Add latest changes from gitlab-org/gitlab@master

9 files changed, 202 insertions, 15 deletions

diff --git a/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml b/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml
new file mode 100644
index 00000000000..461a2fda6cd
--- /dev/null
+++ b/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml
@@ -0,0 +1,5 @@
+---
+title: Improve SAST NO_DIND file detection with proper boundary conditions
+merge_request: 28036
+author:
+type: fixed
diff --git a/changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml b/changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml
new file mode 100644
index 00000000000..2587ed0f05d
--- /dev/null
+++ b/changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml
@@ -0,0 +1,5 @@
+---
+title: Refactor projects/:id/packages API to supply only necessary params to PackagesFinder
+merge_request: 29052
+author: Sashi Kumar
+type: other
diff --git a/doc/administration/troubleshooting/debug.md b/doc/administration/troubleshooting/debug.md
index d0c1f3fa0ff..1e1b2ad8378 100644
--- a/doc/administration/troubleshooting/debug.md
+++ b/doc/administration/troubleshooting/debug.md
@@ -62,8 +62,8 @@ puts Readline::HISTORY.to_a
 
 ## Using the Rails Runner
 
-If you need to run some Ruby code in thex context of your GitLab production
-environment, you can do so using the [Rails Runner](https://guides.rubyonrails.org/command_line.html#rails-runner).
+If you need to run some Ruby code in the context of your GitLab production
+environment, you can do so using the [Rails Runner](https://guides.rubyonrails.org/command_line.html#rails-runner). When executing a script file, the script must be accessible by the `git` user.
 
 **For Omnibus installations**
 
@@ -72,6 +72,9 @@ sudo gitlab-rails runner "RAILS_COMMAND"
 
 # Example with a two-line Ruby script
 sudo gitlab-rails runner "user = User.first; puts user.username"
+
+# Example with a ruby script file
+sudo gitlab-rails runner /path/to/script.rb
 ```
 
 **For installations from source**
@@ -81,6 +84,9 @@ sudo -u git -H bundle exec rails runner -e production "RAILS_COMMAND"
 
 # Example with a two-line Ruby script
 sudo -u git -H bundle exec rails runner -e production "user = User.first; puts user.username"
+
+# Example with a ruby script file
+sudo -u git -H bundle exec rails runner -e production /path/to/script.rb
 ```
 
 ## Mail not working
diff --git a/doc/api/graphql/reference/gitlab_schema.graphql b/doc/api/graphql/reference/gitlab_schema.graphql
index 22ca25e45d3..4ce54a1b3fb 100644
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -7174,6 +7174,51 @@ type Query {
     """
     visibility: VisibilityScopesEnum
   ): SnippetConnection
+
+  """
+  Vulnerabilities reported on projects on the current user's instance security dashboard
+  """
+  vulnerabilities(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+
+    """
+    Filter vulnerabilities by project
+    """
+    projectId: [ID!]
+
+    """
+    Filter vulnerabilities by report type
+    """
+    reportType: [VulnerabilityReportType!]
+
+    """
+    Filter vulnerabilities by severity
+    """
+    severity: [VulnerabilitySeverity!]
+
+    """
+    Filter vulnerabilities by state
+    """
+    state: [VulnerabilityState!]
+  ): VulnerabilityConnection
 }
 
 """
diff --git a/doc/api/graphql/reference/gitlab_schema.json b/doc/api/graphql/reference/gitlab_schema.json
index 40bd27062b3..bf8206e61cc 100644
--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -21480,6 +21480,131 @@
               },
               "isDeprecated": false,
               "deprecationReason": null
+            },
+            {
+              "name": "vulnerabilities",
+              "description": "Vulnerabilities reported on projects on the current user's instance security dashboard",
+              "args": [
+                {
+                  "name": "projectId",
+                  "description": "Filter vulnerabilities by project",
+                  "type": {
+                    "kind": "LIST",
+                    "name": null,
+                    "ofType": {
+                      "kind": "NON_NULL",
+                      "name": null,
+                      "ofType": {
+                        "kind": "SCALAR",
+                        "name": "ID",
+                        "ofType": null
+                      }
+                    }
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "reportType",
+                  "description": "Filter vulnerabilities by report type",
+                  "type": {
+                    "kind": "LIST",
+                    "name": null,
+                    "ofType": {
+                      "kind": "NON_NULL",
+                      "name": null,
+                      "ofType": {
+                        "kind": "ENUM",
+                        "name": "VulnerabilityReportType",
+                        "ofType": null
+                      }
+                    }
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "severity",
+                  "description": "Filter vulnerabilities by severity",
+                  "type": {
+                    "kind": "LIST",
+                    "name": null,
+                    "ofType": {
+                      "kind": "NON_NULL",
+                      "name": null,
+                      "ofType": {
+                        "kind": "ENUM",
+                        "name": "VulnerabilitySeverity",
+                        "ofType": null
+                      }
+                    }
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "state",
+                  "description": "Filter vulnerabilities by state",
+                  "type": {
+                    "kind": "LIST",
+                    "name": null,
+                    "ofType": {
+                      "kind": "NON_NULL",
+                      "name": null,
+                      "ofType": {
+                        "kind": "ENUM",
+                        "name": "VulnerabilityState",
+                        "ofType": null
+                      }
+                    }
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "after",
+                  "description": "Returns the elements in the list that come after the specified cursor.",
+                  "type": {
+                    "kind": "SCALAR",
+                    "name": "String",
+                    "ofType": null
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "before",
+                  "description": "Returns the elements in the list that come before the specified cursor.",
+                  "type": {
+                    "kind": "SCALAR",
+                    "name": "String",
+                    "ofType": null
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "first",
+                  "description": "Returns the first _n_ elements from the list.",
+                  "type": {
+                    "kind": "SCALAR",
+                    "name": "Int",
+                    "ofType": null
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "last",
+                  "description": "Returns the last _n_ elements from the list.",
+                  "type": {
+                    "kind": "SCALAR",
+                    "name": "Int",
+                    "ofType": null
+                  },
+                  "defaultValue": null
+                }
+              ],
+              "type": {
+                "kind": "OBJECT",
+                "name": "VulnerabilityConnection",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
             }
           ],
           "inputFields": null,
diff --git a/doc/development/contributing/issue_workflow.md b/doc/development/contributing/issue_workflow.md
index a4c55cdbd1b..5df357eee9e 100644
--- a/doc/development/contributing/issue_workflow.md
+++ b/doc/development/contributing/issue_workflow.md
@@ -449,7 +449,7 @@ It's common to discover technical debt during development of a new feature. In
 the spirit of "minimum viable change", resolution is often deferred to a
 follow-up issue. However, this cannot be used as an excuse to merge poor-quality
 code that would otherwise not pass review, or to overlook trivial matters that
-don't deserve the be scheduled independently, and would be best resolved in the
+don't deserve to be scheduled independently, and would be best resolved in the
 original merge request - or not tracked at all!
 
 The overheads of scheduling, and rate of change in the GitLab codebase, mean
diff --git a/doc/user/application_security/offline_deployments/index.md b/doc/user/application_security/offline_deployments/index.md
index 5a5f149a3bf..61b34901849 100644
--- a/doc/user/application_security/offline_deployments/index.md
+++ b/doc/user/application_security/offline_deployments/index.md
@@ -76,6 +76,6 @@ Each individual scanner may be slightly different than the steps described
 above. You can find more information at each of the pages below:
 
 - [Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-environment)
-- [SAST offline directions](../sast/index.md#gitlab-sast-in-an-offline-environment)
+- [SAST offline directions](../sast/index.md#running-sast-in-an-offline-environment)
 - [DAST offline directions](../dast/index.md#running-dast-in-an-offline-environment)
 - [License Compliance offline directions](../../compliance/license_compliance/index.md#running-license-compliance-in-an-offline-environment)
diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md
index 3a711138a76..75afdfb5cf5 100644
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -504,16 +504,17 @@ Once a vulnerability is found, you can interact with it. Read more on how to
 For more information about the vulnerabilities database update, check the
 [maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database).
 
-## GitLab SAST in an offline environment
+## Running SAST in an offline environment
 
 For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
 to external resources through the internet, some adjustments are required for the SAST job to
-successfully run.
+successfully run. For more information, see [Offline environments](../offline_deployments/index.md).
 
 ### Requirements for offline SAST
 
 To use SAST in an offline environment, you need:
 
+- [Disable Docker-In-Docker](#disabling-docker-in-docker-for-sast)
 - GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
 - Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
 
diff --git a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
index b710ad3d0db..03b9720747d 100644
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -65,7 +65,7 @@ bandit-sast:
     variables:
       - $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /bandit/&&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/
 
 brakeman-sast:
   extends: .sast-analyzer
@@ -75,7 +75,7 @@ brakeman-sast:
     variables:
       - $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /brakeman/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bruby\b/
 
 eslint-sast:
   extends: .sast-analyzer
@@ -85,7 +85,7 @@ eslint-sast:
     variables:
       - $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /eslint/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
 
 flawfinder-sast:
   extends: .sast-analyzer
@@ -95,7 +95,7 @@ flawfinder-sast:
     variables:
       - $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /flawfinder/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c)\b/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /(c(\+\+)?,)|(c(\+\+)?$)/
 
 kubesec-sast:
   extends: .sast-analyzer
@@ -125,7 +125,7 @@ nodejs-scan-sast:
     variables:
       - $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
 
 phpcs-security-audit-sast:
   extends: .sast-analyzer
@@ -135,7 +135,7 @@ phpcs-security-audit-sast:
     variables:
       - $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /php/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bphp\b/
 
 pmd-apex-sast:
   extends: .sast-analyzer
@@ -145,7 +145,7 @@ pmd-apex-sast:
     variables:
       - $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /apex/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bapex\b/
 
 secrets-sast:
   extends: .sast-analyzer
@@ -174,7 +174,7 @@ sobelow-sast:
     variables:
       - $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /sobelow/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /elixir/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\belixir\b/
 
 spotbugs-sast:
   extends: .sast-analyzer
@@ -194,4 +194,4 @@ tslint-sast:
     variables:
       - $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /tslint/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /typescript/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\btypescript\b/