23 files changed, 200 insertions, 75 deletions

diff --git a/app/views/shared/milestones/_top.html.haml b/app/views/shared/milestones/_top.html.haml
index 43503e1d08a..fd3317341f6 100644
--- a/app/views/shared/milestones/_top.html.haml
+++ b/app/views/shared/milestones/_top.html.haml
@@ -53,7 +53,7 @@
     - close_msg = group ? 'You may close the milestone now.' : 'Navigate to the project to close the milestone.'
     %span All issues for this milestone are closed. #{close_msg}
 
-= render_if_exists 'shared/milestones/burndown', milestone: @milestone, project: @project
+= render_if_exists 'shared/milestones/burndown', milestone: milestone, project: @project
 
 - if is_dynamic_milestone
   .table-holder
diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index 31f0b5a050c..4dcb416c110 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -148,6 +148,38 @@ Clicking on this button will create a merge request to apply the solution onto t
 
 ![Create merge request from vulnerability](img/create_issue_with_list_hover.png)
 
+## Security approvals in merge requests **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/9928) in [GitLab Ultimate](https://about.gitlab.com/pricing) 12.2.
+
+Merge Request Approvals can be configured to require approval from a member 
+of your security team when a vulnerability would be introduced by a merge request.
+
+This threshold is defined as `high`, `critical`, or `unknown`
+severity. When any vulnerabilities are present within a merge request, an
+approval will be required from the `Vulnerability-Check` approver group.
+
+### Enabling Security Approvals within a project
+
+To enable Security Approvals, a [project approval rule](../project/merge_requests/merge_request_approvals.md#multiple-approval-rules-premium)
+must be created with the case-sensitive name `Vulnerability-Check`. This approval
+group must be set with an "Approvals required" count greater than zero.
+
+Once this group has been added to your project, the approval rule will be enabled
+for all Merge Requests.
+
+Any code changes made will cause the count of approvals required to reset.
+
+An approval will be required when a security report:
+
+- Contains a new vulnerability of `high`, `critical`, or `unknown` severity.
+- Is not generated during pipeline execution.
+
+An approval will be optional when a security report:
+
+- Contains no new vulnerabilities.
+- Contains only new vulnerabilities of `low` or `medium` severity.
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues
diff --git a/doc/user/project/merge_requests/merge_request_approvals.md b/doc/user/project/merge_requests/merge_request_approvals.md
index 220795d6f15..656459b3b03 100644
--- a/doc/user/project/merge_requests/merge_request_approvals.md
+++ b/doc/user/project/merge_requests/merge_request_approvals.md
@@ -331,6 +331,16 @@ the dropdown) `approver` and select the user.
 
 ![Filter MRs by an approver](img/filter_approver_merge_requests.png)
 
+## Security approvals in merge requests **(ULTIMATE)**
+
+> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing) 12.2.
+
+Merge Request Approvals can be configured to require approval from a member
+of your security team when a vulnerability would be introduced by a merge request.
+
+For more information, see 
+[Security approvals in merge requests](../../application_security/index.md#security-approvals-in-merge-requests-ultimate).
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues
diff --git a/package.json b/package.json
index 056f7616cde..f0a7f3e47af 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,6 @@
     "diff": "^3.4.0",
     "document-register-element": "1.13.1",
     "dropzone": "^4.2.0",
-    "echarts": "^4.2.0-rc.2",
     "emoji-regex": "^7.0.3",
     "emoji-unicode-version": "^0.2.1",
     "exports-loader": "^0.7.0",
diff --git a/rubocop/cop/rspec/top_level_describe_path.rb b/rubocop/cop/rspec/top_level_describe_path.rb
new file mode 100644
index 00000000000..61796e23af0
--- /dev/null
+++ b/rubocop/cop/rspec/top_level_describe_path.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'rubocop/rspec/top_level_describe'
+
+module RuboCop
+  module Cop
+    module RSpec
+      class TopLevelDescribePath < RuboCop::Cop::Cop
+        include RuboCop::RSpec::TopLevelDescribe
+
+        MESSAGE = 'A file with a top-level `describe` must end in _spec.rb.'
+        SHARED_EXAMPLES = %i[shared_examples shared_examples_for].freeze
+
+        def on_top_level_describe(node, args)
+          return if acceptable_file_path?(processed_source.buffer.name)
+          return if shared_example?(node)
+
+          add_offense(node, message: MESSAGE)
+        end
+
+        private
+
+        def acceptable_file_path?(path)
+          File.fnmatch?('*_spec.rb', path) || File.fnmatch?('*/frontend/fixtures/*', path)
+        end
+
+        def shared_example?(node)
+          node.ancestors.any? do |node|
+            node.respond_to?(:method_name) && SHARED_EXAMPLES.include?(node.method_name)
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/rubocop/rubocop.rb b/rubocop/rubocop.rb
index ba61a634d97..58a7ead6f13 100644
--- a/rubocop/rubocop.rb
+++ b/rubocop/rubocop.rb
@@ -32,6 +32,7 @@ require_relative 'cop/migration/update_large_table'
 require_relative 'cop/project_path_helper'
 require_relative 'cop/rspec/env_assignment'
 require_relative 'cop/rspec/factories_in_migration_specs'
+require_relative 'cop/rspec/top_level_describe_path'
 require_relative 'cop/qa/element_with_pattern'
 require_relative 'cop/sidekiq_options_queue'
 require_relative 'cop/destroy_all'
diff --git a/spec/features/groups/labels/user_sees_links_to_issuables.rb b/spec/features/groups/labels/user_sees_links_to_issuables_spec.rb
index e636f625b31..6199b566ebc 100644
--- a/spec/features/groups/labels/user_sees_links_to_issuables.rb
+++ b/spec/features/groups/labels/user_sees_links_to_issuables_spec.rb
@@ -11,7 +11,9 @@ describe 'Groups > Labels > User sees links to issuables' do
   end
 
   it 'shows links to MRs and issues' do
-    expect(page).to have_link('view merge requests')
-    expect(page).to have_link('view open issues')
+    page.within('.labels-container') do
+      expect(page).to have_link('Merge requests')
+      expect(page).to have_link('Issues')
+    end
   end
 end
diff --git a/spec/features/instance_statistics/instance_statistics.rb b/spec/features/instance_statistics/instance_statistics_spec.rb
index 40d0f1db207..40d0f1db207 100644
--- a/spec/features/instance_statistics/instance_statistics.rb
+++ b/spec/features/instance_statistics/instance_statistics_spec.rb
diff --git a/spec/features/projects/files/user_browses_a_tree_with_a_folder_containing_only_a_folder.rb b/spec/features/projects/files/user_browses_a_tree_with_a_folder_containing_only_a_folder_spec.rb
index 934de2fde8f..c19e46da913 100644
--- a/spec/features/projects/files/user_browses_a_tree_with_a_folder_containing_only_a_folder.rb
+++ b/spec/features/projects/files/user_browses_a_tree_with_a_folder_containing_only_a_folder_spec.rb
@@ -3,7 +3,8 @@
 require 'spec_helper'
 
 # This is a regression test for https://gitlab.com/gitlab-org/gitlab-ce/issues/37569
-describe 'Projects > Files > User browses a tree with a folder containing only a folder' do
+# Quarantine: https://gitlab.com/gitlab-org/gitlab-ce/issues/65329
+describe 'Projects > Files > User browses a tree with a folder containing only a folder', :quarantine do
   let(:project) { create(:project, :empty_repo) }
   let(:user) { project.owner }
 
diff --git a/spec/features/projects/labels/user_sees_links_to_issuables.rb b/spec/features/projects/labels/user_sees_links_to_issuables_spec.rb
index fd2151a1f8e..7a9b9e6eac2 100644
--- a/spec/features/projects/labels/user_sees_links_to_issuables.rb
+++ b/spec/features/projects/labels/user_sees_links_to_issuables_spec.rb
@@ -19,8 +19,10 @@ describe 'Projects > Labels > User sees links to issuables' do
       let(:project) { create(:project, :public) }
 
       it 'shows links to MRs and issues' do
-        expect(page).to have_link('view merge requests')
-        expect(page).to have_link('view open issues')
+        page.within('.labels-container') do
+          expect(page).to have_link('Merge requests')
+          expect(page).to have_link('Issues')
+        end
       end
     end
 
@@ -28,8 +30,10 @@ describe 'Projects > Labels > User sees links to issuables' do
       let(:project) { create(:project, :public, issues_access_level: ProjectFeature::DISABLED) }
 
       it 'shows links to MRs but not to issues' do
-        expect(page).to have_link('view merge requests')
-        expect(page).not_to have_link('view open issues')
+        page.within('.labels-container') do
+          expect(page).to have_link('Merge requests')
+          expect(page).not_to have_link('Issues')
+        end
       end
     end
 
@@ -37,8 +41,10 @@ describe 'Projects > Labels > User sees links to issuables' do
       let(:project) { create(:project, :public, merge_requests_access_level: ProjectFeature::DISABLED) }
 
       it 'shows links to issues but not to MRs' do
-        expect(page).not_to have_link('view merge requests')
-        expect(page).to have_link('view open issues')
+        page.within('.labels-container') do
+          expect(page).not_to have_link('Merge requests')
+          expect(page).to have_link('Issues')
+        end
       end
     end
   end
@@ -51,8 +57,10 @@ describe 'Projects > Labels > User sees links to issuables' do
       let(:project) { create(:project, :public, namespace: group) }
 
       it 'shows links to MRs and issues' do
-        expect(page).to have_link('view merge requests')
-        expect(page).to have_link('view open issues')
+        page.within('.labels-container') do
+          expect(page).to have_link('Merge requests')
+          expect(page).to have_link('Issues')
+        end
       end
     end
 
@@ -60,8 +68,10 @@ describe 'Projects > Labels > User sees links to issuables' do
       let(:project) { create(:project, :public, namespace: group, issues_access_level: ProjectFeature::DISABLED) }
 
       it 'shows links to MRs and issues' do
-        expect(page).to have_link('view merge requests')
-        expect(page).to have_link('view open issues')
+        page.within('.labels-container') do
+          expect(page).to have_link('Merge requests')
+          expect(page).to have_link('Issues')
+        end
       end
     end
 
@@ -69,8 +79,10 @@ describe 'Projects > Labels > User sees links to issuables' do
       let(:project) { create(:project, :public, namespace: group, merge_requests_access_level: ProjectFeature::DISABLED) }
 
       it 'shows links to MRs and issues' do
-        expect(page).to have_link('view merge requests')
-        expect(page).to have_link('view open issues')
+        page.within('.labels-container') do
+          expect(page).to have_link('Merge requests')
+          expect(page).to have_link('Issues')
+        end
       end
     end
   end
diff --git a/spec/features/snippets/user_sees_breadcrumb_links.rb b/spec/features/snippets/user_sees_breadcrumb_links.rb
deleted file mode 100644
index 5b10984ce1d..00000000000
--- a/spec/features/snippets/user_sees_breadcrumb_links.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-require 'rails_helper'
-
-describe 'New user snippet breadcrumbs' do
-  let(:user) { create(:user) }
-
-  before do
-    sign_in(user)
-    visit new_snippet_path
-  end
-
-  it 'display a link to user snippets and new user snippet pages' do
-    page.within '.breadcrumbs' do
-      expect(find_link('Snippets')[:href]).to end_with(dashboard_snippets_path)
-      expect(find_link('New')[:href]).to end_with(new_snippet_path)
-    end
-  end
-end
diff --git a/spec/features/user_opens_link_to_comment.rb b/spec/features/user_opens_link_to_comment_spec.rb
index f1e07e55799..f1e07e55799 100644
--- a/spec/features/user_opens_link_to_comment.rb
+++ b/spec/features/user_opens_link_to_comment_spec.rb
diff --git a/spec/features/users/add_email_to_existing_account.rb b/spec/features/users/add_email_to_existing_account_spec.rb
index 42e352399a8..42e352399a8 100644
--- a/spec/features/users/add_email_to_existing_account.rb
+++ b/spec/features/users/add_email_to_existing_account_spec.rb
diff --git a/spec/rubocop/cop/rspec/top_level_describe_path_spec.rb b/spec/rubocop/cop/rspec/top_level_describe_path_spec.rb
new file mode 100644
index 00000000000..258144d4000
--- /dev/null
+++ b/spec/rubocop/cop/rspec/top_level_describe_path_spec.rb
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+
+require 'rubocop'
+require 'rubocop/rspec/support'
+
+require_relative '../../../../rubocop/cop/rspec/top_level_describe_path'
+
+describe RuboCop::Cop::RSpec::TopLevelDescribePath do
+  include RuboCop::RSpec::ExpectOffense
+  include CopHelper
+
+  subject(:cop) { described_class.new }
+
+  context 'when the file ends in _spec.rb' do
+    it 'registers no offenses' do
+      expect_no_offenses(<<~SOURCE.strip_indent, 'spec/foo_spec.rb')
+        describe 'Foo' do
+        end
+      SOURCE
+    end
+  end
+
+  context 'when the file is a frontend fixture' do
+    it 'registers no offenses' do
+      expect_no_offenses(<<~SOURCE.strip_indent, 'spec/frontend/fixtures/foo.rb')
+        describe 'Foo' do
+        end
+      SOURCE
+    end
+  end
+
+  context 'when the describe is in a shared example' do
+    context 'with shared_examples' do
+      it 'registers no offenses' do
+        expect_no_offenses(<<~SOURCE.strip_indent, 'spec/foo.rb')
+          shared_examples 'Foo' do
+            describe '#bar' do
+            end
+          end
+        SOURCE
+      end
+    end
+
+    context 'with shared_examples_for' do
+      it 'registers no offenses' do
+        expect_no_offenses(<<~SOURCE.strip_indent, 'spec/foo.rb')
+          shared_examples_for 'Foo' do
+            describe '#bar' do
+            end
+          end
+        SOURCE
+      end
+    end
+  end
+
+  context 'when the describe is at the top level' do
+    it 'marks the describe as offending' do
+      expect_offense(<<~SOURCE.strip_indent, 'spec/foo.rb')
+        describe 'Foo' do
+        ^^^^^^^^^^^^^^ #{described_class::MESSAGE}
+        end
+      SOURCE
+    end
+  end
+end
diff --git a/spec/tasks/gitlab/mail_google_schema_whitelisting.rb b/spec/tasks/gitlab/mail_google_schema_whitelisting.rb
deleted file mode 100644
index 8d1cff7a261..00000000000
--- a/spec/tasks/gitlab/mail_google_schema_whitelisting.rb
+++ /dev/null
@@ -1,27 +0,0 @@
-require 'spec_helper'
-require 'rake'
-
-describe 'gitlab:mail_google_schema_whitelisting rake task' do
-  before :all do
-    Rake.application.rake_require "tasks/gitlab/helpers"
-    Rake.application.rake_require "tasks/gitlab/mail_google_schema_whitelisting"
-    # empty task as env is already loaded
-    Rake::Task.define_task :environment
-  end
-
-  describe 'call' do
-    before do
-      # avoid writing task output to spec progress
-      allow($stdout).to receive :write
-    end
-
-    let :run_rake_task do
-      Rake::Task["gitlab:mail_google_schema_whitelisting"].reenable
-      Rake.application.invoke_task "gitlab:mail_google_schema_whitelisting"
-    end
-
-    it 'runs the task without errors' do
-      expect { run_rake_task }.not_to raise_error
-    end
-  end
-end
diff --git a/spec/views/dashboard/projects/_blank_state_admin_welcome.haml.rb b/spec/views/dashboard/projects/_blank_state_admin_welcome.haml_spec.rb
index 2f58eec86dc..2f58eec86dc 100644
--- a/spec/views/dashboard/projects/_blank_state_admin_welcome.haml.rb
+++ b/spec/views/dashboard/projects/_blank_state_admin_welcome.haml_spec.rb
diff --git a/spec/views/dashboard/projects/_nav.html.haml.rb b/spec/views/dashboard/projects/_nav.html.haml_spec.rb
index f6a8ca13040..cbdd3c0acc3 100644
--- a/spec/views/dashboard/projects/_nav.html.haml.rb
+++ b/spec/views/dashboard/projects/_nav.html.haml_spec.rb
@@ -4,7 +4,7 @@ describe 'dashboard/projects/_nav.html.haml' do
   it 'highlights All tab by default' do
     render
 
-    expect(rendered).to have_css('li.active a', text: 'All')
+    expect(rendered).to have_css('a.active', text: 'All')
   end
 
   it 'highlights Personal tab personal param is present' do
@@ -12,6 +12,6 @@ describe 'dashboard/projects/_nav.html.haml' do
 
     render
 
-    expect(rendered).to have_css('li.active a', text: 'Personal')
+    expect(rendered).to have_css('a.active', text: 'Personal')
   end
 end
diff --git a/spec/views/projects/deployments/_confirm_rollback_modal_spec.html.rb b/spec/views/projects/deployments/_confirm_rollback_modal_spec.html_spec.rb
index 54ec4f32856..54ec4f32856 100644
--- a/spec/views/projects/deployments/_confirm_rollback_modal_spec.html.rb
+++ b/spec/views/projects/deployments/_confirm_rollback_modal_spec.html_spec.rb
diff --git a/spec/views/shared/_label_row.html.haml.rb b/spec/views/shared/_label_row.html.haml_spec.rb
index a58d5efc1e3..4cce13aa37c 100644
--- a/spec/views/shared/_label_row.html.haml.rb
+++ b/spec/views/shared/_label_row.html.haml_spec.rb
@@ -7,9 +7,20 @@ describe 'shared/_label_row.html.haml' do
   }
 
   label_types.each do |label_type, label_factory|
-    let!(:label) { create(label_factory) }
+    let!(:label) do
+      label_record = create(label_factory)
+      label_record.present(issuable_subject: label_record.subject)
+    end
 
     context "for a #{label_type}" do
+      before do
+        if label.project_label?
+          @project = label.project
+        else
+          @group = label.group
+        end
+      end
+
       it 'has a non-linked label title' do
         render 'shared/label_row', label: label
 
diff --git a/spec/views/shared/milestones/_issuable.html.haml.rb b/spec/views/shared/milestones/_issuable.html.haml_spec.rb
index 0a3f877cae0..0a3f877cae0 100644
--- a/spec/views/shared/milestones/_issuable.html.haml.rb
+++ b/spec/views/shared/milestones/_issuable.html.haml_spec.rb
diff --git a/spec/views/shared/milestones/_issuables.html.haml.rb b/spec/views/shared/milestones/_issuables.html.haml_spec.rb
index cbbb984935f..24b55338db3 100644
--- a/spec/views/shared/milestones/_issuables.html.haml.rb
+++ b/spec/views/shared/milestones/_issuables.html.haml_spec.rb
@@ -6,7 +6,7 @@ describe 'shared/milestones/_issuables.html.haml' do
   before do
     allow(view).to receive_messages(title: nil, id: nil, show_project_name: nil,
                                     show_full_project_name: nil, dom_class: '',
-                                    issuables: double(size: issuables_size).as_null_object)
+                                    issuables: double(length: issuables_size).as_null_object)
 
     stub_template 'shared/milestones/_issuable.html.haml' => ''
   end
diff --git a/spec/views/shared/milestones/_top.html.haml.rb b/spec/views/shared/milestones/_top.html.haml_spec.rb
index 516d81c87ac..f2ee8be5857 100644
--- a/spec/views/shared/milestones/_top.html.haml.rb
+++ b/spec/views/shared/milestones/_top.html.haml_spec.rb
@@ -7,6 +7,7 @@ describe 'shared/milestones/_top.html.haml' do
 
   before do
     allow(milestone).to receive(:milestones) { [] }
+    allow(milestone).to receive(:milestone) { milestone }
   end
 
   it 'renders a deprecation message for a legacy milestone' do
diff --git a/yarn.lock b/yarn.lock
index 22145f5a5af..221ffa27f6c 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4310,11 +4310,11 @@ ecc-jsbn@~0.1.1:
     safer-buffer "^2.1.0"
 
 echarts@^4.2.0-rc.2:
-  version "4.2.0-rc.2"
-  resolved "https://registry.yarnpkg.com/echarts/-/echarts-4.2.0-rc.2.tgz#6a98397aafa81b65cbf0bc15d9afdbfb244df91e"
-  integrity sha512-5Y4Kyi4eNsRM9Cnl7Q8C6PFVjznBJv1VIiMm/VSQ9zyqeo+ce1695GqUd9v4zfVx+Ow1gnwMJX67h0FNvarScw==
+  version "4.2.1"
+  resolved "https://registry.yarnpkg.com/echarts/-/echarts-4.2.1.tgz#9a8ea3b03354f86f824d97625c334cf16965ef03"
+  integrity sha512-pw4xScRPsLegD/cqEcoXRKeA2SD4+s+Kyo0Na166NamOWhzNl2yI5RZ2rE97tBlAopNmhyMeBVpAeD5qb+ee1A==
   dependencies:
-    zrender "4.0.5"
+    zrender "4.0.7"
 
 editions@^1.3.3:
   version "1.3.4"
@@ -13217,7 +13217,7 @@ zen-observable@^0.8.0:
   resolved "https://registry.yarnpkg.com/zen-observable/-/zen-observable-0.8.11.tgz#d3415885eeeb42ee5abb9821c95bb518fcd6d199"
   integrity sha512-N3xXQVr4L61rZvGMpWe8XoCGX8vhU35dPyQ4fm5CY/KDlG0F75un14hjbckPXTDuKUY6V0dqR2giT6xN8Y4GEQ==
 
-zrender@4.0.5:
-  version "4.0.5"
-  resolved "https://registry.yarnpkg.com/zrender/-/zrender-4.0.5.tgz#6e8f738971ce2cd624aac82b2156729b1c0e5a82"
-  integrity sha512-SintgipGEJPT9Sz2ABRoE4ZD7Yzy7oR7j7KP6H+C9FlbHWnLUfGVK7E8UV27pGwlxAMB0EsnrqhXx5XjAfv/KA==
+zrender@4.0.7:
+  version "4.0.7"
+  resolved "https://registry.yarnpkg.com/zrender/-/zrender-4.0.7.tgz#15ae960822f5efed410995d37e5107fe3de10e6d"
+  integrity sha512-TNloHe0ums6zxbHfnaCryM61J4IWDajZwNq6dHk9vfWhhysO/OeFvvR0drBs/nbXha2YxSzfQj2FiCd6RVBe+Q==