9 files changed, 202 insertions, 15 deletions
diff --git a/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml b/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml new file mode 100644 index 00000000000..461a2fda6cd --- /dev/null +++ b/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml @@ -0,0 +1,5 @@ +--- +title: Improve SAST NO_DIND file detection with proper boundary conditions +merge_request: 28036 +author: +type: fixed diff --git a/changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml b/changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml new file mode 100644 index 00000000000..2587ed0f05d --- /dev/null +++ b/changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml @@ -0,0 +1,5 @@ +--- +title: Refactor projects/:id/packages API to supply only necessary params to PackagesFinder +merge_request: 29052 +author: Sashi Kumar +type: other diff --git a/doc/administration/troubleshooting/debug.md b/doc/administration/troubleshooting/debug.md index d0c1f3fa0ff..1e1b2ad8378 100644 --- a/doc/administration/troubleshooting/debug.md +++ b/doc/administration/troubleshooting/debug.md @@ -62,8 +62,8 @@ puts Readline::HISTORY.to_a ## Using the Rails Runner -If you need to run some Ruby code in thex context of your GitLab production -environment, you can do so using the [Rails Runner](https://guides.rubyonrails.org/command_line.html#rails-runner). +If you need to run some Ruby code in the context of your GitLab production +environment, you can do so using the [Rails Runner](https://guides.rubyonrails.org/command_line.html#rails-runner). When executing a script file, the script must be accessible by the `git` user. **For Omnibus installations** 
@@ -72,6 +72,9 @@ sudo gitlab-rails runner "RAILS_COMMAND" # Example with a two-line Ruby script sudo gitlab-rails runner "user = User.first; puts user.username" + +# Example with a ruby script file +sudo gitlab-rails runner /path/to/script.rb ``` **For installations from source** @@ -81,6 +84,9 @@ sudo -u git -H bundle exec rails runner -e production "RAILS_COMMAND" # Example with a two-line Ruby script sudo -u git -H bundle exec rails runner -e production "user = User.first; puts user.username" + +# Example with a ruby script file +sudo -u git -H bundle exec rails runner -e production /path/to/script.rb ``` ## Mail not working diff --git a/doc/api/graphql/reference/gitlab_schema.graphql b/doc/api/graphql/reference/gitlab_schema.graphql index 22ca25e45d3..4ce54a1b3fb 100644 --- a/doc/api/graphql/reference/gitlab_schema.graphql +++ b/doc/api/graphql/reference/gitlab_schema.graphql @@ -7174,6 +7174,51 @@ type Query { """ visibility: VisibilityScopesEnum ): SnippetConnection + + """ + Vulnerabilities reported on projects on the current user's instance security dashboard + """ + vulnerabilities( + """ + Returns the elements in the list that come after the specified cursor. + """ + after: String + + """ + Returns the elements in the list that come before the specified cursor. + """ + before: String + + """ + Returns the first _n_ elements from the list. + """ + first: Int + + """ + Returns the last _n_ elements from the list. + """ + last: Int + + """ + Filter vulnerabilities by project + """ + projectId: [ID!] + + """ + Filter vulnerabilities by report type + """ + reportType: [VulnerabilityReportType!] + + """ + Filter vulnerabilities by severity + """ + severity: [VulnerabilitySeverity!] + + """ + Filter vulnerabilities by state + """ + state: [VulnerabilityState!] + ): VulnerabilityConnection } """ diff --git a/doc/api/graphql/reference/gitlab_schema.json b/doc/api/graphql/reference/gitlab_schema.json index 40bd27062b3..bf8206e61cc 100644 
--- a/doc/api/graphql/reference/gitlab_schema.json +++ b/doc/api/graphql/reference/gitlab_schema.json 
@@ -21480,6 +21480,131 @@ }, "isDeprecated": false, "deprecationReason": null + }, + { + "name": "vulnerabilities", + "description": "Vulnerabilities reported on projects on the current user's instance security dashboard", + "args": [ + { + "name": "projectId", + "description": "Filter vulnerabilities by project", + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "ID", + "ofType": null + } + } + }, + "defaultValue": null + }, + { + "name": "reportType", + "description": "Filter vulnerabilities by report type", + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "ENUM", + "name": "VulnerabilityReportType", + "ofType": null + } + } + }, + "defaultValue": null + }, + { + "name": "severity", + "description": "Filter vulnerabilities by severity", + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "ENUM", + "name": "VulnerabilitySeverity", + "ofType": null + } + } + }, + "defaultValue": null + }, + { + "name": "state", + "description": "Filter vulnerabilities by state", + "type": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "ENUM", + "name": "VulnerabilityState", + "ofType": null + } + } + }, + "defaultValue": null + }, + { + "name": "after", + "description": "Returns the elements in the list that come after the specified cursor.", + "type": { + "kind": "SCALAR", + "name": "String", + "ofType": null + }, + "defaultValue": null + }, + { + "name": "before", + "description": "Returns the elements in the list that come before the specified cursor.", + "type": { + "kind": "SCALAR", + "name": "String", + "ofType": null + }, + "defaultValue": null + }, + { + "name": "first", + "description": "Returns the first _n_ elements from the list.", + "type": { + "kind": "SCALAR", + "name": 
"Int", + "ofType": null + }, + "defaultValue": null + }, + { + "name": "last", + "description": "Returns the last _n_ elements from the list.", + "type": { + "kind": "SCALAR", + "name": "Int", + "ofType": null + }, + "defaultValue": null + } + ], + "type": { + "kind": "OBJECT", + "name": "VulnerabilityConnection", + "ofType": null + }, + "isDeprecated": false, + "deprecationReason": null } ], "inputFields": null, diff --git a/doc/development/contributing/issue_workflow.md b/doc/development/contributing/issue_workflow.md index a4c55cdbd1b..5df357eee9e 100644 --- a/doc/development/contributing/issue_workflow.md +++ b/doc/development/contributing/issue_workflow.md @@ -449,7 +449,7 @@ It's common to discover technical debt during development of a new feature. In the spirit of "minimum viable change", resolution is often deferred to a follow-up issue. However, this cannot be used as an excuse to merge poor-quality code that would otherwise not pass review, or to overlook trivial matters that -don't deserve the be scheduled independently, and would be best resolved in the +don't deserve to be scheduled independently, and would be best resolved in the original merge request - or not tracked at all! The overheads of scheduling, and rate of change in the GitLab codebase, mean diff --git a/doc/user/application_security/offline_deployments/index.md b/doc/user/application_security/offline_deployments/index.md index 5a5f149a3bf..61b34901849 100644 --- a/doc/user/application_security/offline_deployments/index.md +++ b/doc/user/application_security/offline_deployments/index.md 
@@ -76,6 +76,6 @@ Each individual scanner may be slightly different than the steps described above. You can find more information at each of the pages below: - [Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-environment) -- [SAST offline directions](../sast/index.md#gitlab-sast-in-an-offline-environment) +- [SAST offline directions](../sast/index.md#running-sast-in-an-offline-environment) - [DAST offline directions](../dast/index.md#running-dast-in-an-offline-environment) - [License Compliance offline directions](../../compliance/license_compliance/index.md#running-license-compliance-in-an-offline-environment) diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 3a711138a76..75afdfb5cf5 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -504,16 +504,17 @@ Once a vulnerability is found, you can interact with it. Read more on how to For more information about the vulnerabilities database update, check the [maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database). -## GitLab SAST in an offline environment +## Running SAST in an offline environment For self-managed GitLab instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required for the SAST job to -successfully run. +successfully run. For more information, see [Offline environments](../offline_deployments/index.md). ### Requirements for offline SAST To use SAST in an offline environment, you need: +- [Disable Docker-In-Docker](#disabling-docker-in-docker-for-sast) - GitLab Runner with the [`docker` or `kubernetes` executor](#requirements). - Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images. 
diff --git a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml index b710ad3d0db..03b9720747d 100644 --- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml @@ -65,7 +65,7 @@ bandit-sast: variables: - $GITLAB_FEATURES =~ /\bsast\b/ && $SAST_DEFAULT_ANALYZERS =~ /bandit/&& - $CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/ + $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/ brakeman-sast: extends: .sast-analyzer @@ -75,7 +75,7 @@ brakeman-sast: variables: - $GITLAB_FEATURES =~ /\bsast\b/ && $SAST_DEFAULT_ANALYZERS =~ /brakeman/ && - $CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/ + $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bruby\b/ eslint-sast: extends: .sast-analyzer @@ -85,7 +85,7 @@ eslint-sast: variables: - $GITLAB_FEATURES =~ /\bsast\b/ && $SAST_DEFAULT_ANALYZERS =~ /eslint/ && - $CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/ + $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/ flawfinder-sast: extends: .sast-analyzer @@ -95,7 +95,7 @@ flawfinder-sast: variables: - $GITLAB_FEATURES =~ /\bsast\b/ && $SAST_DEFAULT_ANALYZERS =~ /flawfinder/ && - $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c)\b/ + $CI_PROJECT_REPOSITORY_LANGUAGES =~ /(c(\+\+)?,)|(c(\+\+)?$)/ kubesec-sast: extends: .sast-analyzer @@ -125,7 +125,7 @@ nodejs-scan-sast: variables: - $GITLAB_FEATURES =~ /\bsast\b/ && $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ && - $CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/ + $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/ phpcs-security-audit-sast: extends: .sast-analyzer @@ -135,7 +135,7 @@ phpcs-security-audit-sast: variables: - $GITLAB_FEATURES =~ /\bsast\b/ && $SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ && - $CI_PROJECT_REPOSITORY_LANGUAGES =~ /php/ + $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bphp\b/ pmd-apex-sast: extends: .sast-analyzer 
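Review bot: In the flawfinder-sast hunk the new pattern `/(c(\+\+)?,)|(c(\+\+)?$)/` bounds the language token only on its right side, so a `c` that ends a different token immediately before a comma or at end of string also satisfies it, whereas every other analyzer rule changed in this file now uses `\b` on both sides. A symmetric form such as `$CI_PROJECT_REPOSITORY_LANGUAGES =~ /(^|,)c(\+\+)?(,|$)/` keeps the reason for dropping `\b` here (a trailing `\b` cannot match after `+`) while restoring the left boundary, and it uses only anchors and alternation so it should stay within the `only:variables` regex dialect. If the looser left boundary is deliberate (for example to cover a hyphenated name that ends in `c`), a one-line YAML comment above the rule stating that intent would stop the next reader from "fixing" it. The `flawfinder-sast:` job's `extends:` and `only:` keys begin before this hunk.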
@@ -145,7 +145,7 @@ pmd-apex-sast: variables: - $GITLAB_FEATURES =~ /\bsast\b/ && $SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ && - $CI_PROJECT_REPOSITORY_LANGUAGES =~ /apex/ + $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bapex\b/ secrets-sast: extends: .sast-analyzer @@ -174,7 +174,7 @@ sobelow-sast: variables: - $GITLAB_FEATURES =~ /\bsast\b/ && $SAST_DEFAULT_ANALYZERS =~ /sobelow/ && - $CI_PROJECT_REPOSITORY_LANGUAGES =~ /elixir/ + $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\belixir\b/ spotbugs-sast: extends: .sast-analyzer @@ -194,4 +194,4 @@ tslint-sast: variables: - $GITLAB_FEATURES =~ /\bsast\b/ && $SAST_DEFAULT_ANALYZERS =~ /tslint/ && - $CI_PROJECT_REPOSITORY_LANGUAGES =~ /typescript/ + $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\btypescript\b/ |