author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-10 06:09:43 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-10 06:09:43 +0000 |
commit | 213da19cda5309148952ab770e2a9e122fe32e22 (patch) | |
tree | 80a48af510839497fa83625a34530543d255a957 /lib | |
parent | 3591ecba91126089ebf916f9bd95fe497609920c (diff) | |
download | gitlab-ce-213da19cda5309148952ab770e2a9e122fe32e22.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
11 files changed, 54 insertions, 171 deletions
diff --git a/lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml
index 97a9d94f42a..192d06bfa14 100644
--- a/lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml
@@ -45,7 +45,7 @@ container_scanning:
 script:
 - gtcs scan
 rules:
- - if: $CONTAINER_SCANNING_DISABLED
+ - if: $CONTAINER_SCANNING_DISABLED == 'true' || $CONTAINER_SCANNING_DISABLED == '1'
 when: never
 - if: $CI_COMMIT_BRANCH &&
 $CI_GITLAB_FIPS_MODE == "true" &&
diff --git a/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
index dd9575371dc..63cf265fc6e 100644
--- a/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
@@ -75,7 +75,7 @@ gemnasium-dependency_scanning:
 DS_ANALYZER_NAME: "gemnasium"
 GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
 rules:
- - if: $DEPENDENCY_SCANNING_DISABLED
+ - if: $DEPENDENCY_SCANNING_DISABLED == 'true' || $DEPENDENCY_SCANNING_DISABLED == '1'
 when: never
 - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
 when: never
@@ -104,7 +104,7 @@ gemnasium-maven-dependency_scanning:
 variables:
 DS_ANALYZER_NAME: "gemnasium-maven"
 rules:
- - if: $DEPENDENCY_SCANNING_DISABLED
+ - if: $DEPENDENCY_SCANNING_DISABLED == 'true' || $DEPENDENCY_SCANNING_DISABLED == '1'
 when: never
 - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
 when: never
@@ -135,7 +135,7 @@ gemnasium-python-dependency_scanning:
 variables:
 DS_ANALYZER_NAME: "gemnasium-python"
 rules:
- - if: $DEPENDENCY_SCANNING_DISABLED
+ - if: $DEPENDENCY_SCANNING_DISABLED == 'true' || $DEPENDENCY_SCANNING_DISABLED == '1'
 when: never
 - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
 when: never
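Review bot: The new condition in the container_scanning rules, `$CONTAINER_SCANNING_DISABLED == 'true' || $CONTAINER_SCANNING_DISABLED == '1'`, is an exact, case-sensitive string match, whereas the removed `if: $CONTAINER_SCANNING_DISABLED` treated any non-empty value as disabling the job. That is the safe direction — an unrecognised value such as `TRUE` or `yes` now leaves the scan running instead of silently skipping it — but it is a behaviour change for projects that relied on arbitrary truthy values, and nothing in the template says so. A comment above the rule would make the contract explicit: `# Only the literal values 'true' and '1' disable this job; any other value leaves it enabled.` The same wording applies to the matching rules in the other templates touched by this commit. The container_scanning job starts before this hunk.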
diff --git a/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml
index f8668699fe5..b1c81e9ed5b 100644
--- a/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml
@@ -32,7 +32,7 @@ license_scanning:
 license_scanning: gl-license-scanning-report.json
 dependencies: []
 rules:
- - if: $LICENSE_MANAGEMENT_DISABLED
+ - if: $LICENSE_MANAGEMENT_DISABLED == 'true' || $LICENSE_MANAGEMENT_DISABLED == '1'
 when: never
 - if: $CI_COMMIT_BRANCH &&
 $GITLAB_FEATURES =~ /\blicense_scanning\b/
diff --git a/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml
index c195ecd8ee5..a64e1e4a40f 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml
@@ -31,10 +31,10 @@ kics-iac-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
 when: never
diff --git a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
index 123dea09524..d567ab2a141 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
@@ -48,10 +48,10 @@ brakeman-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
 when: never
@@ -74,10 +74,10 @@ flawfinder-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
 when: never
@@ -95,10 +95,10 @@ kubesec-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/
 when: never
@@ -119,13 +119,13 @@ gosec-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"

 mobsf-android-sast:
 extends: .mobsf-sast
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
 when: never
@@ -138,7 +138,7 @@ mobsf-android-sast:
 mobsf-ios-sast:
 extends: .mobsf-sast
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
 when: never
@@ -153,10 +153,10 @@ nodejs-scan-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
 when: never
@@ -169,10 +169,10 @@ phpcs-security-audit-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
 when: never
@@ -185,10 +185,10 @@ pmd-apex-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/
 when: never
@@ -211,10 +211,10 @@ semgrep-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SEARCH_MAX_DEPTH: 20
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
 when: never
@@ -238,10 +238,10 @@ sobelow-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
 rules:
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/
 when: never
@@ -254,7 +254,7 @@ spotbugs-sast:
 image:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 3
+ SAST_ANALYZER_IMAGE_TAG: 4
 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/
@@ -263,7 +263,7 @@ spotbugs-sast:
 exists:
 - '**/AndroidManifest.xml'
 when: never
- - if: $SAST_DISABLED
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
 - if: $CI_COMMIT_BRANCH
 exists:
diff --git a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
index b7a9dbf7bc6..9d0b904117a 100644
--- a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
@@ -8,7 +8,7 @@ variables:
 SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
 SECRET_DETECTION_IMAGE_SUFFIX: ""
- SECRETS_ANALYZER_VERSION: "4"
+ SECRETS_ANALYZER_VERSION: "5"
 SECRET_DETECTION_EXCLUDED_PATHS: ""

 .secret-analyzer:
@@ -27,7 +27,7 @@ variables:
 secret_detection:
 extends: .secret-analyzer
 rules:
- - if: $SECRET_DETECTION_DISABLED
+ - if: $SECRET_DETECTION_DISABLED == 'true' || $SECRET_DETECTION_DISABLED == '1'
 when: never
 - if: $CI_COMMIT_BRANCH
 script:
diff --git a/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml
index 56c46dc216a..544aee904d5 100644
--- a/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml
@@ -35,9 +35,12 @@ apifuzzer_fuzz:
 image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_IMAGE_SUFFIX
 allow_failure: true
 rules:
- - if: $API_FUZZING_DISABLED
+ - if: $API_FUZZING_DISABLED == 'true' || $API_FUZZING_DISABLED == '1'
 when: never
- - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
+ - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH == 'true' &&
+ $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
+ when: never
+ - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH == '1' &&
 $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
 when: never
 - if: $CI_COMMIT_BRANCH &&
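Review bot: The two added `$API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH` rules in apifuzzer_fuzz differ only in the compared literal, and the duplicated `$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME` / `when: never` pair is exactly what a later edit will forget to keep in sync. GitLab `rules:if` accepts parenthesised expressions, so a single rule carries the same meaning: `- if: ($API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH == 'true' || $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH == '1') && $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME` followed by `when: never`. The DAST-API and DAST hunks later in this commit repeat the same two-rule pattern and could be collapsed the same way. The apifuzzer_fuzz job extends past both ends of this hunk.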
diff --git a/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml
index 89944e347f6..1f11ec8e288 100644
--- a/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml
@@ -49,6 +49,6 @@ coverage_fuzzing_unlicensed:
 coverage_fuzzing: gl-coverage-fuzzing-report.json
 when: always
 rules:
- - if: $COVFUZZ_DISABLED
+ - if: $COVFUZZ_DISABLED == 'true' || $COVFUZZ_DISABLED == '1'
 when: never
 - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bcoverage_fuzzing\b/
diff --git a/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml
index b5ee1e053f2..ee99d3b4614 100644
--- a/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml
@@ -35,9 +35,12 @@ dast_api:
 image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION$DAST_API_IMAGE_SUFFIX
 allow_failure: true
 rules:
- - if: $DAST_API_DISABLED
+ - if: $DAST_API_DISABLED == 'true' || $DAST_API_DISABLED == '1'
 when: never
- - if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH &&
+ - if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH == 'true' &&
+ $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
+ when: never
+ - if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH == '1' &&
 $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
 when: never
 - if: $CI_COMMIT_BRANCH &&
diff --git a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
index c43296b5865..6e1d96d4add 100644
--- a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
@@ -42,13 +42,23 @@ dast:
 reports:
 dast: gl-dast-report.json
 rules:
- - if: $DAST_DISABLED
+ - if: $DAST_DISABLED == 'true' || $DAST_DISABLED == '1'
 when: never
- - if: $DAST_DISABLED_FOR_DEFAULT_BRANCH &&
+ - if: $DAST_DISABLED_FOR_DEFAULT_BRANCH == 'true' &&
 $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
 when: never
+ - if: $DAST_DISABLED_FOR_DEFAULT_BRANCH == '1' &&
+ $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
+ when: never
+ - if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME &&
+ $REVIEW_DISABLED == 'true'
+ when: never
 - if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME &&
- $REVIEW_DISABLED
+ $REVIEW_DISABLED == '1'
 when: never
 - if: $CI_COMMIT_BRANCH &&
 $GITLAB_FEATURES =~ /\bdast\b/
+ after_script:
+ # Remove any debug.log files because they might contain secrets.
+ - rm -f /zap/wrk/**/debug.log
+ - cp -r /zap/wrk dast_artifacts
diff --git a/lib/gitlab/database_importers/instance_administrators/create_group.rb b/lib/gitlab/database_importers/instance_administrators/create_group.rb
deleted file mode 100644
index bb489ced3d2..00000000000
--- a/lib/gitlab/database_importers/instance_administrators/create_group.rb
+++ /dev/null
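Review bot: The added `rm -f /zap/wrk/**/debug.log` in the dast after_script does not reliably remove the files the accompanying comment says may contain secrets: in POSIX sh, and in bash without `globstar` enabled, `**` matches like a single `*`, so only a `debug.log` exactly one directory below `/zap/wrk` is deleted, while `/zap/wrk/debug.log` itself or anything nested deeper survives and is then copied wholesale by `cp -r /zap/wrk dast_artifacts`. Which shell the analyzer image runs after_script under is not visible here, so the gap may vary by image, but a shell-independent form closes it in every case: `- find /zap/wrk -type f -name debug.log -delete`. Whether `dast_artifacts` is exported under `artifacts:paths` is outside this hunk; if it is, any leftover log is exposed to everyone who can download the job's artifacts. The dast job starts before this hunk.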
@@ -1,133 +0,0 @@
-# frozen_string_literal: true
-module Gitlab
- module DatabaseImporters
- module InstanceAdministrators
- class CreateGroup < ::BaseService
- include Stepable
- NAME = 'GitLab Instance'
- PATH_PREFIX = 'gitlab-instance'
- VISIBILITY_LEVEL = Gitlab::VisibilityLevel::INTERNAL
- steps :validate_application_settings,
- :validate_admins,
- :create_group,
- :save_group_id,
- :add_group_members,
- :track_event
- def initialize
- super(nil)
- end
- def execute
- execute_steps
- end
- private
- def validate_application_settings(result)
- return success(result) if application_settings
- log_error('No application_settings found')
- error(_('No application_settings found'))
- end
- def validate_admins(result)
- unless instance_admins.any?
- log_error('No active admin user found')
- return error(_('No active admin user found'))
- end
- success(result)
- end
- def create_group(result)
- if group_created?
- log_info(_('Instance administrators group already exists'))
- result[:group] = instance_administrators_group
- return success(result)
- end
- result[:group] = ::Groups::CreateService.new(instance_admins.first, create_group_params).execute
- if result[:group].persisted?
- success(result)
- else
- log_error("Could not create instance administrators group. Errors: %{errors}" % { errors: result[:group].errors.full_messages })
- error(_('Could not create group'))
- end
- end
- def save_group_id(result)
- return success(result) if group_created?
-
- response = application_settings.update(
- instance_administrators_group_id: result[:group].id
- )
- if response
- success(result)
- else
- log_error("Could not save instance administrators group ID, errors: %{errors}" % { errors: application_settings.errors.full_messages })
- error(_('Could not save group ID'))
- end
- end
- def add_group_members(result)
- group = result[:group]
- members = group.add_members(members_to_add(group), Gitlab::Access::MAINTAINER)
- errors = members.flat_map { |member| member.errors.full_messages }
- if errors.any?
- log_error('Could not add admins as members to self-monitoring project. Errors: %{errors}' % { errors: errors })
- error(_('Could not add admins as members'))
- else
- success(result)
- end
- end
- def track_event(result)
- ::Gitlab::Tracking.event("instance_administrators_group", "group_created", namespace: result[:group])
- success(result)
- end
- def group_created?
- instance_administrators_group.present?
- end
- def application_settings
- @application_settings ||= ApplicationSetting.current_without_cache
- end
- def instance_administrators_group
- application_settings.instance_administrators_group
- end
- def instance_admins
- @instance_admins ||= User.admins.active
- end
- def members_to_add(group)
- # Exclude admins who are already members of group because
- # `group.add_members(users)` returns an error if the users parameter contains
- # users who are already members of the group.
- instance_admins - group.members.collect(&:user)
- end
- def create_group_params
- {
- name: NAME,
- visibility_level: VISIBILITY_LEVEL,
-
- # The 8 random characters at the end are so that the path does not
- # clash with any existing group that the user might have created.
- path: "#{PATH_PREFIX}-#{SecureRandom.hex(4)}"
- }
- end
- end
- end
- end
-end |