diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-24 17:28:19 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-24 17:28:19 +0000 |
| commit | 0c2b07bfcb884e2b1ab6b5521596423578a3cdf8 (patch) | |
| tree | e141bb9c790d02bdcae6d3d66f563c94475a9d51 | |
| parent | a77c4d2dce9e77e7104f009822faf56063a37dea (diff) | |
| download | gitlab-ce-0c2b07bfcb884e2b1ab6b5521596423578a3cdf8.tar.gz | |
Add latest changes from gitlab-org/gitlab@15-5-stable-ee
| -rw-r--r-- | data/whats_new/202210220001_15_5.yml | 79 | ||||
| -rw-r--r-- | doc/administration/package_information/supported_os.md | 1 | ||||
| -rw-r--r-- | doc/user/application_security/sast/analyzers.md | 63 | ||||
| -rw-r--r-- | doc/user/application_security/sast/index.md | 34 | ||||
| -rw-r--r-- | doc/user/project/issues/managing_issues.md | 7 | ||||
| -rw-r--r-- | lib/gitlab/kas/client.rb | 2 | ||||
| -rw-r--r-- | lib/tasks/gitlab/gitaly.rake | 2 | ||||
| -rw-r--r-- | spec/lib/gitlab/kas/client_spec.rb | 9 | ||||
| -rw-r--r-- | spec/support/database/multiple_databases.rb | 20 | ||||
| -rw-r--r-- | spec/support/database_cleaner.rb | 10 | ||||
| -rw-r--r-- | spec/support/migration.rb | 2 | ||||
| -rw-r--r-- | spec/tasks/gitlab/gitaly_rake_spec.rb | 8 |
12 files changed, 165 insertions, 72 deletions
diff --git a/data/whats_new/202210220001_15_5.yml b/data/whats_new/202210220001_15_5.yml new file mode 100644 index 00000000000..817dff2b192 --- /dev/null +++ b/data/whats_new/202210220001_15_5.yml @@ -0,0 +1,79 @@ +- name: "Deploy apps to Google Cloud with GitLab Cloud Seed" + description: | + Cloud Seed allows GitLab and Google Cloud customers to migrate to the cloud using a single platform, consolidating their tech stack without slowing down their cloud adoption process. Cloud Seed is built into the GitLab web UI and leverages CI/CD pipeline capabilities. It is specifically tailored to offer a frictionless developer experience for consuming Google Cloud services, supporting [Service Accounts](https://docs.gitlab.com/ee/cloud_seed/index.html#set-up-deployment-credentials), [Regions](https://docs.gitlab.com/ee/cloud_seed/index.html#configure-your-preferred-gcp-region), [Cloud Run](https://docs.gitlab.com/ee/cloud_seed/index.html#deploy-to-google-cloud-run), and [Cloud SQL](https://docs.gitlab.com/ee/cloud_seed/index.html#provision-cloud-sql-databases). + stage: Release + self-managed: true + gitlab-com: true + available_in: [Free, Premium, Ultimate] + documentation_link: 'https://docs.gitlab.com/ee/cloud_seed/index.html' + image_url: 'https://img.youtube.com/vi/zDMGCyAgCPY/hqdefault.jpg' + published_at: 2022-10-22 + release: 15.5 +- name: "Autocomplete suggestions in the Content Editor" + description: | + GitLab Flavored Markdown provides convenient shortcuts for referencing GitLab-specific items like users, issues, epics, and even emojis in your content. For example, you can type `#35266` to link to that issue or `:thumb` to see a list of thumb emojis. Now when you use the Content Editor, you get access to the same powerful autocomplete suggestions. + stage: Create + self-managed: true + gitlab-com: true + available_in: [Free, Premium, Ultimate] + documentation_link: 'https://docs.gitlab.com/ee/user/markdown.html#gitlab-specific-references' + image_url: 'https://about.gitlab.com/images/15_5/content-editor-suggestions.png' + published_at: 2022-10-22 + release: 15.5 +- name: "Rule Mode for Scan Execution Policies" + description: | + GitLab now supports editing scan execution policies through the UI in `Rule Mode` in addition to the `Yaml Mode` that was available previously. This new visual editor makes it easy to construct a policy, even for non-technical users. Policies can be used to require security scans to run on a schedule or as part of a project pipeline. To get started, have a Project Owner link an associated security policy project on the **Security & Compliance > Policies** page. + stage: Govern + self-managed: true + gitlab-com: true + available_in: [Ultimate] + documentation_link: 'https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html' + image_url: 'https://about.gitlab.com/images/15_5/govern-scan-execution-policy-rule-mode.png' + published_at: 2022-10-22 + release: 15.5 +- name: "Email notification when two-factor OTP attempt is wrong" + description: | + On accounts with two-factor authentication (2FA) enabled, bad actors that enter correct usernames and passwords must still enter a + correct one-time password (OTP) to access the account. However, users would not know incorrect codes are being entered. Now users are + immediately sent an email when an incorrect OTP is entered, improving security by notifying them that their account might be compromised. + stage: Manage + self-managed: true + gitlab-com: true + available_in: [Free, Premium, Ultimate] + documentation_link: 'https://docs.gitlab.com/ee/user/profile/notifications.html#notifications-for-attempted-sign-in-using-wrong-two-factor-authentication-codes' + image_url: 'https://about.gitlab.com/images/15_5/manage-otp-email.png' + published_at: 2022-10-22 + release: 15.5 +- name: "Error Tracking Open Beta" + description: | + In GitLab 15.5, we are re-enabling GitLab [integrated error tracking](https://docs.gitlab.com/ee/operations/error_tracking.html#integrated-error-tracking) for GitLab.com in [Open Beta](https://about.gitlab.com/handbook/product/gitlab-the-product/#open-beta). We've reworked the architecture so it uses our new Observability backend, leveraging the ClickHouse database. This improvement will enable scaling and a more performant system for the user. In addition, this sets the groundwork to have errors in the same database as other observability data such as metrics, traces, and logs. We want to allow users to see errors on the same dashboard as other observability data, and enable them to be embedded into issues and incidents. + stage: Monitor + self-managed: false + gitlab-com: true + available_in: [Free, Premium, Ultimate] + documentation_link: 'https://docs.gitlab.com/ee/operations/error_tracking.html#integrated-error-tracking' + image_url: "https://about.gitlab.com/images/15_5/feature_error_tracking.png" + published_at: 2022-10-22 + release: 15.5 +- name: "Search by environment name in the Environments overview page" + description: | + You can now search the list of environments in the Environments page by name. Previously, there was no search functionality. This sometimes required you to scroll through many pages to find a specific environment and its latest deployment. Now you can easily find an environment by typing in the name into the search bar. Please note you can search for an exact or partial match of the environment name. Wildcards are not yet supported. + stage: Release + self-managed: true + gitlab-com: true + available_in: [Free, Premium, Ultimate] + documentation_link: 'https://docs.gitlab.com/ee/ci/environments/#view-environments-and-deployments' + image_url: 'https://about.gitlab.com/images/15_5/release-env-search.png' + published_at: 2022-10-22 + release: 15.5 +- name: "Operational container scanning" + description: | + GitLab now officially supports vulnerability scanning of container images in operational or production Kubernetes environments. You can set up scanning either through the [configuration file](https://docs.gitlab.com/ee/user/clusters/agent/vulnerabilities.html#enable-operational-container-scanning) for your GitLab Agent for Kubernetes or by creating a [scan execution policy](https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html) to require scans to run on a regular cadence. + stage: Secure + self-managed: true + gitlab-com: true + available_in: [Ultimate] + documentation_link: 'https://docs.gitlab.com/ee/user/clusters/agent/vulnerabilities.html' + image_url: 'https://about.gitlab.com/images/15_5/secure-operational-vulnerabilities.png' + published_at: 2022-10-22 + release: 15.5 diff --git a/doc/administration/package_information/supported_os.md b/doc/administration/package_information/supported_os.md index 00f1bc1eec3..fdbb17f3c71 100644 --- a/doc/administration/package_information/supported_os.md +++ b/doc/administration/package_information/supported_os.md @@ -29,6 +29,7 @@ The following lists the currently supported OSs and their possible EOL dates. | Scientific Linux | GitLab CE / GitLab EE 8.14.0 | x86_64 | [Use CentOS Install Documentation](https://about.gitlab.com/install/#centos-7) | June 2024 | <https://scientificlinux.org/downloads/sl-versions/sl7/> | | Ubuntu 18.04 | GitLab CE / GitLab EE 10.7.0 | amd64 | [Ubuntu Install Documentation](https://about.gitlab.com/install/#ubuntu) | April 2023 | <https://wiki.ubuntu.com/Releases> | | Ubuntu 20.04 | GitLab CE / GitLab EE 13.2.0 | amd64, arm64 | [Ubuntu Install Documentation](https://about.gitlab.com/install/#ubuntu) | April 2025 | <https://wiki.ubuntu.com/Releases> | +| Ubuntu 22.04 | GitLab CE / GitLab EE 15.5.0 | amd64, arm64 | [Ubuntu Install Documentation](https://about.gitlab.com/install/#ubuntu) | April 2027 | <https://wiki.ubuntu.com/Releases> | | Amazon Linux 2 | GitLab CE / GitLab EE 14.9.0 | amd64, arm64 | [Amazon Linux 2 Install Documentation](https://about.gitlab.com/install/#amazonlinux-2) | June 2023 | <https://aws.amazon.com/amazon-linux-2/faqs/> | | Raspberry Pi OS (Buster) (formerly known as Raspbian Buster) | GitLab CE 12.2.0 | armhf | [Raspberry Pi Install Documentation](https://about.gitlab.com/install/#raspberry-pi-os) | 2024 | [Raspberry Pi Details](https://www.raspberrypi.com/news/new-old-functionality-with-raspberry-pi-os-legacy/) | | Raspberry Pi OS (Bullseye) | GitLab CE 15.5.0 | armhf | [Raspberry Pi Install Documentation](https://about.gitlab.com/install/#raspberry-pi-os) | 2026 | [Raspberry Pi Details](https://www.raspberrypi.com/news/raspberry-pi-os-debian-bullseye/) | diff --git a/doc/user/application_security/sast/analyzers.md b/doc/user/application_security/sast/analyzers.md index b7932aae35c..dfb096f14cc 100644 --- a/doc/user/application_security/sast/analyzers.md +++ b/doc/user/application_security/sast/analyzers.md @@ -26,11 +26,8 @@ For each scanner, an analyzer: SAST supports the following official analyzers: -- [`bandit`](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Bandit) - [`brakeman`](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) (Brakeman) -- [`eslint`](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (ESLint (JavaScript and React)) - [`flawfinder`](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) (Flawfinder) -- [`gosec`](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Gosec) - [`kubesec`](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) (Kubesec) - [`mobsf`](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (MobSF (beta)) - [`nodejs-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) (NodeJsScan) @@ -41,6 +38,12 @@ SAST supports the following official analyzers: - [`sobelow`](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) (Sobelow (Elixir Phoenix)) - [`spotbugs`](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) (SpotBugs with the Find Sec Bugs plugin (Ant, Gradle and wrapper, Grails, Maven and wrapper, SBT)) +SAST has used other analyzers in previous versions. These analyzers reached End of Support status and do not receive updates: + +- [`bandit`](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Bandit); [End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. Replaced by the `semgrep` analyzer with GitLab-managed rules. +- [`eslint`](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (ESLint (JavaScript and React)); [End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. Replaced by the `semgrep` analyzer with GitLab-managed rules. +- [`gosec`](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Gosec); [End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. Replaced by the `semgrep` analyzer with GitLab-managed rules. + ## SAST analyzer features For an analyzer to be considered Generally Available, it is expected to minimally @@ -126,19 +129,11 @@ You can see how Semgrep-based scanning will work in your projects before the Git We recommend that you test this change in a merge request but continue using the Stable template in your default branch pipeline configuration. In GitLab 15.3, we [activated a feature flag](https://gitlab.com/gitlab-org/gitlab/-/issues/362179) to migrate security findings on the default branch from other analyzers to Semgrep. -We plan to [plan to remove the deprecated analyzers](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) from the Stable CI/CD template in GitLab 15.4. +In GitLab 15.4, we [removed the deprecated analyzers](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) from the Stable CI/CD template. -To preview the upcoming changes to the CI/CD configuration: +To preview the upcoming changes to the CI/CD configuration in GitLab 15.3 or earlier: 1. Open an MR to switch from the Stable CI/CD template, `SAST.gitlab-ci.yaml`, to [the Latest template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml), `SAST.latest.gitlab-ci.yaml`. - - On GitLab.com, use the latest template directly: - - ```yaml - include: - template: 'SAST.latest.gitlab-ci.yaml' - ``` - - - On a Self-Managed instance, download the template from GitLab.com: ```yaml include: @@ -169,8 +164,8 @@ This variable affects all Secure analyzers, not just the analyzers for SAST. To have GitLab download the analyzers' images from a custom Docker registry, define the prefix with the `SECURE_ANALYZERS_PREFIX` CI/CD variable. -For example, the following instructs SAST to pull `my-docker-registry/gitlab-images/bandit` instead -of `registry.gitlab.com/security-products/bandit`: +For example, the following instructs SAST to pull `my-docker-registry/gitlab-images/semgrep` instead +of `registry.gitlab.com/security-products/semgrep`: ```yaml include: @@ -206,14 +201,14 @@ source code languages detected. However, you can disable select analyzers. To disable select analyzers, set the CI/CD variable `SAST_EXCLUDED_ANALYZERS` to a comma-delimited string listing the analyzers that you want to prevent running. -For example, to disable the `eslint` analyzer: +For example, to disable the `spotbugs` analyzer: ```yaml include: - template: Security/SAST.gitlab-ci.yml variables: - SAST_EXCLUDED_ANALYZERS: "eslint" + SAST_EXCLUDED_ANALYZERS: "spotbugs" ``` ### Custom analyzers @@ -249,25 +244,27 @@ Each analyzer provides data about the vulnerabilities it detects. The following data available from each analyzer. The values provided by these tools are heterogeneous so they are sometimes normalized into common values, for example, `severity` and `confidence`. -| Property / tool | Apex | Bandit | Brakeman | ESLint security | SpotBugs | Flawfinder | Gosec | Kubesec Scanner | MobSF | NodeJsScan | PHP CS Security Audit | Security code Scan (.NET) | Semgrep | Sobelow | +| Property / tool | Apex | Bandit<sup>1</sup> | Brakeman | ESLint security<sup>1</sup> | SpotBugs | Flawfinder | Gosec<sup>1</sup> | Kubesec Scanner | MobSF | NodeJsScan | PHP CS Security Audit | Security code Scan (.NET) | Semgrep | Sobelow | |--------------------------------|------|--------|----------|-----------------|----------|------------|-------|-----------------|-------|------------|-----------------------|---------------------------|---------|---------| | Affected item (for example, class or package) | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| Confidence | ✗ | ✓ | ✓ | ✗ | ✓ | x | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✓ | -| Description | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | -| End column | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| End line | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| External ID (for example, CVE) | ✗ | ✗ | ⚠ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ | -| File | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | -| Internal doc/explanation | ✓ | ⚠ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | -| Internal ID | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | -| Severity | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ⚠ | ✗ | -| Solution | ✓ | ✗ | ✗ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ | -| Source code extract | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | -| Start column | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | -| Start line | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | -| Title | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | -| URLs | ✓ | ✗ | ✓ | ✗ | ⚠ | ✗ | ⚠ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | +| Confidence | ✗ | ✓ | ✓ | ✗ | ✓ | x | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✓ | +| Description | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | +| End column | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | +| End line | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | +| External ID (for example, CVE) | ✗ | ✗ | ⚠ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ | +| File | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | +| Internal doc/explanation | ✓ | ⚠ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | +| Internal ID | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | +| Severity | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ⚠ | ✗ | +| Solution | ✓ | ✗ | ✗ | ✗ | ⚠ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ⚠ | ✗ | +| Source code extract | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | +| Start column | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | +| Start line | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | +| Title | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | +| URLs | ✓ | ✗ | ✓ | ✗ | ⚠ | ✗ | ⚠ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | - ✓ => Data is available. - ⚠ => Data is available, but it's partially reliable, or it has to be extracted from unstructured content. - ✗ => Data is not available or it would require specific, inefficient or unreliable, logic to obtain it. + +1. This analyzer has reached [End of Support](https://about.gitlab.com/handbook/product/gitlab-the-product/#end-of-support). For more information, see the [SAST analyzers](#sast-analyzers) section. diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 6b8bc1933a3..a7624db4604 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -83,14 +83,14 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu | C | [Semgrep](https://semgrep.dev) | 14.2 | | C/C++ | [Flawfinder](https://github.com/david-a-wheeler/flawfinder) | 10.7 | | Elixir (Phoenix) | [Sobelow](https://github.com/nccgroup/sobelow) | 11.1 | -| Go | [Gosec](https://github.com/securego/gosec) | 10.7 | +| Go<sup>3</sup> | [Gosec](https://github.com/securego/gosec) | 10.7 | | Go | [Semgrep](https://semgrep.dev) | 14.4 | | Groovy<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Maven, SBT) | | Helm Charts | [Kubesec](https://github.com/controlplaneio/kubesec) | 13.1 | | Java (any build system) | [Semgrep](https://semgrep.dev) | 14.10 | -| Java<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (SBT) | +| Java<sup>2, 3</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (SBT) | | Java (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | -| JavaScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 | +| JavaScript<sup>3</sup> | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 | | JavaScript | [Semgrep](https://semgrep.dev) | 13.10 | | Kotlin (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | | Kotlin (General)<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 13.11 | @@ -98,15 +98,15 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu | Node.js | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan) | 11.1 | | Objective-C (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | | PHP | [phpcs-security-audit](https://github.com/FloeDesignTechnologies/phpcs-security-audit) | 10.8 | -| Python ([pip](https://pip.pypa.io/en/stable/)) | [bandit](https://github.com/PyCQA/bandit) | 10.3 | +| Python<sup>3</sup> | [bandit](https://github.com/PyCQA/bandit) | 10.3 | | Python | [Semgrep](https://semgrep.dev) | 13.9 | -| React | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react) | 12.5 | +| React<sup>3</sup> | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react) | 12.5 | | React | [Semgrep](https://semgrep.dev) | 13.10 | | Ruby | [brakeman](https://brakemanscanner.org) | 13.9 | | Ruby on Rails | [brakeman](https://brakemanscanner.org) | 10.3 | | Scala<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Gradle, Maven) | | Swift (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | -| TypeScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 | +| TypeScript<sup>3</sup> | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 | | TypeScript | [Semgrep](https://semgrep.dev) | 13.10 | 1. .NET 4 support is limited. The analyzer runs in a Linux container and does not have access to Windows-specific libraries or features. Use the Semgrep-based scanner if you need .NET 4 support. @@ -114,6 +114,7 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu [Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html), [Grails](https://grails.org/), and the [Maven wrapper](https://github.com/takari/maven-wrapper). However, SpotBugs has [limitations](https://gitlab.com/gitlab-org/gitlab/-/issues/350801) when used against [Ant](https://ant.apache.org/)-based projects. We recommend using the Semgrep-based analyzer for Ant-based Java projects. +1. These analyzers reached [End of Support](https://about.gitlab.com/handbook/product/gitlab-the-product/#end-of-support) status [in GitLab 15.4](https://gitlab.com/gitlab-org/gitlab/-/issues/352554). ### Multi-project support @@ -473,8 +474,8 @@ All customization of GitLab security scanning tools should be tested in a merge merging these changes to the default branch. Failure to do so can give unexpected results, including a large number of false positives. -The following example includes the SAST template to override the `SAST_GOSEC_LEVEL` -variable to `2`. The template is [evaluated before](../../../ci/yaml/index.md#include) the pipeline +The following example includes the SAST template to override the `SEARCH_MAX_DEPTH` +variable to `10`. The template is [evaluated before](../../../ci/yaml/index.md#include) the pipeline configuration, so the last mention of the variable takes precedence. ```yaml @@ -482,7 +483,7 @@ include: - template: Security/SAST.gitlab-ci.yml variables: - SAST_GOSEC_LEVEL: 2 + SEARCH_MAX_DEPTH: 10 ``` #### Logging level @@ -536,10 +537,10 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre |------------------------------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs (see [`doublestar.Match`](https://pkg.go.dev/github.com/bmatcuk/doublestar/v4@v4.0.2#Match) for supported patterns), or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. You might need to exclude temporary directories used by your build tool as these can generate false positives. To exclude paths, copy and paste the default excluded paths, then **add** your own paths to be excluded. If you don't specify the default excluded paths, you will override the defaults and _only_ paths you specify will be excluded from the SAST scans. | | `SEARCH_MAX_DEPTH` | 4 | SAST searches the repository to detect the programming languages used, and selects the matching analyzers. Set the value of `SEARCH_MAX_DEPTH` to specify how many directory levels the search phase should span. After the analyzers have been selected, the _entire_ repository is analyzed. | -| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` | +| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'`. [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. | | `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. | | `SAST_FLAWFINDER_LEVEL` | 1 | Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk. | -| `SAST_GOSEC_LEVEL` | 0 | Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High. | +| `SAST_GOSEC_LEVEL` | 0 | Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High. [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. | #### Analyzer settings @@ -664,11 +665,8 @@ import the following default SAST analyzer images from `registry.gitlab.com` int [local Docker container registry](../../packages/container_registry/index.md): ```plaintext -registry.gitlab.com/security-products/bandit:2 registry.gitlab.com/security-products/brakeman:2 -registry.gitlab.com/security-products/eslint:2 registry.gitlab.com/security-products/flawfinder:2 -registry.gitlab.com/security-products/gosec:3 registry.gitlab.com/security-products/kubesec:2 registry.gitlab.com/security-products/nodejs-scan:2 registry.gitlab.com/security-products/phpcs-security-audit:2 @@ -694,11 +692,11 @@ Support for custom certificate authorities was introduced in the following versi | Analyzer | Version | | -------- | ------- | -| `bandit` | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/releases/v2.3.0) | +| `bandit`<sup>1</sup> | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/releases/v2.3.0) | | `brakeman` | [v2.1.0](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman/-/releases/v2.1.0) | -| `eslint` | [v2.9.2](https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/releases/v2.9.2) | +| `eslint`<sup>1</sup> | [v2.9.2](https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/releases/v2.9.2) | | `flawfinder` | [v2.3.0](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/releases/v2.3.0) | -| `gosec` | [v2.5.0](https://gitlab.com/gitlab-org/security-products/analyzers/gosec/-/releases/v2.5.0) | +| `gosec`<sup>1</sup> | [v2.5.0](https://gitlab.com/gitlab-org/security-products/analyzers/gosec/-/releases/v2.5.0) | | `kubesec` | [v2.1.0](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec/-/releases/v2.1.0) | | `nodejs-scan` | [v2.9.5](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan/-/releases/v2.9.5) | | `phpcs-security-audit` | [v2.8.2](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit/-/releases/v2.8.2) | @@ -708,6 +706,8 @@ Support for custom certificate authorities was introduced in the following versi | `sobelow` | [v2.2.0](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/releases/v2.2.0) | | `spotbugs` | [v2.7.1](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/releases/v2.7.1) | +1. These analyzers were deprecated in GitLab 14.8 and [reached End of Support](https://gitlab.com/gitlab-org/gitlab/-/issues/352554) in GitLab 15.4. + ### Set SAST CI/CD variables to use local SAST analyzers Add the following configuration to your `.gitlab-ci.yml` file. You must replace diff --git a/doc/user/project/issues/managing_issues.md b/doc/user/project/issues/managing_issues.md index 213c615326f..9ec6d5b300c 100644 --- a/doc/user/project/issues/managing_issues.md +++ b/doc/user/project/issues/managing_issues.md @@ -689,8 +689,11 @@ Up to five similar issues, sorted by most recently updated, are displayed below > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/213567) in GitLab 13.7. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218618) in GitLab 15.4: health status is visible on issue cards in issue boards. -To help you track issue statuses, you can assign a status to each issue. -This status marks issues as progressing as planned or needing attention to keep on schedule. +To better track the risk in meeting your plans, you can assign a health status to each issue. +You can use health status to signal to others in your organization whether issues are progressing +as planned or need attention to stay on schedule. + +Incorporate a review of issue health status into your daily stand-up, project status reports, or weekly meetings to address risks to timely delivery of your planned work. Prerequisites: diff --git a/lib/gitlab/kas/client.rb b/lib/gitlab/kas/client.rb index 753a185344e..768810d5545 100644 --- a/lib/gitlab/kas/client.rb +++ b/lib/gitlab/kas/client.rb @@ -64,7 +64,7 @@ module Gitlab def credentials if URI(Gitlab::Kas.internal_url).scheme == 'grpcs' - GRPC::Core::ChannelCredentials.new + GRPC::Core::ChannelCredentials.new(::Gitlab::X509::Certificate.ca_certs_bundle) else :this_channel_is_insecure end diff --git a/lib/tasks/gitlab/gitaly.rake b/lib/tasks/gitlab/gitaly.rake index 960d0e51a47..e814d59aaf9 100644 --- a/lib/tasks/gitlab/gitaly.rake +++ b/lib/tasks/gitlab/gitaly.rake @@ -34,7 +34,7 @@ Usage: rake "gitlab:gitaly:install[/installation/dir,/storage/path]") env["BUNDLE_DEPLOYMENT"] = 'false' end - output, status = Gitlab::Popen.popen([make_cmd, 'clean-build', 'all', 'git'], nil, env) + output, status = Gitlab::Popen.popen([make_cmd, 'clean-build', 'all'], nil, env) raise "Gitaly failed to compile: #{output}" unless status&.zero? end end diff --git a/spec/lib/gitlab/kas/client_spec.rb b/spec/lib/gitlab/kas/client_spec.rb index 5b89023cc13..9a0fa6c4067 100644 --- a/spec/lib/gitlab/kas/client_spec.rb +++ b/spec/lib/gitlab/kas/client_spec.rb @@ -111,11 +111,16 @@ RSpec.describe Gitlab::Kas::Client do describe 'with grpcs' do let(:stub) { instance_double(Gitlab::Agent::ConfigurationProject::Rpc::ConfigurationProject::Stub) } + let(:credentials) { instance_double(GRPC::Core::ChannelCredentials) } let(:kas_url) { 'grpcs://example.kas.internal' } - it 'uses a ChannelCredentials object' do + it 'uses a ChannelCredentials object with the correct certificates' do + expect(GRPC::Core::ChannelCredentials).to receive(:new) + .with(Gitlab::X509::Certificate.ca_certs_bundle) + .and_return(credentials) + expect(Gitlab::Agent::ConfigurationProject::Rpc::ConfigurationProject::Stub).to receive(:new) - .with('example.kas.internal', instance_of(GRPC::Core::ChannelCredentials), timeout: described_class::TIMEOUT) + .with('example.kas.internal', credentials, timeout: described_class::TIMEOUT) .and_return(stub) allow(stub).to receive(:list_agent_config_files) diff --git a/spec/support/database/multiple_databases.rb b/spec/support/database/multiple_databases.rb index b863767b5df..b6341c2caec 100644 --- a/spec/support/database/multiple_databases.rb +++ b/spec/support/database/multiple_databases.rb @@ -2,15 +2,6 @@ module Database module MultipleDatabases - def run_and_cleanup(example) - # Each example may call `migrate!`, so we must ensure we are migrated down every time - schema_migrate_down! - - example.run - - delete_from_all_tables!(except: deletion_except_tables) - end - def skip_if_multiple_databases_not_setup skip 'Skipping because multiple databases not set up' unless Gitlab::Database.has_config?(:ci) end @@ -40,10 +31,15 @@ module Database config_model: base_model ) - schema_migrate_up! delete_from_all_tables!(except: deletion_except_tables) + schema_migrate_up! end end + + # ActiveRecord::Base.clear_all_connections! disconnects and clears attribute methods + # Force a refresh to avoid schema failures. + reset_column_in_all_models + refresh_attribute_methods end # The usage of this method switches temporarily used `connection_handler` @@ -152,10 +148,10 @@ RSpec.configure do |config| config_model: base_model ) - run_and_cleanup(example) + example.run end else - run_and_cleanup(example) + example.run end self.class.use_transactional_tests = true diff --git a/spec/support/database_cleaner.rb b/spec/support/database_cleaner.rb index 7bd1f0c5dfa..222cbe9feeb 100644 --- a/spec/support/database_cleaner.rb +++ b/spec/support/database_cleaner.rb @@ -22,4 +22,14 @@ RSpec.configure do |config| self.class.use_transactional_tests = true end + + config.around(:each, :migration) do |example| + self.class.use_transactional_tests = false + + example.run + + delete_from_all_tables!(except: deletion_except_tables) + + self.class.use_transactional_tests = true + end end diff --git a/spec/support/migration.rb b/spec/support/migration.rb index 24e2fc2ff31..490aa836d74 100644 --- a/spec/support/migration.rb +++ b/spec/support/migration.rb @@ -19,6 +19,8 @@ RSpec.configure do |config| # Each example may call `migrate!`, so we must ensure we are migrated down every time config.before(:each, :migration) do use_fake_application_settings + + schema_migrate_down! end config.after(:context, :migration) do diff --git a/spec/tasks/gitlab/gitaly_rake_spec.rb b/spec/tasks/gitlab/gitaly_rake_spec.rb index e57021f749b..d2f4fa0b8ef 100644 --- a/spec/tasks/gitlab/gitaly_rake_spec.rb +++ b/spec/tasks/gitlab/gitaly_rake_spec.rb @@ -66,7 +66,7 @@ RSpec.describe 'gitlab:gitaly namespace rake task', :silence_stdout do .with(%w[which gmake]) .and_return(['/usr/bin/gmake', 0]) expect(Gitlab::Popen).to receive(:popen) - .with(%w[gmake clean-build all git], nil, { "BUNDLE_GEMFILE" => nil, "RUBYOPT" => nil }) + .with(%w[gmake clean-build all], nil, { "BUNDLE_GEMFILE" => nil, "RUBYOPT" => nil }) .and_return(['ok', 0]) subject @@ -78,7 +78,7 @@ RSpec.describe 'gitlab:gitaly namespace rake task', :silence_stdout do .with(%w[which gmake]) .and_return(['/usr/bin/gmake', 0]) expect(Gitlab::Popen).to receive(:popen) - .with(%w[gmake clean-build all git], nil, { "BUNDLE_GEMFILE" => nil, "RUBYOPT" => nil }) + .with(%w[gmake clean-build all], nil, { "BUNDLE_GEMFILE" => nil, "RUBYOPT" => nil }) .and_return(['output', 1]) expect { subject }.to raise_error /Gitaly failed to compile: output/ @@ -95,14 +95,14 @@ RSpec.describe 'gitlab:gitaly namespace rake task', :silence_stdout do it 'calls make in the gitaly directory' do expect(Gitlab::Popen).to receive(:popen) - .with(%w[make clean-build all git], nil, { "BUNDLE_GEMFILE" => nil, "RUBYOPT" => nil }) + .with(%w[make clean-build all], nil, { "BUNDLE_GEMFILE" => nil, "RUBYOPT" => nil }) .and_return(['output', 0]) subject end context 'when Rails.env is test' do - let(:command) { %w[make clean-build all git] } + let(:command) { %w[make clean-build all] } before do stub_rails_env('test') |