diff options
Diffstat (limited to 'doc/user/application_security/vulnerabilities/index.md')
-rw-r--r-- | doc/user/application_security/vulnerabilities/index.md | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/doc/user/application_security/vulnerabilities/index.md b/doc/user/application_security/vulnerabilities/index.md new file mode 100644 index 00000000000..5cb4f16e0d8 --- /dev/null +++ b/doc/user/application_security/vulnerabilities/index.md @@ -0,0 +1,69 @@ +--- +type: reference, howto +--- + +# Standalone Vulnerability pages + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/13561) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.10. + +CAUTION: **Warning:** +This feature is currently [Alpha](https://about.gitlab.com/handbook/product/#alpha-beta-ga). +You can begin using it, but it may receive important changes in the future. + +Each security vulnerability in the [Vulnerability List](../dependency_list/index.md) has its own standalone +page. + +![Standalone vulnerability page](img/standalone_vulnerability_page_v12_10.png) + +On the standalone vulnerability page, you can interact with the vulnerability in +several different ways: + +- [Change the Vulnerability Status](#changing-vulnerability-status) - You can change the + status of a vulnerability to **Detected**, **Confirmed**, **Dismissed**, or **Resolved**. +- [Create issue](#creating-an-issue-for-a-vulnerability) - Create a new issue with the + title and description prepopulated with information from the vulnerability report. + By default, such issues are [confidential](../../project/issues/confidential_issues.md). +- [Solution](#automatic-remediation-solutions-for-vulnerabilities) - For some vulnerabilities, + a solution is provided for how to fix the vulnerability. + +## Changing vulnerability status + +You can switch the status of a vulnerability using the **Status** dropdown to one of +the following values: + +| State | Description | +|-----------|-------------------------------------------------------------------| +| Detected | The default state for a newly discovered vulnerability | +| Confirmed | A user has seen this vulnerability and confirmed it to be real | +| Dismissed | A user has seen this vulnerability and dismissed it | +| Resolved | The vulnerability has been fixed and is no longer in the codebase | + +## Creating an issue for a vulnerability + +You can create an issue for a vulnerability by selecting the **Create issue** button. + +This creates a [confidential issue](../../project/issues/confidential_issues.md) in the +project the vulnerability came from, and prepopulates it with useful information from +the vulnerability report. After the issue is created, GitLab redirects you to the +issue page so you can edit, assign, or comment on the issue. + +## Automatic remediation solutions for vulnerabilities + +You can fix some vulnerabilities by applying the solution that GitLab automatically +generates for you. GitLab supports the following scanners: + +- [Dependency Scanning](../dependency_scanning/index.md): Automatic Patch creation + is only available for Node.js projects managed with `yarn`. +- [Container Scanning](../container_scanning/index.md). + +### Manually applying a suggested patch + +To apply a patch automatically generated by GitLab to fix a vulnerability: + +1. Open the issue created in [Create issue](#creating-an-issue-for-a-vulnerability). +1. In the **Issue description**, scroll to **Solution** and download the linked patch file. +1. Ensure your local project has the same commit checked out that was used to generate the patch. +1. Run `git apply remediation.patch` to apply the patch. +1. Verify and commit the changes to your branch. + +![Apply patch for dependency scanning](../img/vulnerability_solution.png) |