From 30a8d158a29cc09ece1a71771a28f7bc1483506b Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 15 Apr 2020 00:09:27 +0000 Subject: Add latest changes from gitlab-org/gitlab@master --- app/controllers/projects/issues_controller.rb | 4 - .../projects/merge_requests_controller.rb | 4 - app/models/namespace.rb | 3 + app/views/projects/issues/show.html.haml | 3 +- .../merge_requests/_awards_block.html.haml | 3 +- ...214218-feature-flag-enable-sort_discussions.yml | 5 + config/pseudonymizer.yml | 1 - doc/api/graphql/reference/gitlab_schema.graphql | 91 ++++++ doc/api/graphql/reference/gitlab_schema.json | 314 +++++++++++++++++++++ doc/api/graphql/reference/index.md | 26 ++ doc/ci/docker/using_docker_build.md | 46 +-- doc/integration/elasticsearch.md | 6 +- doc/user/analytics/value_stream_analytics.md | 8 + .../container_scanning/index.md | 14 +- .../dependency_scanning/index.md | 6 +- doc/user/application_security/sast/index.md | 6 +- doc/user/clusters/applications.md | 16 ++ doc/user/packages/container_registry/index.md | 26 +- lib/gitlab/error_tracking.rb | 38 ++- 19 files changed, 553 insertions(+), 67 deletions(-) create mode 100644 changelogs/unreleased/214218-feature-flag-enable-sort_discussions.yml diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb index 96650e2cae9..51ad8edb012 100644 --- a/app/controllers/projects/issues_controller.rb +++ b/app/controllers/projects/issues_controller.rb @@ -50,10 +50,6 @@ class Projects::IssuesController < Projects::ApplicationController push_frontend_feature_flag(:save_issuable_health_status, project.group, default_enabled: true) end - before_action only: :show do - push_frontend_feature_flag(:sort_discussions, @project) - end - around_action :allow_gitaly_ref_name_caching, only: [:discussions] respond_to :html diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb index 038b6146bab..89de40006ff 100644 
--- a/app/controllers/projects/merge_requests_controller.rb +++ b/app/controllers/projects/merge_requests_controller.rb @@ -31,10 +31,6 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo push_frontend_feature_flag(:vue_issuable_sidebar, @project.group) end - before_action only: :show do - push_frontend_feature_flag(:sort_discussions, @project) - end - around_action :allow_gitaly_ref_name_caching, only: [:index, :show, :discussions] def index diff --git a/app/models/namespace.rb b/app/models/namespace.rb index 260ba9ea4a5..9e7589a1f18 100644 --- a/app/models/namespace.rb +++ b/app/models/namespace.rb @@ -11,6 +11,9 @@ class Namespace < ApplicationRecord include FeatureGate include FromUnion include Gitlab::Utils::StrongMemoize + include IgnorableColumns + + ignore_column :plan_id, remove_with: '13.1', remove_after: '2020-06-22' # Prevent users from creating unreasonably deep level of nesting. # The number 20 was taken based on maximum nesting level of diff --git a/app/views/projects/issues/show.html.haml b/app/views/projects/issues/show.html.haml index 1f499dbd0a2..4fc67884584 100644 --- a/app/views/projects/issues/show.html.haml +++ b/app/views/projects/issues/show.html.haml @@ -87,8 +87,7 @@ .col-md-12.col-lg-6.js-noteable-awards = render 'award_emoji/awards_block', awardable: @issue, inline: true .col-md-12.col-lg-6.new-branch-col - - if Feature.enabled?(:sort_discussions, @project) - #js-vue-sort-issue-discussions + #js-vue-sort-issue-discussions #js-vue-discussion-filter{ data: { default_filter: current_user&.notes_filter_for(@issue), notes_filters: UserPreference.notes_filters.to_json } } = render 'new_branch' if show_new_branch_button? diff --git a/app/views/projects/merge_requests/_awards_block.html.haml b/app/views/projects/merge_requests/_awards_block.html.haml index c1e92e22590..e4a7b9b7e62 100644 --- a/app/views/projects/merge_requests/_awards_block.html.haml +++ b/app/views/projects/merge_requests/_awards_block.html.haml 
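Review bot: In the `app/models/namespace.rb` hunk, the added `ignore_column :plan_id, remove_with: '13.1', remove_after: '2020-06-22'` has no comment saying why the column is being retired or where a namespace's plan is read from instead. I would add a line above it such as `# plan_id is no longer read from namespaces (see <ISSUE-LINK-PLACEHOLDER>); ignored here until the column is dropped`. The same commit removes `plan_id` from the `namespaces` whitelist in `config/pseudonymizer.yml`, which is consistent with ignoring the column. Presumably any other reader of `namespaces.plan_id` (a scope, raw SQL, an export or serializer) will stop seeing the attribute once it is ignored, and none is visible in this diff, so that is worth a search before merge. The `Namespace` class body continues outside the hunk.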
@@ -2,6 +2,5 @@ = render 'award_emoji/awards_block', awardable: @merge_request, inline: true do - if mr_tabs_position_enabled? .ml-auto.mt-auto.mb-auto - - if Feature.enabled?(:sort_discussions, @merge_request.target_project) - #js-vue-sort-issue-discussions + #js-vue-sort-issue-discussions = render "projects/merge_requests/discussion_filter" diff --git a/changelogs/unreleased/214218-feature-flag-enable-sort_discussions.yml b/changelogs/unreleased/214218-feature-flag-enable-sort_discussions.yml new file mode 100644 index 00000000000..4e76379c0fe --- /dev/null +++ b/changelogs/unreleased/214218-feature-flag-enable-sort_discussions.yml @@ -0,0 +1,5 @@ +--- +title: Allow sorting of issue and MR discussions +merge_request: 29492 +author: +type: added diff --git a/config/pseudonymizer.yml b/config/pseudonymizer.yml index 7b5f8aad255..195506ac4a1 100644 --- a/config/pseudonymizer.yml +++ b/config/pseudonymizer.yml @@ -239,7 +239,6 @@ tables: - repository_size_limit - require_two_factor_authentication - two_factor_grace_period - - plan_id - project_creation_level members: whitelist: diff --git a/doc/api/graphql/reference/gitlab_schema.graphql b/doc/api/graphql/reference/gitlab_schema.graphql index 4ce54a1b3fb..eb9b285803d 100644 --- a/doc/api/graphql/reference/gitlab_schema.graphql +++ b/doc/api/graphql/reference/gitlab_schema.graphql 
@@ -1832,6 +1832,46 @@ type DiscussionEdge { node: Discussion } +""" +Autogenerated input type of DismissVulnerability +""" +input DismissVulnerabilityInput { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + Reason why vulnerability should be dismissed + """ + comment: String + + """ + ID of the vulnerability to be dismissed + """ + id: ID! +} + +""" +Autogenerated return type of DismissVulnerability +""" +type DismissVulnerabilityPayload { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + Reasons why the mutation failed. + """ + errors: [String!]! + + """ + The vulnerability after dismissal + """ + vulnerability: Vulnerability +} + interface Entry { """ Flat path of the entry @@ -5413,6 +5453,7 @@ type Mutation { designManagementUpload(input: DesignManagementUploadInput!): DesignManagementUploadPayload destroyNote(input: DestroyNoteInput!): DestroyNotePayload destroySnippet(input: DestroySnippetInput!): DestroySnippetPayload + dismissVulnerability(input: DismissVulnerabilityInput!): DismissVulnerabilityPayload epicAddIssue(input: EpicAddIssueInput!): EpicAddIssuePayload epicSetSubscription(input: EpicSetSubscriptionInput!): EpicSetSubscriptionPayload epicTreeReorder(input: EpicTreeReorderInput!): EpicTreeReorderPayload @@ -9534,6 +9575,11 @@ type Vulnerability { """ title: String + """ + Permissions for the current user on the resource + """ + userPermissions: VulnerabilityPermissions! + """ URL to the vulnerability's details page """ 
@@ -9575,6 +9621,51 @@ type VulnerabilityEdge { node: Vulnerability } +""" +Check permissions for the current user on a vulnerability +""" +type VulnerabilityPermissions { + """ + Indicates the user can perform `admin_vulnerability` on this resource + """ + adminVulnerability: Boolean! + + """ + Indicates the user can perform `admin_vulnerability_issue_link` on this resource + """ + adminVulnerabilityIssueLink: Boolean! + + """ + Indicates the user can perform `create_vulnerability` on this resource + """ + createVulnerability: Boolean! + + """ + Indicates the user can perform `create_vulnerability_export` on this resource + """ + createVulnerabilityExport: Boolean! + + """ + Indicates the user can perform `create_vulnerability_feedback` on this resource + """ + createVulnerabilityFeedback: Boolean! + + """ + Indicates the user can perform `destroy_vulnerability_feedback` on this resource + """ + destroyVulnerabilityFeedback: Boolean! + + """ + Indicates the user can perform `read_vulnerability_feedback` on this resource + """ + readVulnerabilityFeedback: Boolean! + + """ + Indicates the user can perform `update_vulnerability_feedback` on this resource + """ + updateVulnerabilityFeedback: Boolean! +} + """ The type of the security scan that found the vulnerability. """ diff --git a/doc/api/graphql/reference/gitlab_schema.json b/doc/api/graphql/reference/gitlab_schema.json index bf8206e61cc..f6c3510d6dc 100644 --- a/doc/api/graphql/reference/gitlab_schema.json +++ b/doc/api/graphql/reference/gitlab_schema.json 
@@ -5393,6 +5393,118 @@ "enumValues": null, "possibleTypes": null }, + { + "kind": "INPUT_OBJECT", + "name": "DismissVulnerabilityInput", + "description": "Autogenerated input type of DismissVulnerability", + "fields": null, + "inputFields": [ + { + "name": "id", + "description": "ID of the vulnerability to be dismissed", + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "ID", + "ofType": null + } + }, + "defaultValue": null + }, + { + "name": "comment", + "description": "Reason why vulnerability should be dismissed", + "type": { + "kind": "SCALAR", + "name": "String", + "ofType": null + }, + "defaultValue": null + }, + { + "name": "clientMutationId", + "description": "A unique identifier for the client performing the mutation.", + "type": { + "kind": "SCALAR", + "name": "String", + "ofType": null + }, + "defaultValue": null + } + ], + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, + { + "kind": "OBJECT", + "name": "DismissVulnerabilityPayload", + "description": "Autogenerated return type of DismissVulnerability", + "fields": [ + { + "name": "clientMutationId", + "description": "A unique identifier for the client performing the mutation.", + "args": [ + + ], + "type": { + "kind": "SCALAR", + "name": "String", + "ofType": null + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "errors", + "description": "Reasons why the mutation failed.", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "LIST", + "name": null, + "ofType": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "String", + "ofType": null + } + } + } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "vulnerability", + "description": "The vulnerability after dismissal", + "args": [ + + ], + "type": { + "kind": "OBJECT", + "name": "Vulnerability", + "ofType": null + }, + "isDeprecated": false, + 
"deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [ + + ], + "enumValues": null, + "possibleTypes": null + }, { "kind": "INTERFACE", "name": "Entry", @@ -15821,6 +15933,33 @@ "isDeprecated": false, "deprecationReason": null }, + { + "name": "dismissVulnerability", + "description": null, + "args": [ + { + "name": "input", + "description": null, + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "INPUT_OBJECT", + "name": "DismissVulnerabilityInput", + "ofType": null + } + }, + "defaultValue": null + } + ], + "type": { + "kind": "OBJECT", + "name": "DismissVulnerabilityPayload", + "ofType": null + }, + "isDeprecated": false, + "deprecationReason": null + }, { "name": "epicAddIssue", "description": null, @@ -28762,6 +28901,24 @@ "isDeprecated": false, "deprecationReason": null }, + { + "name": "userPermissions", + "description": "Permissions for the current user on the resource", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "OBJECT", + "name": "VulnerabilityPermissions", + "ofType": null + } + }, + "isDeprecated": false, + "deprecationReason": null + }, { "name": "vulnerabilityPath", "description": "URL to the vulnerability's details page", 
@@ -28896,6 +29053,163 @@ "enumValues": null, "possibleTypes": null }, + { + "kind": "OBJECT", + "name": "VulnerabilityPermissions", + "description": "Check permissions for the current user on a vulnerability", + "fields": [ + { + "name": "adminVulnerability", + "description": "Indicates the user can perform `admin_vulnerability` on this resource", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "Boolean", + "ofType": null + } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "adminVulnerabilityIssueLink", + "description": "Indicates the user can perform `admin_vulnerability_issue_link` on this resource", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "Boolean", + "ofType": null + } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "createVulnerability", + "description": "Indicates the user can perform `create_vulnerability` on this resource", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "Boolean", + "ofType": null + } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "createVulnerabilityExport", + "description": "Indicates the user can perform `create_vulnerability_export` on this resource", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "Boolean", + "ofType": null + } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "createVulnerabilityFeedback", + "description": "Indicates the user can perform `create_vulnerability_feedback` on this resource", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "Boolean", + "ofType": null + } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "destroyVulnerabilityFeedback", + 
"description": "Indicates the user can perform `destroy_vulnerability_feedback` on this resource", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "Boolean", + "ofType": null + } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "readVulnerabilityFeedback", + "description": "Indicates the user can perform `read_vulnerability_feedback` on this resource", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "Boolean", + "ofType": null + } + }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "updateVulnerabilityFeedback", + "description": "Indicates the user can perform `update_vulnerability_feedback` on this resource", + "args": [ + + ], + "type": { + "kind": "NON_NULL", + "name": null, + "ofType": { + "kind": "SCALAR", + "name": "Boolean", + "ofType": null + } + }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [ + + ], + "enumValues": null, + "possibleTypes": null + }, { "kind": "ENUM", "name": "VulnerabilityReportType", diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index e1375530bf4..082d7decbf9 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -317,6 +317,16 @@ Autogenerated return type of DestroySnippet | `id` | ID! | ID of this discussion | | `replyId` | ID! | ID used to reply to this discussion | +## DismissVulnerabilityPayload + +Autogenerated return type of DismissVulnerability + +| Name | Type | Description | +| --- | ---- | ---------- | +| `clientMutationId` | String | A unique identifier for the client performing the mutation. | +| `errors` | String! => Array | Reasons why the mutation failed. | +| `vulnerability` | Vulnerability | The vulnerability after dismissal | + ## Environment Describes where code is deployed for a project 
@@ -1495,8 +1505,24 @@ Represents a vulnerability. | `severity` | VulnerabilitySeverity | Severity of the vulnerability (INFO, UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL) | | `state` | VulnerabilityState | State of the vulnerability (DETECTED, DISMISSED, RESOLVED, CONFIRMED) | | `title` | String | Title of the vulnerability | +| `userPermissions` | VulnerabilityPermissions! | Permissions for the current user on the resource | | `vulnerabilityPath` | String | URL to the vulnerability's details page | +## VulnerabilityPermissions + +Check permissions for the current user on a vulnerability + +| Name | Type | Description | +| --- | ---- | ---------- | +| `adminVulnerability` | Boolean! | Indicates the user can perform `admin_vulnerability` on this resource | +| `adminVulnerabilityIssueLink` | Boolean! | Indicates the user can perform `admin_vulnerability_issue_link` on this resource | +| `createVulnerability` | Boolean! | Indicates the user can perform `create_vulnerability` on this resource | +| `createVulnerabilityExport` | Boolean! | Indicates the user can perform `create_vulnerability_export` on this resource | +| `createVulnerabilityFeedback` | Boolean! | Indicates the user can perform `create_vulnerability_feedback` on this resource | +| `destroyVulnerabilityFeedback` | Boolean! | Indicates the user can perform `destroy_vulnerability_feedback` on this resource | +| `readVulnerabilityFeedback` | Boolean! | Indicates the user can perform `read_vulnerability_feedback` on this resource | +| `updateVulnerabilityFeedback` | Boolean! | Indicates the user can perform `update_vulnerability_feedback` on this resource | + ## VulnerabilitySeveritiesCount Represents vulnerability counts by severity diff --git a/doc/ci/docker/using_docker_build.md b/doc/ci/docker/using_docker_build.md index 69618cbd218..acdc61d008f 100644 --- a/doc/ci/docker/using_docker_build.md +++ b/doc/ci/docker/using_docker_build.md 
@@ -120,7 +120,7 @@ not without its own challenges: - By default, Docker 17.09 and higher uses `--storage-driver overlay2` which is the recommended storage driver. See [Using the overlayfs driver](#using-the-overlayfs-driver) for details. -- Since the `docker:19.03.1-dind` container and the Runner container don't share their +- Since the `docker:19.03.8-dind` container and the Runner container don't share their root filesystem, the job's working directory can be used as a mount point for child containers. For example, if you have files you want to share with a child container, you may create a subdirectory under `/builds/$CI_PROJECT_PATH` @@ -139,7 +139,7 @@ not without its own challenges: An example project using this approach can be found here: . In the examples below, we are using Docker images tags to specify a -specific version, such as `docker:19.03.1`. If tags like `docker:stable` +specific version, such as `docker:19.03.8`. If tags like `docker:stable` are used, you have no control over what version is going to be used and this can lead to unpredictable behavior, especially when new versions are released. @@ -150,7 +150,7 @@ NOTE: **Note** This requires GitLab Runner 11.11 or higher. The Docker daemon supports connection over TLS and it's done by default -for Docker 19.03.1 or higher. This is the **suggested** way to use the +for Docker 19.03.8 or higher. This is the **suggested** way to use the docker-in-docker service and [GitLab.com Shared Runners](../../user/gitlab_com/index.md#shared-runners) support this. 
@@ -166,13 +166,13 @@ support this. --registration-token REGISTRATION_TOKEN \ --executor docker \ --description "My Docker Runner" \ - --docker-image "docker:19.03.1" \ + --docker-image "docker:19.03.8" \ --docker-privileged \ --docker-volumes "/certs/client" ``` The above command will register a new Runner to use the special - `docker:19.03.1` image, which is provided by Docker. **Notice that it's + `docker:19.03.8` image, which is provided by Docker. **Notice that it's using the `privileged` mode to start the build and service containers.** If you want to use [docker-in-docker](https://www.docker.com/blog/docker-can-now-run-within-docker/) mode, you always have to use `privileged = true` in your Docker containers. @@ -191,7 +191,7 @@ support this. executor = "docker" [runners.docker] tls_verify = false - image = "docker:19.03.1" + image = "docker:19.03.8" privileged = true disable_cache = false volumes = ["/certs/client", "/cache"] @@ -201,18 +201,18 @@ support this. ``` 1. You can now use `docker` in the build script (note the inclusion of the - `docker:19.03.1-dind` service): + `docker:19.03.8-dind` service): ```yaml - image: docker:19.03.1 + image: docker:19.03.8 variables: # When using dind service, we need to instruct docker, to talk with # the daemon started inside of the service. The daemon is available # with a network connection instead of the default - # /var/run/docker.sock socket. docker:19.03.1 does this automatically + # /var/run/docker.sock socket. Docker 19.03 does this automatically # by setting the DOCKER_HOST in - # https://github.com/docker-library/docker/blob/d45051476babc297257df490d22cbd806f1b11e4/19.03.1/docker-entrypoint.sh#L23-L29 + # https://github.com/docker-library/docker/blob/d45051476babc297257df490d22cbd806f1b11e4/19.03/docker-entrypoint.sh#L23-L29 # # The 'docker' hostname is the alias of the service container as described at # https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#accessing-the-services. 
@@ -229,7 +229,7 @@ support this. DOCKER_TLS_CERTDIR: "/certs" services: - - docker:19.03.1-dind + - docker:19.03.8-dind before_script: - docker info @@ -256,7 +256,7 @@ Assuming that the Runner `config.toml` is similar to: executor = "docker" [runners.docker] tls_verify = false - image = "docker:19.03.1" + image = "docker:19.03.8" privileged = true disable_cache = false volumes = ["/cache"] @@ -266,10 +266,10 @@ Assuming that the Runner `config.toml` is similar to: ``` You can now use `docker` in the build script (note the inclusion of the -`docker:19.03.1-dind` service): +`docker:19.03.8-dind` service): ```yaml -image: docker:19.03.1 +image: docker:19.03.8 variables: # When using dind service we need to instruct docker, to talk with the @@ -290,7 +290,7 @@ variables: DOCKER_TLS_CERTDIR: "" services: - - docker:19.03.1-dind + - docker:19.03.8-dind before_script: - docker info @@ -310,7 +310,7 @@ container so that Docker is available in the context of that image. NOTE: **Note:** If you bind the Docker socket [when using GitLab Runner 11.11 or newer](https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/1261), -you can no longer use `docker:19.03.1-dind` as a service because volume bindings +you can no longer use `docker:19.03.8-dind` as a service because volume bindings are done to the services as well, making these incompatible. In order to do that, follow the steps: 
@@ -325,12 +325,12 @@ In order to do that, follow the steps: --registration-token REGISTRATION_TOKEN \ --executor docker \ --description "My Docker Runner" \ - --docker-image "docker:19.03.1" \ + --docker-image "docker:19.03.8" \ --docker-volumes /var/run/docker.sock:/var/run/docker.sock ``` The above command will register a new Runner to use the special - `docker:19.03.1` image which is provided by Docker. **Notice that it's using + `docker:19.03.8` image which is provided by Docker. **Notice that it's using the Docker daemon of the Runner itself, and any containers spawned by Docker commands will be siblings of the Runner rather than children of the Runner.** This may have complications and limitations that are unsuitable for your workflow. @@ -344,7 +344,7 @@ In order to do that, follow the steps: executor = "docker" [runners.docker] tls_verify = false - image = "docker:19.03.1" + image = "docker:19.03.8" privileged = false disable_cache = false volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"] @@ -353,11 +353,11 @@ In order to do that, follow the steps: ``` 1. You can now use `docker` in the build script (note that you don't need to - include the `docker:19.03.1-dind` service as when using the Docker in Docker + include the `docker:19.03.8-dind` service as when using the Docker in Docker executor): ```yaml - image: docker:19.03.1 + image: docker:19.03.8 before_script: - docker info @@ -411,10 +411,10 @@ any image that's used with the `--cache-from` argument must first be pulled Here's a `.gitlab-ci.yml` file showing how Docker caching can be used: ```yaml -image: docker:19.03.1 +image: docker:19.03.8 services: - - docker:19.03.1-dind + - docker:19.03.8-dind variables: # Use TLS https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#tls-enabled diff --git a/doc/integration/elasticsearch.md b/doc/integration/elasticsearch.md index fe7c3855d9a..fcd1c03a556 100644 --- a/doc/integration/elasticsearch.md +++ b/doc/integration/elasticsearch.md 
@@ -361,7 +361,7 @@ or creating [extra Sidekiq processes](../administration/operations/extra_sidekiq 1. Enable replication and refreshing again after indexing (only if you previously disabled it): ```shell - curl --request PUT localhost:9200/gitlab-production/_settings --header 'Content-Type: application/json' ---data '{ + curl --request PUT localhost:9200/gitlab-production/_settings --header 'Content-Type: application/json' --data '{ "index" : { "number_of_replicas" : 1, "refresh_interval" : "1s" @@ -373,7 +373,7 @@ or creating [extra Sidekiq processes](../administration/operations/extra_sidekiq For Elasticsearch 6.x, the index should be in read-only mode before proceeding with the force merge: ```shell - curl --request PUT localhost:9200/gitlab-production/_settings ---header 'Content-Type: application/json' --data '{ + curl --request PUT localhost:9200/gitlab-production/_settings --header 'Content-Type: application/json' --data '{ "settings": { "index.blocks.write": true } }' @@ -388,7 +388,7 @@ or creating [extra Sidekiq processes](../administration/operations/extra_sidekiq After this, if your index is in read-only mode, switch back to read-write: ```shell - curl --request PUT localhost:9200/gitlab-production/_settings ---header 'Content-Type: application/json' --data '{ + curl --request PUT localhost:9200/gitlab-production/_settings --header 'Content-Type: application/json' --data '{ "settings": { "index.blocks.write": false } }' diff --git a/doc/user/analytics/value_stream_analytics.md b/doc/user/analytics/value_stream_analytics.md index 22af788b6f5..703b794981f 100644 --- a/doc/user/analytics/value_stream_analytics.md +++ b/doc/user/analytics/value_stream_analytics.md 
@@ -302,6 +302,14 @@ For Value Stream Analytics functionality introduced in GitLab 12.3 and later: - Features are available only on [Premium or Silver tiers](https://about.gitlab.com/pricing/) and above. +## Troubleshooting + +If you see an error as listed in the following table, try the noted solution: + +| Error | Solution | +|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| There was an error fetching the top labels. | Manually enable tasks by type feature in the [rails console](../../administration/troubleshooting/navigating_gitlab_via_rails_console.md#starting-a-rails-console-session), specifically `Feature.enable(:tasks_by_type_chart)`. | + ## More resources Learn more about Value Stream Analytics in the following resources: diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md index 3d6c9e0b0ba..27b22fb925c 100644 --- a/doc/user/application_security/container_scanning/index.md +++ b/doc/user/application_security/container_scanning/index.md @@ -67,10 +67,10 @@ To enable Container Scanning in your pipeline, you need: ```yaml build: - image: docker:19.03.1 + image: docker:19.03.8 stage: build services: - - docker:19.03.1-dind + - docker:19.03.8-dind variables: IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA script: @@ -118,7 +118,7 @@ variables: DOCKER_DRIVER: overlay2 services: - - docker:19.03.5-dind + - docker:19.03.8-dind stages: - build 
@@ -158,9 +158,9 @@ variables: The `CLAIR_OUTPUT` variable defined in the main `gitlab-ci.yml` will overwrite what's defined in `Container-Scanning.gitlab-ci.yml`, changing the Container Scanning behavior. -[//]: # "NOTE: The container scanning tool references the following heading in the code, so if you" -[//]: # " make a change to this heading, make sure to update the documentation URLs used in the" -[//]: # " container scanning tool (https://gitlab.com/gitlab-org/security-products/analyzers/klar)" + #### Available variables @@ -240,7 +240,7 @@ It may be worthwhile to set up a [scheduled pipeline](../../../ci/pipelines/sche image: docker:stable services: - - docker:19.03.5-dind + - docker:19.03.8-dind stages: - build diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 799f3e1f629..ae006178945 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -46,7 +46,7 @@ this is enabled by default. CAUTION: **Caution:** If you use your own Runners, make sure that the Docker version you have installed -is **not** `19.03.00`. See [troubleshooting information](#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) for details. +is **not** `19.03.0`. See [troubleshooting information](#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) for details. Privileged mode is not necessary if you've [disabled Docker in Docker for Dependency Scanning](#disabling-docker-in-docker-for-dependency-scanning) 
@@ -419,7 +419,7 @@ You can also [submit new vulnerabilities](https://gitlab.com/gitlab-org/security ### Error response from daemon: error processing tar file: docker-tar: relocation error -This error occurs when the Docker version used to run the SAST job is `19.03.00`. -You are advised to update to Docker `19.03.01` or greater. Older versions are not +This error occurs when the Docker version used to run the SAST job is `19.03.0`. +You are advised to update to Docker `19.03.1` or greater. Older versions are not affected. Read more in [this issue](https://gitlab.com/gitlab-org/gitlab/issues/13830#note_211354992 "Current SAST container fails"). diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 75afdfb5cf5..011f95c7049 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -58,7 +58,7 @@ CAUTION: **Caution:** Our SAST jobs currently expect a Linux container type. Win CAUTION: **Caution:** If you use your own Runners, make sure that the Docker version you have installed -is **not** `19.03.00`. See [troubleshooting information](#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) for details. +is **not** `19.03.0`. See [troubleshooting information](#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) for details. ## Supported languages and frameworks 
@@ -582,7 +582,7 @@ security reports without requiring internet access. ### Error response from daemon: error processing tar file: docker-tar: relocation error -This error occurs when the Docker version used to run the SAST job is `19.03.00`. -You are advised to update to Docker `19.03.01` or greater. Older versions are not +This error occurs when the Docker version used to run the SAST job is `19.03.0`. +You are advised to update to Docker `19.03.1` or greater. Older versions are not affected. Read more in [this issue](https://gitlab.com/gitlab-org/gitlab/issues/13830#note_211354992 "Current SAST container fails"). diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 73ef9482e71..cc7b5dcd5fb 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -298,6 +298,22 @@ Ingress with the recent changes. ![Disabling WAF](../../topics/web_application_firewall/img/guide_waf_ingress_save_changes_v12_10.png) +##### Logging and blocking modes + +To help you tune your WAF rules, you can globally set your WAF to either +**Logging** or **Blocking** mode: + +- **Logging mode** - Allows traffic matching the rule to pass, and logs the event. +- **Blocking mode** - Prevents traffic matching the rule from passing, and logs the event. + +To change your WAF's mode: + +1. [Install ModSecurity](../../topics/web_application_firewall/quick_start_guide.md) if you have not already done so. +1. Navigate to **{cloud-gear}** **Operations > Kubernetes**. +1. In **Applications**, scroll to **Ingress**. +1. Under **Global default**, select your desired mode. +1. Click **Save changes**. + ##### Viewing Web Application Firewall traffic > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9. diff --git a/doc/user/packages/container_registry/index.md b/doc/user/packages/container_registry/index.md index d6c6767a8fd..5505a4503ca 100644 
--- a/doc/user/packages/container_registry/index.md +++ b/doc/user/packages/container_registry/index.md @@ -240,10 +240,10 @@ should look similar to this: ```yaml build: - image: docker:19.03.1 + image: docker:19.03.8 stage: build services: - - docker:19.03.1-dind + - docker:19.03.8-dind script: - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY - docker build -t $CI_REGISTRY/group/project/image:latest . @@ -254,10 +254,10 @@ You can also make use of [other variables](../../../ci/variables/README.md) to a ```yaml build: - image: docker:19.03.1 + image: docker:19.03.8 stage: build services: - - docker:19.03.1-dind + - docker:19.03.8-dind variables: IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG script: @@ -280,9 +280,9 @@ when needed. Changes to `master` also get tagged as `latest` and deployed using an application-specific deploy script: ```yaml -image: docker:19.03.1 +image: docker:19.03.8 services: - - docker:19.03.1-dind + - docker:19.03.8-dind stages: - build @@ -355,9 +355,9 @@ Below is an example of what your `.gitlab-ci.yml` should look like: ```yaml build: - image: $CI_REGISTRY/group/project/docker:19.03.1 + image: $CI_REGISTRY/group/project/docker:19.03.8 services: - - name: $CI_REGISTRY/group/project/docker:19.03.1-dind + - name: $CI_REGISTRY/group/project/docker:19.03.8-dind alias: docker stage: build script: @@ -365,7 +365,7 @@ Below is an example of what your `.gitlab-ci.yml` should look like: - docker run my-docker-image /script/to/run/tests ``` -If you forget to set the service alias, the `docker:19.03.1` image won't find the +If you forget to set the service alias, the `docker:19.03.8` image won't find the `dind` service, and an error like the following will be thrown: ```plaintext @@ -435,10 +435,10 @@ stages: - clean build_image: - image: docker:19.03.1 + image: docker:19.03.8 stage: build services: - - docker:19.03.1-dind + - docker:19.03.8-dind variables: IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG script: 
@@ -451,10 +451,10 @@ build_image: - master delete_image: - image: docker:19.03.1 + image: docker:19.03.8 stage: clean services: - - docker:19.03.1-dind + - docker:19.03.8-dind variables: IMAGE_TAG: $CI_PROJECT_PATH:$CI_COMMIT_REF_SLUG REG_SHA256: ade837fc5224acd8c34732bf54a94f579b47851cc6a7fd5899a98386b782e228 diff --git a/lib/gitlab/error_tracking.rb b/lib/gitlab/error_tracking.rb index d20324a613e..a6e49825fd0 100644 --- a/lib/gitlab/error_tracking.rb +++ b/lib/gitlab/error_tracking.rb @@ -2,6 +2,21 @@ module Gitlab module ErrorTracking + # Exceptions in this group will receive custom Sentry fingerprinting + CUSTOM_FINGERPRINTING = %w[ + Acme::Client::Error::BadNonce + Acme::Client::Error::NotFound + Acme::Client::Error::RateLimited + Acme::Client::Error::Timeout + Acme::Client::Error::UnsupportedOperation + ActiveRecord::ConnectionTimeoutError + ActiveRecord::QueryCanceled + Gitlab::RequestContext::RequestDeadlineExceeded + GRPC::DeadlineExceeded + JIRA::HTTPError + Rack::Timeout::RequestTimeoutException + ].freeze + class << self def configure Raven.configure do |config| @@ -14,8 +29,7 @@ module Gitlab # Sanitize authentication headers config.sanitize_http_headers = %w[Authorization Private-Token] config.tags = { program: Gitlab.process_name } - # Debugging for https://gitlab.com/gitlab-org/gitlab-foss/issues/57727 - config.before_send = method(:add_context_from_exception_type) + config.before_send = method(:before_send) end end @@ -92,6 +106,13 @@ module Gitlab private + def before_send(event, hint) + event = add_context_from_exception_type(event, hint) + event = custom_fingerprinting(event, hint) + + event + end + def process_exception(exception, sentry: false, logging: true, extra:) exception.try(:sentry_extra_data)&.tap do |data| extra = extra.merge(data) if data.is_a?(Hash) 
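Review bot: The comment on `CUSTOM_FINGERPRINTING` in the first `lib/gitlab/error_tracking.rb` hunk does not say how the entries are matched; the last hunk of the file compares them with `ex.class.name` as exact strings. A subclass of any listed error would therefore keep the default fingerprint, and a class that is renamed upstream would drop out of the list without any failure. I would extend the comment with `# Names are compared exactly with ex.class.name; subclasses are not covered`. The enclosing module continues outside the hunk.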
@@ -142,6 +163,7 @@ module Gitlab } end + # Debugging for https://gitlab.com/gitlab-org/gitlab-foss/issues/57727 def add_context_from_exception_type(event, hint) if ActiveModel::MissingAttributeError === hint[:exception] columns_hash = ActiveRecord::Base @@ -156,6 +178,18 @@ module Gitlab event end + + # Group common, mostly non-actionable exceptions by type and message, + # rather than cause + def custom_fingerprinting(event, hint) + ex = hint[:exception] + + return event unless CUSTOM_FINGERPRINTING.include?(ex.class.name) + + event.fingerprint = ['{{ default }}', ex.class.name, ex.message] + + event + end end end end -- cgit v1.2.1
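Review bot: `custom_fingerprinting` puts `ex.message` into the fingerprint, and for several of the listed classes that text is presumably filled from a remote response or with per-request values (the Acme and JIRA client errors, timeout messages that carry durations); the hunk does not show the messages, so this needs confirming. If so, every distinct message opens a separate Sentry issue, which works against the grouping the comment describes and lets text from outside the process decide how alerts are split. Consider `event.fingerprint = ['{{ default }}', ex.class.name]`, or pass the message through a normalising, length-capped helper first. It is also worth confirming that keeping `'{{ default }}'` still gives grouping "rather than cause", since as far as I know it expands to Sentry's normal grouping hash.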