Commit 835b633a authored by Nick Gaskill's avatar Nick Gaskill

Merge branch 'russell/move-vulnerability-docs' into 'master'

Moved some vulnerability docs

See merge request gitlab-org/gitlab!59122
parents 9f75979c 5dcf5d47
......@@ -548,7 +548,7 @@ of the available SAST Analyzers and what data is currently available.
The `remediations` field of the report is an array of remediation objects.
Each remediation describes a patch that can be applied to
[automatically fix](../../user/application_security/#apply-an-automatic-remediation-for-a-vulnerability)
[automatically fix](../../user/application_security/vulnerabilities/index.md#remediate-a-vulnerability-automatically)
a set of vulnerabilities.
Here is an example of a report that contains remediations.
......
......@@ -101,7 +101,7 @@ and complete an integration with the Secure stage.
- Users can interact with the findings from your artifact within their workflow. They can dismiss the findings or accept them and create a backlog issue.
- To automatically create issues without user interaction, use the [issue API](../../api/issues.md).
1. Optional: Provide auto-remediation steps:
- If you specified `remediations` in your artifact, it is proposed through our [automatic remediation](../../user/application_security/index.md#apply-an-automatic-remediation-for-a-vulnerability)
- If you specified `remediations` in your artifact, it is proposed through our [automatic remediation](../../user/application_security/vulnerabilities/index.md#remediate-a-vulnerability-automatically)
interface.
1. Demo the integration to GitLab:
- After you have tested and are ready to demo your integration please
......
......@@ -996,7 +996,7 @@ pipelines. For more information, see the [Security Dashboard documentation](../s
Fuzzing faults show up as vulnerabilities with a severity of Unknown.
Once a fault is found, you can interact with it. Read more on how to
[address the vulnerabilities](../index.md#addressing-vulnerabilities).
[address the vulnerabilities](../vulnerabilities/index.md).
## Handling False Positives
......
......@@ -694,7 +694,7 @@ If you're using Klar and want more information about the vulnerabilities databas
## Interacting with the vulnerabilities
After a vulnerability is found, you can [address it](../index.md#addressing-vulnerabilities).
After a vulnerability is found, you can [address it](../vulnerabilities/index.md).
## Solutions for vulnerabilities (auto-remediation)
......@@ -708,7 +708,7 @@ file, it's necessary to set [`GIT_STRATEGY: fetch`](../../../ci/runners/README.m
your `.gitlab-ci.yml` file by following the instructions described in this document's
[overriding the container scanning template](#overriding-the-container-scanning-template) section.
Read more about the [solutions for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability).
Read more about the [solutions for vulnerabilities](../vulnerabilities/index.md#remediate-a-vulnerability-automatically).
## Troubleshooting
......
......@@ -237,7 +237,7 @@ The `covfuzz-ci.yml` is the same as that in the [original synchronous example](h
## Interacting with the vulnerabilities
After a vulnerability is found, you can [address it](../index.md#addressing-vulnerabilities).
After a vulnerability is found, you can [address it](../vulnerabilities/index.md).
The merge request widget lists the vulnerability and contains a button for downloading the fuzzing
artifacts. By clicking one of the detected vulnerabilities, you can see its details.
......
......@@ -228,13 +228,13 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
[address the vulnerabilities](../index.md#addressing-vulnerabilities).
[address the vulnerabilities](../vulnerabilities/index.md).
## Solutions for vulnerabilities (auto-remediation)
Some vulnerabilities can be fixed by applying the solution that GitLab
automatically generates. Read more about the
[solutions for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability).
[solutions for vulnerabilities](../vulnerabilities/index.md#remediate-a-vulnerability-automatically).
## Security Dashboard
......
......@@ -119,99 +119,6 @@ reports are available to download. To download a report, click on the
![Security widget](img/security_widget_v13_7.png)
## Addressing vulnerabilities
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.8.
For each security vulnerability in a merge request or [Vulnerability Report](vulnerability_report/index.md),
you can:
- [Dismiss the vulnerability](#dismiss-a-vulnerability).
- Create a [confidential](../project/issues/confidential_issues.md)
[issue](vulnerabilities/index.md#create-a-gitlab-issue-for-a-vulnerability).
- Apply an [automatically remediation](#apply-an-automatic-remediation-for-a-vulnerability).
### Dismiss a vulnerability
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0, a dismissal reason.
You can dismiss a vulnerability for the entire project.
1. Select the vulnerability in the Security Dashboard.
1. In the top-right, from the **Status** selector menu, select **Dismissed**.
1. Optional. Add a reason for the dismissal and select **Save comment**.
To undo this action, select a different status from the same menu.
#### Dismiss multiple vulnerabilities
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
You can dismiss multiple vulnerabilities at once.
1. In the list of vulnerabilities, select the checkbox for each vulnerability you want to dismiss.
To select all, select the checkbox in the table header.
1. Above the table, select a dismissal reason.
1. Select **Dismiss Selected**.
### Create an issue for a vulnerability
You can create a GitLab or Jira issue for a vulnerability. For details, see [Vulnerability Pages](vulnerabilities/index.md).
#### Link to an existing issue
If you already have an open issue, you can link to it from the vulnerability.
- The vulnerability page shows related issues, but the issue page doesn't show the vulnerability it's related to.
- An issue can only be related to one vulnerability at a time.
- Issues can be linked across groups and projects.
To link to an existing issue:
1. Open the vulnerability.
1. [Add a linked issue](../project/issues/related_issues.md).
### Apply an automatic remediation for a vulnerability
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5656) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.7.
Some vulnerabilities can be fixed by applying the solution that GitLab automatically generates.
The following scanners are supported:
- [Dependency Scanning](dependency_scanning/index.md).
Automatic Patch creation is only available for Node.js projects managed with
`yarn`.
- [Container Scanning](container_scanning/index.md).
#### Manually apply the suggested patch
To manually apply the patch that GitLab generated for a vulnerability:
1. Select the **Resolve with merge request** dropdown, then select **Download patch to resolve**:
![Resolve with Merge Request button dropdown](img/vulnerability_page_merge_request_button_dropdown_v13_1.png)
1. Ensure your local project has the same commit checked out that was used to generate the patch.
1. Run `git apply remediation.patch`.
1. Verify and commit the changes to your branch.
#### Create a merge request with the suggested patch
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9224) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.9.
In some cases, you can create a merge request that automatically remediates the
vulnerability. Any vulnerability that has a
[solution](#apply-an-automatic-remediation-for-a-vulnerability) can have a merge
request created to automatically solve the issue.
If this action is available:
1. Select the **Resolve with merge request** dropdown, then select **Resolve with merge request**.
![Create merge request from vulnerability](img/create_mr_from_vulnerability_v13_4.png)
A merge request is created. It that applies the solution to the source branch.
## Security approvals in merge requests
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9928) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.2.
......
......@@ -59,14 +59,14 @@ mirroring the packages inside your own offline network.
### Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
[address the vulnerabilities](../index.md#addressing-vulnerabilities).
[address the vulnerabilities](../vulnerabilities/index.md).
Please note that in some cases the reported vulnerabilities provide metadata that can contain
external links exposed in the UI. These links might not be accessible within an offline environment.
### Automatic remediation for vulnerabilities
The [automatic remediation for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability) feature is available for offline Dependency Scanning and Container Scanning, but may not work
The [automatic remediation for vulnerabilities](../vulnerabilities/index.md#remediate-a-vulnerability-automatically) feature is available for offline Dependency Scanning and Container Scanning, but may not work
depending on your instance's configuration. We can only suggest solutions, which are generally more
current versions that have been patched, when we are able to access up-to-date registry services
hosting the latest versions of that dependency or image.
......
......@@ -134,16 +134,16 @@ All open source (OSS) analyzers have been moved to the GitLab Free tier as of Gi
Different features are available in different [GitLab tiers](https://about.gitlab.com/pricing/),
as shown in the following table:
| Capability | In Free | In Ultimate |
|:-------------------------------------------------------------------------------------------------------------|:--------------------|:-------------------|
| [Configure SAST Scanners](#configuration) | **{check-circle}** | **{check-circle}** |
| [Customize SAST Settings](#customizing-the-sast-settings) | **{check-circle}** | **{check-circle}** |
| View [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
| Presentation of JSON Report in Merge Request | **{dotted-circle}** | **{check-circle}** |
| [Address vulnerabilities](../../application_security/index.md#addressing-vulnerabilities) | **{dotted-circle}** | **{check-circle}** |
| [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** |
| [Customize SAST Rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** |
| Capability | In Free | In Ultimate |
|:---------------------------------------------------------------------------------------|:--------------------|:-------------------|
| [Configure SAST Scanners](#configuration) | **{check-circle}** | **{check-circle}** |
| [Customize SAST Settings](#customizing-the-sast-settings) | **{check-circle}** | **{check-circle}** |
| View [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
| Presentation of JSON Report in Merge Request | **{dotted-circle}** | **{check-circle}** |
| [Address vulnerabilities](../../application_security/vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** |
| [Customize SAST Rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** |
## Contribute your scanner
......
......@@ -211,4 +211,4 @@ Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
Read more on how to [address the vulnerabilities](../index.md#addressing-vulnerabilities).
Read more on how to [address the vulnerabilities](../vulnerabilities/index.md).
......@@ -12,7 +12,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
Each security vulnerability in a project's [Vulnerability Report](../vulnerability_report/index.md) has an individual page which includes:
- Details of the vulnerability.
- The status of the vulnerability within the project.
- The status of the vulnerability in the project.
- Available actions for the vulnerability.
- Any issues related to the vulnerability.
......@@ -21,8 +21,10 @@ On the vulnerability's page, you can:
- [Change the vulnerability's status](#change-vulnerability-status).
- [Create an issue](#create-an-issue-for-a-vulnerability).
- [Link issues to the vulnerability](#link-gitlab-issues-to-the-vulnerability).
- [Automatically remediate the vulnerability](#automatically-remediate-the-vulnerability), if an
- [Remediate a vulnerability automatically](#remediate-a-vulnerability-automatically), if an
automatic solution is available.
- [Remediate a vulnerability manually](#remediate-a-vulnerability-manually), if a solution is
available.
## Change vulnerability status
......@@ -60,7 +62,7 @@ To create a GitLab issue for a vulnerability:
1. In GitLab, go to the vulnerability's page.
1. Select **Create issue**.
An issue is created in the project, prepopulated with information from the vulnerability report.
An issue is created in the project, pre-populated with information from the vulnerability report.
The issue is then opened so you can take further action.
### Create a Jira issue for a vulnerability
......@@ -120,10 +122,59 @@ that the resolution of one issue would resolve multiple vulnerabilities.
Linked issues are shown in the Vulnerability Report and the vulnerability's page.
## Automatically remediate the vulnerability
## Link to an existing issue
You can fix some vulnerabilities by applying the solution that GitLab automatically
generates for you. [Read more about the automatic remediation for vulnerabilities feature](../index.md#apply-an-automatic-remediation-for-a-vulnerability).
If you already have an open issue, you can link to it from the vulnerability.
- The vulnerability page shows related issues, but the issue page doesn't show the vulnerability it's related to.
- An issue can only be related to one vulnerability at a time.
- Issues can be linked across groups and projects.
To link to an existing issue:
1. Open the vulnerability.
1. [Add a linked issue](../../project/issues/related_issues.md).
## Remediate a vulnerability automatically
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5656) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.7.
Some vulnerabilities can be fixed by applying the solution that GitLab automatically generates.
The following scanners are supported:
- [Dependency Scanning](../dependency_scanning/index.md).
Automatic Patch creation is only available for Node.js projects managed with
`yarn`.
- [Container Scanning](../container_scanning/index.md).
### Remediate a vulnerability manually
To manually apply the patch that GitLab generated for a vulnerability:
1. Select the **Resolve with merge request** dropdown, then select **Download patch to resolve**:
![Resolve with Merge Request button dropdown](img/vulnerability_page_merge_request_button_dropdown_v13_1.png)
1. Ensure your local project has the same commit checked out that was used to generate the patch.
1. Run `git apply remediation.patch`.
1. Verify and commit the changes to your branch.
### Create a merge request with the suggested patch
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9224) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.9.
In some cases, you can create a merge request that automatically remediates the
vulnerability. Any vulnerability that has a
[solution](#remediate-a-vulnerability-automatically) can have a merge
request created to automatically solve the issue.
If this action is available:
1. Select the **Resolve with merge request** dropdown, then select **Resolve with merge request**.
![Create merge request from vulnerability](img/create_mr_from_vulnerability_v13_4.png)
A merge request is created. It applies the solution to the source branch.
## Vulnerability scanner maintenance
......
......@@ -162,3 +162,26 @@ computer.
NOTE:
It may take several minutes for the download to start if your project contains
thousands of vulnerabilities. Don't close the page until the download finishes.
## Dismiss a vulnerability
> The option of adding a dismissal reason was introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0.
You can dismiss a vulnerability for the entire project:
1. Select the vulnerability in the Security Dashboard.
1. In the top-right, from the **Status** selector menu, select **Dismissed**.
1. Optional. Add a reason for the dismissal and select **Save comment**.
To undo this action, select a different status from the same menu.
### Dismiss multiple vulnerabilities
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
You can dismiss multiple vulnerabilities at once:
1. In the list of vulnerabilities, select the checkbox for each vulnerability you want to dismiss.
To select all, select the checkbox in the table header.
1. Above the table, select a dismissal reason.
1. Select **Dismiss Selected**.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment