From bce6d50b9c9a46521578add31072e282645c0f2c Mon Sep 17 00:00:00 2001 
From: GitLab Bot Date: Tue, 27 Sep 2022 21:12:25 +0000 Subject: Add latest changes from gitlab-org/gitlab@master --- app/assets/stylesheets/page_bundles/profile.scss | 29 ++++++++++ app/assets/stylesheets/pages/profile.scss | 29 ---------- .../application_settings/_help_page.html.haml | 2 +- .../_sidekiq_job_limits.html.haml | 4 +- .../admin/application_settings/_snowplow.html.haml | 2 +- .../_third_party_offers.html.haml | 2 +- .../_users_api_limits.html.haml | 4 +- app/views/profiles/gpg_keys/index.html.haml | 1 + app/views/profiles/keys/index.html.haml | 1 + ...59_ci_templates_total_unique_counts_monthly.yml | 2 + ...es_security_coverage_fuzzing_latest_monthly.yml | 25 +++++++++ ...it_security_coverage_fuzzing_latest_monthly.yml | 25 +++++++++ ...557_ci_templates_total_unique_counts_weekly.yml | 2 + ...tes_security_coverage_fuzzing_latest_weekly.yml | 25 +++++++++ ...cit_security_coverage_fuzzing_latest_weekly.yml | 25 +++++++++ ...920213504_finalize_task_system_note_renaming.rb | 13 +---- ...24_remove_task_system_note_rename_temp_index.rb | 8 +-- ...m_note_metadata_on_attention_request_actions.rb | 17 ++++++ db/schema_migrations/20220923060226 | 1 + db/structure.sql | 2 +- doc/administration/clusters/kas.md | 35 +++++++++++- .../dependency_scanning/index.md | 2 +- .../Security/API-Fuzzing.latest.gitlab-ci.yml | 15 ++++- .../Security/Coverage-Fuzzing.latest.gitlab-ci.yml | 64 ++++++++++++++++++++++ .../Security/DAST-API.latest.gitlab-ci.yml | 13 +++++ .../templates/Security/DAST.latest.gitlab-ci.yml | 13 +++++ .../known_events/ci_templates.yml | 8 +++ .../gitlab/template/template_shared_examples.rb | 44 +++++++++++++++ 28 files changed, 353 insertions(+), 60 deletions(-) create mode 100644 config/metrics/counts_28d/20220913225020_p_ci_templates_security_coverage_fuzzing_latest_monthly.yml create mode 100644 config/metrics/counts_28d/20220913225303_p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly.yml create mode 100644 
config/metrics/counts_7d/20220913225013_p_ci_templates_security_coverage_fuzzing_latest_weekly.yml create mode 100644 config/metrics/counts_7d/20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml create mode 100644 db/post_migrate/20220923060226_remove_tmp_index_system_note_metadata_on_attention_request_actions.rb create mode 100644 db/schema_migrations/20220923060226 create mode 100644 lib/gitlab/ci/templates/Security/Coverage-Fuzzing.latest.gitlab-ci.yml diff --git a/app/assets/stylesheets/page_bundles/profile.scss b/app/assets/stylesheets/page_bundles/profile.scss index 356f57678f3..9e4deb16a9d 100644 --- a/app/assets/stylesheets/page_bundles/profile.scss +++ b/app/assets/stylesheets/page_bundles/profile.scss @@ -252,3 +252,32 @@ .twitter-icon { color: $twitter; } + +.key-created-at { + line-height: 42px; +} + +.key-list-item { + .key-list-item-info { + @include media-breakpoint-up(sm) { + float: left; + } + } +} + +.ssh-keys-list { + .last-used-at, + .expires, + .key-created-at { + line-height: 32px; + } +} + +.subkeys-list { + @include basic-list; + + li { + padding: 3px 0; + border: 0; + } +} diff --git a/app/assets/stylesheets/pages/profile.scss b/app/assets/stylesheets/pages/profile.scss index 55b9d749bbb..8e4dd39e498 100644 --- a/app/assets/stylesheets/pages/profile.scss +++ b/app/assets/stylesheets/pages/profile.scss @@ -10,35 +10,6 @@ } } -.subkeys-list { - @include basic-list; - - li { - padding: 3px 0; - border: 0; - } -} - -.key-list-item { - .key-list-item-info { - @include media-breakpoint-up(sm) { - float: left; - } - } -} - -.ssh-keys-list { - .last-used-at, - .expires, - .key-created-at { - line-height: 32px; - } -} - -.key-created-at { - line-height: 42px; -} - .provider-btn-group { display: inline-block; margin-right: 10px; diff --git a/app/views/admin/application_settings/_help_page.html.haml b/app/views/admin/application_settings/_help_page.html.haml index 21eb4caf579..11ebad07e9a 100644 
--- a/app/views/admin/application_settings/_help_page.html.haml +++ b/app/views/admin/application_settings/_help_page.html.haml @@ -21,4 +21,4 @@ - docs_link_url = help_page_path('user/admin_area/settings/help_page', anchor: 'destination-requirements') - docs_link_start = ''.html_safe % { url: docs_link_url } %span.form-text.text-muted#support_help_block= html_escape(_('Requests for pages at %{code_start}%{help_text_url}%{code_end} redirect to the URL. The destination must meet certain requirements. %{docs_link_start}Learn more.%{docs_link_end}')) % { code_start: ''.html_safe, help_text_url: help_url, code_end: ''.html_safe, docs_link_start: docs_link_start, docs_link_end: ''.html_safe } - = f.submit _('Save changes'), class: "gl-button btn btn-confirm" + = f.submit _('Save changes'), pajamas_button: true diff --git a/app/views/admin/application_settings/_sidekiq_job_limits.html.haml b/app/views/admin/application_settings/_sidekiq_job_limits.html.haml index eaf4bbf4702..068a8155450 100644 --- a/app/views/admin/application_settings/_sidekiq_job_limits.html.haml +++ b/app/views/admin/application_settings/_sidekiq_job_limits.html.haml @@ -1,4 +1,4 @@ -= form_for @application_setting, url: preferences_admin_application_settings_path(anchor: 'js-sidekiq-job-limits-settings'), html: { class: 'fieldset-form' } do |f| += gitlab_ui_form_for @application_setting, url: preferences_admin_application_settings_path(anchor: 'js-sidekiq-job-limits-settings'), html: { class: 'fieldset-form' } do |f| = form_errors(@application_setting) %fieldset @@ -18,4 +18,4 @@ .form-text.text-muted = _("Threshold in bytes at which to reject Sidekiq jobs. Set this to 0 to if you don't want to limit Sidekiq jobs.") - = f.submit _('Save changes'), class: "gl-button btn btn-confirm" + = f.submit _('Save changes'), pajamas_button: true diff --git a/app/views/admin/application_settings/_snowplow.html.haml b/app/views/admin/application_settings/_snowplow.html.haml index 8684b909853..4e7d9b8ab21 100644 
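Review bot: `pajamas_button: true` on `f.submit` is, as far as I can tell, only honoured by the GitLab UI form builder; with Rails' default builder the option is passed through as an HTML attribute and the button loses its styling. For `_sidekiq_job_limits.html.haml` and `_users_api_limits.html.haml` this commit switches the enclosing form to `gitlab_ui_form_for` in the same change, but the `form_for` line of `_help_page.html.haml` is outside this hunk, as is the one for `_snowplow.html.haml`, so confirm both already use `gitlab_ui_form_for`.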
--- a/app/views/admin/application_settings/_snowplow.html.haml +++ b/app/views/admin/application_settings/_snowplow.html.haml @@ -31,4 +31,4 @@ .form-text.text-muted = _('The Snowplow cookie domain.') - = f.submit _('Save changes'), class: 'gl-button btn btn-confirm', data: { qa_selector: 'save_changes_button' } + = f.submit _('Save changes'), data: { qa_selector: 'save_changes_button' }, pajamas_button: true diff --git a/app/views/admin/application_settings/_third_party_offers.html.haml b/app/views/admin/application_settings/_third_party_offers.html.haml index 20a60ac870a..ed809c6db52 100644 --- a/app/views/admin/application_settings/_third_party_offers.html.haml +++ b/app/views/admin/application_settings/_third_party_offers.html.haml @@ -16,4 +16,4 @@ = f.gitlab_ui_checkbox_component :hide_third_party_offers, _('Do not display content for customer experience improvement and offers from third parties') - = f.submit _('Save changes'), class: "gl-button btn btn-confirm" + = f.submit _('Save changes'), pajamas_button: true diff --git a/app/views/admin/application_settings/_users_api_limits.html.haml b/app/views/admin/application_settings/_users_api_limits.html.haml index 3918c76b12c..ca6f1113c4a 100644 --- a/app/views/admin/application_settings/_users_api_limits.html.haml +++ b/app/views/admin/application_settings/_users_api_limits.html.haml @@ -1,4 +1,4 @@ -= form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-users-api-limits-settings'), html: { class: 'fieldset-form' } do |f| += gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-users-api-limits-settings'), html: { class: 'fieldset-form' } do |f| = form_errors(@application_setting) %fieldset 
@@ -11,4 +11,4 @@ .form-text.text-muted{ id: 'users-api-limit-users-allowlist-field-description' } = _('List of users who are allowed to exceed the rate limit. Example: username1, username2') - = f.submit _('Save changes'), class: "gl-button btn btn-confirm", data: { qa_selector: 'save_changes_button' } + = f.submit _('Save changes'), data: { qa_selector: 'save_changes_button' }, pajamas_button: true diff --git a/app/views/profiles/gpg_keys/index.html.haml b/app/views/profiles/gpg_keys/index.html.haml index d9f0c00ffa9..539a0cd1f0e 100644 --- a/app/views/profiles/gpg_keys/index.html.haml +++ b/app/views/profiles/gpg_keys/index.html.haml @@ -1,4 +1,5 @@ - page_title _('GPG Keys') +- add_page_specific_style 'page_bundles/profile' - @content_class = "limit-container-width" unless fluid_layout .row.gl-mt-3.js-search-settings-section diff --git a/app/views/profiles/keys/index.html.haml b/app/views/profiles/keys/index.html.haml index f8bccb0cf8d..69e92b9e508 100644 --- a/app/views/profiles/keys/index.html.haml +++ b/app/views/profiles/keys/index.html.haml @@ -1,4 +1,5 @@ - page_title _('SSH Keys') +- add_page_specific_style 'page_bundles/profile' - @content_class = "limit-container-width" unless fluid_layout .row.gl-mt-3.js-search-settings-section diff --git a/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml b/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml index 2c6b21b0f6f..52840d9fb4a 100755 --- a/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml +++ b/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml 
@@ -46,6 +46,7 @@ options: - p_ci_templates_security_secret_detection - p_ci_templates_security_license_scanning - p_ci_templates_security_coverage_fuzzing + - p_ci_templates_security_coverage_fuzzing_latest - p_ci_templates_security_api_fuzzing_latest - p_ci_templates_security_secure_binaries - p_ci_templates_security_dast_api @@ -163,6 +164,7 @@ options: - p_ci_templates_implicit_security_secret_detection - p_ci_templates_implicit_security_license_scanning - p_ci_templates_implicit_security_coverage_fuzzing + - p_ci_templates_implicit_security_coverage_fuzzing_latest - p_ci_templates_implicit_security_api_fuzzing_latest - p_ci_templates_implicit_security_secure_binaries - p_ci_templates_implicit_security_dast_api diff --git a/config/metrics/counts_28d/20220913225020_p_ci_templates_security_coverage_fuzzing_latest_monthly.yml b/config/metrics/counts_28d/20220913225020_p_ci_templates_security_coverage_fuzzing_latest_monthly.yml new file mode 100644 index 00000000000..c4fad8d7545 --- /dev/null +++ b/config/metrics/counts_28d/20220913225020_p_ci_templates_security_coverage_fuzzing_latest_monthly.yml @@ -0,0 +1,25 @@ +--- +key_path: redis_hll_counters.ci_templates.p_ci_templates_security_coverage_fuzzing_latest_monthly +description: Monthly counts for Coverage Fuzzing latest CI template +product_section: sec +product_stage: secure +product_group: dynamic_analysis +product_category: dynamic_application_security_testing +value_type: number +status: active +milestone: "15.5" +introduced_by_url: 'https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886' +time_frame: 28d +data_source: redis_hll +data_category: optional +instrumentation_class: RedisHLLMetric +distribution: +- ce +- ee +tier: +- free +- premium +- ultimate +options: + events: + - p_ci_templates_security_coverage_fuzzing_latest 
diff --git a/config/metrics/counts_28d/20220913225303_p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly.yml b/config/metrics/counts_28d/20220913225303_p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly.yml new file mode 100644 index 00000000000..57a3bb90808 --- /dev/null +++ b/config/metrics/counts_28d/20220913225303_p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly.yml @@ -0,0 +1,25 @@ +--- +key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_coverage_fuzzing_latest_monthly +description: Monthly counts for implicit Coverage Fuzzing latest CI template +product_section: sec +product_stage: secure +product_group: dynamic_analysis +product_category: dynamic_application_security_testing +value_type: number +status: active +milestone: "15.5" +introduced_by_url: 'https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886' +time_frame: 28d +data_source: redis_hll +data_category: optional +instrumentation_class: RedisHLLMetric +distribution: +- ce +- ee +tier: +- free +- premium +- ultimate +options: + events: + - p_ci_templates_implicit_security_coverage_fuzzing_latest diff --git a/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml b/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml index 16186a412b8..62b2885b86a 100755 --- a/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml +++ b/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml @@ -46,6 +46,7 @@ options: - p_ci_templates_security_secret_detection - p_ci_templates_security_license_scanning - p_ci_templates_security_coverage_fuzzing + - p_ci_templates_security_coverage_fuzzing_latest - p_ci_templates_security_api_fuzzing_latest - p_ci_templates_security_secure_binaries - p_ci_templates_security_dast_api 
@@ -160,6 +161,7 @@ options: - p_ci_templates_implicit_security_secret_detection - p_ci_templates_implicit_security_license_scanning - p_ci_templates_implicit_security_coverage_fuzzing + - p_ci_templates_implicit_security_coverage_fuzzing_latest - p_ci_templates_implicit_security_api_fuzzing_latest - p_ci_templates_implicit_security_secure_binaries - p_ci_templates_implicit_security_dast_api diff --git a/config/metrics/counts_7d/20220913225013_p_ci_templates_security_coverage_fuzzing_latest_weekly.yml b/config/metrics/counts_7d/20220913225013_p_ci_templates_security_coverage_fuzzing_latest_weekly.yml new file mode 100644 index 00000000000..768390de49d --- /dev/null +++ b/config/metrics/counts_7d/20220913225013_p_ci_templates_security_coverage_fuzzing_latest_weekly.yml @@ -0,0 +1,25 @@ +--- +key_path: redis_hll_counters.ci_templates.p_ci_templates_security_coverage_fuzzing_latest_weekly +description: Weekly counts for Coverage Fuzzing latest CI template +product_section: sec +product_stage: secure +product_group: dynamic_analysis +product_category: dynamic_application_security_testing +value_type: number +status: active +milestone: "15.5" +introduced_by_url: 'https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886' +time_frame: 28d +data_source: redis_hll +data_category: optional +instrumentation_class: RedisHLLMetric +distribution: +- ce +- ee +tier: +- free +- premium +- ultimate +options: + events: + - p_ci_templates_security_coverage_fuzzing_latest diff --git a/config/metrics/counts_7d/20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml b/config/metrics/counts_7d/20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml new file mode 100644 index 00000000000..873ac26f057 --- /dev/null +++ b/config/metrics/counts_7d/20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml 
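Review bot: The new `counts_7d/20220913225013_p_ci_templates_security_coverage_fuzzing_latest_weekly.yml` declares `time_frame: 28d`, which contradicts its `counts_7d` location, its `_weekly` key_path and its "Weekly counts" description; it should read `time_frame: 7d`. The implicit weekly file `20220913225257_p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly.yml` in the next hunk has the same mistake. The two monthly files under `counts_28d` are consistent with `28d`.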
@@ -0,0 +1,25 @@ +--- +key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_coverage_fuzzing_latest_weekly +description: Weekly counts for implicit Coverage Fuzzing latest CI template +product_section: sec +product_stage: secure +product_group: dynamic_analysis +product_category: dynamic_application_security_testing +value_type: number +status: active +milestone: "15.5" +introduced_by_url: 'https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97886' +time_frame: 28d +data_source: redis_hll +data_category: optional +instrumentation_class: RedisHLLMetric +distribution: +- ce +- ee +tier: +- free +- premium +- ultimate +options: + events: + - p_ci_templates_implicit_security_coverage_fuzzing_latest diff --git a/db/post_migrate/20220920213504_finalize_task_system_note_renaming.rb b/db/post_migrate/20220920213504_finalize_task_system_note_renaming.rb index e4829e3a692..d9307c14ccb 100644 --- a/db/post_migrate/20220920213504_finalize_task_system_note_renaming.rb +++ b/db/post_migrate/20220920213504_finalize_task_system_note_renaming.rb @@ -1,19 +1,8 @@ # frozen_string_literal: true class FinalizeTaskSystemNoteRenaming < Gitlab::Database::Migration[2.0] - disable_ddl_transaction! - - restrict_gitlab_migration gitlab_schema: :gitlab_main - - MIGRATION = 'RenameTaskSystemNoteToChecklistItem' - def up - ensure_batched_background_migration_is_finished( - job_class_name: MIGRATION, - table_name: :system_note_metadata, - column_name: :id, - job_arguments: [] - ) + # no-op end def down diff --git a/db/post_migrate/20220920214524_remove_task_system_note_rename_temp_index.rb b/db/post_migrate/20220920214524_remove_task_system_note_rename_temp_index.rb index 54277aaa0cc..d3671d24578 100644 --- a/db/post_migrate/20220920214524_remove_task_system_note_rename_temp_index.rb +++ b/db/post_migrate/20220920214524_remove_task_system_note_rename_temp_index.rb 
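Review bot: `up` in FinalizeTaskSystemNoteRenaming is reduced to a bare `# no-op`, so a reader of the migration history has to reconstruct from later migrations why a shipped finalization was emptied out. Replace the comment with one that states the reason and points at the follow-up, e.g. `# no-op: the task-to-checklist rename finalization was reverted; see <MR or issue reference>`. The same applies to both `up` and `down` of RemoveTaskSystemNoteRenameTempIndex in the next hunk. `down` and the end of this class are outside the hunk.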
@@ -1,15 +1,11 @@
 # frozen_string_literal: true
 
 class RemoveTaskSystemNoteRenameTempIndex < Gitlab::Database::Migration[2.0]
-  disable_ddl_transaction!
-
-  INDEX_NAME = 'tmp_index_system_note_metadata_on_id_where_task'
-
   def up
-    remove_concurrent_index_by_name :system_note_metadata, INDEX_NAME
+    # no-op
   end
 
   def down
-    add_concurrent_index :system_note_metadata, [:id, :action], where: "action = 'task'", name: INDEX_NAME
+    # no-op
   end
 end
diff --git a/db/post_migrate/20220923060226_remove_tmp_index_system_note_metadata_on_attention_request_actions.rb b/db/post_migrate/20220923060226_remove_tmp_index_system_note_metadata_on_attention_request_actions.rb
new file mode 100644
index 00000000000..40e8c1cfdb5
--- /dev/null
+++ b/db/post_migrate/20220923060226_remove_tmp_index_system_note_metadata_on_attention_request_actions.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class RemoveTmpIndexSystemNoteMetadataOnAttentionRequestActions < Gitlab::Database::Migration[2.0]
+  INDEX_NAME = "tmp_index_system_note_metadata_on_attention_request_actions"
+
+  disable_ddl_transaction!
+
+  def up
+    remove_concurrent_index_by_name :system_note_metadata, INDEX_NAME
+  end
+
+  def down
+    add_concurrent_index :system_note_metadata, [:id],
+      where: "action IN ('attention_requested', 'attention_request_removed')",
+      name: INDEX_NAME
+  end
+end
diff --git a/db/schema_migrations/20220923060226 b/db/schema_migrations/20220923060226
new file mode 100644
index 00000000000..daaf2407607
--- /dev/null
+++ b/db/schema_migrations/20220923060226
@@ -0,0 +1 @@
+19799d51a2b9acc7b1642edebea85ca8a19d2dd8368c4f0814c6c7a4c529ef98
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 5a4b23dee0d..88b767dab77 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -30883,7 +30883,7 @@ CREATE INDEX tmp_index_on_vulnerabilities_non_dismissed ON vulnerabilities USING CREATE INDEX tmp_index_project_statistics_cont_registry_size ON project_statistics USING btree (project_id) WHERE (container_registry_size = 0); -CREATE INDEX tmp_index_system_note_metadata_on_attention_request_actions ON system_note_metadata USING btree (id) WHERE ((action)::text = ANY ((ARRAY['attention_requested'::character varying, 'attention_request_removed'::character varying])::text[])); +CREATE INDEX tmp_index_system_note_metadata_on_id_where_task ON system_note_metadata USING btree (id, action) WHERE ((action)::text = 'task'::text); CREATE INDEX tmp_index_vulnerability_occurrences_on_id_and_scanner_id ON vulnerability_occurrences USING btree (id, scanner_id) WHERE (report_type = ANY (ARRAY[7, 99])); diff --git a/doc/administration/clusters/kas.md b/doc/administration/clusters/kas.md index 1c8e3240c22..d7e1c9af1de 100644 --- a/doc/administration/clusters/kas.md +++ b/doc/administration/clusters/kas.md @@ -28,9 +28,13 @@ Or, you can [use an external agent server](#use-an-external-installation). ### For Omnibus -For [Omnibus](https://docs.gitlab.com/omnibus/) package installations: +You can enable the agent server for [Omnibus](https://docs.gitlab.com/omnibus/) package installations on a single node, or on multiple nodes at once. -1. To enable the agent server, edit `/etc/gitlab/gitlab.rb`: +#### Enable on a single node + +To enable the agent server on a single node: + +1. Edit `/etc/gitlab/gitlab.rb`: ```ruby gitlab_kas['enable'] = true 
@@ -41,6 +45,33 @@ For [Omnibus](https://docs.gitlab.com/omnibus/) package installations: For additional configuration options, see the **Enable GitLab KAS** section of the [`gitlab.rb.template`](https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/files/gitlab-config-template/gitlab.rb.template). +#### Enable on multiple nodes + +To enable the agent server on multiple nodes: + +1. For each agent server node, edit `/etc/gitlab/gitlab.rb`: + + ```ruby + gitlab_kas['enable'] = true + gitlab_kas['api_secret_key'] = '<32_bytes_long_base64_encoded_value>' + gitlab_kas['private_api_secret_key'] = '<32_bytes_long_base64_encoded_value>' + gitlab_kas['private_api_listen_address'] = '0.0.0.0:8155' + gitlab_kas['env'] = { + 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/", + 'OWN_PRIVATE_API_URL' => 'grpc://:8155' + } + ``` + + In this configuration: + + - `gitlab_kas['private_api_listen_address']` is the address the agent server listens on. You can set it to `0.0.0.0` or an IP address reachable by other nodes in the cluster. + - `OWN_PRIVATE_API_URL` is the environment variable used by the KAS process for service discovery. You can set it to a hostname or IP address of the node you're configuring. The node must be reachable by other nodes in the cluster. + - `gitlab_kas['api_secret_key']` is the shared secret used for authentication between KAS and GitLab. This value must be Base64-encoded and exactly 32 bytes long. + - `gitlab_kas['private_api_secret_key']` is the shared secret used for authentication between different KAS instances. This value must be Base64-encoded and exactly 32 bytes long. + +1. For each application node, follow the steps in: [Use an external installation](../clusters/kas.md#use-an-external-installation). +1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). + ### For GitLab Helm Chart For GitLab [Helm Chart](https://docs.gitlab.com/charts/) installations: 
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 3b57abecc51..67c138f5573 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -1269,6 +1269,6 @@ gemnasium-python-dependency_scanning: - apt-get update && apt-get install -y libpq-dev ``` -### Error: Project has unresolved dependencies +### Error: Project has `` unresolved dependencies The error message `Project has unresolved dependencies` indicates a dependency resolution problem caused by your `gradle.build` or `gradle.build.kts` file. In the current release, `gemnasium-maven` cannot continue processing when an unresolved dependency is encountered. However, There is an [open issue](https://gitlab.com/gitlab-org/gitlab/-/issues/337083) to allow `gemnasium-maven` to recover from unresolved dependency errors and produce a dependency graph. Until this issue has been resolved, you'll need to consult the [Gradle dependency resolution docs](https://docs.gradle.org/current/userguide/dependency_resolution.html) for details on how to fix your `gradle.build` file. diff --git a/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml index 8d6c191edc4..f12efa1db34 100644 --- a/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml 
@@ -40,6 +40,19 @@ apifuzzer_fuzz: - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH && $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME when: never + + # Add the job to merge request pipelines if there's an open merge request. + - if: $CI_PIPELINE_SOURCE == "merge_request_event" && + $CI_GITLAB_FIPS_MODE == "true" + variables: + DAST_API_IMAGE_SUFFIX: "-fips" + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + + # Don't add it to a *branch* pipeline if it's already in a merge request pipeline. + - if: $CI_OPEN_MERGE_REQUESTS + when: never + + # Add the job to branch pipelines. - if: $CI_COMMIT_BRANCH && $CI_GITLAB_FIPS_MODE == "true" variables: @@ -55,5 +68,3 @@ apifuzzer_fuzz: - gl-*.log reports: api_fuzzing: gl-api-fuzzing-report.json - -# end diff --git a/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.latest.gitlab-ci.yml new file mode 100644 index 00000000000..76a85d461f7 --- /dev/null +++ b/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.latest.gitlab-ci.yml 
@@ -0,0 +1,64 @@ +# To contribute improvements to CI/CD templates, please follow the Development guide at: +# https://docs.gitlab.com/ee/development/cicd/templates.html +# This specific template is located at: +# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml + +# Read more about this feature https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing +# +# Configure coverage fuzzing with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). +# List of available variables: https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing/#available-cicd-variables + +variables: + # Which branch we want to run full fledged long running fuzzing jobs. + # All others will run fuzzing regression + COVFUZZ_BRANCH: "$CI_DEFAULT_BRANCH" + # This is using semantic version and will always download latest v3 gitlab-cov-fuzz release + COVFUZZ_VERSION: v3 + # This is for users who have an offline environment and will have to replicate gitlab-cov-fuzz release binaries + # to their own servers + COVFUZZ_URL_PREFIX: "https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-cov-fuzz/-/raw" + + +coverage_fuzzing_unlicensed: + stage: .pre + allow_failure: true + rules: + - if: $GITLAB_FEATURES !~ /\bcoverage_fuzzing\b/ && $COVFUZZ_DISABLED == null + script: + - echo "ERROR Your GitLab project is missing licensing for Coverage Fuzzing" && exit 1 + +.fuzz_base: + stage: fuzz + allow_failure: true + before_script: + - export COVFUZZ_JOB_TOKEN=$CI_JOB_TOKEN + - export COVFUZZ_PRIVATE_TOKEN=$CI_PRIVATE_TOKEN + - export COVFUZZ_PROJECT_PATH=$CI_PROJECT_PATH + - export COVFUZZ_PROJECT_ID=$CI_PROJECT_ID + - if [ -x "$(command -v apt-get)" ] ; then apt-get update && apt-get install -y wget; fi + - wget -O gitlab-cov-fuzz "${COVFUZZ_URL_PREFIX}"/"${COVFUZZ_VERSION}"/binaries/gitlab-cov-fuzz_Linux_x86_64 + - chmod a+x gitlab-cov-fuzz + - export REGRESSION=true + - if [[ $CI_COMMIT_BRANCH = 
$COVFUZZ_BRANCH ]]; then REGRESSION=false; fi; + artifacts: + paths: + - corpus + - crashes + - gl-coverage-fuzzing-report.json + reports: + coverage_fuzzing: gl-coverage-fuzzing-report.json + when: always + rules: + - if: $COVFUZZ_DISABLED + when: never + + # Add the job to merge request pipelines if there's an open merge request. + - if: $CI_PIPELINE_SOURCE == "merge_request_event" && + $GITLAB_FEATURES =~ /\bcoverage_fuzzing\b/ + + # Don't add it to a *branch* pipeline if it's already in a merge request pipeline. + - if: $CI_OPEN_MERGE_REQUESTS + when: never + + # Add the job to branch pipelines. + - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bcoverage_fuzzing\b/ diff --git a/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml index 8aabf20c5df..a28914d082f 100644 --- a/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml @@ -40,6 +40,19 @@ dast_api: - if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH && $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME when: never + + # Add the job to merge request pipelines if there's an open merge request. + - if: $CI_PIPELINE_SOURCE == "merge_request_event" && + $CI_GITLAB_FIPS_MODE == "true" + variables: + DAST_API_IMAGE_SUFFIX: "-fips" + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + + # Don't add it to a *branch* pipeline if it's already in a merge request pipeline. + - if: $CI_OPEN_MERGE_REQUESTS + when: never + + # Add the job to branch pipelines. - if: $CI_COMMIT_BRANCH && $CI_GITLAB_FIPS_MODE == "true" variables: diff --git a/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml index 9d3b1f4316e..50e9bb5431d 100644 --- a/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml 
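Review bot: The header of the new `Coverage-Fuzzing.latest.gitlab-ci.yml` says "This specific template is located at" the stable `Security/Coverage-Fuzzing.gitlab-ci.yml` path, which is a different file; the comment should point at `lib/gitlab/ci/templates/Security/Coverage-Fuzzing.latest.gitlab-ci.yml`. Separately, and presumably inherited from the stable template, `.fuzz_base` fetches `gitlab-cov-fuzz_Linux_x86_64` with `wget` from a floating `COVFUZZ_VERSION: v3` path and executes it with `CI_JOB_TOKEN` and `CI_PRIVATE_TOKEN` exported, without any checksum or pinned release; if the project has a convention for pinning analyzer binaries, a comment next to `COVFUZZ_VERSION` telling users they can pin an exact release would help offline and supply-chain-conscious deployments.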
@@ -52,6 +52,19 @@ dast: - if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME && $REVIEW_DISABLED when: never + + # Add the job to merge request pipelines if there's an open merge request. + - if: $CI_PIPELINE_SOURCE == "merge_request_event" && + ($CI_KUBERNETES_ACTIVE || $KUBECONFIG) && + $GITLAB_FEATURES =~ /\bdast\b/ + - if: $CI_PIPELINE_SOURCE == "merge_request_event" && + $GITLAB_FEATURES =~ /\bdast\b/ + + # Don't add it to a *branch* pipeline if it's already in a merge request pipeline. + - if: $CI_OPEN_MERGE_REQUESTS + when: never + + # Add the job to branch pipelines. - if: $CI_COMMIT_BRANCH && ($CI_KUBERNETES_ACTIVE || $KUBECONFIG) && $GITLAB_FEATURES =~ /\bdast\b/ diff --git a/lib/gitlab/usage_data_counters/known_events/ci_templates.yml b/lib/gitlab/usage_data_counters/known_events/ci_templates.yml index 10e36a75a3a..80aab929373 100644 --- a/lib/gitlab/usage_data_counters/known_events/ci_templates.yml +++ b/lib/gitlab/usage_data_counters/known_events/ci_templates.yml @@ -99,6 +99,10 @@ category: ci_templates redis_slot: ci_templates aggregation: weekly +- name: p_ci_templates_security_coverage_fuzzing_latest + category: ci_templates + redis_slot: ci_templates + aggregation: weekly - name: p_ci_templates_security_dast_on_demand_api_scan category: ci_templates redis_slot: ci_templates @@ -619,6 +623,10 @@ category: ci_templates redis_slot: ci_templates aggregation: weekly +- name: p_ci_templates_implicit_security_coverage_fuzzing_latest + category: ci_templates + redis_slot: ci_templates + aggregation: weekly - name: p_ci_templates_implicit_security_dast_on_demand_api_scan category: ci_templates redis_slot: ci_templates diff --git a/spec/support/shared_examples/lib/gitlab/template/template_shared_examples.rb b/spec/support/shared_examples/lib/gitlab/template/template_shared_examples.rb index 6b6e25ca1dd..4b4a7f4ce9d 100644 --- a/spec/support/shared_examples/lib/gitlab/template/template_shared_examples.rb 
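Review bot: The first new `merge_request_event` rule, which additionally requires `($CI_KUBERNETES_ACTIVE || $KUBECONFIG)`, carries no `variables:` or `when:` of its own, so as far as this hunk shows it is subsumed by the second rule directly below it and one of the two can be dropped. If the Kubernetes case is meant to behave differently, the differentiating keys are missing from the first rule. The existing branch-pipeline rules that follow may show the intent; the `dast:` rules list continues outside the hunk.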
+++ b/spec/support/shared_examples/lib/gitlab/template/template_shared_examples.rb
@@ -47,3 +47,47 @@ RSpec.shared_examples 'file template shared examples' do |filename, file_extensi
     end
   end
 end
+
+RSpec.shared_examples 'acts as branch pipeline' do |jobs|
+  context 'when branch pipeline' do
+    let(:pipeline_branch) { default_branch }
+    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch) }
+    let(:pipeline) { service.execute!(:push).payload }
+
+    it 'includes a job' do
+      expect(pipeline.builds.pluck(:name)).to match_array(jobs)
+    end
+  end
+end
+
+RSpec.shared_examples 'acts as MR pipeline' do |jobs, files|
+  context 'when MR pipeline' do
+    let(:pipeline_branch) { 'patch-1' }
+    let(:service) { MergeRequests::CreatePipelineService.new(project: project, current_user: user) }
+    let(:pipeline) { service.execute(merge_request).payload }
+
+    let(:merge_request) do
+      create(:merge_request,
+        source_project: project,
+        source_branch: pipeline_branch,
+        target_project: project,
+        target_branch: default_branch)
+    end
+
+    before do
+      files.each do |filename, contents|
+        project.repository.create_file(
+          project.creator,
+          filename,
+          contents,
+          message: "Add #(unknown)",
+          branch_name: pipeline_branch)
+      end
+    end
+
+    it 'includes a job' do
+      expect(pipeline).to be_merge_request_event
+      expect(pipeline.builds.pluck(:name)).to match_array(jobs)
+    end
+  end
+end
-- 
cgit v1.2.1
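Review bot: The two new shared examples take positional block arguments (`jobs`, and `jobs, files`) and rely on `project`, `user` and `default_branch` being defined by the including spec, but nothing says so; add a short comment above each, along the lines of "Expects the including spec to define project, user and default_branch; jobs is the list of build names expected in the pipeline, files maps path to contents committed on the MR branch before the pipeline is created". The commit message literal `"Add #(unknown)"` in the `create_file` call looks like an extraction artifact for an interpolation such as `"Add #{filename}"`; if it really is a fixed string in the file, it should interpolate the filename so the fixture commits are distinguishable.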