From e91080371b32e69d038b3a94261688c09dbcd641 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 17 May 2023 00:08:30 +0000 Subject: Add latest changes from gitlab-org/gitlab@master --- CHANGELOG.md | 11 ++++ GITALY_SERVER_VERSION | 2 +- Gemfile | 2 +- Gemfile.checksum | 2 +- Gemfile.lock | 4 +- .../components/notes/work_item_note_actions.vue | 67 ++++++++++++++-------- .../projects/ci/pipeline_editor_controller.rb | 2 +- app/models/namespace/root_storage_statistics.rb | 2 - .../root_storage_statistics_calculate_forks.yml | 8 --- data/deprecations/15-9-secure-template-changes.yml | 2 +- .../removals/16_0/16-0-secure-template-changes.yml | 27 +++++++++ data/removals/16_0/16.0-docker-ssh-executors.yml | 9 +++ doc/api/graphql/reference/index.md | 4 +- doc/ci/mobile_devops.md | 5 +- doc/ci/pipelines/cicd_minutes.md | 11 ++-- doc/ci/runners/saas/macos/environment.md | 9 +-- doc/ci/runners/saas/macos_saas_runner.md | 22 ++----- doc/development/feature_flags/index.md | 7 +++ doc/development/secure_coding_guidelines.md | 19 +++++- doc/integration/jira/configure.md | 2 + doc/update/deprecations.md | 2 +- doc/update/removals.md | 37 ++++++++++++ doc/user/application_security/index.md | 1 + lib/feature/shared.rb | 11 ++++ .../notes/work_item_note_actions_spec.js | 13 +++-- .../namespace/root_storage_statistics_spec.rb | 25 -------- 26 files changed, 200 insertions(+), 106 deletions(-) delete mode 100644 config/feature_flags/development/root_storage_statistics_calculate_forks.yml create mode 100644 data/removals/16_0/16-0-secure-template-changes.yml create mode 100644 data/removals/16_0/16.0-docker-ssh-executors.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index e63412615a6..8f6c252abf4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,17 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 15.11.4 (2023-05-16) + +### Fixed (2 changes) + +- [Do not autofocus the description field](gitlab-org/gitlab@978ae42ee723d5bc5235115b8ebfd7c67c8d858b) ([merge request](gitlab-org/gitlab!120306)) +- [Fix group blobs search permission when migration is not complete](gitlab-org/gitlab@c718fc80bf2ae389d63760db0c4aa95ec6c67f7e) ([merge request](gitlab-org/gitlab!120159)) **GitLab Enterprise Edition** + +### Changed (1 change) + +- [Use correct migration finalisation method](gitlab-org/gitlab@db7999c368aa41a155f717206b5b8340c91927f7) ([merge request](gitlab-org/gitlab!120683)) + ## 15.11.3 (2023-05-10) ### Fixed (2 changes) diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index e5656a1974e..84cd2d63778 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -161d11edce6a478d5186ec2c92d95d1de0f93a01 +05463be9a1df998a5a02f8b4063bad83040bc649 diff --git a/Gemfile b/Gemfile index f7331961af2..ecf9e31b948 100644 --- a/Gemfile +++ b/Gemfile @@ -290,7 +290,7 @@ gem 'sanitize', '~> 6.0' gem 'babosa', '~> 1.0.4' # Sanitizes SVG input -gem 'loofah', '~> 2.21.0' +gem 'loofah', '~> 2.21.1' # Working with license # Detects the open source license the repository includes diff --git a/Gemfile.checksum b/Gemfile.checksum index 4b24bc11b39..4409e0357fb 100644 --- a/Gemfile.checksum +++ b/Gemfile.checksum 
@@ -341,7 +341,7 @@ {"name":"locale","version":"2.1.3","platform":"ruby","checksum":"b6ddee011e157817cb98e521b3ce7cb626424d5882f1e844aafdee3e8b212725"}, {"name":"lockbox","version":"1.1.1","platform":"ruby","checksum":"0af16b14c54f791c148615a0115387b51903d868c7fe622f49606c97071c2ac0"}, {"name":"lograge","version":"0.11.2","platform":"ruby","checksum":"4cbd1554b86f545d795eff15a0c24fd25057d2ac4e1caa5fc186168b3da932ef"}, -{"name":"loofah","version":"2.21.0","platform":"ruby","checksum":"ec407f23abdbd3481640c79342a9179320d297b30456df3b46381ba0981f025b"}, +{"name":"loofah","version":"2.21.1","platform":"ruby","checksum":"f8e1584c56195e7b6139d53c50d6d9cf1adbc5997a7f4e60a3e23095c4900765"}, {"name":"lookbook","version":"2.0.1","platform":"ruby","checksum":"0f14729c8c992810de0792a0be865a5792e5765fbaea5950cce74c6e5c73fc4a"}, {"name":"lru_redux","version":"1.1.0","platform":"ruby","checksum":"ee71d0ccab164c51de146c27b480a68b3631d5b4297b8ffe8eda1c72de87affb"}, {"name":"lumberjack","version":"1.2.7","platform":"ruby","checksum":"a5c6aae6b4234f1420dbcd80b23e3bca0817bd239440dde097ebe3fa63c63b1f"}, diff --git a/Gemfile.lock b/Gemfile.lock index cd882fce0f5..3d28928425f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -913,7 +913,7 @@ GEM activesupport (>= 4) railties (>= 4) request_store (~> 1.0) - loofah (2.21.0) + loofah (2.21.1) crass (~> 1.0.2) nokogiri (>= 1.5.9) lookbook (2.0.1) @@ -1810,7 +1810,7 @@ DEPENDENCIES listen (~> 3.7) lockbox (~> 1.1.1) lograge (~> 0.5) - loofah (~> 2.21.0) + loofah (~> 2.21.1) lookbook (~> 2.0, >= 2.0.1) lru_redux mail (= 2.8.1) diff --git a/app/assets/javascripts/work_items/components/notes/work_item_note_actions.vue b/app/assets/javascripts/work_items/components/notes/work_item_note_actions.vue index 93f21f4fad8..835206ee667 100644 --- a/app/assets/javascripts/work_items/components/notes/work_item_note_actions.vue +++ b/app/assets/javascripts/work_items/components/notes/work_item_note_actions.vue @@ -1,5 +1,11 @@ 
@@ -135,46 +146,54 @@ export default { :aria-label="$options.i18n.editButtonText" @click="$emit('startEditing')" /> - - - {{ $options.i18n.reportAbuseText }} - - + {{ $options.i18n.reportAbuseText }} + + + - {{ $options.i18n.copyLinkText }} - - + {{ $options.i18n.copyLinkText , }} + + + - {{ assignUserActionText }} - - + {{ assignUserActionText }} + + + - {{ $options.i18n.deleteNoteText }} - - + + + diff --git a/app/controllers/projects/ci/pipeline_editor_controller.rb b/app/controllers/projects/ci/pipeline_editor_controller.rb index d874c60daec..01c34a74b84 100644 --- a/app/controllers/projects/ci/pipeline_editor_controller.rb +++ b/app/controllers/projects/ci/pipeline_editor_controller.rb @@ -4,7 +4,7 @@ class Projects::Ci::PipelineEditorController < Projects::ApplicationController before_action :check_can_collaborate! before_action do push_frontend_feature_flag(:ci_job_assistant_drawer, @project) - push_frontend_feature_flag(:ai_ci_config_generator, @project) + push_frontend_feature_flag(:ai_ci_config_generator, @user) end feature_category :pipeline_composition diff --git a/app/models/namespace/root_storage_statistics.rb b/app/models/namespace/root_storage_statistics.rb index 0443e1d9231..c7670351f4b 100644 --- a/app/models/namespace/root_storage_statistics.rb +++ b/app/models/namespace/root_storage_statistics.rb @@ -60,8 +60,6 @@ class Namespace::RootStorageStatistics < ApplicationRecord end def attributes_for_forks_statistics - return {} unless ::Feature.enabled?(:root_storage_statistics_calculate_forks, namespace) - visibility_levels_to_storage_size_columns = { Gitlab::VisibilityLevel::PRIVATE => :private_forks_storage_size, Gitlab::VisibilityLevel::INTERNAL => :internal_forks_storage_size, diff --git a/config/feature_flags/development/root_storage_statistics_calculate_forks.yml b/config/feature_flags/development/root_storage_statistics_calculate_forks.yml deleted file mode 100644 index e1035c8c35f..00000000000 
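Review bot: The actor passed for `ai_ci_config_generator` becomes `@user`, but nothing in this hunk shows `@user` being assigned anywhere in the controller chain; if no earlier `before_action` sets it, the actor is `nil` and any actor-scoped (per-user or percentage-of-actors) rollout of the flag silently degrades to the global default, which is hard to notice because `push_frontend_feature_flag` does not complain about a nil actor. The sibling line keeps `@project` as its actor, and the usual user actor in these controllers is the Devise helper, so the line would normally read `push_frontend_feature_flag(:ai_ci_config_generator, current_user)`; if `@user` is intentional, a short comment saying where it is assigned would spare the next reader the search. The `before_action` block and the class continue outside the hunk.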
--- a/config/feature_flags/development/root_storage_statistics_calculate_forks.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: root_storage_statistics_calculate_forks -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118105 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/408139 -milestone: '16.0' -type: development -group: group::utilization -default_enabled: false diff --git a/data/deprecations/15-9-secure-template-changes.yml b/data/deprecations/15-9-secure-template-changes.yml index 9129f17b562..390e31a0290 100644 --- a/data/deprecations/15-9-secure-template-changes.yml +++ b/data/deprecations/15-9-secure-template-changes.yml @@ -22,7 +22,7 @@ - Dependency Scanning: [`Dependency-Scanning.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml) - IaC Scanning: [`SAST-IaC.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml) - SAST: [`SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) - - Secret Detection: [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detction.gitlab-ci.yml) + - Secret Detection: [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml) We recommend that you test your pipelines before the 16.0 release if you use one of the templates listed above and you use the `_DISABLED` variables but set a value other than `"true"`. diff --git a/data/removals/16_0/16-0-secure-template-changes.yml b/data/removals/16_0/16-0-secure-template-changes.yml new file mode 100644 index 00000000000..c7ec5a2f894 --- /dev/null +++ b/data/removals/16_0/16-0-secure-template-changes.yml 
@@ -0,0 +1,27 @@ +- title: Secure scanning `_DISABLED` variables now require the value `"true"` # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters." + announcement_milestone: "15.9" # (required) The milestone when this feature was first announced as deprecated. + removal_milestone: "16.0" # (required) The milestone when this feature is being removed. + breaking_change: true # (required) Change to false if this is not a breaking change. + reporter: connorgilbert # (required) GitLab username of the person reporting the change + stage: secure # (required) String value of the stage that the feature was created in. e.g., Growth + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/391822 # (required) Link to the deprecation issue in GitLab + body: | # (required) Do not modify this line, instead modify the lines below. + In GitLab 16.0, we've changed how values for CI/CD variables like `SAST_DISABLED` and `DEPENDENCY_SCANNING_DISABLED` are handled. + + Now, scanning is disabled only if the value is `"true"`, for example `SAST_DISABLED: "true"`. Previously, even if the value were `"false"`, like `SAST_DISABLED: "false"`, scanning would still be disabled. + + This change was previously released in the Latest versions of the CI/CD templates because of the potential to disrupt customized CI/CD pipeline configurations. 
+ + The following templates have been updated: + + - API Fuzzing: [`API-Fuzzing.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml) + - Container Scanning: [`Container-Scanning.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml) + - Coverage-Guided Fuzzing: [`Coverage-Fuzzing.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml) + - DAST: [`DAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml) + - DAST API: [`DAST-API.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml) + - Dependency Scanning: [`Dependency-Scanning.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml) + - IaC Scanning: [`SAST-IaC.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml) + - SAST: [`SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) + - Secret Detection: [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml) + + If you currently use the `_DISABLED` variables but set a value other than `"true"` to disable scanning, change the value to `"true"`. diff --git a/data/removals/16_0/16.0-docker-ssh-executors.yml b/data/removals/16_0/16.0-docker-ssh-executors.yml new file mode 100644 index 00000000000..ec3650c1d1c --- /dev/null +++ b/data/removals/16_0/16.0-docker-ssh-executors.yml 
@@ -0,0 +1,9 @@ +- title: "`docker-ssh` and `docker-ssh+machine` executors are removed" # (required) Clearly explain the change. For example, "The `confidential` field for a `Note` is removed" or "CI/CD job names are limited to 250 characters." + announcement_milestone: "10.0" # (required) The milestone when this feature was deprecated. + removal_milestone: "16.0" # (required) The milestone when this feature is being removed. + breaking_change: false # (required) Change to false if this is not a breaking change. + reporter: DarrenEastman # (required) GitLab username of the person reporting the removal + stage: Verify # (required) String value of the stage that the feature was created in. e.g., Growth + issue_url: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29406 # (required) Link to the deprecation issue in GitLab + body: | # (required) Do not modify this line, instead modify the lines below. + In GitLab 16.0 and later, the `docker-ssh` and `docker+machine-ssh` executors for GitLab Runner have been removed from the GitLab Runner [code base](https://gitlab.com/gitlab-org/gitlab-runner). diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index c5668d4ae57..9f6f141a877 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md 
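Review bot: The `body` text names the removed executor `docker+machine-ssh`, while the `title` on the first line calls it `docker-ssh+machine`; the two should agree, and the title form is the one to keep, so the body should read `` the `docker-ssh` and `docker-ssh+machine` executors ``. The same mismatch appears in the corresponding entry added to `doc/update/removals.md` later in this patch, which presumably is regenerated from this file, so fixing it here should fix both. `breaking_change: false` also looks worth confirming, since removing executors that existing runner configurations may still reference is the kind of change the template's comment asks to flag; the removals.md entry omits the breaking-change bullet consistently with this value, so whichever answer is right, both should move together.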
@@ -6594,7 +6594,7 @@ Input type: `VulnerabilityCreateInput` | `detectedAt` | [`Time`](#time) | Timestamp of when the vulnerability was first detected (defaults to creation time). | | `dismissedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to dismissed (defaults to creation time if status is `dismissed`). | | `identifiers` | [`[VulnerabilityIdentifierInput!]!`](#vulnerabilityidentifierinput) | Array of CVE or CWE identifiers for the vulnerability. | -| `message` | [`String`](#string) | Short text section that describes the vulnerability. This may include the finding's specific information. | +| `message` **{warning-solid}** | [`String`](#string) | **Deprecated:** message field has been removed from security reports schema. Deprecated in 16.1. | | `name` | [`String!`](#string) | Name of the vulnerability. | | `project` | [`ProjectID!`](#projectid) | ID of the project to attach the vulnerability to. | | `resolvedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to resolved (defaults to creation time if status is `resolved`). | 
@@ -22575,7 +22575,7 @@ Represents a vulnerability. | `links` | [`[VulnerabilityLink!]!`](#vulnerabilitylink) | List of links associated with the vulnerability. | | `location` | [`VulnerabilityLocation`](#vulnerabilitylocation) | Location metadata for the vulnerability. Its fields depend on the type of security scan that found the vulnerability. | | `mergeRequest` | [`MergeRequest`](#mergerequest) | Merge request that fixes the vulnerability. | -| `message` | [`String`](#string) | Short text description of the vulnerability. This may include the finding's specific information. | +| `message` **{warning-solid}** | [`String`](#string) | **Deprecated** in 16.1. message field has been removed from security reports schema. | | `notes` | [`NoteConnection!`](#noteconnection) | All notes on this noteable. (see [Connections](#connections)) | | `primaryIdentifier` | [`VulnerabilityIdentifier`](#vulnerabilityidentifier) | Primary identifier of the vulnerability. | | `project` | [`Project`](#project) | Project on which the vulnerability was found. | diff --git a/doc/ci/mobile_devops.md b/doc/ci/mobile_devops.md index 175a63dc3b9..ab8fa0c9e6c 100644 --- a/doc/ci/mobile_devops.md +++ b/doc/ci/mobile_devops.md @@ -41,8 +41,7 @@ test: ### iOS build environments -GitLab SaaS runners on macOS are currently available in beta. Follow the [instructions to request access](../ci/runners/saas/macos_saas_runner.md#access-request-process) -for your project. +[GitLab SaaS runners on macOS](../ci/runners/saas/macos_saas_runner.md) are currently available in beta. After you are granted access to the beta macOS runners, [choose an image](../ci/runners/saas/macos/environment.md#available-images) and add it to your `.gitlab-ci.yml` file. @@ -271,7 +270,7 @@ For example: script: - fastlane build tags: - - shared-macos-amd64 + - saas-macos-medium-m1 ``` ## Distribution diff --git a/doc/ci/pipelines/cicd_minutes.md b/doc/ci/pipelines/cicd_minutes.md index ee3f0d8c539..29d847ecd08 100644 
--- a/doc/ci/pipelines/cicd_minutes.md +++ b/doc/ci/pipelines/cicd_minutes.md @@ -261,12 +261,13 @@ GitLab administrators can add a namespace to the reduced cost factor GitLab SaaS runners have different cost factors, depending on the runner type (Linux, Windows, macOS) and the virtual machine configuration. -| GitLab SaaS runner type | Machine Type | CI/CD minutes cost factor | +| GitLab SaaS runner type | Machine Size | CI/CD minutes cost factor | | :--------- | :------------------- | :--------- | -| Linux OS | Small |1| -| Linux OS | Medium |2| -| Linux OS | Large |3| -| Linux OS + GPU-enabled | Medium, GPU Standard |7| +| Linux OS amd64 | small |1| +| Linux OS amd64 | medium |2| +| Linux OS amd64 | large |3| +| Linux OS amd64 + GPU-enabled | medium, GPU standard |7| +| macOS M1 | Medium |6| ### Monthly reset of CI/CD minutes diff --git a/doc/ci/runners/saas/macos/environment.md b/doc/ci/runners/saas/macos/environment.md index 7aa0f33fc59..2fad9bd4af2 100644 --- a/doc/ci/runners/saas/macos/environment.md +++ b/doc/ci/runners/saas/macos/environment.md @@ -17,14 +17,12 @@ Each time you run a job that requires tooling or dependencies not available in t ## VM types -GitLab SaaS provides macOS build machines on Apple servers with Intel x86-64 processors. -The expectation is that virtual machines running on the Apple M1 chip will be available in the second half of 2022. - -At this time there is only one available machine type offered, `shared-macos-amd64`. +GitLab SaaS provides macOS build machines on Apple silicon (M1) chips. +At this time there is only one available machine type offered, `saas-macos-medium-m1`. We deprecated Intel x86 runners in favor of Apple silicon. If you need to build for an x86 target, you can use Rosetta 2 to emulate an Intel x86 build environment. | Instance type | vCPUS | Memory (GB) | | --------- | --- | ------- | -| `shared-macos-amd64` | 4 | 10 | +| `saas-macos-medium-m1` | 6 | 8 | ## VM images 
@@ -51,7 +49,6 @@ Each image is running a specific version of macOS and Xcode. | VM image | Status | Included software | |---------------------------|--------|--------------------| -| `macos-10.13-xcode-7` | `frozen` | | | `macos-10.13-xcode-8` | `frozen` | | | `macos-10.13-xcode-9` | `frozen` | | | `macos-10.14-xcode-10` | `frozen` | | diff --git a/doc/ci/runners/saas/macos_saas_runner.md b/doc/ci/runners/saas/macos_saas_runner.md index 20be2f2a147..9908495c9b4 100644 --- a/doc/ci/runners/saas/macos_saas_runner.md +++ b/doc/ci/runners/saas/macos_saas_runner.md 
@@ -12,30 +12,20 @@ SaaS runners on macOS provide an on-demand macOS build environment integrated wi GitLab SaaS [CI/CD](../../../ci/index.md). Use these runners to build, test, and deploy apps for the Apple ecosystem (macOS, iOS, tvOS). You can take advantage of all the capabilities of the GitLab single DevOps platform and not have to manage or operate a -build environment. +build environment. Our [Mobile DevOps solution](../../../ci/mobile_devops.md#ios-build-environments) provides features, documentation, and guidance on building and deploying mobile applications for iOS. Jobs handled by macOS shared runners on GitLab.com **time out after 3 hours**, regardless of the timeout configured in a project. -## Access request process - -While in beta, to run CI jobs on the macOS runners, you must specify the GitLab SaaS customer personal or group [namespaces](../../../user/namespace/index.md) in the macOS `allow-list`. These are the namespaces that use the macOS runners. - -When you specify a personal or group namespace, the top level group is not added unless you specify it. - -After you add your namespace, you can use the macOS runners for any projects under the namespace you included. - -To request access, open an [access request](https://gitlab.com/gitlab-com/runner-saas-macos-limited-availability/-/issues/new). -The expected turnaround for activation is two business days. - ## Quickstart -To start using SaaS runners on macOS, you must be an active GitLab SaaS Premium or Ultimate customer. Participants in the GitLab Open Source program are also eligible to use the service. +To start using SaaS runners on macOS, you must be an active GitLab SaaS Premium or Ultimate customer. ### Configuring your pipeline To start using the SaaS runners on macOS to run your CI jobs, you must configure your `.gitlab-ci.yml` file: 1. Add a `.gitlab-ci.yml` file to your project repository. +1. Specify the tag `saas-macos-medium-m1`. 1. 
Specify the [image](macos/environment.md#vm-images) you want to use. 1. Commit a change to your repository. @@ -48,8 +38,8 @@ The following sample `.gitlab-ci.yml` file shows how to start using the SaaS run ```yaml .macos_saas_runners: tags: - - shared-macos-amd64 - image: macos-11-xcode-12 + - saas-macos-medium-m1 + image: macos-12-xcode-14 stages: - build @@ -74,7 +64,7 @@ test: ``` NOTE: -You can specify a different Xcode image to run a job. To do so, replace the value for the `image` keyword with the value of the [virtual machine image name](macos/environment.md#vm-images) from the list of available images. +You can specify a different Xcode image to run a job. To do so, replace the value for the `image` keyword with the value of the [virtual machine image name](macos/environment.md#vm-images) from the list of available images. The default value is our latest image. ## SaaS runners on macOS service level objective diff --git a/doc/development/feature_flags/index.md b/doc/development/feature_flags/index.md index 87d2da016d6..c2026ab8966 100644 --- a/doc/development/feature_flags/index.md +++ b/doc/development/feature_flags/index.md 
@@ -144,6 +144,13 @@ An `experiment` feature flag should conform to the same standards as a `developm although the interface has some differences. An experiment feature flag should have a rollout issue, created using the [Experiment Tracking template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Experiment%20Rollout.md). More information can be found in the [experiment guide](../experiment_guide/index.md). +### `worker` type + +`worker` feature flags are used for controlling Sidekiq workers behavior, such as deferring Sidekiq jobs. + +`worker` feature flags likely do not have any YAML definition as the name could be dynamically generated using +the worker name itself, e.g. `defer_sidekiq_jobs:AuthorizedProjectsWorker`. + ## Feature flag definition and validation > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229161) in GitLab 13.3. diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md index 7a3dc1c01fc..e8fda066ca3 100644 --- a/doc/development/secure_coding_guidelines.md +++ b/doc/development/secure_coding_guidelines.md @@ -344,7 +344,7 @@ Much of the impact is contingent upon the function of the application and the ca For a demonstration of the impact on GitLab with a realistic attack scenario, see [this video on the GitLab Unfiltered channel](https://www.youtube.com/watch?v=t4PzHNycoKo) (internal, it requires being logged in with the GitLab Unfiltered account). -### When to consider? +### When to consider When user submitted data is included in responses to end users, which is just about anywhere. 
@@ -1395,3 +1395,20 @@ Additional resources: - - - + +## Local Storage + +### Description + +Local storage uses a built-in browser storage feature that caches data in read-only UTF-16 key-value pairs. Unlike `sessionStorage`, this mechanism has no built-in expiration mechanism, which can lead to large troves of potentially sensitive information being stored for indefinite periods. + +### Impact + +Local storage is subject to exfiltration during XSS attacks. These type of attacks highlight the inherent insecurity of storing sensitive information locally. + +### Mitigations + +If circumstances dictate that local storage is the only option, a couple of precautions should be taken. + +- Local storage should only be used for the minimal amount of data possible. Consider alternative storage formats. +- If you have to store sensitive data using local storage, do so for the minimum time possible, calling `localStorage.removeItem` on the item as soon as we're done with it. Another alternative is to call `localStorage.clear()`. diff --git a/doc/integration/jira/configure.md b/doc/integration/jira/configure.md index 3f3511c3838..8223154e223 100644 --- a/doc/integration/jira/configure.md +++ b/doc/integration/jira/configure.md @@ -10,6 +10,8 @@ The Jira issue integration connects one or more GitLab projects to a Jira instan ## Configure the integration +> Authentication with Jira personal access tokens was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/8222) in GitLab 16.0. + Prerequisites: - Your GitLab installation must not use a [relative URL](https://docs.gitlab.com/omnibus/settings/configuration.html#configure-a-relative-url-for-gitlab). diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index 870a344e329..a8af3237702 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md 
@@ -1949,7 +1949,7 @@ The following templates will be updated: - Dependency Scanning: [`Dependency-Scanning.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml) - IaC Scanning: [`SAST-IaC.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml) - SAST: [`SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) -- Secret Detection: [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detction.gitlab-ci.yml) +- Secret Detection: [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml) We recommend that you test your pipelines before the 16.0 release if you use one of the templates listed above and you use the `_DISABLED` variables but set a value other than `"true"`. diff --git a/doc/update/removals.md b/doc/update/removals.md index 5bd6d306fcc..1673fb6bf49 100644 --- a/doc/update/removals.md +++ b/doc/update/removals.md @@ -617,6 +617,34 @@ From GitLab 15.9, all Release links are external. The `external` field of the `R From GitLab 15.9, all Release links are external. The `external` field in the Releases and Release link APIs was deprecated in 15.9, and removed in GitLab 16.0. +### Secure scanning `_DISABLED` variables now require the value `"true"` + +
+- Announced in: GitLab 15.9 +- This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/). Review the details carefully before upgrading. +- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/391822). +
+ +In GitLab 16.0, we've changed how values for CI/CD variables like `SAST_DISABLED` and `DEPENDENCY_SCANNING_DISABLED` are handled. + +Now, scanning is disabled only if the value is `"true"`, for example `SAST_DISABLED: "true"`. Previously, even if the value were `"false"`, like `SAST_DISABLED: "false"`, scanning would still be disabled. + +This change was previously released in the Latest versions of the CI/CD templates because of the potential to disrupt customized CI/CD pipeline configurations. + +The following templates have been updated: + +- API Fuzzing: [`API-Fuzzing.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml) +- Container Scanning: [`Container-Scanning.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml) +- Coverage-Guided Fuzzing: [`Coverage-Fuzzing.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Coverage-Fuzzing.gitlab-ci.yml) +- DAST: [`DAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml) +- DAST API: [`DAST-API.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml) +- Dependency Scanning: [`Dependency-Scanning.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml) +- IaC Scanning: [`SAST-IaC.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml) +- SAST: [`SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) +- Secret Detection: [`Secret-Detection.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml) + +If you currently use the 
`_DISABLED` variables but set a value other than `"true"` to disable scanning, change the value to `"true"`. + ### Security report schemas version 14.x.x
@@ -786,6 +814,15 @@ The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in G The `POST ci/lint` API endpoint was deprecated in 15.7, and removed in 16.0. This endpoint did not validate the full range of CI/CD configuration options. Instead, use [`POST /projects/:id/ci/lint`](https://docs.gitlab.com/ee/api/lint.html#validate-a-ci-yaml-configuration-with-a-namespace), which properly validates CI/CD configuration. +### `docker-ssh` and `docker-ssh+machine` executors are removed + +
+- Announced in: GitLab 10.0 +- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29406). +
+ +In GitLab 16.0 and later, the `docker-ssh` and `docker+machine-ssh` executors for GitLab Runner have been removed from the GitLab Runner [code base](https://gitlab.com/gitlab-org/gitlab-runner). + ### vulnerabilityFindingDismiss GraphQL mutation
diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md index a3c512a813c..5a3812ee2fb 100644 --- a/doc/user/application_security/index.md +++ b/doc/user/application_security/index.md 
@@ -104,6 +104,7 @@ The following vulnerability scanners and their databases are regularly updated:
 | [Container Scanning](container_scanning/index.md) | A job runs on a daily basis to build new images with the latest vulnerability database updates from the upstream scanner. GitLab monitors this job through an internal alert that tells the engineering team when the database becomes more than 48 hours old. For more information, see the [Vulnerabilities database update](container_scanning/index.md#vulnerabilities-database). |
 | [Dependency Scanning](dependency_scanning/index.md) | Relies on the [GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db). It is updated on a daily basis using [data from NVD, the `ruby-advisory-db` and the GitHub Advisory Database as data sources](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/SOURCES.md). See our [current measurement of time from CVE being issued to our product being updated](https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update). |
 | [Dynamic Application Security Testing (DAST)](dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/main/Dockerfile#L1). The scanning rules are downloaded at scan runtime. |
+| [Secret Detection](secret_detection/index.md#detected-secrets) | GitLab maintains the [detection rules](secret_detection/index.md#detected-secrets) and [accepts community contributions](secret_detection/index.md#adding-new-patterns). The scanning engine is updated at least once per month if a relevant update is available. |
 | [Static Application Security Testing (SAST)](sast/index.md) | The source of scan rules depends on which [analyzer](sast/analyzers.md) is used for each [supported programming language](sast/index.md#supported-languages-and-frameworks). GitLab maintains a ruleset for the Semgrep-based analyzer and updates it regularly based on internal research and user feedback. For other analyzers, the ruleset is sourced from the upstream open-source scanner. Each analyzer is updated at least once per month if a relevant update is available. |
 In versions of GitLab that use the same major version of the analyzer, you do not have to update
diff --git a/lib/feature/shared.rb b/lib/feature/shared.rb
index 6af24451322..d801070ff1a 100644
--- a/lib/feature/shared.rb
+++ b/lib/feature/shared.rb
@@ -54,6 +54,17 @@ module Feature
 example: <<-EOS
 experiment(:my_experiment, project: project, actor: current_user) { ...variant code... }
 EOS
+ },
+ worker: {
+ description: "Feature flags for controlling Sidekiq workers behavior (e.g. deferring jobs)",
+ optional: true,
+ rollout_issue: false,
+ ee_only: false,
+ default_enabled: false,
+ example: '<<-EOS
+ Feature.enabled?(:"defer_sidekiq_jobs:AuthorizedProjectsWorker", type: :worker,
+ default_enabled_if_undefined: false)
+ EOS'
 }
 }.freeze
diff --git a/spec/frontend/work_items/components/notes/work_item_note_actions_spec.js b/spec/frontend/work_items/components/notes/work_item_note_actions_spec.js
index 99bf391e261..9f796c8663f 100644
--- a/spec/frontend/work_items/components/notes/work_item_note_actions_spec.js
+++ b/spec/frontend/work_items/components/notes/work_item_note_actions_spec.js
@@ -1,4 +1,4 @@
-import { GlDropdown } from '@gitlab/ui';
+import { GlDisclosureDropdown } from '@gitlab/ui';
 import { shallowMount } from '@vue/test-utils';
 import Vue from 'vue';
 import VueApollo from 'vue-apollo';
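Review bot: The `example:` value of the new `worker` entry in lib/feature/shared.rb is an ordinary single-quoted string that carries the heredoc markers as text, `example: '<<-EOS` … `EOS'`, whereas the neighbouring `experiment` entry uses a real heredoc, `example: <<-EOS` … `EOS`, so anything that prints `example` for this type will emit the literal `<<-EOS` and `EOS` lines around the `Feature.enabled?` call. Drop the quotes so the entry matches its siblings: `example: <<-EOS`, the two `Feature.enabled?(...)` lines, `EOS`. Since the flag names of this type are built from a worker class name (`defer_sidekiq_jobs:AuthorizedProjectsWorker`) and the entry is marked `optional: true`, a short comment on `optional:` stating whether a definition file is still expected for these flags would help operators reason about a mistyped name; I cannot confirm the semantics of `optional:` from the hunk. The enclosing hash literal (closed by `}.freeze`) begins before the hunk.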
@@ -18,7 +18,7 @@ describe('Work Item Note Actions', () => {
 const findReplyButton = () => wrapper.findComponent(ReplyButton);
 const findEditButton = () => wrapper.find('[data-testid="edit-work-item-note"]');
 const findEmojiButton = () => wrapper.find('[data-testid="note-emoji-button"]');
- const findDropdown = () => wrapper.findComponent(GlDropdown);
+ const findDropdown = () => wrapper.findComponent(GlDisclosureDropdown);
 const findDeleteNoteButton = () => wrapper.find('[data-testid="delete-note-action"]');
 const findCopyLinkButton = () => wrapper.find('[data-testid="copy-link-action"]');
 const findAssignUnassignButton = () => wrapper.find('[data-testid="assign-note-action"]');
@@ -61,6 +61,7 @@ describe('Work Item Note Actions', () => {
 },
 apolloProvider: createMockApollo([[addAwardEmojiMutation, addEmojiMutationResolver]]),
 });
+ wrapper.vm.$refs.dropdown.close = jest.fn();
 };
 describe('reply button', () => {
@@ -152,7 +153,7 @@ describe('Work Item Note Actions', () => {
 showEdit: true,
 });
- findDeleteNoteButton().vm.$emit('click');
+ findDeleteNoteButton().vm.$emit('action');
 expect(wrapper.emitted('deleteNote')).toEqual([[]]);
 });
@@ -167,7 +168,7 @@ describe('Work Item Note Actions', () => {
 });
 it('should emit `notifyCopyDone` event when copy link note action is clicked', () => {
- findCopyLinkButton().vm.$emit('click');
+ findCopyLinkButton().vm.$emit('action');
 expect(wrapper.emitted('notifyCopyDone')).toEqual([[]]);
 });
@@ -193,7 +194,7 @@ describe('Work Item Note Actions', () => {
 showAssignUnassign: true,
 });
- findAssignUnassignButton().vm.$emit('click');
+ findAssignUnassignButton().vm.$emit('action');
 expect(wrapper.emitted('assignUser')).toEqual([[]]);
 });
@@ -219,7 +220,7 @@ describe('Work Item Note Actions', () => {
 canReportAbuse: true,
 });
- findReportAbuseToAdminButton().vm.$emit('click');
+ findReportAbuseToAdminButton().vm.$emit('action');
 expect(wrapper.emitted('reportAbuse')).toEqual([[]]);
 });
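Review bot: `createComponent` now stubs `wrapper.vm.$refs.dropdown.close = jest.fn()` (hunk `@@ -61,6 +61,7 @@`), but none of the action tests rewritten in the following hunks asserts that the stub was called after an `action` event, so the mock only silences what is presumably the component's `close()` call and a regression there would pass unnoticed. Add an expectation beside the existing emit checks, e.g. `expect(wrapper.vm.$refs.dropdown.close).toHaveBeenCalled();` after `findDeleteNoteButton().vm.$emit('action');`. The assignment also assumes a `dropdown` ref exists on the shallow-mounted wrapper; if that ref is renamed, every test fails with a TypeError in setup rather than a failed assertion, so stubbing `close` through the `stubs` option would make the dependency explicit. The surrounding `describe` callbacks start and end outside these hunks.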
diff --git a/spec/models/namespace/root_storage_statistics_spec.rb b/spec/models/namespace/root_storage_statistics_spec.rb
index c2a0c8c8a7c..3b6062c0d8a 100644
--- a/spec/models/namespace/root_storage_statistics_spec.rb
+++ b/spec/models/namespace/root_storage_statistics_spec.rb
@@ -317,31 +317,6 @@ RSpec.describe Namespace::RootStorageStatistics, type: :model do
 expect(root_storage_statistics.reload.internal_forks_storage_size).to eq(0)
 end
-
- context 'when the feature flag is off' do
- before do
- stub_feature_flags(root_storage_statistics_calculate_forks: false)
- end
-
- it 'does not aggregate fork storage sizes' do
- project = create_project(size_multiplier: 150)
- create_fork(project, size_multiplier: 100)
-
- root_storage_statistics.recalculate!
-
- expect(root_storage_statistics.reload.private_forks_storage_size).to eq(0)
- end
-
- it 'aggregates fork sizes for enabled namespaces' do
- stub_feature_flags(root_storage_statistics_calculate_forks: namespace)
- project = create_project(size_multiplier: 150)
- project_fork = create_fork(project, size_multiplier: 100)
-
- root_storage_statistics.recalculate!
-
- expect(root_storage_statistics.reload.private_forks_storage_size).to eq(project_fork.statistics.storage_size)
- end
- end
 end
 end
-- cgit v1.2.1