
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-01-27 09:09:03 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-01-27 09:09:03 +0300
commit8ebab6079e4d9c834435e8241cada4122d32673f (patch)
treec8379e21afb8150d5d9f9b8598df2d3f0c47565f
parent729e66ee8e5790eefb3771040839155c499faab3 (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--app/views/admin/application_settings/_signin.html.haml2
-rw-r--r--doc/administration/geo/replication/troubleshooting.md16
-rw-r--r--doc/api/project_snippets.md72
-rw-r--r--doc/user/application_security/api_fuzzing/index.md26
-rw-r--r--doc/user/application_security/index.md10
-rw-r--r--spec/frontend/filtered_search/visual_token_value_spec.js2
6 files changed, 64 insertions, 64 deletions
diff --git a/app/views/admin/application_settings/_signin.html.haml b/app/views/admin/application_settings/_signin.html.haml
index 5b19716a0bc..50b5e797559 100644
--- a/app/views/admin/application_settings/_signin.html.haml
+++ b/app/views/admin/application_settings/_signin.html.haml
@@ -39,7 +39,7 @@
.form-group
= f.label :unknown_sign_in, _('Email notification for unknown sign-ins'), class: 'label-bold'
- help_text = _('Notify users by email when sign-in location is not recognized.')
- - help_link = link_to _('Learn more.'), help_page_path('user/profile/notifications.md'), target: '_blank', rel: 'noopener noreferrer'
+ - help_link = link_to _('Learn more.'), help_page_path('user/profile/notifications.md', anchor: 'notifications-for-unknown-sign-ins'), target: '_blank', rel: 'noopener noreferrer'
= f.gitlab_ui_checkbox_component :notify_on_unknown_sign_in,
_('Enable email notification'),
help_text: '%{help_text} %{help_link}'.html_safe % { help_text: help_text, help_link: help_link }
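Review bot: the new `anchor: 'notifications-for-unknown-sign-ins'` argument on the `help_link` line is not validated anywhere at render time, so please confirm that `doc/user/profile/notifications.md` actually contains a heading that slugifies to that anchor; a stale anchor silently drops the admin at the top of the page, which defeats the purpose of deep-linking the sign-in notification setting.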
diff --git a/doc/administration/geo/replication/troubleshooting.md b/doc/administration/geo/replication/troubleshooting.md
index 9f095c797fb..36b37418230 100644
--- a/doc/administration/geo/replication/troubleshooting.md
+++ b/doc/administration/geo/replication/troubleshooting.md
@@ -235,7 +235,7 @@ Commands that change data can cause damage if not run correctly or under the rig
end
```
-1. This will cause the primary to start checksumming all Uploads.
+1. This causes the primary to start checksumming all Uploads.
1. When a primary successfully checksums a record, then all secondaries recalculate the checksum as well, and they compare the values.
A similar thing can be done for all Models handled by the [Geo Self-Service Framework](../../../development/geo/framework.md) which have implemented verification:
@@ -378,7 +378,7 @@ sudo gitlab-rake gitlab:geo:check
Checking Geo ... Finished
```
- When performing a PostgreSQL major version (9 > 10) update this is expected. Follow
+ When performing a PostgreSQL major version (9 > 10), update this is expected. Follow
the [initiate-the-replication-process](../setup/database.md#step-3-initiate-the-replication-process).
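Review bot: the comma in the `+` line is misplaced and makes the sentence ungrammatical ("major version (9 > 10), update this is expected"). It should read "When performing a PostgreSQL major version (9 > 10) update, this is expected." so that "update" stays attached to "major version".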
### Message: Machine clock is synchronized ... Exception
@@ -386,7 +386,7 @@ sudo gitlab-rake gitlab:geo:check
The Rake task attempts to verify that the server clock is synchronized with NTP. Synchronized clocks
are required for Geo to function correctly. As an example, for security, when the server time on the
primary site and secondary site differ by about a minute or more, requests between Geo sites
-will fail. If this check task fails to complete due to a reason other than mismatching times, it
+fail. If this check task fails to complete due to a reason other than mismatching times, it
does not necessarily mean that Geo will not work.
The Ruby gem which performs the check is hard coded with `pool.ntp.org` as its reference time source.
@@ -405,7 +405,7 @@ In GitLab 15.6 and older, use one of the following workarounds:
- Add entries in `/etc/hosts` for `pool.ntp.org` to direct the request to valid local time servers.
This fixes the long timeout and the timeout error.
-- Direct the check to any valid IP address. This resolves the timeout issue, but the check will fail
+- Direct the check to any valid IP address. This resolves the timeout issue, but the check fails
with the `No route to host` error, as noted above.
[Cloud native GitLab deployments](https://docs.gitlab.com/charts/advanced/geo/#set-the-geo-primary-site)
@@ -524,7 +524,7 @@ Slots where `active` is `f` are not active.
### Message: "ERROR: canceling statement due to conflict with recovery"
-This error message occurs infrequently under normal usage, and the system is resilient
+This error message occurs infrequently under typical usage, and the system is resilient
enough to recover.
However, under certain conditions, some database queries on secondaries may run
@@ -1307,7 +1307,7 @@ To fix this issue, set the primary site's internal URL to a URL that is:
If you notice replication failures in `Admin > Geo > Sites` or the [Sync status Rake task](#sync-status-rake-task), you can try to resolve the failures with the following general steps:
-1. Geo will automatically retry failures. If the failures are new and few in number, or if you suspect the root cause is already resolved, then you can wait to see if the failures go away.
+1. Geo automatically retries failures. If the failures are new and few in number, or if you suspect the root cause is already resolved, then you can wait to see if the failures go away.
1. If failures were present for a long time, then many retries have already occurred, and the interval between automatic retries has increased to up to 4 hours depending on the type of failure. If you suspect the root cause is already resolved, you can [manually retry replication or verification](#manually-retry-replication-or-verification).
1. If the failures persist, use the following sections to try to resolve them.
@@ -1415,7 +1415,7 @@ status
end
```
-1. This will cause the primary to start checksumming all Uploads.
+1. This causes the primary to start checksumming all Uploads.
1. When a primary successfully checksums a record, then all secondaries recalculate the checksum as well, and they compare the values.
For other SSF data types replace `Upload` in the command above with the desired model class.
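Review bot: this hunk is word-for-word the same edit as the one at `@@ -235,7 +235,7 @@` earlier in the same file ("This causes the primary to start checksumming all Uploads." followed by the identical secondary-recalculation sentence). Consider keeping the procedure in one place and cross-linking from the other, so future wording fixes do not have to be applied twice.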
@@ -1596,7 +1596,7 @@ On all hosts running PostgreSQL, across all Geo sites, run the following shell c
( echo "1-1"; echo "11" ) | LC_COLLATE=en_US.UTF-8 sort
```
-The output will either look like:
+The output looks like either:
```plaintext
1-1
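Review bot: "The output looks like either:" is awkward with "either" dangling before the colon. Suggest "The output looks like one of the following:" which reads naturally ahead of the two alternative code blocks.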
diff --git a/doc/api/project_snippets.md b/doc/api/project_snippets.md
index c53118578d5..242edf7d768 100644
--- a/doc/api/project_snippets.md
+++ b/doc/api/project_snippets.md
@@ -8,16 +8,16 @@ info: To determine the technical writer assigned to the Stage/Group associated w
## Snippet visibility level
-Snippets in GitLab can be either private, internal or public.
+[Snippets](../api/project_snippets.md) in GitLab can be either private, internal or public.
You can set it with the `visibility` field in the snippet.
Constants for snippet visibility levels are:
| visibility | Description |
| ---------- | ----------- |
-| `private` | The snippet is visible only to project members |
-| `internal` | The snippet is visible for any authenticated user except [external users](../user/admin_area/external_users.md) |
-| `public` | The snippet can be accessed without any authentication |
+| `private` | The snippet is visible only to project members. |
+| `internal` | The snippet is visible for any authenticated user except [external users](../user/admin_area/external_users.md). |
+| `public` | The snippet can be accessed without any authentication. |
NOTE:
From July 2019, the `Internal` visibility setting is disabled for new projects, groups,
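Review bot: the new link `[Snippets](../api/project_snippets.md)` points at the file being edited (`doc/api/project_snippets.md`), so it is a self-link. Either drop the link or point it at the page that was presumably intended (a user-facing snippets page rather than this API reference).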
@@ -37,7 +37,7 @@ Parameters:
| Attribute | Type | Required | Description |
|-----------|----------------|----------|-----------------------------------------------------------------------------------------------------------------|
-| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user |
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
## Single snippet
@@ -51,8 +51,8 @@ Parameters:
| Attribute | Type | Required | Description |
|--------------|----------------|----------|-----------------------------------------------------------------------------------------------------------------|
-| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user |
-| `snippet_id` | integer | yes | The ID of a project's snippet |
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
+| `snippet_id` | integer | yes | The ID of a project's snippet. |
```json
{
@@ -88,15 +88,15 @@ Parameters:
| Attribute | Type | Required | Description |
|:------------------|:----------------|:---------|:----------------------------------------------------------------------------------------------------------------|
-| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user |
-| `title` | string | yes | Title of a snippet |
-| `file_name` | string | no | Deprecated: Use `files` instead. Name of a snippet file |
-| `content` | string | no | Deprecated: Use `files` instead. Content of a snippet |
-| `description` | string | no | Description of a snippet |
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
+| `title` | string | yes | Title of a snippet. |
+| `file_name` | string | no | Deprecated: Use `files` instead. Name of a snippet file. |
+| `content` | string | no | Deprecated: Use `files` instead. Content of a snippet. |
+| `description` | string | no | Description of a snippet. |
| `visibility` | string | no | Snippet's [visibility](#snippet-visibility-level) |
-| `files` | array of hashes | no | An array of snippet files |
-| `files:file_path` | string | yes | File path of the snippet file |
-| `files:content` | string | yes | Content of the snippet file |
+| `files` | array of hashes | no | An array of snippet files. |
+| `files:file_path` | string | yes | File path of the snippet file. |
+| `files:content` | string | yes | Content of the snippet file. |
Example request:
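Review bot: trailing periods were added to every description cell in this table except the `visibility` row ("Snippet's [visibility](#snippet-visibility-level)"), which is unchanged context. For consistency that row should get the period too, otherwise the table still mixes both styles.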
@@ -127,6 +127,8 @@ curl --request POST "https://gitlab.com/api/v4/projects/:id/snippets" \
Updates an existing project snippet. The user must have permission to change an existing snippet.
+Updates to snippets with multiple files *must* use the `files` attribute.
+
```plaintext
PUT /projects/:id/snippets/:snippet_id
```
@@ -135,20 +137,18 @@ Parameters:
| Attribute | Type | Required | Description |
|:----------------------|:----------------|:---------|:----------------------------------------------------------------------------------------------------------------|
-| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user |
-| `snippet_id` | integer | yes | The ID of a project's snippet |
-| `title` | string | no | Title of a snippet |
-| `file_name` | string | no | Deprecated: Use `files` instead. Name of a snippet file |
-| `content` | string | no | Deprecated: Use `files` instead. Content of a snippet |
-| `description` | string | no | Description of a snippet |
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
+| `snippet_id` | integer | yes | The ID of a project's snippet. |
+| `title` | string | no | Title of a snippet. |
+| `file_name` | string | no | Deprecated: Use `files` instead. Name of a snippet file. |
+| `content` | string | no | Deprecated: Use `files` instead. Content of a snippet. |
+| `description` | string | no | Description of a snippet. |
| `visibility` | string | no | Snippet's [visibility](#snippet-visibility-level) |
-| `files` | array of hashes | no | An array of snippet files |
+| `files` | array of hashes | no | An array of snippet files. |
| `files:action` | string | yes | Type of action to perform on the file, one of: `create`, `update`, `delete`, `move` |
-| `files:file_path` | string | no | File path of the snippet file |
-| `files:previous_path` | string | no | Previous path of the snippet file |
-| `files:content` | string | no | Content of the snippet file |
-
-Updates to snippets with multiple files *must* use the `files` attribute.
+| `files:file_path` | string | no | File path of the snippet file. |
+| `files:previous_path` | string | no | Previous path of the snippet file. |
+| `files:content` | string | no | Content of the snippet file. |
Example request:
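Review bot: same inconsistency as in the create table: the `visibility` and `files:action` rows are left without a trailing period while every other description in this table now has one. The `files:action` row in particular documents the security-relevant `delete` and `move` actions, so it is worth a quick pass to make it match the rest.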
@@ -188,8 +188,8 @@ Parameters:
| Attribute | Type | Required | Description |
|:-------------|:---------------|:---------|:----------------------------------------------------------------------------------------------------------------|
-| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user |
-| `snippet_id` | integer | yes | The ID of a project's snippet |
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
+| `snippet_id` | integer | yes | The ID of a project's snippet. |
Example request:
@@ -210,8 +210,8 @@ Parameters:
| Attribute | Type | Required | Description |
|:-------------|:---------------|:---------|:----------------------------------------------------------------------------------------------------------------|
-| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user |
-| `snippet_id` | integer | yes | The ID of a project's snippet |
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
+| `snippet_id` | integer | yes | The ID of a project's snippet. |
Example request:
@@ -233,9 +233,9 @@ Parameters:
| Attribute | Type | Required | Description |
|:-------------|:---------------|:---------|:----------------------------------------------------------------------------------------------------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user |
-| `snippet_id` | integer | yes | The ID of a project's snippet |
-| `ref` | string | yes | The name of a branch, tag or commit, for example, main |
-| `file_path` | string | yes | The URL-encoded path to the file, for example, snippet%2Erb |
+| `snippet_id` | integer | yes | The ID of a project's snippet. |
+| `ref` | string | yes | The name of a branch, tag or commit, for example, main. |
+| `file_path` | string | yes | The URL-encoded path to the file, for example, snippet%2Erb. |
Example request:
@@ -254,8 +254,8 @@ GET /projects/:id/snippets/:snippet_id/user_agent_detail
| Attribute | Type | Required | Description |
|--------------|----------------|----------|-----------------------------------------------------------------------------------------------------------------|
-| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user |
-| `snippet_id` | Integer | yes | The ID of a snippet |
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
+| `snippet_id` | Integer | yes | The ID of a snippet. |
Example request:
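Review bot: the `snippet_id` row here uses `Integer` (capitalized) while every other table in the file uses lowercase `integer`; since the line is being touched anyway, normalize the type name. The description "The ID of a snippet." also differs from the "The ID of a project's snippet." wording used in the other tables.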
diff --git a/doc/user/application_security/api_fuzzing/index.md b/doc/user/application_security/api_fuzzing/index.md
index 31322419902..0c05afac65f 100644
--- a/doc/user/application_security/api_fuzzing/index.md
+++ b/doc/user/application_security/api_fuzzing/index.md
@@ -26,7 +26,7 @@ Note the following changes have been made to the API fuzzing template:
- In GitLab 14.0 and later, you must define a `fuzz` stage in your `.gitlab-ci.yml` file.
- In GitLab 13.12 and earlier, the API fuzzing template defines `build`, `test`, `deploy`, and
- `fuzz` stages. The `fuzz` stage runs last by default. The predefined stages were deprecated, and removed from the `API-Fuzzing.latest.gitlab-ci.yml` template. They will be removed in a future GitLab
+ `fuzz` stages. The `fuzz` stage runs last by default. The predefined stages were deprecated, and removed from the `API-Fuzzing.latest.gitlab-ci.yml` template. We plan to remove them in a future GitLab
version.
If your pipeline is configured to deploy to the same web server on each run, running a
@@ -142,11 +142,11 @@ OpenAPI 2.x lets you specify the accepted media types globally or per operation,
- In GitLab 14.9 and earlier, the default behavior is to perform testing using all supported media types. This means if two media types are listed (for example, `application/json` and `application/xml`), tests are performed using JSON, and then the same tests using XML.
Testing the same operation (for example, `POST /user`) using different media types (for example, `application/json` and `application/xml`) is not always desirable.
-For example, if the target application executes the same code regardless of the request content type, it will take longer to finish the test session, and it may report duplicate vulnerabilities related to the request body depending on the target app.
+For example, if the target application executes the same code regardless of the request content type, it takes longer to finish the test session, and it may report duplicate vulnerabilities related to the request body depending on the target app.
-The environment variable `FUZZAPI_OPENAPI_ALL_MEDIA_TYPES` lets you specify whether or not to use all supported media types instead of one when generating requests for a given operation. When the environmental variable `FUZZAPI_OPENAPI_ALL_MEDIA_TYPES` is set to any value, API Fuzzing will try to generate requests for all supported media types instead of one in a given operation. This will cause testing to take longer as testing is repeated for each provided media type.
+The environment variable `FUZZAPI_OPENAPI_ALL_MEDIA_TYPES` lets you specify whether or not to use all supported media types instead of one when generating requests for a given operation. When the environmental variable `FUZZAPI_OPENAPI_ALL_MEDIA_TYPES` is set to any value, API Fuzzing tries to generate requests for all supported media types instead of one in a given operation. This causes testing to take longer as testing is repeated for each provided media type.
-Alternatively, the variable `FUZZAPI_OPENAPI_MEDIA_TYPES` is used to provide a list of media types that will each be tested. Providing more than one media type causes testing to take longer, as testing is performed for each media type selected. When the environment variable `FUZZAPI_OPENAPI_MEDIA_TYPES` is set to a list of media types, only the listed media types are included when creating requests.
+Alternatively, the variable `FUZZAPI_OPENAPI_MEDIA_TYPES` is used to provide a list of media types that each is tested. Providing more than one media type causes testing to take longer, as testing is performed for each media type selected. When the environment variable `FUZZAPI_OPENAPI_MEDIA_TYPES` is set to a list of media types, only the listed media types are included when creating requests.
Multiple media types in `FUZZAPI_OPENAPI_MEDIA_TYPES` must separated by a colon (`:`). For example, to limit request generation to the media types `application/x-www-form-urlencoded` and `multipart/form-data`, set the environment variable `FUZZAPI_OPENAPI_MEDIA_TYPES` to `application/x-www-form-urlencoded:multipart/form-data`. Only supported media types in this list are included when creating requests, though unsupported media types are always skipped. A media type text may contain different sections. For example, `application/vnd.api+json; charset=UTF-8` is a compound of `type "/" [tree "."] subtype ["+" suffix]* [";" parameter]`. Parameters are not taken into account when filtering media types on request generation.
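Review bot: "a list of media types that each is tested" in the `+` line is ungrammatical; the original "that will each be tested" was clearer. Suggest "a list of media types, each of which is tested." While here, the unchanged context line "must separated by a colon" is missing "be".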
@@ -1390,7 +1390,7 @@ By default the output of the overrides command is hidden. If the overrides comma
It is also possible to write messages from your script to a log file that is collected when the job completes or fails. The log file must be created in a specific location and follow a naming convention.
-Adding some basic logging to your overrides script is useful in case the script fails unexpectedly during normal running of the job. The log file is automatically included as an artifact of the job, allowing you to download it after the job has finished.
+Adding some basic logging to your overrides script is useful in case the script fails unexpectedly during typical running of the job. The log file is automatically included as an artifact of the job, allowing you to download it after the job has finished.
Following our example, we provided `renew_token.py` in the environmental variable `FUZZAPI_OVERRIDES_CMD`. Notice two things in the script:
@@ -1499,7 +1499,7 @@ logging.info("Override file has been updated")
# end
```
-In the overrides command example, the Python script depends on the `backoff` library. To make sure the library is installed before executing the Python script, the `FUZZAPI_PRE_SCRIPT` is set to a script that will install the dependencies of your overrides command.
+In the overrides command example, the Python script depends on the `backoff` library. To make sure the library is installed before executing the Python script, the `FUZZAPI_PRE_SCRIPT` is set to a script that installs the dependencies of your overrides command.
As for example, the following script `user-pre-scan-set-up.sh`:
```shell
@@ -1589,7 +1589,7 @@ variables:
While testing an API you may might want to exclude a parameter (query string, header, or body element) from testing. This may be needed because a parameter always causes a failure, slows down testing, or for other reasons. To exclude parameters you can use one of the following variables: `FUZZAPI_EXCLUDE_PARAMETER_ENV` or `FUZZAPI_EXCLUDE_PARAMETER_FILE`.
-The `FUZZAPI_EXCLUDE_PARAMETER_ENV` allows providing a JSON string containing excluded parameters. This is a good option if the JSON is short and will not often change. Another option is the variable `FUZZAPI_EXCLUDE_PARAMETER_FILE`. This variable is set to a file path that can be checked into the repository, created by another job as an artifact, or generated at runtime from a pre-script using `FUZZAPI_PRE_SCRIPT`.
+The `FUZZAPI_EXCLUDE_PARAMETER_ENV` allows providing a JSON string containing excluded parameters. This is a good option if the JSON is short and can not often change. Another option is the variable `FUZZAPI_EXCLUDE_PARAMETER_FILE`. This variable is set to a file path that can be checked into the repository, created by another job as an artifact, or generated at runtime from a pre-script using `FUZZAPI_PRE_SCRIPT`.
#### Exclude parameters using a JSON document
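Review bot: the change from "will not often change" to "can not often change" alters the meaning: the original says the JSON rarely changes, the new text says it cannot change, which is not what the guidance about choosing `FUZZAPI_EXCLUDE_PARAMETER_ENV` over `FUZZAPI_EXCLUDE_PARAMETER_FILE` is about. Suggest "does not change often". The context line "you may might want" also has a duplicated modal.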
@@ -1991,7 +1991,7 @@ Repeat this configuration for each profile as needed.
When configured correctly, a CI/CD pipeline contains a `fuzz` stage and an `apifuzzer_fuzz` or
`apifuzzer_fuzz_dnd` job. The job only fails when an invalid configuration is provided. During
-normal operation, the job always succeeds even if faults are identified during fuzz testing.
+typical operation, the job always succeeds even if faults are identified during fuzz testing.
Faults are displayed on the **Security** pipeline tab with the suite name. When testing against the
repositories default branch, the fuzzing faults are also shown on the Security & Compliance's
@@ -2042,7 +2042,7 @@ Follow these steps to view details of a fuzzing fault:
| Method | HTTP method used to detect the vulnerability. |
| URL | URL at which the vulnerability was detected. |
| Request | The HTTP request that caused the fault. |
- | Unmodified Response | Response from an unmodified request. This is what a normal working response looks like. |
+ | Unmodified Response | Response from an unmodified request. This is what a typical working response looks like. |
| Actual Response | Response received from fuzzed request. |
| Evidence | How we determined a fault occurred. |
| Identifiers | The fuzzing check used to find this fault. |
@@ -2377,7 +2377,7 @@ apifuzzer_v2:
In the case of one or two slow operations, the team might decide to skip testing the operations, or exclude them from feature branch tests, but include them for default branch tests. Excluding the operation is done using the `FUZZAPI_EXCLUDE_PATHS` configuration [variable as explained in this section.](#exclude-paths)
-In this example, we have an operation that returns a large amount of data. The operation is `GET http://target:7777/api/large_response_json`. To exclude it we provide the `FUZZAPI_EXCLUDE_PATHS` configuration variable with the path portion of our operation URL `/api/large_response_json`. Our configuration disables the main `apifuzzer_fuzz` job and creates two new jobs `apifuzzer_main` and `apifuzzer_branch`. The `apifuzzer_branch` is set up to exclude the long operation and only run on non-default branches (e.g. feature branches). The `apifuzzer_main` branch is set up to only execute on the default branch (`main` in this example). The `apifuzzer_branch` jobs run faster, allowing for quick development cycles, while the `apifuzzer_main` job which only runs on default branch builds, takes longer to run.
+In this example, we have an operation that returns a large amount of data. The operation is `GET http://target:7777/api/large_response_json`. To exclude it we provide the `FUZZAPI_EXCLUDE_PATHS` configuration variable with the path portion of our operation URL `/api/large_response_json`. Our configuration disables the main `apifuzzer_fuzz` job and creates two new jobs `apifuzzer_main` and `apifuzzer_branch`. The `apifuzzer_branch` is set up to exclude the long operation and only run on non-default branches (for example, feature branches). The `apifuzzer_main` branch is set up to only execute on the default branch (`main` in this example). The `apifuzzer_branch` jobs run faster, allowing for quick development cycles, while the `apifuzzer_main` job which only runs on default branch builds, takes longer to run.
To verify the operation is excluded, run the API Fuzzing job and review the job console output. It includes a list of included and excluded operations at the end of the test.
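Review bot: the `+` line still says "The `apifuzzer_main` branch is set up to only execute on the default branch", but `apifuzzer_main` is a job, not a branch (the same sentence earlier calls `apifuzzer_main` and `apifuzzer_branch` "two new jobs"). Suggest "The `apifuzzer_main` job is set up to ...".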
@@ -2538,14 +2538,14 @@ The API Fuzzing engine outputs an error message when it cannot establish a conne
**Solution**
-- Remove the `FUZZAPI_API` variable from the `.gitlab-ci.yml` file. The value will be inherited from the API Fuzzing CI/CD template. We recommend this method instead of manually setting a value.
+- Remove the `FUZZAPI_API` variable from the `.gitlab-ci.yml` file. The value is inherited from the API Fuzzing CI/CD template. We recommend this method instead of manually setting a value.
- If removing the variable is not possible, check to see if this value has changed in the latest version of the [API Fuzzing CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml). If so, update the value in the `.gitlab-ci.yml` file.
### `Application cannot determine the base URL for the target API`
The API Fuzzing analyzer outputs an error message when it cannot determine the target API after inspecting the OpenAPI document. This error message is shown when the target API has not been set in the `.gitlab-ci.yml`file, it is not available in the `environment_url.txt` file, and it could not be computed using the OpenAPI document.
-There is an order of precedence in which the API Fuzzing analyzer tries to get the target API when checking the different sources. First, it will try to use the `FUZZAPI_TARGET_URL`. If the environment variable has not been set, then the API Fuzzing analyzer will attempt to use the `environment_url.txt` file. If there is no file `environment_url.txt`, the API Fuzzing analyzer will then use the OpenAPI document contents and the URL provided in `FUZZAPI_OPENAPI` (if a URL is provided) to try to compute the target API.
+There is an order of precedence in which the API Fuzzing analyzer tries to get the target API when checking the different sources. First, it tries to use the `FUZZAPI_TARGET_URL`. If the environment variable has not been set, then the API Fuzzing analyzer attempts to use the `environment_url.txt` file. If there is no file `environment_url.txt`, the API Fuzzing analyzer now uses the OpenAPI document contents and the URL provided in `FUZZAPI_OPENAPI` (if a URL is provided) to try to compute the target API.
The best-suited solution depends on whether or not your target API changes for each deployment:
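Review bot: replacing "will then use" with "now uses" changes the meaning of the precedence description. "then" marks the third step in the fallback order (`FUZZAPI_TARGET_URL`, then `environment_url.txt`, then the OpenAPI document), whereas "now" reads as a recent behaviour change. Suggest "the API Fuzzing analyzer then uses the OpenAPI document contents ...".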
@@ -2642,7 +2642,7 @@ variables:
### `No operation in the OpenAPI document is consuming any supported media type`
-API Fuzzing uses the specified media types in the OpenAPI document to generate requests. If no request can be created due to the lack of supported media types, then an error will be thrown.
+API Fuzzing uses the specified media types in the OpenAPI document to generate requests. If no request can be created due to the lack of supported media types, then an error is thrown.
**Error message**
diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index 3b2ae3ae280..3b1c800856a 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -107,7 +107,7 @@ The following vulnerability scanners and their databases are regularly updated:
| [Static Application Security Testing (SAST)](sast/index.md) | The source of scan rules depends on which [analyzer](sast/analyzers.md) is used for each [supported programming language](sast/index.md#supported-languages-and-frameworks). GitLab maintains a ruleset for the Semgrep-based analyzer and updates it regularly based on internal research and user feedback. For other analyzers, the ruleset is sourced from the upstream open-source scanner. Each analyzer is updated at least once per month if a relevant update is available. |
In versions of GitLab that use the same major version of the analyzer, you do not have to update
-GitLab to benefit from the latest vulnerabilities definitions. The security tools are released as
+them to benefit from the latest vulnerabilities definitions. The security tools are released as
Docker images. The vendored job definitions that enable them use major release tags according to
[semantic versioning](https://semver.org/). Each new release of the tools overrides these tags.
Although in a major analyzer version you automatically get the latest versions of the scanning
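Review bot: replacing "GitLab" with "them" leaves the pronoun without a clear antecedent: the nearest plural noun is "versions of GitLab", and the surrounding sentences explain that the analyzers ship as Docker images, so a reader cannot tell whether "them" means GitLab or the analyzers. The original point was that the GitLab instance itself does not need upgrading to pick up new vulnerability definitions; keep "GitLab" (or "your GitLab instance") so that statement stays unambiguous.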
@@ -130,7 +130,7 @@ While you cannot directly customize Auto DevOps, you can [include the Auto DevOp
## Security scanning without Auto DevOps
-To enable all GitLab security scanning tools, with the option of customizing settings, add the
+To enable all GitLab security scanning tools with the option of customizing settings, add the
GitLab CI/CD templates to your `.gitlab-ci.yml` file.
WARNING:
@@ -164,7 +164,7 @@ variables:
By default, GitLab security scanners use `registry.gitlab.com/security-products` as the
base address for Docker images. You can override this for most scanners by setting the CI/CD variable
-`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.
+`SECURE_ANALYZERS_PREFIX` to another location. This affects all scanners at once.
The [Container Scanning](container_scanning/index.md) analyzer is an exception, and it
does not use the `SECURE_ANALYZERS_PREFIX` variable. To override its Docker image, see
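Review bot: the wording change is fine, but since this paragraph is the place that documents `SECURE_ANALYZERS_PREFIX` as the single switch for where all scanner images are pulled from, it would help to add one sentence advising that the override point at a registry the operator controls (for example an internal mirror), because every security scanner in the pipeline then trusts that location. The "affects all scanners at once" sentence is the natural spot for it.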
@@ -179,7 +179,7 @@ you must reference the [`latest` templates](../../development/cicd/templates.md)
All `latest` security templates support merge request pipelines.
-For example, to run both SAST and Dependency Scanning:
+For example, to run both SAST and Dependency Scanning, the following template is used:
```yaml
include:
@@ -205,7 +205,7 @@ that rely on this scan data only show results from pipelines on the default bran
Our language and package manager specific jobs attempt to assess which analyzers they should run for your project so that you can do less configuration.
-If you want to override this to increase the pipeline speed you may choose which analyzers to exclude if you know they are not applicable (languages or package managers not contained in your project) by following variable customization directions for that specific tool.
+If you want to override this to increase the pipeline speed, you may choose which analyzers to exclude if you know they are not applicable (languages or package managers not contained in your project) by following variable customization directions for that specific tool.
### Secure job status
diff --git a/spec/frontend/filtered_search/visual_token_value_spec.js b/spec/frontend/filtered_search/visual_token_value_spec.js
index 43c10090739..d3fa8fae9ab 100644
--- a/spec/frontend/filtered_search/visual_token_value_spec.js
+++ b/spec/frontend/filtered_search/visual_token_value_spec.js
@@ -79,7 +79,7 @@ describe('Filtered Search Visual Tokens', () => {
it('replaces author token with avatar and display name', async () => {
const dummyUser = {
name: 'Important Person',
- avatar_url: 'https://host.invalid/mypics/avatar.png',
+ avatar_url: `${TEST_HOST}/mypics/avatar.png`,
};
const { subject, tokenValueContainer, tokenValueElement } = findElements(authorToken);
const tokenValue = tokenValueElement.innerText;
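Review bot: the `+` line introduces `TEST_HOST`, but the hunk shows no corresponding import, so please confirm the spec already imports it (the import would sit above the `describe` block and is outside this hunk). If it does not, the test fails with a `ReferenceError` rather than the intended behaviour of keeping avatar URLs off a hard-coded external host.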