Automatic merge of gitlab-org/gitlab master

doc/api/graphql/reference/gitlab_schema.graphql

@@ -11641,7 +11641,7 @@ type Mutation {
   pipelineRetry(input: PipelineRetryInput!): PipelineRetryPayload
   removeAwardEmoji(input: RemoveAwardEmojiInput!): RemoveAwardEmojiPayload @deprecated(reason: "Use awardEmojiRemove. Deprecated in 13.2")
   removeProjectFromSecurityDashboard(input: RemoveProjectFromSecurityDashboardInput!): RemoveProjectFromSecurityDashboardPayload
-  revertVulnerabilityToDetected(input: RevertVulnerabilityToDetectedInput!): RevertVulnerabilityToDetectedPayload
+  revertVulnerabilityToDetected(input: RevertVulnerabilityToDetectedInput!): RevertVulnerabilityToDetectedPayload @deprecated(reason: "Use vulnerabilityRevertToDetected. Deprecated in 13.5")
   runDastScan(input: RunDASTScanInput!): RunDASTScanPayload @deprecated(reason: "Use DastOnDemandScanCreate. Deprecated in 13.4")
   todoMarkDone(input: TodoMarkDoneInput!): TodoMarkDonePayload
   todoRestore(input: TodoRestoreInput!): TodoRestorePayload
@@ -11673,6 +11673,7 @@ type Mutation {
   vulnerabilityConfirm(input: VulnerabilityConfirmInput!): VulnerabilityConfirmPayload
   vulnerabilityDismiss(input: VulnerabilityDismissInput!): VulnerabilityDismissPayload
   vulnerabilityResolve(input: VulnerabilityResolveInput!): VulnerabilityResolvePayload
+  vulnerabilityRevertToDetected(input: VulnerabilityRevertToDetectedInput!): VulnerabilityRevertToDetectedPayload
 }
 
 """
@@ -20470,6 +20471,41 @@ type VulnerabilityResolvePayload {
   vulnerability: Vulnerability
 }
 
+"""
+Autogenerated input type of VulnerabilityRevertToDetected
+"""
+input VulnerabilityRevertToDetectedInput {
+  """
+  A unique identifier for the client performing the mutation.
+  """
+  clientMutationId: String
+
+  """
+  ID of the vulnerability to be reverted
+  """
+  id: VulnerabilityID!
+}
+
+"""
+Autogenerated return type of VulnerabilityRevertToDetected
+"""
+type VulnerabilityRevertToDetectedPayload {
+  """
+  A unique identifier for the client performing the mutation.
+  """
+  clientMutationId: String
+
+  """
+  Errors encountered during execution of the mutation.
+  """
+  errors: [String!]!
+
+  """
+  The vulnerability after revert
+  """
+  vulnerability: Vulnerability
+}
+
 """
 Represents a vulnerability scanner
 """

doc/api/graphql/reference/gitlab_schema.json

@@ -33961,8 +33961,8 @@
                 "name": "RevertVulnerabilityToDetectedPayload",
                 "ofType": null
               },
-              "isDeprecated": false,
-              "deprecationReason": null
+              "isDeprecated": true,
+              "deprecationReason": "Use vulnerabilityRevertToDetected. Deprecated in 13.5"
             },
             {
               "name": "runDastScan",
@@ -34503,6 +34503,33 @@
               },
               "isDeprecated": false,
               "deprecationReason": null
+            },
+            {
+              "name": "vulnerabilityRevertToDetected",
+              "description": null,
+              "args": [
+                {
+                  "name": "input",
+                  "description": null,
+                  "type": {
+                    "kind": "NON_NULL",
+                    "name": null,
+                    "ofType": {
+                      "kind": "INPUT_OBJECT",
+                      "name": "VulnerabilityRevertToDetectedInput",
+                      "ofType": null
+                    }
+                  },
+                  "defaultValue": null
+                }
+              ],
+              "type": {
+                "kind": "OBJECT",
+                "name": "VulnerabilityRevertToDetectedPayload",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
             }
           ],
           "inputFields": null,
@@ -59575,6 +59602,108 @@
           "enumValues": null,
           "possibleTypes": null
         },
+        {
+          "kind": "INPUT_OBJECT",
+          "name": "VulnerabilityRevertToDetectedInput",
+          "description": "Autogenerated input type of VulnerabilityRevertToDetected",
+          "fields": null,
+          "inputFields": [
+            {
+              "name": "id",
+              "description": "ID of the vulnerability to be reverted",
+              "type": {
+                "kind": "NON_NULL",
+                "name": null,
+                "ofType": {
+                  "kind": "SCALAR",
+                  "name": "VulnerabilityID",
+                  "ofType": null
+                }
+              },
+              "defaultValue": null
+            },
+            {
+              "name": "clientMutationId",
+              "description": "A unique identifier for the client performing the mutation.",
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "defaultValue": null
+            }
+          ],
+          "interfaces": null,
+          "enumValues": null,
+          "possibleTypes": null
+        },
+        {
+          "kind": "OBJECT",
+          "name": "VulnerabilityRevertToDetectedPayload",
+          "description": "Autogenerated return type of VulnerabilityRevertToDetected",
+          "fields": [
+            {
+              "name": "clientMutationId",
+              "description": "A unique identifier for the client performing the mutation.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "errors",
+              "description": "Errors encountered during execution of the mutation.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "NON_NULL",
+                "name": null,
+                "ofType": {
+                  "kind": "LIST",
+                  "name": null,
+                  "ofType": {
+                    "kind": "NON_NULL",
+                    "name": null,
+                    "ofType": {
+                      "kind": "SCALAR",
+                      "name": "String",
+                      "ofType": null
+                    }
+                  }
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "vulnerability",
+              "description": "The vulnerability after revert",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "OBJECT",
+                "name": "Vulnerability",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "inputFields": null,
+          "interfaces": [
+
+          ],
+          "enumValues": null,
+          "possibleTypes": null
+        },
         {
           "kind": "OBJECT",
           "name": "VulnerabilityScanner",

doc/api/graphql/reference/index.md

@@ -2947,6 +2947,16 @@ Autogenerated return type of VulnerabilityResolve.
 | `errors` | String! => Array | Errors encountered during execution of the mutation. |
 | `vulnerability` | Vulnerability | The vulnerability after state change |
 
+### VulnerabilityRevertToDetectedPayload
+
+Autogenerated return type of VulnerabilityRevertToDetected.
+
+| Field | Type | Description |
+| ----- | ---- | ----------- |
+| `clientMutationId` | String | A unique identifier for the client performing the mutation. |
+| `errors` | String! => Array | Errors encountered during execution of the mutation. |
+| `vulnerability` | Vulnerability | The vulnerability after revert |
+
 ### VulnerabilityScanner
 
 Represents a vulnerability scanner.

doc/topics/autodevops/index.md

@@ -83,9 +83,9 @@ project in a simple and automatic way:
 
 1. [Auto Build](stages.md#auto-build)
 1. [Auto Test](stages.md#auto-test)
-1. [Auto Code Quality](stages.md#auto-code-quality) **(STARTER)**
-1. [Auto SAST (Static Application Security Testing)](stages.md#auto-sast) **(ULTIMATE)**
-1. [Auto Secret Detection](stages.md#auto-secret-detection) **(ULTIMATE)**
+1. [Auto Code Quality](stages.md#auto-code-quality)
+1. [Auto SAST (Static Application Security Testing)](stages.md#auto-sast)
+1. [Auto Secret Detection](stages.md#auto-secret-detection)
 1. [Auto Dependency Scanning](stages.md#auto-dependency-scanning) **(ULTIMATE)**
 1. [Auto License Compliance](stages.md#auto-license-compliance) **(ULTIMATE)**
 1. [Auto Container Scanning](stages.md#auto-container-scanning) **(ULTIMATE)**

doc/topics/autodevops/stages.md

@@ -124,7 +124,10 @@ The supported buildpacks are:
 If your application needs a buildpack that is not in the above list, you
 might want to use a [custom buildpack](customize.md#custom-buildpacks).
 
-## Auto Code Quality **(STARTER)**
+## Auto Code Quality
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/1984) in [GitLab Starter](https://about.gitlab.com/pricing/) 9.3.
+> - Made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/212499) in GitLab 13.2.
 
 Auto Code Quality uses the
 [Code Quality image](https://gitlab.com/gitlab-org/ci-cd/codequality) to run
@@ -133,9 +136,10 @@ report, it's uploaded as an artifact which you can later download and check
 out. The merge request widget also displays any
 [differences between the source and target branches](../../user/project/merge_requests/code_quality.md).
 
-## Auto SAST **(ULTIMATE)**
+## Auto SAST
 
-> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.3.
+> - Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.3.
+> - Select functionality made available in all tiers beginning in 13.1
 
 Static Application Security Testing (SAST) uses the
 [SAST Docker image](https://gitlab.com/gitlab-org/security-products/sast) to run static
@@ -151,9 +155,10 @@ warnings.
 To learn more about [how SAST works](../../user/application_security/sast/index.md),
 see the documentation.
 
-## Auto Secret Detection **(ULTIMATE)**
+## Auto Secret Detection
 
-> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
+> - Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
+> - [Select functionality made available in all tiers](../../user/application_security/secret_detection/#making-secret-detection-available-to-all-gitlab-tiers) in 13.3
 
 Secret Detection uses the
 [Secret Detection Docker image](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) to run Secret Detection on the current code, and checks for leaked secrets. The

ee/app/graphql/ee/types/deprecated_mutations.rb

@@ -10,6 +10,9 @@ module EE
         mount_aliased_mutation 'DismissVulnerability',
                              ::Mutations::Vulnerabilities::Dismiss,
                              deprecated: { reason: 'Use vulnerabilityDismiss', milestone: '13.5' }
+        mount_aliased_mutation 'RevertVulnerabilityToDetected',
+                             ::Mutations::Vulnerabilities::RevertToDetected,
+                             deprecated: { reason: 'Use vulnerabilityRevertToDetected', milestone: '13.5' }
       end
     end
   end

ee/app/graphql/mutations/vulnerabilities/revert_to_detected.rb

@@ -3,7 +3,7 @@
 module Mutations
   module Vulnerabilities
     class RevertToDetected < BaseMutation
-      graphql_name 'RevertVulnerabilityToDetected'
+      graphql_name 'VulnerabilityRevertToDetected'
 
       authorize :admin_vulnerability
 

ee/app/models/sca/license_compliance.rb

@@ -46,7 +46,10 @@ module SCA
         .diff_with(other.license_scan_report)
         .transform_values do |reported_licenses|
           reported_licenses.map do |reported_license|
-            build_policy(reported_license, known_policies[reported_license.canonical_id])
+            matching_license_policy =
+              known_policies[reported_license.canonical_id] ||
+              known_policies[reported_license&.name&.downcase]
+            build_policy(reported_license, matching_license_policy)
           end
         end
     end

ee/changelogs/unreleased/208723-qa-specs.yml

+---
+title: Fallback to matching policies on license name
+merge_request: 43488
+author:
+type: fixed

ee/config/feature_flags/development/buy_storage_link.yml

 ---
 name: buy_storage_link
-introduced_by_url: 
-rollout_issue_url: 
-group: 
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/35360
+rollout_issue_url:
+group: group::fulfillment
 type: development
 default_enabled: false

ee/spec/models/sca/license_compliance_spec.rb

@@ -417,6 +417,18 @@ RSpec.describe SCA::LicenseCompliance do
       specify { expect(subject[:added].count).to eq(3) }
       specify { expect(subject[:removed]).to be_empty }
       specify { expect(subject[:unchanged]).to be_empty }
+
+      context "when a software license record does not have an spdx identifier" do
+        let(:license_name) { 'MIT License' }
+        let!(:policy) { create(:software_license_policy, :allowed, project: project, software_license: create(:software_license, name: license_name)) }
+
+        it "falls back to matching detections based on name rather than spdx id" do
+          mit = subject[:added].find { |item| item.name == license_name }
+
+          expect(mit).to be_present
+          expect(mit.classification).to eql('allowed')
+        end
+      end
     end
   end
 end

qa/qa/ee/fixtures/secure_license_files/gl-license-scanning-report.json

 {
-  "version": "2.0",
+  "version": "2.1",
   "licenses": [
     {
-      "id": "WTFPL",
-      "name": "WTFPL License",
-      "url": "http://www.wtfpl.net/",
-      "count": 1
+      "id": "Apache-2.0",
+      "name": "Apache License 2.0",
+      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
     }
   ],
   "dependencies": [
     {
-      "name": "wtfpl_init",
-      "licenses": [
-        "WTFPL"
-      ],
-      "url": "https://rubygems.org/gems/wtfpl_init",
-      "description": "Download WTFPL license file and rename to LICENSE.md or something",
-      "paths": [
-        "."
-      ]
+      "name": "test_dependency",
+      "version": "0.1.0",
+      "package_manager": "bundler",
+      "path": "Gemfile.lock",
+      "licenses": ["Apache-2.0"]
     }
   ]
 }

qa/qa/ee/fixtures/secure_premade_reports/gl-license-scanning-report.json

 {
-    "version": "2.0",
-    "licenses": [{
-      "id": "WTFPL",
-      "name": "WTFPL",
-      "url": "http://www.wtfpl.net/",
-      "count": 1
+  "version": "2.1",
+  "licenses": [
+    {
+      "id": "Apache-2.0",
+      "name": "Apache License 2.0",
+      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
     },
-      {
-        "id": "MIT",
-        "name": "MIT License",
-        "url": "https://opensource.org/licenses/MIT",
-        "count": 1
-      }
-    ],
-    "dependencies": [{
-      "name": "wtfpl_init",
-      "licenses": [
-        "WTFPL"
-      ],
-      "url": "https://rubygems.org/gems/wtfpl_init",
-      "description": "Download WTFPL license file and rename to LICENSE.md or something",
-      "paths": [
-        "."
-      ]
+    {
+      "id": "MIT",
+      "name": "MIT License",
+      "url": "https://opensource.org/licenses/MIT"
+    }
+  ],
+  "dependencies": [
+    {
+      "name": "actioncable",
+      "version": "6.0.3.3",
+      "package_manager": "bundler",
+      "path": "Gemfile.lock",
+      "licenses": ["MIT"]
     },
-      {
-        "name": "actioncable",
-        "licenses": [
-          "MIT"
-        ],
-        "url": "http://rubyonrails.org",
-        "description": "WebSocket framework for Rails.",
-        "paths": [
-          "."
-        ]
-      }
-    ]
-  }
+    {
+      "name": "test_package",
+      "version": "0.1.0",
+      "package_manager": "bundler",
+      "path": "Gemfile.lock",
+      "licenses": ["Apache-2.0"]
+    }
+  ]
+}

qa/qa/specs/features/ee/browser_ui/secure/license_compliance_spec.rb

@@ -5,7 +5,7 @@ require 'pathname'
 module QA
   RSpec.describe 'Secure', :runner do
     let(:approved_license_name) { "MIT License" }
-    let(:denied_license_name) { "WTFPL" }
+    let(:denied_license_name) { "Apache License 2.0" }
 
     describe 'License Compliance page' do
       after(:all) do

qa/qa/specs/features/ee/browser_ui/secure/merge_request_license_widget_spec.rb

@@ -5,8 +5,8 @@ require 'pathname'
 module QA
   RSpec.describe 'Secure', :runner do
     describe 'License merge request widget' do
-      let(:approved_license_name) { "MIT" }
-      let(:denied_license_name) { "Zlib" }
+      let(:approved_license_name) { "MIT License" }
+      let(:denied_license_name) { "zlib License" }
       let(:executor) {"qa-runner-#{Time.now.to_i}"}
 
       after do
@@ -51,9 +51,9 @@ module QA
               "version": "2.1",
               "licenses": [
                 {
-                  "id": "WTFPL",
-                  "name": "Do What The F*ck You Want To Public License",
-                  "url": "http://www.wtfpl.net/about/"
+                  "id": "Apache-2.0",
+                  "name": "Apache License 2.0",
+                  "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
                 },
                 {
                   "id": "MIT",
@@ -75,14 +75,14 @@ module QA
                   "licenses": ["MIT"]
                 },
                 {
-                  "name": "wtfpl_init",
+                  "name": "test_package",
                   "version": "0.1.0",
                   "package_manager": "bundler",
                   "path": "Gemfile.lock",
-                  "licenses": ["WTFPL"]
+                  "licenses": ["Apache-2.0"]
                 },
                 {
-                  "name": "Zlib",
+                  "name": "zlib",
                   "version": "1.2.11",
                   "package_manager": "bundler",
                   "path": "Gemfile.lock",

spec/models/ci/job_artifact_spec.rb

@@ -44,7 +44,7 @@ RSpec.describe Ci::JobArtifact do
       let!(:metrics_report) { create(:ci_job_artifact, :junit) }
       let!(:codequality_report) { create(:ci_job_artifact, :codequality) }
 
-      it { is_expected.to eq([metrics_report, codequality_report]) }
+      it { is_expected.to match_array([metrics_report, codequality_report]) }
     end
   end