlab.com/ee/user/application_security/offline_deployments/index.html).
Otherwise, you won't receive further updates.
See the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/352564) for more details.
**Planned removal milestone: 15.0 (2022-05-22)**
### Support for gRPC-aware proxy deployed between Gitaly and rest of GitLab
WARNING:
@ -1305,6 +1343,18 @@ The new security approvals feature is similar to vulnerability check. For exampl
**Planned removal milestone: 15.0 (2022-05-22)**
### `CI_BUILD_*` predefined variables
WARNING:
This feature will be changed or removed in 15.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in GitLab 9.0, and will be removed in GitLab 15.0. If you still use these variables, be sure to change to the current [`CI_JOB_*` predefined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) which are identical (except for the updated name).
**Planned removal milestone: 15.0 (2022-05-22)**
### `fixup!` commit messages setting draft status of associated Merge Request
The use of `fixup!` as a commit message to trigger draft status

View file

@ -30,6 +30,18 @@ For removal reviewers (Technical Writers only):
## 14.0
### Auto Deploy CI template v1
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In GitLab 14.0, we will update the [Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/stages.html#auto-deploy) CI template to the latest version. This includes new features, bug fixes, and performance improvements with a dependency on the v2 [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image). Auto Deploy CI template v1 is deprecated going forward.
Since the v1 and v2 versions are not backward-compatible, your project might encounter an unexpected failure if you already have a deployed application. Follow the [upgrade guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#upgrade-guide) to upgrade your environments. You can also start using the latest template today by following the [early adoption guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#early-adopters).
### Breaking changes to Terraform CI template
WARNING:
@ -64,6 +76,16 @@ changes to your code, settings, or workflow.
Clair, the default container scanning engine, was deprecated in GitLab 13.9 and is removed from GitLab 14.0 and replaced by Trivy. We advise customers who are customizing variables for their container scanning job to [follow these instructions](https://docs.gitlab.com/ee/user/application_security/container_scanning/#change-scanners) to ensure that their container scanning jobs continue to work.
### DAST default template stages
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In GitLab 14.0, we've removed the stages defined in the current `DAST.gitlab-ci.yml` template to avoid the situation where the template overrides manual changes made by DAST users. We're making this change in response to customer issues where the stages in the template cause problems when used with customized DAST configurations. Because of this removal, `gitlab-ci.yml` configurations that do not specify a `dast` stage must be updated to include this stage.
### DAST environment variable renaming and removal
WARNING:
@ -119,7 +141,21 @@ GitLab has already introduced changes that allow you to change the default branc
For more information, check out our [blog post](https://about.gitlab.com/blog/2021/03/10/new-git-default-branch-name/).
### Deprecated GraphQL fields have been removed
### Dependency Scanning
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
As mentioned in [13.9](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#deprecations-for-dependency-scanning) and [this blog post](https://about.gitlab.com/blog/2021/02/08/composition-analysis-14-deprecations-and-removals/) several removals for Dependency Scanning take effect.
Previously, to exclude a DS analyzer, you needed to remove it from the default list of analyzers, and use that to set the `DS_DEFAULT_ANALYZERS` variable in your projects CI template. We determined it should be easier to avoid running a particular analyzer without losing the benefit of newly added analyzers. As a result, we ask you to migrate from `DS_DEFAULT_ANALYZERS` to `DS_EXCLUDED_ANALYZERS` when it is available. Read about it in [issue #287691](https://gitlab.com/gitlab-org/gitlab/-/issues/287691).
Previously, to prevent the Gemnasium analyzers to fetch the advisory database at runtime, you needed to set the `GEMNASIUM_DB_UPDATE` variable. However, this is not documented properly, and its naming is inconsistent with the equivalent `BUNDLER_AUDIT_UPDATE_DISABLED` variable. As a result, we ask you to migrate from `GEMNASIUM_DB_UPDATE` to `GEMNASIUM_UPDATE_DISABLED` when it is available. Read about it in [issue #215483](https://gitlab.com/gitlab-org/gitlab/-/issues/215483).
### Deprecated GraphQL fields
WARNING:
This feature was changed or removed in 14.0
@ -136,7 +172,7 @@ In accordance with our [GraphQL deprecation and removal process](https://docs.gi
- `DeprecatedMutations (concern**)` - `AddAwardEmoji`, `RemoveAwardEmoji`, `ToggleAwardEmoji`
- `EE::Types::DeprecatedMutations (concern***)` - `Mutations::Pipelines::RunDastScan`, `Mutations::Vulnerabilities::Dismiss`, `Mutations::Vulnerabilities::RevertToDetected`
### Deprecations for Dependency Scanning
### DevOps Adoption API Segments
WARNING:
This feature was changed or removed in 14.0
@ -144,11 +180,29 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
As mentioned in [13.9](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#deprecations-for-dependency-scanning) and [this blog post](https://about.gitlab.com/blog/2021/02/08/composition-analysis-14-deprecations-and-removals/) several removals for Dependency Scanning take effect.
The first release of the DevOps Adoption report had a concept of **Segments**. Segments were [quickly removed from the report](https://gitlab.com/groups/gitlab-org/-/epics/5251) because they introduced an additional layer of complexity on top of **Groups** and **Projects**. Subsequent iterations of the DevOps Adoption report focus on comparing adoption across groups rather than segments. GitLab 14.0 removes all references to **Segments** [from the GraphQL API](https://gitlab.com/gitlab-org/gitlab/-/issues/324414) and replaces them with **Enabled groups**.
Previously, to exclude a DS analyzer, you needed to remove it from the default list of analyzers, and use that to set the `DS_DEFAULT_ANALYZERS` variable in your projects CI template. We determined it should be easier to avoid running a particular analyzer without losing the benefit of newly added analyzers. As a result, we ask you to migrate from `DS_DEFAULT_ANALYZERS` to `DS_EXCLUDED_ANALYZERS` when it is available. Read about it in [issue #287691](https://gitlab.com/gitlab-org/gitlab/-/issues/287691).
### Disk source configuration for GitLab Pages
Previously, to prevent the Gemnasium analyzers to fetch the advisory database at runtime, you needed to set the `GEMNASIUM_DB_UPDATE` variable. However, this is not documented properly, and its naming is inconsistent with the equivalent `BUNDLER_AUDIT_UPDATE_DISABLED` variable. As a result, we ask you to migrate from `GEMNASIUM_DB_UPDATE` to `GEMNASIUM_UPDATE_DISABLED` when it is available. Read about it in [issue #215483](https://gitlab.com/gitlab-org/gitlab/-/issues/215483).
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab Pages [API-based configuration](https://docs.gitlab.com/ee/administration/pages/#gitlab-api-based-configuration) has been available since GitLab 13.0. It replaces the unsupported `disk` source configuration removed in GitLab 14.0, which can no longer be chosen. You should stop using `disk` source configuration, and move to `gitlab` for an API-based configuration. To migrate away from the 'disk' source configuration, set `gitlab_pages['domain_config_source'] = "gitlab"` in your `/etc/gitlab/gitlab.rb` file. We recommend you migrate before updating to GitLab 14.0, to identify and troubleshoot any potential problems before upgrading.
### Experimental prefix in Sidekiq queue selector options
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab supports a [queue selector](https://docs.gitlab.com/ee/administration/operations/extra_sidekiq_processes.html#queue-selector) to run only a subset of background jobs for a given process. When it was introduced, this option had an 'experimental' prefix (`experimental_queue_selector` in Omnibus, `experimentalQueueSelector` in Helm charts).
As announced in the [13.6 release post](https://about.gitlab.com/releases/2020/11/22/gitlab-13-6-released/#sidekiq-cluster-queue-selector-configuration-option-has-been-renamed), the 'experimental' prefix is no longer supported. Instead, `queue_selector` for Omnibus and `queueSelector` in Helm charts should be used.
### External Pipeline Validation Service Code Changes
@ -160,7 +214,7 @@ changes to your code, settings, or workflow.
For self-managed instances using the experimental [external pipeline validation service](https://docs.gitlab.com/ee/administration/external_pipeline_validation.html), the range of error codes GitLab accepts will be reduced. Currently, pipelines are invalidated when the validation service returns a response code from `400` to `499`. In GitLab 14.0 and later, pipelines will be invalidated for the `406: Not Accepted` response code only.
### Geo Foreign Data Wrapper settings removed
### Geo Foreign Data Wrapper settings
WARNING:
This feature was changed or removed in 14.0
@ -207,7 +261,7 @@ changes to your code, settings, or workflow.
In GitLab Runner 14.0, the installation process will ignore the `skel` directory by default when creating the user home directory. Refer to [issue #4845](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4845) for details.
### Gitaly Cluster SQL primary elector has been removed
### Gitaly Cluster SQL primary elector
WARNING:
This feature was changed or removed in 14.0
@ -220,6 +274,30 @@ The `per_repository` election strategy is the new default, which is automaticall
If you had configured the `sql` election strategy, you must follow the [migration instructions](https://docs.gitlab.com/ee/administration/gitaly/praefect.html#migrate-to-repository-specific-primary-gitaly-nodes) before upgrading to 14.0.
### Global `SAST_ANALYZER_IMAGE_TAG` in SAST CI template
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
With the maturity of GitLab Secure scanning tools, we've needed to add more granularity to our release process. Previously, GitLab shared a major version number for [all analyzers and tools](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks). This requires all tools to share a major version, and prevents the use of [semantic version numbering](https://semver.org/). In GitLab 14.0, SAST removes the `SAST_ANALYZER_IMAGE_TAG` global variable in our [managed `SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) CI template, in favor of the analyzer job variable setting the `major.minor` tag in the SAST vendored template.
Each analyzer job now has a scoped `SAST_ANALYZER_IMAGE_TAG` variable, which will be actively managed by GitLab and set to the `major` tag for the respective analyzer. To pin to a specific version, [change the variable value to the specific version tag](https://docs.gitlab.com/ee/user/application_security/sast/#pinning-to-minor-image-version).
If you override or maintain custom versions of `SAST.gitlab-ci.yml`, update your CI templates to stop referencing the global `SAST_ANALYZER_IMAGE_TAG`, and move it to a scoped analyzer job tag. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates. This change allows you to more granularly control future analyzer updates with a pinned `major.minor` version.
This deprecation and removal changes our [previously announced plan](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#pin-static-analysis-analyzers-and-tools-to-minor-versions) to pin the Static Analysis tools.
### Hardcoded `master` in CI/CD templates
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
Our CI/CD templates have been updated to no longer use hard-coded references to a `master` branch. In 14.0, they all use a variable that points to your project's configured default branch instead. If your CI/CD pipeline relies on our built-in templates, verify that this change works with your current configuration. For example, if you have a `master` branch and a different default branch, the updates to the templates may cause changes to your pipeline behavior. For more information, [read the issue](https://gitlab.com/gitlab-org/gitlab/-/issues/324131).
### Helm v2 support
WARNING:
@ -232,7 +310,19 @@ Helm v2 was [officially deprecated](https://helm.sh/blog/helm-v2-deprecation-tim
Users of the chart should [upgrade to Helm v3](https://helm.sh/docs/topics/v2_v3_migration/) to deploy GitLab 14.0 and later.
### Legacy feature flags removed
### Legacy DAST domain validation
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
The legacy method of DAST Domain Validation for CI/CD scans was deprecated in GitLab 13.8, and is removed in GitLab 14.0. This method of domain validation only disallows scans if the `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` environment variable is set to `true` in the `gitlab-ci.yml` file, and a `Gitlab-DAST-Permission` header on the site is not set to `allow`. This two-step method required users to opt in to using the variable before they could opt out from using the header.
For more information, see the [removal issue](https://gitlab.com/gitlab-org/gitlab/-/issues/293595).
### Legacy feature flags
WARNING:
This feature was changed or removed in 14.0
@ -242,7 +332,19 @@ changes to your code, settings, or workflow.
Legacy feature flags became read-only in GitLab 13.4. GitLab 14.0 removes support for legacy feature flags, so you must migrate them to the [new version](https://docs.gitlab.com/ee/operations/feature_flags.html). You can do this by first taking a note (screenshot) of the legacy flag, then deleting the flag through the API or UI (you don't need to alter the code), and finally create a new Feature Flag with the same name as the legacy flag you deleted. Also, make sure the strategies and environments match the deleted flag. We created a [video tutorial](https://www.youtube.com/watch?v=CAJY2IGep7Y) to help with this migration.
### Legacy storage removed
### Legacy fields from DAST report
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
As a part of the migration to a common report format for all of the Secure scanners in GitLab, DAST is making changes to the DAST JSON report. Certain legacy fields were deprecated in 13.8 and have been completely removed in 14.0. These fields are `@generated`, `@version`, `site`, and `spider`. This should not affect any normal DAST operation, but does affect users who consume the JSON report in an automated way and use these fields. Anyone affected by these changes, and needs these fields for business reasons, is encouraged to open a new GitLab issue and explain the need.
For more information, see [the removal issue](https://gitlab.com/gitlab-org/gitlab/-/issues/33915).
### Legacy storage
WARNING:
This feature was changed or removed in 14.0
@ -252,6 +354,16 @@ changes to your code, settings, or workflow.
As [announced in GitLab 13.0](https://about.gitlab.com/releases/2020/05/22/gitlab-13-0-released/#planned-removal-of-legacy-storage-in-14.0), [legacy storage](https://docs.gitlab.com/ee/administration/repository_storage_types.html#legacy-storage) has been removed in GitLab 14.0.
### License Compliance
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In 13.0, we deprecated the License-Management CI template and renamed it License-Scanning. We have been providing backward compatibility by warning users of the old template to switch. Now in 14.0, we are completely removing the License-Management CI template. Read about it in [issue #216261](https://gitlab.com/gitlab-org/gitlab/-/issues/216261) or [this blog post](https://about.gitlab.com/blog/2021/02/08/composition-analysis-14-deprecations-and-removals/).
### Limit projects returned in `GET /groups/:id/`
WARNING:
@ -283,7 +395,7 @@ changes to your code, settings, or workflow.
Until GitLab 13.9, if you wanted to avoid running one particular GitLab SAST analyzer, you needed to remove it from the [long string of analyzers in the `SAST.gitlab-ci.yml` file](https://gitlab.com/gitlab-org/gitlab/-/blob/390afc431e7ce1ac253b35beb39f19e49c746bff/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L12) and use that to set the [`SAST_DEFAULT_ANALYZERS`](https://docs.gitlab.com/ee/user/application_security/sast/#docker-images) variable in your project's CI file. If you did this, it would exclude you from future new analyzers because this string hard codes the list of analyzers to execute. We avoid this problem by inverting this variable's logic to exclude, rather than choose default analyzers.
Beginning with 13.9, [we migrated](https://gitlab.com/gitlab-org/gitlab/-/blob/14fed7a33bfdbd4663d8928e46002a5ef3e3282c/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L13) to `SAST_EXCLUDED_ANALYZERS` in our `SAST.gitlab-ci.yml` file. We encourage anyone who uses a [customized SAST configuration](https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings) in their project CI file to migrate to this new variable. If you have not overridden `SAST_DEFAULT_ANALYZERS`, no action is needed. The CI/CD variable `SAST_DEFAULT_ANALYZERS` has been removed in GitLab 14.0, which released on June 22, 2021.
### New Terraform template version
### Off peak time mode configuration for Docker Machine autoscaling
WARNING:
This feature was changed or removed in 14.0
@ -291,18 +403,7 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
As we continuously [develop GitLab's Terraform integrations](https://gitlab.com/gitlab-org/gitlab/-/issues/325312), to minimize customer disruption, we maintain two GitLab CI/CD templates for Terraform:
- The ["latest version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml), which is updated frequently between minor releases of GitLab (such as 13.10, 13.11, etc).
- The ["major version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml), which is updated only at major releases (such as 13.0, 14.0, etc).
At every major release of GitLab, the "latest version" template becomes the "major version" template, inheriting the "latest template" setup.
As we have added many new features to the Terraform integration, the new setup for the "major version" template can be considered a breaking change.
The latest template supports the [Terraform Merge Request widget](https://docs.gitlab.com/ee/user/infrastructure/mr_integration.html) and
doesn't need additional setup to work with the [GitLab managed Terraform state](https://docs.gitlab.com/ee/user/infrastructure/terraform_state.html).
To check the new changes, see the [new "major version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml).
In GitLab Runner 13.0, [issue #5069](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/5069), we introduced new timing options for the GitLab Docker Machine executor. In GitLab Runner 14.0, we have removed the old configuration option, [off peak time mode](https://docs.gitlab.com/runner/configuration/autoscale.html#off-peak-time-mode-configuration-deprecated).
### OpenSUSE Leap 15.1
@ -326,173 +427,7 @@ PostgreSQL 12 will be the minimum required version in GitLab 14.0. It offers [si
Starting in GitLab 13.7, all new installations default to version 12. From GitLab 13.8, single-node instances are automatically upgraded as well. If you aren't ready to upgrade, you can [opt out of automatic upgrades](https://docs.gitlab.com/omnibus/settings/database.html#opt-out-of-automatic-postgresql-upgrades).
### Removal of deprecated `trace` parameter from `jobs` API endpoint
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab Runner was updated in GitLab 13.4 to internally stop passing the `trace` parameter to the `/api/jobs/:id` endpoint. GitLab 14.0 deprecates the `trace` parameter entirely for all other requests of this endpoint. Make sure your [GitLab Runner version matches your GitLab version](https://docs.gitlab.com/runner/#gitlab-runner-versions) to ensure consistent behavior.
### Removal of legacy fields from DAST report
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
As a part of the migration to a common report format for all of the Secure scanners in GitLab, DAST is making changes to the DAST JSON report. Certain legacy fields were deprecated in 13.8 and have been completely removed in 14.0. These fields are `@generated`, `@version`, `site`, and `spider`. This should not affect any normal DAST operation, but does affect users who consume the JSON report in an automated way and use these fields. Anyone affected by these changes, and needs these fields for business reasons, is encouraged to open a new GitLab issue and explain the need.
For more information, see [the removal issue](https://gitlab.com/gitlab-org/gitlab/-/issues/33915).
### Removal of release description in the Tags API
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab 14.0 removes support for the release description in the Tags API. You can no longer add a release description when [creating a new tag](https://docs.gitlab.com/ee/api/tags.html#create-a-new-tag). You also can no longer [create](https://docs.gitlab.com/ee/api/tags.html#create-a-new-release) or [update](https://docs.gitlab.com/ee/api/tags.html#update-a-release) a release through the Tags API. Please migrate to use the [Releases API](https://docs.gitlab.com/ee/api/releases/#create-a-release) instead.
### Removals for License Compliance
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In 13.0, we deprecated the License-Management CI template and renamed it License-Scanning. We have been providing backward compatibility by warning users of the old template to switch. Now in 14.0, we are completely removing the License-Management CI template. Read about it in [issue #216261](https://gitlab.com/gitlab-org/gitlab/-/issues/216261) or [this blog post](https://about.gitlab.com/blog/2021/02/08/composition-analysis-14-deprecations-and-removals/).
### Remove DAST default template stages
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In GitLab 14.0, we've removed the stages defined in the current `DAST.gitlab-ci.yml` template to avoid the situation where the template overrides manual changes made by DAST users. We're making this change in response to customer issues where the stages in the template cause problems when used with customized DAST configurations. Because of this removal, `gitlab-ci.yml` configurations that do not specify a `dast` stage must be updated to include this stage.
### Remove SAST analyzer `SAST_GOSEC_CONFIG` variable in favor of custom rulesets
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
With the release of [SAST Custom Rulesets](https://docs.gitlab.com/ee/user/application_security/sast/#customize-rulesets) in GitLab 13.5 we allow greater flexibility in configuration options for our Go analyzer (GoSec). As a result we no longer plan to support our less flexible [`SAST_GOSEC_CONFIG`](https://docs.gitlab.com/ee/user/application_security/sast/#analyzer-settings) analyzer setting. This variable was deprecated in GitLab 13.10.
GitLab 14.0 removes the old `SAST_GOSEC_CONFIG variable`. If you use or override `SAST_GOSEC_CONFIG` in your CI file, update your SAST CI configuration or pin to an older version of the GoSec analyzer. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates.
### Remove Ubuntu 19.10 (Eoan Ermine) package
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
Ubuntu 19.10 (Eoan Ermine) reached end of life on Friday, July 17, 2020. In GitLab Runner 14.0, Ubuntu 19.10 (Eoan Ermine) is no longer available from our package distribution. Refer to [issue #26036](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26036) for details.
### Remove `/usr/lib/gitlab-runner` symlink from package
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In GitLab Runner 13.3, a symlink was added from `/user/lib/gitlab-runner/gitlab-runner` to `/usr/bin/gitlab-runner`. In 14.0, the symlink has been removed and the runner is now installed in `/usr/bin/gitlab-runner`. Refer to [issue #26651](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26651) for details.
### Remove `?w=1` URL parameter to ignore whitespace changes
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
To create a consistent experience for users based on their preferences, support for toggling whitespace changes via URL parameter has been removed in GitLab 14.0.
### Remove `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In 14.0, we have deactivated the `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag. Refer to issue [#26679](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26679) for details.
### Remove `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL` feature flag
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In [GitLab Runner 13.1](https://docs.gitlab.com/runner/executors/shell.html#gitlab-131-and-later), [issue #3376](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3376), we introduced `sigterm` and then `sigkill` to a process in the Shell executor. We also introduced a new feature flag, `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL`, so you can use the previous process termination sequence. In GitLab Runner 14.0, [issue #6413](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6413), the feature flag has been removed.
### Remove `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab Runner 14.0 removes the `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag. Refer to [issue #27175](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27175) for details.
### Remove `secret_detection_default_branch` job
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
To ensure Secret Detection was scanning both default branches and feature branches, we introduced two separate secret detection CI jobs (`secret_detection_default_branch` and `secret_detection`) in our managed [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml) template. These two CI jobs created confusion and complexity in the CI rules logic. This deprecation moves the `rule` logic into the `script` section, which then determines how the `secret_detection` job is run (historic, on a branch, commits, etc).
If you override or maintain custom versions of `SAST.gitlab-ci.yml` or `Secret-Detection.gitlab-ci.yml`, you must update your CI templates. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/secret_detection/#custom-settings-example) to future-proof your CI templates. GitLab 14.0 no longer supports the old `secret_detection_default_branch` job.
### Remove disk source configuration for GitLab Pages
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab Pages [API-based configuration](https://docs.gitlab.com/ee/administration/pages/#gitlab-api-based-configuration) has been available since GitLab 13.0. It replaces the unsupported `disk` source configuration removed in GitLab 14.0, which can no longer be chosen. You should stop using `disk` source configuration, and move to `gitlab` for an API-based configuration. To migrate away from the 'disk' source configuration, set `gitlab_pages['domain_config_source'] = "gitlab"` in your `/etc/gitlab/gitlab.rb` file. We recommend you migrate before updating to GitLab 14.0, to identify and troubleshoot any potential problems before upgrading.
### Remove legacy DAST domain validation
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
The legacy method of DAST Domain Validation for CI/CD scans was deprecated in GitLab 13.8, and is removed in GitLab 14.0. This method of domain validation only disallows scans if the `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` environment variable is set to `true` in the `gitlab-ci.yml` file, and a `Gitlab-DAST-Permission` header on the site is not set to `allow`. This two-step method required users to opt in to using the variable before they could opt out from using the header.
For more information, see the [removal issue](https://gitlab.com/gitlab-org/gitlab/-/issues/293595).
### Remove off peak time mode configuration for Docker Machine autoscaling
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In GitLab Runner 13.0, [issue #5069](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/5069), we introduced new timing options for the GitLab Docker Machine executor. In GitLab Runner 14.0, we have removed the old configuration option, [off peak time mode](https://docs.gitlab.com/runner/configuration/autoscale.html#off-peak-time-mode-configuration-deprecated).
### Remove redundant timestamp field from DORA metrics API payload
### Redundant timestamp field from DORA metrics API payload
WARNING:
This feature was changed or removed in 14.0
@ -502,7 +437,7 @@ changes to your code, settings, or workflow.
The [deployment frequency project-level API](https://docs.gitlab.com/ee/api/dora4_project_analytics.html#list-project-deployment-frequencies) endpoint has been deprecated in favor of the [DORA 4 API](https://docs.gitlab.com/ee/api/dora/metrics.html), which consolidates all the metrics under one API with the specific metric as a required field. As a result, the timestamp field, which doesn't allow adding future extensions and causes performance issues, will be removed. With the old API, an example response would be `{ "2021-03-01": 3, "date": "2021-03-01", "value": 3 }`. The first key/value (`"2021-03-01": 3`) will be removed and replaced by the last two (`"date": "2021-03-01", "value": 3`).
### Remove success and failure for finished build metric conversion
### Release description in the Tags API
WARNING:
This feature was changed or removed in 14.0
@ -510,41 +445,7 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In GitLab Runner 13.5, we introduced `failed` and `success` states for a job. To support Prometheus rules, we chose to convert `success/failure` to `finished` for the metric. In 14.0, the conversion has now been removed. Refer to [issue #26900](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26900) for details.
### Remove support for Windows Server 1903 image
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In 14.0, we have removed Windows Server 1903. Microsoft ended support for this version on 2020-08-12. Refer to [issue #27551](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27551) for details.
### Remove support for Windows Server 1909 image
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In 14.0, we have removed Windows Server 1909. Microsoft ended support for this version on 2021-05-11. Refer to [issue #27899](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27899) for details.
### Removed Global `SAST_ANALYZER_IMAGE_TAG` in SAST CI template
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
With the maturity of GitLab Secure scanning tools, we've needed to add more granularity to our release process. Previously, GitLab shared a major version number for [all analyzers and tools](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks). This requires all tools to share a major version, and prevents the use of [semantic version numbering](https://semver.org/). In GitLab 14.0, SAST removes the `SAST_ANALYZER_IMAGE_TAG` global variable in our [managed `SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) CI template, in favor of the analyzer job variable setting the `major.minor` tag in the SAST vendored template.
Each analyzer job now has a scoped `SAST_ANALYZER_IMAGE_TAG` variable, which will be actively managed by GitLab and set to the `major` tag for the respective analyzer. To pin to a specific version, [change the variable value to the specific version tag](https://docs.gitlab.com/ee/user/application_security/sast/#pinning-to-minor-image-version).
If you override or maintain custom versions of `SAST.gitlab-ci.yml`, update your CI templates to stop referencing the global `SAST_ANALYZER_IMAGE_TAG`, and move it to a scoped analyzer job tag. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates. This change allows you to more granularly control future analyzer updates with a pinned `major.minor` version.
This deprecation and removal changes our [previously announced plan](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#pin-static-analysis-analyzers-and-tools-to-minor-versions) to pin the Static Analysis tools.
GitLab 14.0 removes support for the release description in the Tags API. You can no longer add a release description when [creating a new tag](https://docs.gitlab.com/ee/api/tags.html#create-a-new-tag). You also can no longer [create](https://docs.gitlab.com/ee/api/tags.html#create-a-new-release) or [update](https://docs.gitlab.com/ee/api/tags.html#update-a-release) a release through the Tags API. Please migrate to use the [Releases API](https://docs.gitlab.com/ee/api/releases/#create-a-release) instead.
### Ruby version changed in `Ruby.gitlab-ci.yml`
@ -560,7 +461,7 @@ To better support the latest versions of Ruby, the template is changed to use `r
Relevant Issue: [Updates Ruby version 2.5 to 3.0](https://gitlab.com/gitlab-org/gitlab/-/issues/329160)
### Segments removed from DevOps Adoption API
### SAST analyzer `SAST_GOSEC_CONFIG` variable
WARNING:
This feature was changed or removed in 14.0
@ -568,9 +469,10 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
The first release of the DevOps Adoption report had a concept of **Segments**. Segments were [quickly removed from the report](https://gitlab.com/groups/gitlab-org/-/epics/5251) because they introduced an additional layer of complexity on top of **Groups** and **Projects**. Subsequent iterations of the DevOps Adoption report focus on comparing adoption across groups rather than segments. GitLab 14.0 removes all references to **Segments** [from the GraphQL API](https://gitlab.com/gitlab-org/gitlab/-/issues/324414) and replaces them with **Enabled groups**.
With the release of [SAST Custom Rulesets](https://docs.gitlab.com/ee/user/application_security/sast/#customize-rulesets) in GitLab 13.5 we allow greater flexibility in configuration options for our Go analyzer (GoSec). As a result we no longer plan to support our less flexible [`SAST_GOSEC_CONFIG`](https://docs.gitlab.com/ee/user/application_security/sast/#analyzer-settings) analyzer setting. This variable was deprecated in GitLab 13.10.
GitLab 14.0 removes the old `SAST_GOSEC_CONFIG variable`. If you use or override `SAST_GOSEC_CONFIG` in your CI file, update your SAST CI configuration or pin to an older version of the GoSec analyzer. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/sast/#overriding-sast-jobs) to future-proof your CI templates.
### Service Templates removed
### Service Templates
WARNING:
This feature was changed or removed in 14.0
@ -582,7 +484,7 @@ Service Templates are [removed in GitLab 14.0](https://gitlab.com/groups/gitlab-
While they solved part of the problem, _updating_ those values later proved to be a major pain point. [Project Integration Management](https://docs.gitlab.com/ee/user/admin_area/settings/project_integration_management.html) solves this problem by enabling you to create settings at the Group or Instance level, and projects within that namespace inheriting those settings.
### Sidekiq queue selector options no longer accept the 'experimental' prefix
### Success and failure for finished build metric conversion
WARNING:
This feature was changed or removed in 14.0
@ -590,9 +492,28 @@ as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#brea
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab supports a [queue selector](https://docs.gitlab.com/ee/administration/operations/extra_sidekiq_processes.html#queue-selector) to run only a subset of background jobs for a given process. When it was introduced, this option had an 'experimental' prefix (`experimental_queue_selector` in Omnibus, `experimentalQueueSelector` in Helm charts).
In GitLab Runner 13.5, we introduced `failed` and `success` states for a job. To support Prometheus rules, we chose to convert `success/failure` to `finished` for the metric. In 14.0, the conversion has now been removed. Refer to [issue #26900](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26900) for details.
As announced in the [13.6 release post](https://about.gitlab.com/releases/2020/11/22/gitlab-13-6-released/#sidekiq-cluster-queue-selector-configuration-option-has-been-renamed), the 'experimental' prefix is no longer supported. Instead, `queue_selector` for Omnibus and `queueSelector` in Helm charts should be used.
### Terraform template version
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
As we continuously [develop GitLab's Terraform integrations](https://gitlab.com/gitlab-org/gitlab/-/issues/325312), to minimize customer disruption, we maintain two GitLab CI/CD templates for Terraform:
- The ["latest version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml), which is updated frequently between minor releases of GitLab (such as 13.10, 13.11, etc).
- The ["major version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml), which is updated only at major releases (such as 13.0, 14.0, etc).
At every major release of GitLab, the "latest version" template becomes the "major version" template, inheriting the "latest template" setup.
As we have added many new features to the Terraform integration, the new setup for the "major version" template can be considered a breaking change.
The latest template supports the [Terraform Merge Request widget](https://docs.gitlab.com/ee/user/infrastructure/mr_integration.html) and
doesn't need additional setup to work with the [GitLab managed Terraform state](https://docs.gitlab.com/ee/user/infrastructure/terraform_state.html).
To check the new changes, see the [new "major version" template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml).
### Ubuntu 16.04 support
@ -606,7 +527,17 @@ Ubuntu 16.04 [reached end-of-life in April 2021](https://ubuntu.com/about/releas
GitLab 13.12 will be the last release with Ubuntu 16.04 support.
### Unicorn removed in favor of Puma for GitLab self-managed
### Ubuntu 19.10 (Eoan Ermine) package
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
Ubuntu 19.10 (Eoan Ermine) reached end of life on Friday, July 17, 2020. In GitLab Runner 14.0, Ubuntu 19.10 (Eoan Ermine) is no longer available from our package distribution. Refer to [issue #26036](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26036) for details.
### Unicorn in GitLab self-managed
WARNING:
This feature was changed or removed in 14.0
@ -616,28 +547,6 @@ changes to your code, settings, or workflow.
[Support for Unicorn](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/6078) has been removed in GitLab 14.0 in favor of Puma. [Puma has a multi-threaded architecture](https://docs.gitlab.com/ee/administration/operations/puma.html) which uses less memory than a multi-process application server like Unicorn. On GitLab.com, we saw a 40% reduction in memory consumption by using Puma.
### Update Auto Deploy template version
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In GitLab 14.0, we will update the [Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/stages.html#auto-deploy) CI template to the latest version. This includes new features, bug fixes, and performance improvements with a dependency on the v2 [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image). Auto Deploy CI template v1 will is deprecated going forward.
Since the v1 and v2 versions are not backward-compatible, your project might encounter an unexpected failure if you already have a deployed application. Follow the [upgrade guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#upgrade-guide) to upgrade your environments. You can also start using the latest template today by following the [early adoption guide](https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html#early-adopters).
### Update CI/CD templates to stop using hardcoded `master`
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
Our CI/CD templates have been updated to no longer use hard-coded references to a `master` branch. In 14.0, they all use a variable that points to your project's configured default branch instead. If your CI/CD pipeline relies on our built-in templates, verify that this change works with your current configuration. For example, if you have a `master` branch and a different default branch, the updates to the templates may cause changes to your pipeline behavior. For more information, [read the issue](https://gitlab.com/gitlab-org/gitlab/-/issues/324131).
### WIP merge requests renamed 'draft merge requests'
WARNING:
@ -658,7 +567,47 @@ changes to your code, settings, or workflow.
The Web Application Firewall (WAF) was deprecated in GitLab 13.6 and is removed from GitLab 14.0. The WAF had limitations inherent in the architectural design that made it difficult to meet the requirements traditionally expected of a WAF. By removing the WAF, GitLab is able to focus on improving other areas in the product where more value can be provided to users. Users who currently rely on the WAF can continue to use the free and open source [ModSecurity](https://github.com/SpiderLabs/ModSecurity) project, which is independent from GitLab. Additional details are available in the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/271276).
### `CI_PROJECT_CONFIG_PATH` variable has been removed
### Windows Server 1903 image support
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In 14.0, we have removed Windows Server 1903. Microsoft ended support for this version on 2020-08-12. Refer to [issue #27551](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27551) for details.
### Windows Server 1909 image support
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In 14.0, we have removed Windows Server 1909. Microsoft ended support for this version on 2021-05-11. Refer to [issue #27899](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27899) for details.
### `/usr/lib/gitlab-runner` symlink from package
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In GitLab Runner 13.3, a symlink was added from `/user/lib/gitlab-runner/gitlab-runner` to `/usr/bin/gitlab-runner`. In 14.0, the symlink has been removed and the runner is now installed in `/usr/bin/gitlab-runner`. Refer to [issue #26651](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26651) for details.
### `?w=1` URL parameter to ignore whitespace changes
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
To create a consistent experience for users based on their preferences, support for toggling whitespace changes via URL parameter has been removed in GitLab 14.0.
### `CI_PROJECT_CONFIG_PATH` variable
WARNING:
This feature was changed or removed in 14.0
@ -672,6 +621,57 @@ has been removed in favor of `CI_CONFIG_PATH`, which is functionally the same.
If you are using `CI_PROJECT_CONFIG_PATH` in your pipeline configurations,
please update them to use `CI_CONFIG_PATH` instead.
### `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In 14.0, we have deactivated the `FF_RESET_HELPER_IMAGE_ENTRYPOINT` feature flag. Refer to issue [#26679](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/26679) for details.
### `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL` feature flag
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
In [GitLab Runner 13.1](https://docs.gitlab.com/runner/executors/shell.html#gitlab-131-and-later), [issue #3376](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3376), we introduced `sigterm` and then `sigkill` to a process in the Shell executor. We also introduced a new feature flag, `FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL`, so you can use the previous process termination sequence. In GitLab Runner 14.0, [issue #6413](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/6413), the feature flag has been removed.
### `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab Runner 14.0 removes the `FF_USE_GO_CLOUD_WITH_CACHE_ARCHIVER` feature flag. Refer to [issue #27175](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27175) for details.
### `secret_detection_default_branch` job
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
To ensure Secret Detection was scanning both default branches and feature branches, we introduced two separate secret detection CI jobs (`secret_detection_default_branch` and `secret_detection`) in our managed [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml) template. These two CI jobs created confusion and complexity in the CI rules logic. This deprecation moves the `rule` logic into the `script` section, which then determines how the `secret_detection` job is run (historic, on a branch, commits, etc).
If you override or maintain custom versions of `SAST.gitlab-ci.yml` or `Secret-Detection.gitlab-ci.yml`, you must update your CI templates. We strongly encourage [inheriting and overriding our managed CI templates](https://docs.gitlab.com/ee/user/application_security/secret_detection/#custom-settings-example) to future-proof your CI templates. GitLab 14.0 no longer supports the old `secret_detection_default_branch` job.
### `trace` parameter in `jobs` API
WARNING:
This feature was changed or removed in 14.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
GitLab Runner was updated in GitLab 13.4 to internally stop passing the `trace` parameter to the `/api/jobs/:id` endpoint. GitLab 14.0 deprecates the `trace` parameter entirely for all other requests of this endpoint. Make sure your [GitLab Runner version matches your GitLab version](https://docs.gitlab.com/runner/#gitlab-runner-versions) to ensure consistent behavior.
## 14.1
### Remove support for `prometheus.listen_address` and `prometheus.enable`

View file

@ -514,7 +514,7 @@ registry.gitlab.com/security-products/container-scanning/trivy:4
The process for importing Docker images into a local offline Docker registry depends on
**your network security policy**. Please consult your IT staff to find an accepted and approved
process by which you can import or temporarily access external resources. These scanners
are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance),
are [periodically updated](../index.md#vulnerability-scanner-maintenance),
and you may be able to make occasional updates on your own.
For more information, see [the specific steps on how to update an image with a pipeline](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline).
@ -738,7 +738,7 @@ scanner includes data from multiple sources:
- [Trivy](https://aquasecurity.github.io/trivy/latest/vulnerability/detection/data-source/).
Database update information for other analyzers is available in the
[maintenance table](../vulnerabilities/index.md#vulnerability-scanner-maintenance).
[maintenance table](../index.md#vulnerability-scanner-maintenance).
## Interacting with the vulnerabilities

View file

@ -36,7 +36,7 @@ For DAST, import the following default DAST analyzer image from `registry.gitlab
The process for importing Docker images into a local offline Docker registry depends on
**your network security policy**. Please consult your IT staff to find an accepted and approved
process by which external resources can be imported or temporarily accessed.
These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance)
These scanners are [periodically updated](../index.md#vulnerability-scanner-maintenance)
with new definitions, and you may be able to make occasional updates on your own.
For details on saving and transporting Docker images as a file, see Docker's documentation on

View file

@ -645,7 +645,7 @@ vulnerabilities in your groups, projects and pipelines. Read more about the
## Vulnerabilities database update
For more information about the vulnerabilities database update, see the
[maintenance table](../vulnerabilities/index.md#vulnerability-scanner-maintenance).
[maintenance table](../index.md#vulnerability-scanner-maintenance).
## Dependency List
@ -821,7 +821,7 @@ registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
The process for importing Docker images into a local offline Docker registry depends on
**your network security policy**. Please consult your IT staff to find an accepted and approved
process by which external resources can be imported or temporarily accessed.
These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance)
These scanners are [periodically updated](../index.md#vulnerability-scanner-maintenance)
with new definitions, and you may be able to make occasional updates on your own.
For details on saving and transporting Docker images as a file, see Docker's documentation on

View file

@ -2,7 +2,6 @@
stage: Secure
group: Static Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference, howto
---
# Secure your application **(ULTIMATE)**
@ -46,6 +45,25 @@ GitLab uses the following tools to scan and report known vulnerabilities found i
| [Coverage fuzzing](coverage_fuzzing/index.md) | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. |
| [Cluster Image Scanning](cluster_image_scanning/index.md) | Scan Kubernetes clusters for known vulnerabilities. |
## Vulnerability scanner maintenance
The following vulnerability scanners and their databases are regularly updated:
| Secure scanning tool | Vulnerabilities database updates |
|:----------------------------------------------------------------|:---------------------------------|
| [Container Scanning](container_scanning/index.md) | A job runs on a daily basis to build new images with the latest vulnerability database updates from the upstream scanner. For more details, see [Vulnerabilities database update](container_scanning/index.md#vulnerabilities-database-update). |
| [Dependency Scanning](dependency_scanning/index.md) | Relies on `bundler-audit` (for Ruby gems), `retire.js` (for npm packages), and `gemnasium` (the GitLab tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated on a daily basis using [data from NVD, the `ruby-advisory-db` and the GitHub Security Advisory Database as data sources](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/SOURCES.md). See our [current measurement of time from CVE being issued to our product being updated](https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update). |
| [Dynamic Application Security Testing (DAST)](dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/main/Dockerfile#L1). The scanning rules are downloaded at scan runtime. |
| [Static Application Security Testing (SAST)](sast/index.md) | Relies exclusively on [the tools GitLab wraps](sast/index.md#supported-languages-and-frameworks). The underlying analyzers are updated at least once per month if a relevant update is available. The vulnerabilities database is updated by the upstream tools. |
In versions of GitLab that use the same major version of the analyzer, you do not have to update
GitLab to benefit from the latest vulnerabilities definitions. The security tools are released as
Docker images. The vendored job definitions that enable them use major release tags according to
[semantic versioning](https://semver.org/). Each new release of the tools overrides these tags.
Although in a major analyzer version you automatically get the latest versions of the scanning
tools, there are some [known issues](https://gitlab.com/gitlab-org/gitlab/-/issues/9725) with this
approach.
## Security scanning with Auto DevOps
To enable all GitLab Security scanning tools, with default settings, enable
@ -149,8 +167,8 @@ The artifact generated by the secure analyzer contains all findings it discovers
### All tiers
Merge requests which have run security scans let you know that the generated
reports are available to download. To download a report, click on the
**Download results** dropdown, and select the desired report.
reports are available to download. To download a report, select
**Download results**, and select the desired report.
![Security widget](img/security_widget_v13_7.png)
@ -210,7 +228,7 @@ Vulnerability-Check rule. While this rule is enabled, additional merge request a
[eligible approvers](../project/merge_requests/approvals/rules.md#eligible-approvers)
is required when the latest security report in a merge request:
- Contains vulnerabilities with states (for example, `previously detected`, `dismissed`) matching the rule's vulnerability states. Only `newly detected` will be considered if the target branch differs from the project default branch.
- Contains vulnerabilities with states (for example, `previously detected`, `dismissed`) matching the rule's vulnerability states. Only `newly detected` are considered if the target branch differs from the project default branch.
- Contains vulnerabilities with severity levels (for example, `high`, `critical`, or `unknown`)
matching the rule's severity levels.
- Contains a vulnerability count higher than the rule allows.

View file

@ -936,7 +936,7 @@ registry.gitlab.com/security-products/sast/spotbugs:2
The process for importing Docker images into a local offline Docker registry depends on
**your network security policy**. Please consult your IT staff to find an accepted and approved
process by which external resources can be imported or temporarily accessed. These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance)
process by which external resources can be imported or temporarily accessed. These scanners are [periodically updated](../index.md#vulnerability-scanner-maintenance)
with new definitions, and you may be able to make occasional updates on your own.
For details on saving and transporting Docker images as a file, see Docker's documentation on

View file

@ -368,7 +368,7 @@ registry.gitlab.com/security-products/secret-detection:3
The process for importing Docker images into a local offline Docker registry depends on
**your network security policy**. Please consult your IT staff to find an accepted and approved
process by which external resources can be imported or temporarily accessed. These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance)
process by which external resources can be imported or temporarily accessed. These scanners are [periodically updated](../index.md#vulnerability-scanner-maintenance)
with new definitions, and you may be able to make occasional updates on your own.
For details on saving and transporting Docker images as a file, see Docker's documentation on

View file

@ -1,5 +1,4 @@
---
type: reference, howto
stage: Secure
group: Threat Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
@ -160,23 +159,3 @@ To manually apply the patch that GitLab generated for a vulnerability:
1. Ensure your local project has the same commit checked out that was used to generate the patch.
1. Run `git apply remediation.patch`.
1. Verify and commit the changes to your branch.
## Vulnerability scanner maintenance
The following vulnerability scanners and their databases are regularly updated:
| Secure scanning tool | Vulnerabilities database updates |
|:----------------------------------------------------------------|----------------------------------|
| [Container Scanning](../container_scanning/index.md) | A job runs on a daily basis to build new images with the latest vulnerability database updates from the upstream scanner. For more details, see [Vulnerabilities database update](../container_scanning/index.md#vulnerabilities-database-update). |
| [Dependency Scanning](../dependency_scanning/index.md) | Relies on `bundler-audit` (for Ruby gems), `retire.js` (for npm packages), and `gemnasium` (the GitLab tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated on a daily basis using [data from NVD, the `ruby-advisory-db` and the GitHub Security Advisory Database as data sources](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/SOURCES.md). See our [current measurement of time from CVE being issued to our product being updated](https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update). |
| [Dynamic Application Security Testing (DAST)](../dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/main/Dockerfile#L1). The scanning rules are downloaded at scan runtime. |
| [Static Application Security Testing (SAST)](../sast/index.md) | Relies exclusively on [the tools GitLab wraps](../sast/index.md#supported-languages-and-frameworks). The underlying analyzers are updated at least once per month if a relevant update is available. The vulnerabilities database is updated by the upstream tools. |
You do not have to update GitLab to benefit from the latest vulnerabilities definitions.
The security tools are released as Docker images. The vendored job definitions that enable them use
major release tags according to [semantic versioning](https://semver.org/). Each new release of the
tools overrides these tags.
The Docker images are updated to match the previous GitLab releases. Although
you automatically get the latest versions of the scanning tools,
there are some [known issues](https://gitlab.com/gitlab-org/gitlab/-/issues/9725)
with this approach.

View file

@ -22,6 +22,8 @@ You can take advantage of License Compliance by either:
[Auto License Compliance](../../../topics/autodevops/stages.md#auto-license-compliance),
provided by [Auto DevOps](../../../topics/autodevops/index.md).
The current major version of the License Scanning analyzer is 3.
To detect the licenses in use, License Compliance uses the [License Finder](https://github.com/pivotal/LicenseFinder) scan tool that runs as part of the CI/CD pipeline.
For the job to activate, License Finder needs to find a compatible package definition in the project directory. For details, see the [Activation on License Finder documentation](https://github.com/pivotal/LicenseFinder#activation).
GitLab checks the License Compliance report, compares the
@ -674,7 +676,7 @@ registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
The process for importing Docker images into a local offline Docker registry depends on
**your network security policy**. Please consult your IT staff to find an accepted and approved
process by which external resources can be imported or temporarily accessed. Note that these scanners are [updated periodically](../../application_security/vulnerabilities/index.md#vulnerability-scanner-maintenance)
process by which external resources can be imported or temporarily accessed. Note that these scanners are [updated periodically](../../application_security/index.md#vulnerability-scanner-maintenance)
with new definitions, so consider if you are able to make periodic updates yourself.
For details on saving and transporting Docker images as a file, see Docker's documentation on

View file

@ -28,15 +28,9 @@ msgstr ""
msgid " Please sign in."
msgstr ""
msgid " Target Path"
msgstr ""
msgid " Try to %{action} this file again."
msgstr ""
msgid " Type"
msgstr ""
msgid " You need to do this before %{grace_period_deadline}."
msgstr ""
@ -6136,9 +6130,6 @@ msgstr ""
msgid "Broadcast Messages"
msgstr ""
msgid "Broadcast messages are displayed for every user and can be used to notify users about scheduled maintenance, recent upgrades and more."
msgstr ""
msgid "Browse Directory"
msgstr ""
@ -31732,6 +31723,12 @@ msgstr ""
msgid "Saving project."
msgstr ""
msgid "ScanResultPolicy|%{thenLabelStart}Then%{thenLabelEnd} Require approval from %{approvalsRequired} of the following approvers: %{approvers}"
msgstr ""
msgid "ScanResultPolicy|add an approver"
msgstr ""
msgid "Scanner"
msgstr ""
@ -35702,6 +35699,9 @@ msgstr ""
msgid "Target branch"
msgstr ""
msgid "Target roles"
msgstr ""
msgid "Target-Branch"
msgstr ""
@ -36190,6 +36190,9 @@ msgstr ""
msgid "The branch or tag does not exist"
msgstr ""
msgid "The broadcast message displays only to users in projects and groups who have these roles."
msgstr ""
msgid "The character highlighter helps you keep the subject line to %{titleLength} characters and wrap the body at %{bodyLength} so they are readable in git."
msgstr ""
@ -39435,6 +39438,9 @@ msgstr ""
msgid "Use authorized_keys file to authenticate SSH keys"
msgstr ""
msgid "Use banners and notifications to notify your users about scheduled maintenance, recent upgrades, and more."
msgstr ""
msgid "Use cURL"
msgstr ""

View file

@ -7,7 +7,12 @@ RSpec.describe 'Admin Broadcast Messages' do
admin = create(:admin)
sign_in(admin)
gitlab_enable_admin_mode_sign_in(admin)
create(:broadcast_message, :expired, message: 'Migration to new server')
create(
:broadcast_message,
:expired,
message: 'Migration to new server',
target_access_levels: [Gitlab::Access::DEVELOPER]
)
visit admin_broadcast_messages_path
end
@ -21,10 +26,13 @@ RSpec.describe 'Admin Broadcast Messages' do
fill_in 'broadcast_message_target_path', with: '*/user_onboarded'
fill_in 'broadcast_message_font', with: '#b94a48'
select Date.today.next_year.year, from: 'broadcast_message_ends_at_1i'
select 'Guest', from: 'broadcast_message_target_access_levels'
select 'Owner', from: 'broadcast_message_target_access_levels'
click_button 'Add broadcast message'
expect(current_path).to eq admin_broadcast_messages_path
expect(page).to have_content 'Application update from 4:00 CST to 5:00 CST'
expect(page).to have_content 'Guest, Owner'
expect(page).to have_content '*/user_onboarded'
expect(page).to have_selector 'strong', text: '4:00 CST to 5:00 CST'
expect(page).to have_selector %(div[style="background-color: #f2dede; color: #b94a48"])
@ -35,10 +43,14 @@ RSpec.describe 'Admin Broadcast Messages' do
fill_in 'broadcast_message_target_path', with: '*/user_onboarded'
select 'Notification', from: 'broadcast_message_broadcast_type'
select Date.today.next_year.year, from: 'broadcast_message_ends_at_1i'
select 'Reporter', from: 'broadcast_message_target_access_levels'
select 'Developer', from: 'broadcast_message_target_access_levels'
select 'Maintainer', from: 'broadcast_message_target_access_levels'
click_button 'Add broadcast message'
expect(current_path).to eq admin_broadcast_messages_path
expect(page).to have_content 'Application update from 4:00 CST to 5:00 CST'
expect(page).to have_content 'Reporter, Developer, Maintainer'
expect(page).to have_content '*/user_onboarded'
expect(page).to have_content 'Notification'
expect(page).to have_selector 'strong', text: '4:00 CST to 5:00 CST'
@ -47,10 +59,15 @@ RSpec.describe 'Admin Broadcast Messages' do
it 'edit an existing broadcast message' do
click_link 'Edit'
fill_in 'broadcast_message_message', with: 'Application update RIGHT NOW'
select 'Reporter', from: 'broadcast_message_target_access_levels'
click_button 'Update broadcast message'
expect(current_path).to eq admin_broadcast_messages_path
expect(page).to have_content 'Application update RIGHT NOW'
page.within('.table-responsive') do
expect(page).to have_content 'Reporter, Developer'
end
end
it 'remove an existing broadcast message' do

View file

@ -3,6 +3,71 @@
require 'spec_helper'
RSpec.describe BroadcastMessagesHelper do
include Gitlab::Routing.url_helpers
let_it_be(:user) { create(:user) }
before do
allow(helper).to receive(:current_user).and_return(user)
end
shared_examples 'returns role-targeted broadcast message when in project, group, or sub-group URL' do
let(:feature_flag_state) { true }
before do
stub_feature_flags(role_targeted_broadcast_messages: feature_flag_state)
allow(helper).to receive(:cookies) { {} }
end
context 'when in a project page' do
let_it_be(:project) { create(:project) }
before do
project.add_developer(user)
assign(:project, project)
allow(helper).to receive(:controller) { ProjectsController.new }
end
it { is_expected.to eq message }
context 'when feature flag is disabled' do
let(:feature_flag_state) { false }
it { is_expected.to be_nil }
end
end
context 'when in a group page' do
let_it_be(:group) { create(:group) }
before do
group.add_developer(user)
assign(:group, group)
allow(helper).to receive(:controller) { GroupsController.new }
end
it { is_expected.to eq message }
context 'when feature flag is disabled' do
let(:feature_flag_state) { false }
it { is_expected.to be_nil }
end
end
context 'when not in a project, group, or sub-group page' do
it { is_expected.to be_nil }
context 'when feature flag is disabled' do
let(:feature_flag_state) { false }
it { is_expected.to be_nil }
end
end
end
describe 'current_broadcast_notification_message' do
subject { helper.current_broadcast_notification_message }
@ -24,17 +89,27 @@ RSpec.describe BroadcastMessagesHelper do
context 'without broadcast notification messages' do
it { is_expected.to be_nil }
end
describe 'user access level targeted messages' do
let_it_be(:message) { create(:broadcast_message, broadcast_type: 'notification', starts_at: Time.now, target_access_levels: [Gitlab::Access::DEVELOPER]) }
include_examples 'returns role-targeted broadcast message when in project, group, or sub-group URL'
end
end
describe 'current_broadcast_banner_messages' do
describe 'user access level targeted messages' do
let_it_be(:message) { create(:broadcast_message, broadcast_type: 'banner', starts_at: Time.now, target_access_levels: [Gitlab::Access::DEVELOPER]) }
subject { helper.current_broadcast_banner_messages.first }
include_examples 'returns role-targeted broadcast message when in project, group, or sub-group URL'
end
end
describe 'broadcast_message' do
let_it_be(:user) { create(:user) }
let(:current_broadcast_message) { BroadcastMessage.new(message: 'Current Message') }
before do
allow(helper).to receive(:current_user).and_return(user)
end
it 'returns nil when no current message' do
expect(helper.broadcast_message(nil)).to be_nil
end

View file

@ -23,6 +23,8 @@ RSpec.describe BroadcastMessage do
it { is_expected.to allow_value(1).for(:broadcast_type) }
it { is_expected.not_to allow_value(nil).for(:broadcast_type) }
it { is_expected.not_to allow_value(nil).for(:target_access_levels) }
it { is_expected.to validate_inclusion_of(:target_access_levels).in_array(described_class::ALLOWED_TARGET_ACCESS_LEVELS) }
end
shared_examples 'time constrainted' do |broadcast_type|
@ -175,12 +177,48 @@ RSpec.describe BroadcastMessage do
end
end
shared_examples "matches with user access level" do |broadcast_type|
context 'when target_access_levels is empty' do
let_it_be(:message) { create(:broadcast_message, target_access_levels: [], broadcast_type: broadcast_type) }
it 'returns the message if user access level is not nil' do
expect(subject.call(nil, Gitlab::Access::MINIMAL_ACCESS)).to include(message)
end
it 'returns the message if user access level is nil' do
expect(subject.call(nil, nil)).to include(message)
end
end
context 'when target_access_levels is not empty' do
let_it_be(:target_access_levels) { [Gitlab::Access::GUEST] }
let_it_be(:message) { create(:broadcast_message, target_access_levels: target_access_levels, broadcast_type: broadcast_type) }
it "does not return the message if user access level is nil" do
expect(subject.call(nil, nil)).to be_empty
end
it "returns the message if user access level is in target_access_levels" do
expect(subject.call(nil, Gitlab::Access::GUEST)).to include(message)
end
it "does not return the message if user access level is not in target_access_levels" do
expect(subject.call(nil, Gitlab::Access::MINIMAL_ACCESS)).to be_empty
end
end
end
describe '.current', :use_clean_rails_memory_store_caching do
subject { -> (path = nil) { described_class.current(path) } }
subject do
-> (path = nil, user_access_level = nil) do
described_class.current(current_path: path, user_access_level: user_access_level)
end
end
it_behaves_like 'time constrainted', :banner
it_behaves_like 'message cache', :banner
it_behaves_like 'matches with current path', :banner
it_behaves_like 'matches with user access level', :banner
it 'returns both types' do
banner_message = create(:broadcast_message, broadcast_type: :banner)
@ -191,11 +229,16 @@ RSpec.describe BroadcastMessage do
end
describe '.current_banner_messages', :use_clean_rails_memory_store_caching do
subject { -> (path = nil) { described_class.current_banner_messages(path) } }
subject do
-> (path = nil, user_access_level = nil) do
described_class.current_banner_messages(current_path: path, user_access_level: user_access_level)
end
end
it_behaves_like 'time constrainted', :banner
it_behaves_like 'message cache', :banner
it_behaves_like 'matches with current path', :banner
it_behaves_like 'matches with user access level', :banner
it 'only returns banners' do
banner_message = create(:broadcast_message, broadcast_type: :banner)
@ -206,11 +249,16 @@ RSpec.describe BroadcastMessage do
end
describe '.current_notification_messages', :use_clean_rails_memory_store_caching do
subject { -> (path = nil) { described_class.current_notification_messages(path) } }
subject do
-> (path = nil, user_access_level = nil) do
described_class.current_notification_messages(current_path: path, user_access_level: user_access_level)
end
end
it_behaves_like 'time constrainted', :notification
it_behaves_like 'message cache', :notification
it_behaves_like 'matches with current path', :notification
it_behaves_like 'matches with user access level', :notification
it 'only returns notifications' do
notification_message = create(:broadcast_message, broadcast_type: :notification)

View file

@ -0,0 +1,36 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'admin/broadcast_messages/index' do
describe 'Target roles select and table column' do
let(:feature_flag_state) { true }
let_it_be(:message) { create(:broadcast_message, broadcast_type: 'banner', target_access_levels: [Gitlab::Access::GUEST, Gitlab::Access::DEVELOPER]) }
before do
assign(:broadcast_messages, BroadcastMessage.page(1))
assign(:broadcast_message, BroadcastMessage.new)
stub_feature_flags(role_targeted_broadcast_messages: feature_flag_state)
render
end
it 'rendered' do
expect(rendered).to have_content('Target roles')
expect(rendered).to have_content('Owner')
expect(rendered).to have_content('Guest, Developer')
end
context 'when feature flag is off' do
let(:feature_flag_state) { false }
it 'is not rendered' do
expect(rendered).not_to have_content('Target roles')
expect(rendered).not_to have_content('Owner')
expect(rendered).not_to have_content('Guest, Developer')
end
end
end
end