-rw-r--r--changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml5
-rw-r--r--changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml5
-rw-r--r--doc/administration/troubleshooting/debug.md10
-rw-r--r--doc/api/graphql/reference/gitlab_schema.graphql45
-rw-r--r--doc/api/graphql/reference/gitlab_schema.json125
-rw-r--r--doc/development/contributing/issue_workflow.md2
-rw-r--r--doc/user/application_security/offline_deployments/index.md2
-rw-r--r--doc/user/application_security/sast/index.md5
-rw-r--r--lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml18
9 files changed, 202 insertions, 15 deletions
diff --git a/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml b/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml
new file mode 100644
index 00000000000..461a2fda6cd
--- /dev/null
+++ b/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml
@@ -0,0 +1,5 @@
+---
+title: Improve SAST NO_DIND file detection with proper boundary conditions
+merge_request: 28036
+author:
+type: fixed
diff --git a/changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml b/changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml
new file mode 100644
index 00000000000..2587ed0f05d
--- /dev/null
+++ b/changelogs/unreleased/sk-project-packages-api-filter-necessary-params.yml
@@ -0,0 +1,5 @@
+---
+title: Refactor projects/:id/packages API to supply only necessary params to PackagesFinder
+merge_request: 29052
+author: Sashi Kumar
+type: other
diff --git a/doc/administration/troubleshooting/debug.md b/doc/administration/troubleshooting/debug.md
index d0c1f3fa0ff..1e1b2ad8378 100644
--- a/doc/administration/troubleshooting/debug.md
+++ b/doc/administration/troubleshooting/debug.md
@@ -62,8 +62,8 @@ puts Readline::HISTORY.to_a
## Using the Rails Runner
-If you need to run some Ruby code in thex context of your GitLab production
-environment, you can do so using the [Rails Runner](https://guides.rubyonrails.org/command_line.html#rails-runner).
+If you need to run some Ruby code in the context of your GitLab production
+environment, you can do so using the [Rails Runner](https://guides.rubyonrails.org/command_line.html#rails-runner). When executing a script file, the script must be accessible by the `git` user.
**For Omnibus installations**
@@ -72,6 +72,9 @@ sudo gitlab-rails runner "RAILS_COMMAND"
# Example with a two-line Ruby script
sudo gitlab-rails runner "user = User.first; puts user.username"
+
+# Example with a ruby script file
+sudo gitlab-rails runner /path/to/script.rb
```
**For installations from source**
@@ -81,6 +84,9 @@ sudo -u git -H bundle exec rails runner -e production "RAILS_COMMAND"
# Example with a two-line Ruby script
sudo -u git -H bundle exec rails runner -e production "user = User.first; puts user.username"
+
+# Example with a ruby script file
+sudo -u git -H bundle exec rails runner -e production /path/to/script.rb
```
## Mail not working
diff --git a/doc/api/graphql/reference/gitlab_schema.graphql b/doc/api/graphql/reference/gitlab_schema.graphql
index 22ca25e45d3..4ce54a1b3fb 100644
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -7174,6 +7174,51 @@ type Query {
"""
visibility: VisibilityScopesEnum
): SnippetConnection
+
+ """
+ Vulnerabilities reported on projects on the current user's instance security dashboard
+ """
+ vulnerabilities(
+ """
+ Returns the elements in the list that come after the specified cursor.
+ """
+ after: String
+
+ """
+ Returns the elements in the list that come before the specified cursor.
+ """
+ before: String
+
+ """
+ Returns the first _n_ elements from the list.
+ """
+ first: Int
+
+ """
+ Returns the last _n_ elements from the list.
+ """
+ last: Int
+
+ """
+ Filter vulnerabilities by project
+ """
+ projectId: [ID!]
+
+ """
+ Filter vulnerabilities by report type
+ """
+ reportType: [VulnerabilityReportType!]
+
+ """
+ Filter vulnerabilities by severity
+ """
+ severity: [VulnerabilitySeverity!]
+
+ """
+ Filter vulnerabilities by state
+ """
+ state: [VulnerabilityState!]
+ ): VulnerabilityConnection
}
"""
diff --git a/doc/api/graphql/reference/gitlab_schema.json b/doc/api/graphql/reference/gitlab_schema.json
index 40bd27062b3..bf8206e61cc 100644
--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -21480,6 +21480,131 @@
},
"isDeprecated": false,
"deprecationReason": null
+ },
+ {
+ "name": "vulnerabilities",
+ "description": "Vulnerabilities reported on projects on the current user's instance security dashboard",
+ "args": [
+ {
+ "name": "projectId",
+ "description": "Filter vulnerabilities by project",
+ "type": {
+ "kind": "LIST",
+ "name": null,
+ "ofType": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": {
+ "kind": "SCALAR",
+ "name": "ID",
+ "ofType": null
+ }
+ }
+ },
+ "defaultValue": null
+ },
+ {
+ "name": "reportType",
+ "description": "Filter vulnerabilities by report type",
+ "type": {
+ "kind": "LIST",
+ "name": null,
+ "ofType": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": {
+ "kind": "ENUM",
+ "name": "VulnerabilityReportType",
+ "ofType": null
+ }
+ }
+ },
+ "defaultValue": null
+ },
+ {
+ "name": "severity",
+ "description": "Filter vulnerabilities by severity",
+ "type": {
+ "kind": "LIST",
+ "name": null,
+ "ofType": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": {
+ "kind": "ENUM",
+ "name": "VulnerabilitySeverity",
+ "ofType": null
+ }
+ }
+ },
+ "defaultValue": null
+ },
+ {
+ "name": "state",
+ "description": "Filter vulnerabilities by state",
+ "type": {
+ "kind": "LIST",
+ "name": null,
+ "ofType": {
+ "kind": "NON_NULL",
+ "name": null,
+ "ofType": {
+ "kind": "ENUM",
+ "name": "VulnerabilityState",
+ "ofType": null
+ }
+ }
+ },
+ "defaultValue": null
+ },
+ {
+ "name": "after",
+ "description": "Returns the elements in the list that come after the specified cursor.",
+ "type": {
+ "kind": "SCALAR",
+ "name": "String",
+ "ofType": null
+ },
+ "defaultValue": null
+ },
+ {
+ "name": "before",
+ "description": "Returns the elements in the list that come before the specified cursor.",
+ "type": {
+ "kind": "SCALAR",
+ "name": "String",
+ "ofType": null
+ },
+ "defaultValue": null
+ },
+ {
+ "name": "first",
+ "description": "Returns the first _n_ elements from the list.",
+ "type": {
+ "kind": "SCALAR",
+ "name": "Int",
+ "ofType": null
+ },
+ "defaultValue": null
+ },
+ {
+ "name": "last",
+ "description": "Returns the last _n_ elements from the list.",
+ "type": {
+ "kind": "SCALAR",
+ "name": "Int",
+ "ofType": null
+ },
+ "defaultValue": null
+ }
+ ],
+ "type": {
+ "kind": "OBJECT",
+ "name": "VulnerabilityConnection",
+ "ofType": null
+ },
+ "isDeprecated": false,
+ "deprecationReason": null
}
],
"inputFields": null,
diff --git a/doc/development/contributing/issue_workflow.md b/doc/development/contributing/issue_workflow.md
index a4c55cdbd1b..5df357eee9e 100644
--- a/doc/development/contributing/issue_workflow.md
+++ b/doc/development/contributing/issue_workflow.md
@@ -449,7 +449,7 @@ It's common to discover technical debt during development of a new feature. In
the spirit of "minimum viable change", resolution is often deferred to a
follow-up issue. However, this cannot be used as an excuse to merge poor-quality
code that would otherwise not pass review, or to overlook trivial matters that
-don't deserve the be scheduled independently, and would be best resolved in the
+don't deserve to be scheduled independently, and would be best resolved in the
original merge request - or not tracked at all!
The overheads of scheduling, and rate of change in the GitLab codebase, mean
diff --git a/doc/user/application_security/offline_deployments/index.md b/doc/user/application_security/offline_deployments/index.md
index 5a5f149a3bf..61b34901849 100644
--- a/doc/user/application_security/offline_deployments/index.md
+++ b/doc/user/application_security/offline_deployments/index.md
@@ -76,6 +76,6 @@ Each individual scanner may be slightly different than the steps described
above. You can find more information at each of the pages below:
- [Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-environment)
-- [SAST offline directions](../sast/index.md#gitlab-sast-in-an-offline-environment)
+- [SAST offline directions](../sast/index.md#running-sast-in-an-offline-environment)
- [DAST offline directions](../dast/index.md#running-dast-in-an-offline-environment)
- [License Compliance offline directions](../../compliance/license_compliance/index.md#running-license-compliance-in-an-offline-environment)
diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md
index 3a711138a76..75afdfb5cf5 100644
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -504,16 +504,17 @@ Once a vulnerability is found, you can interact with it. Read more on how to
For more information about the vulnerabilities database update, check the
[maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database).
-## GitLab SAST in an offline environment
+## Running SAST in an offline environment
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
to external resources through the internet, some adjustments are required for the SAST job to
-successfully run.
+successfully run. For more information, see [Offline environments](../offline_deployments/index.md).
### Requirements for offline SAST
To use SAST in an offline environment, you need:
+- [Disable Docker-In-Docker](#disabling-docker-in-docker-for-sast)
- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
- Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
diff --git a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
index b710ad3d0db..03b9720747d 100644
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -65,7 +65,7 @@ bandit-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/&&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/
brakeman-sast:
extends: .sast-analyzer
@@ -75,7 +75,7 @@ brakeman-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/ &&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bruby\b/
eslint-sast:
extends: .sast-analyzer
@@ -85,7 +85,7 @@ eslint-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/ &&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
flawfinder-sast:
extends: .sast-analyzer
@@ -95,7 +95,7 @@ flawfinder-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/ &&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c)\b/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /(c(\+\+)?,)|(c(\+\+)?$)/
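Review bot: The new flawfinder pattern has no left-hand boundary, so any language name ending in `c` or `c++` still satisfies it — assuming `$CI_PROJECT_REPOSITORY_LANGUAGES` is a comma-separated list, as the pattern's own use of `,` and `$` suggests, a value such as `objective-c,ruby` matches `c,` and the job would run on a repository with no C sources. Anchoring both sides keeps the intent of the commit (delimiters instead of `\b`, which cannot follow `+`) while closing that gap: `$CI_PROJECT_REPOSITORY_LANGUAGES =~ /(^|,)c(\+\+)?(,|$)/`. The other hunks in this file use `\b` around plain word characters and do not have this problem; this job's surrounding `only:` block starts outside the hunk.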
kubesec-sast:
extends: .sast-analyzer
@@ -125,7 +125,7 @@ nodejs-scan-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ &&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
phpcs-security-audit-sast:
extends: .sast-analyzer
@@ -135,7 +135,7 @@ phpcs-security-audit-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ &&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /php/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bphp\b/
pmd-apex-sast:
extends: .sast-analyzer
@@ -145,7 +145,7 @@ pmd-apex-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ &&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /apex/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bapex\b/
secrets-sast:
extends: .sast-analyzer
@@ -174,7 +174,7 @@ sobelow-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/ &&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /elixir/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\belixir\b/
spotbugs-sast:
extends: .sast-analyzer
@@ -194,4 +194,4 @@ tslint-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /tslint/ &&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /typescript/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\btypescript\b/