Commit 98692a8d authored by GitLab Bot's avatar GitLab Bot

Add latest changes from gitlab-org/gitlab@master

parent ed5add1c
---
title: Improve SAST NO_DIND file detection with proper boundary conditions
merge_request: 28036
author:
type: fixed
---
title: Refactor projects/:id/packages API to supply only necessary params to PackagesFinder
merge_request: 29052
author: Sashi Kumar
type: other
...@@ -62,8 +62,8 @@ puts Readline::HISTORY.to_a ...@@ -62,8 +62,8 @@ puts Readline::HISTORY.to_a
## Using the Rails Runner ## Using the Rails Runner
If you need to run some Ruby code in thex context of your GitLab production If you need to run some Ruby code in the context of your GitLab production
environment, you can do so using the [Rails Runner](https://guides.rubyonrails.org/command_line.html#rails-runner). environment, you can do so using the [Rails Runner](https://guides.rubyonrails.org/command_line.html#rails-runner). When executing a script file, the script must be accessible by the `git` user.
**For Omnibus installations** **For Omnibus installations**
...@@ -72,6 +72,9 @@ sudo gitlab-rails runner "RAILS_COMMAND" ...@@ -72,6 +72,9 @@ sudo gitlab-rails runner "RAILS_COMMAND"
# Example with a two-line Ruby script # Example with a two-line Ruby script
sudo gitlab-rails runner "user = User.first; puts user.username" sudo gitlab-rails runner "user = User.first; puts user.username"
# Example with a ruby script file
sudo gitlab-rails runner /path/to/script.rb
``` ```
**For installations from source** **For installations from source**
...@@ -81,6 +84,9 @@ sudo -u git -H bundle exec rails runner -e production "RAILS_COMMAND" ...@@ -81,6 +84,9 @@ sudo -u git -H bundle exec rails runner -e production "RAILS_COMMAND"
# Example with a two-line Ruby script # Example with a two-line Ruby script
sudo -u git -H bundle exec rails runner -e production "user = User.first; puts user.username" sudo -u git -H bundle exec rails runner -e production "user = User.first; puts user.username"
# Example with a ruby script file
sudo -u git -H bundle exec rails runner -e production /path/to/script.rb
``` ```
## Mail not working ## Mail not working
......
...@@ -7174,6 +7174,51 @@ type Query { ...@@ -7174,6 +7174,51 @@ type Query {
""" """
visibility: VisibilityScopesEnum visibility: VisibilityScopesEnum
): SnippetConnection ): SnippetConnection
"""
Vulnerabilities reported on projects on the current user's instance security dashboard
"""
vulnerabilities(
"""
Returns the elements in the list that come after the specified cursor.
"""
after: String
"""
Returns the elements in the list that come before the specified cursor.
"""
before: String
"""
Returns the first _n_ elements from the list.
"""
first: Int
"""
Returns the last _n_ elements from the list.
"""
last: Int
"""
Filter vulnerabilities by project
"""
projectId: [ID!]
"""
Filter vulnerabilities by report type
"""
reportType: [VulnerabilityReportType!]
"""
Filter vulnerabilities by severity
"""
severity: [VulnerabilitySeverity!]
"""
Filter vulnerabilities by state
"""
state: [VulnerabilityState!]
): VulnerabilityConnection
} }
""" """
......
...@@ -21480,6 +21480,131 @@ ...@@ -21480,6 +21480,131 @@
}, },
"isDeprecated": false, "isDeprecated": false,
"deprecationReason": null "deprecationReason": null
},
{
"name": "vulnerabilities",
"description": "Vulnerabilities reported on projects on the current user's instance security dashboard",
"args": [
{
"name": "projectId",
"description": "Filter vulnerabilities by project",
"type": {
"kind": "LIST",
"name": null,
"ofType": {
"kind": "NON_NULL",
"name": null,
"ofType": {
"kind": "SCALAR",
"name": "ID",
"ofType": null
}
}
},
"defaultValue": null
},
{
"name": "reportType",
"description": "Filter vulnerabilities by report type",
"type": {
"kind": "LIST",
"name": null,
"ofType": {
"kind": "NON_NULL",
"name": null,
"ofType": {
"kind": "ENUM",
"name": "VulnerabilityReportType",
"ofType": null
}
}
},
"defaultValue": null
},
{
"name": "severity",
"description": "Filter vulnerabilities by severity",
"type": {
"kind": "LIST",
"name": null,
"ofType": {
"kind": "NON_NULL",
"name": null,
"ofType": {
"kind": "ENUM",
"name": "VulnerabilitySeverity",
"ofType": null
}
}
},
"defaultValue": null
},
{
"name": "state",
"description": "Filter vulnerabilities by state",
"type": {
"kind": "LIST",
"name": null,
"ofType": {
"kind": "NON_NULL",
"name": null,
"ofType": {
"kind": "ENUM",
"name": "VulnerabilityState",
"ofType": null
}
}
},
"defaultValue": null
},
{
"name": "after",
"description": "Returns the elements in the list that come after the specified cursor.",
"type": {
"kind": "SCALAR",
"name": "String",
"ofType": null
},
"defaultValue": null
},
{
"name": "before",
"description": "Returns the elements in the list that come before the specified cursor.",
"type": {
"kind": "SCALAR",
"name": "String",
"ofType": null
},
"defaultValue": null
},
{
"name": "first",
"description": "Returns the first _n_ elements from the list.",
"type": {
"kind": "SCALAR",
"name": "Int",
"ofType": null
},
"defaultValue": null
},
{
"name": "last",
"description": "Returns the last _n_ elements from the list.",
"type": {
"kind": "SCALAR",
"name": "Int",
"ofType": null
},
"defaultValue": null
}
],
"type": {
"kind": "OBJECT",
"name": "VulnerabilityConnection",
"ofType": null
},
"isDeprecated": false,
"deprecationReason": null
} }
], ],
"inputFields": null, "inputFields": null,
......
...@@ -449,7 +449,7 @@ It's common to discover technical debt during development of a new feature. In ...@@ -449,7 +449,7 @@ It's common to discover technical debt during development of a new feature. In
the spirit of "minimum viable change", resolution is often deferred to a the spirit of "minimum viable change", resolution is often deferred to a
follow-up issue. However, this cannot be used as an excuse to merge poor-quality follow-up issue. However, this cannot be used as an excuse to merge poor-quality
code that would otherwise not pass review, or to overlook trivial matters that code that would otherwise not pass review, or to overlook trivial matters that
don't deserve the be scheduled independently, and would be best resolved in the don't deserve to be scheduled independently, and would be best resolved in the
original merge request - or not tracked at all! original merge request - or not tracked at all!
The overheads of scheduling, and rate of change in the GitLab codebase, mean The overheads of scheduling, and rate of change in the GitLab codebase, mean
......
...@@ -76,6 +76,6 @@ Each individual scanner may be slightly different than the steps described ...@@ -76,6 +76,6 @@ Each individual scanner may be slightly different than the steps described
above. You can find more information at each of the pages below: above. You can find more information at each of the pages below:
- [Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-environment) - [Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-environment)
- [SAST offline directions](../sast/index.md#gitlab-sast-in-an-offline-environment) - [SAST offline directions](../sast/index.md#running-sast-in-an-offline-environment)
- [DAST offline directions](../dast/index.md#running-dast-in-an-offline-environment) - [DAST offline directions](../dast/index.md#running-dast-in-an-offline-environment)
- [License Compliance offline directions](../../compliance/license_compliance/index.md#running-license-compliance-in-an-offline-environment) - [License Compliance offline directions](../../compliance/license_compliance/index.md#running-license-compliance-in-an-offline-environment)
...@@ -504,16 +504,17 @@ Once a vulnerability is found, you can interact with it. Read more on how to ...@@ -504,16 +504,17 @@ Once a vulnerability is found, you can interact with it. Read more on how to
For more information about the vulnerabilities database update, check the For more information about the vulnerabilities database update, check the
[maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database). [maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database).
## GitLab SAST in an offline environment ## Running SAST in an offline environment
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
to external resources through the internet, some adjustments are required for the SAST job to to external resources through the internet, some adjustments are required for the SAST job to
successfully run. successfully run. For more information, see [Offline environments](../offline_deployments/index.md).
### Requirements for offline SAST ### Requirements for offline SAST
To use SAST in an offline environment, you need: To use SAST in an offline environment, you need:
- [Disable Docker-In-Docker](#disabling-docker-in-docker-for-sast)
- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements). - GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
- Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images. - Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
......
...@@ -65,7 +65,7 @@ bandit-sast: ...@@ -65,7 +65,7 @@ bandit-sast:
variables: variables:
- $GITLAB_FEATURES =~ /\bsast\b/ && - $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/&& $SAST_DEFAULT_ANALYZERS =~ /bandit/&&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/
brakeman-sast: brakeman-sast:
extends: .sast-analyzer extends: .sast-analyzer
...@@ -75,7 +75,7 @@ brakeman-sast: ...@@ -75,7 +75,7 @@ brakeman-sast:
variables: variables:
- $GITLAB_FEATURES =~ /\bsast\b/ && - $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/ && $SAST_DEFAULT_ANALYZERS =~ /brakeman/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bruby\b/
eslint-sast: eslint-sast:
extends: .sast-analyzer extends: .sast-analyzer
...@@ -85,7 +85,7 @@ eslint-sast: ...@@ -85,7 +85,7 @@ eslint-sast:
variables: variables:
- $GITLAB_FEATURES =~ /\bsast\b/ && - $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/ && $SAST_DEFAULT_ANALYZERS =~ /eslint/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
flawfinder-sast: flawfinder-sast:
extends: .sast-analyzer extends: .sast-analyzer
...@@ -95,7 +95,7 @@ flawfinder-sast: ...@@ -95,7 +95,7 @@ flawfinder-sast:
variables: variables:
- $GITLAB_FEATURES =~ /\bsast\b/ && - $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/ && $SAST_DEFAULT_ANALYZERS =~ /flawfinder/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c)\b/ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /(c(\+\+)?,)|(c(\+\+)?$)/
kubesec-sast: kubesec-sast:
extends: .sast-analyzer extends: .sast-analyzer
...@@ -125,7 +125,7 @@ nodejs-scan-sast: ...@@ -125,7 +125,7 @@ nodejs-scan-sast:
variables: variables:
- $GITLAB_FEATURES =~ /\bsast\b/ && - $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ && $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
phpcs-security-audit-sast: phpcs-security-audit-sast:
extends: .sast-analyzer extends: .sast-analyzer
...@@ -135,7 +135,7 @@ phpcs-security-audit-sast: ...@@ -135,7 +135,7 @@ phpcs-security-audit-sast:
variables: variables:
- $GITLAB_FEATURES =~ /\bsast\b/ && - $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ && $SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /php/ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bphp\b/
pmd-apex-sast: pmd-apex-sast:
extends: .sast-analyzer extends: .sast-analyzer
...@@ -145,7 +145,7 @@ pmd-apex-sast: ...@@ -145,7 +145,7 @@ pmd-apex-sast:
variables: variables:
- $GITLAB_FEATURES =~ /\bsast\b/ && - $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ && $SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /apex/ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bapex\b/
secrets-sast: secrets-sast:
extends: .sast-analyzer extends: .sast-analyzer
...@@ -174,7 +174,7 @@ sobelow-sast: ...@@ -174,7 +174,7 @@ sobelow-sast:
variables: variables:
- $GITLAB_FEATURES =~ /\bsast\b/ && - $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/ && $SAST_DEFAULT_ANALYZERS =~ /sobelow/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /elixir/ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\belixir\b/
spotbugs-sast: spotbugs-sast:
extends: .sast-analyzer extends: .sast-analyzer
...@@ -194,4 +194,4 @@ tslint-sast: ...@@ -194,4 +194,4 @@ tslint-sast:
variables: variables:
- $GITLAB_FEATURES =~ /\bsast\b/ && - $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /tslint/ && $SAST_DEFAULT_ANALYZERS =~ /tslint/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /typescript/ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\btypescript\b/
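Review bot: The flawfinder-sast condition's new regex `/(c(\+\+)?,)|(c(\+\+)?$)/` anchors only the end of the language token, so a name that merely ends in `c` (for example `objective-c`, given that the pattern itself treats `$CI_PROJECT_REPOSITORY_LANGUAGES` as a comma-separated list) still satisfies the `c,` or `c$` branch and launches the analyzer. The `\b` form was presumably dropped because `\b` cannot follow the `+` in `c++`, but the replacement loses the leading boundary entirely. Anchoring both sides, `$CI_PROJECT_REPOSITORY_LANGUAGES =~ /(^|,)c(\+\+)?(,|$)/`, keeps the `c++` fix and rejects tokens that only end in `c`. I am reading the second of each paired line as the new side, consistent with the changelog title on this page; the `.sast-analyzer` base and the `kubesec-sast`, `secrets-sast` and `spotbugs-sast` rules lie outside the visible hunks.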