diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-11-18 16:16:36 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-11-18 16:16:36 +0300 |
| commit | 311b0269b4eb9839fa63f80c8d7a58f32b8138a0 (patch) | |
| tree | 07e7870bca8aed6d61fdcc810731c50d2c40af47 /doc/user/application_security | |
| parent | 27909cef6c4170ed9205afa7426b8d3de47cbb0c (diff) | |
Add latest changes from gitlab-org/gitlab@14-5-stable-eev14.5.0-rc42
Diffstat (limited to 'doc/user/application_security')
36 files changed, 939 insertions, 295 deletions
diff --git a/doc/user/application_security/api_fuzzing/index.md b/doc/user/application_security/api_fuzzing/index.md index e32989c2915..5cef0040ac3 100644 --- a/doc/user/application_security/api_fuzzing/index.md +++ b/doc/user/application_security/api_fuzzing/index.md @@ -111,12 +111,9 @@ To generate an API Fuzzing configuration snippet: ### OpenAPI Specification -> Support for OpenAPI Specification v3.1 was -> [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327268) in GitLab 14.2. -> Support for OpenAPI Specification using YAML format was -> [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330583) in GitLab 14.0. -> Support for OpenAPI Specification v3.0 was -> [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/228652) in GitLab 13.9. +> - Support for OpenAPI Specification v3.0 was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/228652) in GitLab 13.9. +> - Support for OpenAPI Specification using YAML format was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330583) in GitLab 14.0. +> - Support for OpenAPI Specification v3.1 was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327268) in GitLab 14.2. The [OpenAPI Specification](https://www.openapis.org/) (formerly the Swagger Specification) is an API description format for REST APIs. This section shows you how to configure API fuzzing using an OpenAPI Specification to provide information about the target API to test. @@ -214,7 +211,7 @@ To configure API fuzzing to use a HAR file: ``` 1. Provide the location of the HAR specification. You can provide the specification as a file - or URL. [URL support was introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285020) + or URL. URL support was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285020) in GitLab 13.10 and later. Specify the location by adding the `FUZZAPI_HAR` variable. 1. The target API instance's base URL is also required. Provide it by using the `FUZZAPI_TARGET_URL` @@ -285,7 +282,7 @@ To configure API fuzzing to use a Postman Collection file: ``` 1. Provide the location of the Postman Collection specification. You can provide the specification - as a file or URL. [URL support was introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285020) + as a file or URL. URL support was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285020) in GitLab 13.10 and later. Specify the location by adding the `FUZZAPI_POSTMAN_COLLECTION` variable. @@ -613,15 +610,15 @@ Overrides use a JSON document, where each type of override is represented by a J }, "body-form": { "form-param1": "value", - "form-param1": "value", + "form-param2": "value" }, "body-json": { "json-path1": "value", - "json-path2": "value", + "json-path2": "value" }, "body-xml" : { "xpath1": "value", - "xpath2": "value", + "xpath2": "value" } } ``` @@ -975,7 +972,7 @@ reported. ### View details of an API Fuzzing vulnerability -> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.7. +> Introduced in GitLab 13.7. Faults detected by API Fuzzing occur in the live web application, and require manual investigation to determine if they are vulnerabilities. Fuzzing faults are included as vulnerabilities with a @@ -1156,12 +1153,41 @@ Profiles: ## Running API fuzzing in an offline environment -For self-managed GitLab instances in an environment with limited, restricted, or intermittent access -to external resources through the internet, some adjustments are required for the Web API Fuzz testing job to -successfully run. For more information, see [Offline environments](../offline_deployments/index.md). +For self-managed GitLab instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required for the Web API Fuzz testing job to successfully run. + +Steps: + +1. Host the Docker image in a local container registry. +1. Set the `SECURE_ANALYZERS_PREFIX` to the local container registry. + +The Docker image for API Fuzzing must be pulled (downloaded) from the public registry and then pushed (imported) into a local registry. The GitLab container registry can be used to locally host the Docker image. This process can be performed using a special template. See [loading Docker images onto your offline host](../offline_deployments/index.md#loading-docker-images-onto-your-offline-host) for instructions. + +Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-fuzzing:1` results in a valid image location. + +For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`: + +`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"` + +NOTE: +Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates. + +For more information, see [Offline environments](../offline_deployments/index.md). ## Troubleshooting +### Error waiting for API Security 'http://127.0.0.1:5000' to become available + +A bug exists in versions of the API Fuzzing analyzer prior to v1.6.196 that can cause a background process to fail under certain conditions. The solution is to update to a newer version of the DAST API analyzer. + +The version information can be found in the job details for the `apifuzzer_fuzz` job. + +If the issue is occuring with versions v1.6.196 or greater, please contact Support and provide the following information: + +1. Reference this troubleshooting section and ask for the issue to be escalated to the Dynamic Analysis Team. +1. The full console output of the job. +1. The `gl-api-security-scanner.log` file available as a job artifact. In the right-hand panel of the job details page, select the **Browse** button. +1. The `apifuzzer_fuzz` job definition from your `.gitlab-ci.yml` file. + ### Error, the OpenAPI document is not valid. Errors were found during validation of the document using the published OpenAPI schema At the start of an API Fuzzing job the OpenAPI Specification is validated against the [published schema](https://github.com/OAI/OpenAPI-Specification/tree/master/schemas). This error is shown when the provided OpenAPI Specification has validation errors. Errors can be introduced when creating an OpenAPI Specification manually, and also when the schema is generated. diff --git a/doc/user/application_security/cluster_image_scanning/index.md b/doc/user/application_security/cluster_image_scanning/index.md index abbe00a85ab..790b428bac9 100644 --- a/doc/user/application_security/cluster_image_scanning/index.md +++ b/doc/user/application_security/cluster_image_scanning/index.md @@ -7,7 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Cluster Image Scanning **(ULTIMATE)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 14.1. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/) in GitLab 14.1. WARNING: This analyzer is in [Alpha](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha) @@ -26,10 +26,18 @@ GitLab provides integration with open-source tools for vulnerability analysis in To integrate GitLab with security scanners other than those listed here, see [Security scanner integration](../../../development/integrations/secure.md). -You can enable cluster image scanning by [including the CI job](#configuration) +You can use cluster image scanning through the following methods: + +- [The cluster image scanning analyzer](#use-the-cluster-image-scanning-analyzer) +- [The GitLab Kubernetes agent](#cluster-image-scanning-with-the-gitlab-kubernetes-agent) + +## Use the cluster image scanning analyzer + +You can use the cluster image scanning analyzer to run cluster image scanning with [GitLab CI/CD](../../../ci/index.md). +To enable the cluster image scanning analyzer, [include the CI job](#configuration) in your existing `.gitlab-ci.yml` file. -## Prerequisites +### Prerequisites To enable cluster image scanning in your pipeline, you need the following: @@ -45,7 +53,7 @@ To enable cluster image scanning in your pipeline, you need the following: [configuration variable](#cicd-variables-for-cluster-image-scanning) with the type set to `File` (see [Configuring the cluster](#configuring-the-cluster)). -## Configuring the cluster +### Configuring the cluster 1. Create a new service account. @@ -128,7 +136,7 @@ only. You can apply additional protection to your cluster by and [configuring Starboard Operator](https://aquasecurity.github.io/starboard/v0.10.3/operator/configuration/#install-modes) to install in restricted mode. -## Configuration +### Configuration To include the `Cluster-Image-Scanning.gitlab-ci.yml` template (GitLab 14.1 and later), add the following to your `.gitlab-ci.yml` file: @@ -149,7 +157,7 @@ GitLab saves the results as a that you can download and analyze later. When downloading, you always receive the most recent artifact. -### Customize the cluster image scanning settings +#### Customize the cluster image scanning settings You can customize how GitLab scans your cluster. For example, to restrict the analyzer to get results for only a certain workload, use the [`variables`](../../../ci/yaml/index.md#variables) @@ -157,7 +165,7 @@ parameter in your `.gitlab-ci.yml` to set [CI/CD variables](#cicd-variables-for- The variables you set in your `.gitlab-ci.yml` overwrite those in `Cluster-Image-Scanning.gitlab-ci.yml`. -#### CI/CD variables for cluster image scanning +##### CI/CD variables for cluster image scanning You can [configure](#customize-the-cluster-image-scanning-settings) analyzers by using the following CI/CD variables: @@ -168,8 +176,9 @@ You can [configure](#customize-the-cluster-image-scanning-settings) analyzers by | `CIS_RESOURCE_NAME` | `""` | Name of the Kubernetes resource you want to filter vulnerabilities for. For example, `nginx`. | | `CIS_RESOURCE_NAMESPACE` | `""` | Namespace of the Kubernetes resource you want to filter vulnerabilities for. For example, `production`. | | `CIS_RESOURCE_KIND` | `""` | Kind of the Kubernetes resource you want to filter vulnerabilities for. For example, `deployment`. | +| `CIS_CLUSTER_IDENTIFIER` | `""` | ID of the Kubernetes cluster integrated with GitLab. This is used to map vulnerabilities to the cluster so they can be filtered in the Vulnerability Report page. | -### Override the cluster image scanning template +#### Override the cluster image scanning template If you want to override the job definition (for example, to change properties like `variables`), you must declare and override a job after the template inclusion, and then @@ -186,7 +195,7 @@ cluster_image_scanning: CIS_RESOURCE_NAME: nginx ``` -### Connect with Kubernetes cluster associated to the project +#### Connect with Kubernetes cluster associated to the project If you want to connect to the Kubernetes cluster associated with the project and run Cluster Image Scanning jobs without configuring the `CIS_KUBECONFIG` variable, you must extend `cluster_image_scanning` and specify the environment you want to scan. @@ -200,7 +209,7 @@ cluster_image_scanning: action: prepare ``` -## Reports JSON format +### Reports JSON format The cluster image scanning tool emits a JSON report file. For more information, see the [schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json). @@ -208,7 +217,7 @@ The cluster image scanning tool emits a JSON report file. For more information, Here's an example cluster image scanning report: ```json-doc -{{ +{ "version": "14.0.2", "scan": { "scanner": { @@ -265,6 +274,27 @@ Here's an example cluster image scanning report: } ``` +## Cluster image scanning with the GitLab Kubernetes Agent + +You can use the [GitLab Kubernetes Agent](../../clusters/agent/index.md) to +scan images from within your Kubernetes cluster and record the vulnerabilities in GitLab. + +### Prerequisites + +- [Starboard Operator](https://aquasecurity.github.io/starboard/v0.10.3/operator/installation/kubectl/) + installed and configured in your cluster. +- [GitLab Kubernetes Agent](../../clusters/agent/install/index.md) + set up in GitLab, installed in your cluster, and configured using a configuration repository. + +### Configuration + +The GitLab Kubernetes agent begins to run cluster image scanning once the `cluster_image_scanning` +directive is added to your Kubernetes Agent configuration repository. + +See the [Kubernetes agent configuration repository](../../clusters/agent/repository.md#scan-your-container-images-for-vulnerabilities) +reference to learn more about the cluster image scanning configuration options for the +GitLab Kubernetes agent. + ## Security Dashboard The [Security Dashboard](../security_dashboard/index.md) shows you an overview of all diff --git a/doc/user/application_security/configuration/index.md b/doc/user/application_security/configuration/index.md index 674eee5e80a..a913d5fba92 100644 --- a/doc/user/application_security/configuration/index.md +++ b/doc/user/application_security/configuration/index.md @@ -7,9 +7,9 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Security Configuration **(FREE)** -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. **(ULTIMATE)** -> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)** -> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)** +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in GitLab 12.6. +> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. +> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. > - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.10. > - [Redesigned](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.2. @@ -38,31 +38,31 @@ Select **Configuration history** to see the `.gitlab-ci.yml` file's history. You can configure the following security controls: -- Static Application Security Testing (SAST) **(FREE)** +- [Static Application Security Testing](../sast/index.md) (SAST) - Select **Enable SAST** to configure SAST for the current project. For more details, read [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui). -- Dynamic Application Security Testing (DAST) **(ULTIMATE)** +- [Dynamic Application Security Testing](../dast/index.md) (DAST) - Select **Enable DAST** to configure DAST for the current project. - Select **Manage scans** to manage the saved DAST scans, site profiles, and scanner profiles. For more details, read [DAST on-demand scans](../dast/index.md#on-demand-scans). -- Dependency Scanning **(ULTIMATE)** +- [Dependency Scanning](../dependency_scanning/index.md) - Select **Configure via Merge Request** to create a merge request with the changes required to enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request). -- Container Scanning **(ULTIMATE)** +- [Container Scanning](../container_scanning/index.md) - Can be configured with `.gitlab-ci.yml`. For more details, read [Container Scanning](../../../user/application_security/container_scanning/index.md#configuration). -- Cluster Image Scanning **(ULTIMATE)** +- [Cluster Image Scanning](../cluster_image_scanning/index.md) - Can be configured with `.gitlab-ci.yml`. For more details, read [Cluster Image Scanning](../../../user/application_security/cluster_image_scanning/#configuration). -- Secret Detection +- [Secret Detection](../secret_detection/index.md) - Select **Configure via Merge Request** to create a merge request with the changes required to enable Secret Detection. For more details, read [Enable Secret Detection via an automatic merge request](../secret_detection/index.md#enable-secret-detection-via-an-automatic-merge-request). -- API Fuzzing **(ULTIMATE)** +- [API Fuzzing](../api_fuzzing/index.md) - Select **Enable API Fuzzing** to use API Fuzzing for the current project. For more details, read [API Fuzzing](../../../user/application_security/api_fuzzing/index.md#enable-web-api-fuzzing). -- Coverage Fuzzing **(ULTIMATE)** +- [Coverage Fuzzing](../coverage_fuzzing/index.md) - Can be configured with `.gitlab-ci.yml`. For more details, read [Coverage Fuzzing](../../../user/application_security/coverage_fuzzing/index.md#configuration). ## Compliance **(ULTIMATE)** You can configure the following security controls: -- License Compliance **(ULTIMATE)** +- [License Compliance](../../../user/compliance/license_compliance/index.md) - Can be configured with `.gitlab-ci.yml`. For more details, read [License Compliance](../../../user/compliance/license_compliance/index.md#configuration). diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md index 22b54bf019c..da2816ab6ed 100644 --- a/doc/user/application_security/container_scanning/index.md +++ b/doc/user/application_security/container_scanning/index.md @@ -7,7 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Container Scanning **(ULTIMATE)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3672) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.4. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3672) in GitLab 10.4. Your application's Docker image may itself be based on Docker images that contain known vulnerabilities. By including an extra job in your pipeline that scans for those vulnerabilities and @@ -148,7 +148,7 @@ Support depends on the scanner: #### UBI-based images -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5775) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 14.1. +> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5775) in GitLab 14.1. GitLab also offers [Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image) versions of the container-scanning images. You can therefore replace standard images with UBI-based diff --git a/doc/user/application_security/coverage_fuzzing/index.md b/doc/user/application_security/coverage_fuzzing/index.md index cdb2e7109bf..9bb13d26d90 100644 --- a/doc/user/application_security/coverage_fuzzing/index.md +++ b/doc/user/application_security/coverage_fuzzing/index.md @@ -70,7 +70,7 @@ my_fuzz_target: - ./gitlab-cov-fuzz run --regression=$REGRESSION -- <your fuzz target> ``` -The included template makes available the [hidden job](../../../ci/yaml/index.md#hide-jobs) +The included template makes available the [hidden job](../../../ci/jobs/index.md#hide-jobs) `.fuzz_base`, which you must [extend](../../../ci/yaml/index.md#extends) for each of your fuzz targets. Each fuzz target **must** have a separate job. For example, the [go-fuzzing-example project](https://gitlab.com/gitlab-org/security-products/demos/go-fuzzing-example) @@ -146,7 +146,7 @@ corpus. ### Reports JSON format -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/220062) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.3 as an [Alpha feature](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha). +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/220062) in GitLab 13.3 as an [Alpha feature](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha). The `gitlab-cov-fuzz` tool emits a JSON report file. For more information, see the [schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/coverage-fuzzing-report-format.json). diff --git a/doc/user/application_security/dast/browser_based.md b/doc/user/application_security/dast/browser_based.md index 9c5b84f4f36..10ca3430b48 100644 --- a/doc/user/application_security/dast/browser_based.md +++ b/doc/user/application_security/dast/browser_based.md @@ -54,6 +54,7 @@ The browser-based crawler can be configured using CI/CD variables. | `DAST_BROWSER_SCAN` | boolean | `true` | Configures DAST to use the browser-based crawler engine. | | `DAST_BROWSER_ALLOWED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered in scope when crawled. By default the `DAST_WEBSITE` hostname is included in the allowed hosts list. | | `DAST_BROWSER_EXCLUDED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered excluded and connections are forcibly dropped. | +| `DAST_BROWSER_EXCLUDED_ELEMENTS` | selector | `a[href='2.html'],css:.no-follow` | Comma-separated list of selectors that are ignored when scanning. | | `DAST_BROWSER_IGNORED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are accessed but not reported against. | | `DAST_BROWSER_MAX_ACTIONS` | number | `10000` | The maximum number of actions that the crawler performs. For example, clicking a link, or filling a form. | | `DAST_BROWSER_MAX_DEPTH` | number | `10` | The maximum number of chained actions that the crawler takes. For example, `Click -> Form Fill -> Click` is a depth of three. | @@ -127,7 +128,6 @@ dast: DAST_BROWSER_ACTION_TIMEOUT: "10s" DAST_BROWSER_STABILITY_TIMEOUT: "15s" DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT: "15s" - DAST_BROWSER_ACTION_TIMEOUT: "10s" DAST_BROWSER_ACTION_STABILITY_TIMEOUT: "3s" ``` diff --git a/doc/user/application_security/dast/checks/1004.1.md b/doc/user/application_security/dast/checks/1004.1.md new file mode 100644 index 00000000000..cbbcea1d34d --- /dev/null +++ b/doc/user/application_security/dast/checks/1004.1.md @@ -0,0 +1,41 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Sensitive cookie without `HttpOnly` attribute + +## Description + +The {cookie_name} cookie was transmitted in a `Set-Cookie` header without the `HttpOnly` attribute set. +To prevent JavaScript being able to access the cookie value - usually via `document.cookies` - all +cookies that are used for authorization or contain sensitive information should have the `HttpOnly` attribute +set. + +## Remediation + +Most web application frameworks allow configuring how cookies are sent to user-agents. Consult your framework's +documentation for more information on how to enable various security directives when assigning cookies to clients. + +If the application is assigning cookies via writing to the response headers directly, ensure all responses include +the `HttpOnly` attribute. By enabling this protection, the application is able to mitigate the impact of +certain Cross-Site Scripting (XSS) attacks. + +Example: + +```http +Set-Cookie: {cookie_name}=<random secure value>; HttpOnly +``` + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 1004.1 | false | 1004 | Passive | Low | + +## Links + +- [owasp](https://owasp.org/www-community/HttpOnly) +- [cwe](https://cwe.mitre.org/data/definitions/1004.html) +- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) diff --git a/doc/user/application_security/dast/checks/16.1.md b/doc/user/application_security/dast/checks/16.1.md new file mode 100644 index 00000000000..bb030d2f9c4 --- /dev/null +++ b/doc/user/application_security/dast/checks/16.1.md @@ -0,0 +1,33 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Missing Content-Type header + +## Description + +The `Content-Type` header ensures that user agents correctly interpret the data being received. Without this header +being sent, the browser may misinterpret the data, leading to MIME confusion attacks. If an attacker were able +to upload files that are accessible by using a browser, they could upload files that may be interpreted as +HTML and so execute Cross-Site Scripting (XSS) attacks. + +## Remediation + +Ensure all resources return a proper `Content-Type` header that matches their format. As an example, +when returning JavaScript files, the response header should be: `Content-Type: application/javascript` + +For added protection, we recommend that all resources return the `X-Content-Type-Options: nosniff` +header to disable user agents from mis-interpreting resources. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.1 | true | 16 | Passive | Low | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) +- [Mozilla Blog on MIME Confusion attacks](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/) diff --git a/doc/user/application_security/dast/checks/16.2.md b/doc/user/application_security/dast/checks/16.2.md new file mode 100644 index 00000000000..95461e8677d --- /dev/null +++ b/doc/user/application_security/dast/checks/16.2.md @@ -0,0 +1,44 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Server header exposes version information + +## Description + +The target website returns the `Server` header and version information of this website. By +exposing these values, attackers may attempt to identify if the target software is vulnerable to known +vulnerabilities, or catalog known sites running particular versions to exploit in the future when a +vulnerability is identified in the particular version. + +## Remediation + +We recommend that the version information be removed from the `Server` header. + +Apache: +For Apache based web sites, set the `ServerTokens` to `Prod` in the `httpd.conf` configuration file. + +NGINX: +For NGINX based websites, set the `server_tokens` configuration value to `off` in the `nginx.conf` file. + +IIS: +For IIS based websites version 10 and above you can use the `removeServerHeader` element to the `requestFiltering` +section of the `Web.config` file. + +For all other server types, please consult your product's documentation on how to redact the version information from +the `Server` header. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.2 | true | 16 | Passive | Low | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) +- [Apache ServerTokens](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/) +- [NGINX server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) +- [IIS 10 Remove Server Header](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes) diff --git a/doc/user/application_security/dast/checks/16.3.md b/doc/user/application_security/dast/checks/16.3.md new file mode 100644 index 00000000000..e4dcf3ece4b --- /dev/null +++ b/doc/user/application_security/dast/checks/16.3.md @@ -0,0 +1,35 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# X-Powered-By header exposes version information + +## Description + +The target website returns the `X-Powered-By` header and version information of this website. By +exposing these values, attackers may attempt to identify if the target software is vulnerable to known +vulnerabilities, or catalog known sites running particular versions to exploit in the future when a +vulnerability is identified in the particular version. + +## Remediation + +We recommend that the version information be removed from the `X-Powered-By` header. + +PHP: +For PHP based web sites, set the `expose_php` option to `off` in the `php.ini` configuration file. + +For all other server types, please consult your product's documentation on how to redact the version +information from the `X-Powered-By` header. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.3 | true | 16 | Passive | Low | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) +- [PHP expose_php](https://www.php.net/manual/en/ini.core.php#ini.expose-php) diff --git a/doc/user/application_security/dast/checks/16.4.md b/doc/user/application_security/dast/checks/16.4.md new file mode 100644 index 00000000000..c0161c910b0 --- /dev/null +++ b/doc/user/application_security/dast/checks/16.4.md @@ -0,0 +1,28 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# X-Backend-Server header exposes server information + +## Description + +The target website returns the `X-Backend-Server` header which includes potentially internal/hidden IP addresses +or hostnames. By exposing these values, attackers may attempt to circumvent security proxies and access these +hosts directly. + +## Remediation + +Consult your proxy/load balancer documentation or provider on how to disable revealing the +`X-Backend-Server` header value. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.4 | true | 16 | Passive | Info | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) diff --git a/doc/user/application_security/dast/checks/16.5.md b/doc/user/application_security/dast/checks/16.5.md new file mode 100644 index 00000000000..8a6f3cd8b6a --- /dev/null +++ b/doc/user/application_security/dast/checks/16.5.md @@ -0,0 +1,30 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# AspNet Header(s) exposes version information + +## Description + +The target website returns AspNet header(s) and version information of this website. By +exposing these values attackers may attempt to identify if the target software is vulnerable to known +vulnerabilities, or catalog known sites running particular versions to exploit in the future when a +vulnerability is identified in the particular version. + +## Remediation + +To remove the `X-AspNet-Version` header set `<httpRuntime enableVersionHeader="false" />` in the `<system.Web>` +section of the `Web.config` file. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.5 | true | 16 | Passive | Low | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) +- [IIS Remove Unwanted Headers](https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710) diff --git a/doc/user/application_security/dast/checks/614.1.md b/doc/user/application_security/dast/checks/614.1.md new file mode 100644 index 00000000000..74ac73935f1 --- /dev/null +++ b/doc/user/application_security/dast/checks/614.1.md @@ -0,0 +1,40 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Sensitive cookie without `Secure` attribute + +## Description + +The {cookie_name} cookie was transmitted in a `Set-Cookie` response without the `Secure` attribute set. +To prevent sensitive cookie values being accidentally transmitted over clear-text HTTP we +recommended that cookies are declared with the `Secure` attribute. + +## Remediation + +Most web application frameworks allow configuring how cookies are sent to user agents. Consult your framework's +documentation for more information on how to enable various security attributes when assigning cookies to clients. + +If the application is assigning cookies via writing to the response headers directly, ensure all responses include +the `Secure` attribute. By enabling this protection, the application will no longer send sensitive cookies over +HTTP. + +Example: + +```http +Set-Cookie: {cookie_name}=<random secure value>; Secure +``` + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 614.1 | false | 614 | Passive | Low | + +## Links + +- [owasp](https://owasp.org/www-community/controls/SecureCookieAttribute) +- [cwe](https://cwe.mitre.org/data/definitions/614.html) +- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) diff --git a/doc/user/application_security/dast/checks/693.1.md b/doc/user/application_security/dast/checks/693.1.md new file mode 100644 index 00000000000..07cb368b39a --- /dev/null +++ b/doc/user/application_security/dast/checks/693.1.md @@ -0,0 +1,36 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Missing X-Content-Type-Options: nosniff + +## Description + +The `X-Content-Type-Options` header with the value `nosniff` ensures that user agents do not attempt to +guess the format of the data being received. User Agents such as browsers, commonly attempt to guess +what the resource type being requested is, through a process called MIME type sniffing. + +Without this header being sent, the browser may misinterpret the data, leading to MIME confusion attacks. +If an attacker were able to upload files that are accessible by using a browser, they could upload files +that could be interpreted as HTML and execute Cross-Site Scripting (XSS) attacks. + +## Remediation + +We recommend that the header and value of `X-Content-Type-Options: nosniff` be set server wide. +This ensures any resources that are mistakenly missing a `Content-Type` value are not +misinterpreted. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 693.1 | true | 693 | Passive | Low | + +## Links + +- [owasp](https://owasp.org/www-project-secure-headers/#x-content-type-options) +- [cwe](https://cwe.mitre.org/data/definitions/693.html) +- [Mozilla Blog on MIME Confusion attacks](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/) +- [Mozilla MDN on X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md new file mode 100644 index 00000000000..f1a68387eb1 --- /dev/null +++ b/doc/user/application_security/dast/checks/index.md @@ -0,0 +1,20 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# DAST browser-based crawler vulnerability checks **(ULTIMATE)** + +The [DAST browser-based crawler](../browser_based.md) provides a number of vulnerability checks that are used to scan for vulnerabilities in the site under test. + +| ID | Check | Severity | Type | +|:---|:------|:---------|:-----| +| [1004.1](1004.1.md) | Sensitive cookie without `HttpOnly` attribute | Low | Passive | +| [16.1](16.1.md) | Missing Content-Type header | Low | Passive | +| [16.2](16.2.md) | Server header exposes version information | Low | Passive | +| [16.3](16.3.md) | X-Powered-By header exposes version information | Low | Passive | +| [16.4](16.4.md) | X-Backend-Server header exposes server information | Info | Passive | +| [16.5](16.5.md) | AspNet Header(s) exposes version information | Low | Passive | +| [614.1](614.1.md) | Sensitive cookie without `Secure` attribute | Low | Passive | +| [693.1](693.1.md) | Missing X-Content-Type-Options: nosniff | Low | Passive | diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md index 09b55e7b395..0d8b55a92a9 100644 --- a/doc/user/application_security/dast/index.md +++ b/doc/user/application_security/dast/index.md @@ -320,8 +320,8 @@ tips for optimizing DAST scans in a [blog post](https://about.gitlab.com/blog/20 ### API scan -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10928) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.10. -> - A new DAST API scanning engine was introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.10. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10928) in GitLab 12.10. +> - A new DAST API scanning engine was introduced in GitLab 13.10. Using an API specification as a scan's target is a useful way to seed URLs for scanning an API. Vulnerability rules in an API scan are different than those in a normal website scan. @@ -416,7 +416,7 @@ variables: ### URL scan -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214120) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.4. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214120) in GitLab 13.4. > - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/273141) in GitLab 13.11. A URL scan allows you to specify which parts of a website are scanned by DAST. @@ -492,7 +492,7 @@ Click **View details** to view the web console output which includes the list of ### View details of a vulnerability detected by DAST -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36332) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36332) in GitLab 13.1. Vulnerabilities detected by DAST occur in the live web application. Addressing these types of vulnerabilities requires specific information. DAST provides the information required to @@ -954,6 +954,11 @@ An on-demand scan can be run in active or passive mode: minimize the risk of accidental damage, running an active scan requires a [validated site profile](#site-profile-validation). +### View on-demand DAST scans + +To view running and completed on-demand DAST scans for a project, go to +**Security & Compliance > On-demand Scans** in the left sidebar. + ### Run an on-demand DAST scan Prerequisites: @@ -987,6 +992,7 @@ To run an on-demand scan either at a scheduled date or frequency, read 1. From your project's home page, go to **Security & Compliance > On-demand Scans** in the left sidebar. +1. Select **New DAST scan**. 1. Complete the **Scan name** and **Description** fields. 1. In GitLab 13.10 and later, select the desired branch from the **Branch** dropdown. 1. In **Scanner profile**, select a scanner profile from the dropdown. @@ -1017,17 +1023,13 @@ The on-demand DAST scan runs, and the project's dashboard shows the results. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328749) in GitLab 14.3. [Deployed behind the `dast_on_demand_scans_scheduler` flag](../../../administration/feature_flags.md), disabled by default. > - [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/328749) in GitLab 14.4. > - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/328749) in GitLab 14.4. - -FLAG: -On self-managed GitLab, by default this feature is available. To hide the feature, ask an -administrator to [disable the feature flag](../../../administration/feature_flags.md) named -`dast_on_demand_scans_scheduler`. -On GitLab.com, this feature is available. +> - [Feature flag dast_on_demand_scans_scheduler removed](https://gitlab.com/gitlab-org/gitlab/-/issues/328749) in GitLab 14.5. To schedule a scan: 1. On the top bar, select **Menu > Projects** and find your project. 1. On the left sidebar, select **Security & Compliance > On-demand Scans**. +1. Select **New DAST scan**. 1. Complete the **Scan name** and **Description** text boxes. 1. In GitLab 13.10 and later, from the **Branch** dropdown list, select the desired branch. 1. In the **Scanner profile** section, from the dropdown list, select a scanner profile. diff --git a/doc/user/application_security/dast/run_dast_offline.md b/doc/user/application_security/dast/run_dast_offline.md index 39747a5cbe5..86621d73524 100644 --- a/doc/user/application_security/dast/run_dast_offline.md +++ b/doc/user/application_security/dast/run_dast_offline.md @@ -5,7 +5,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w type: reference, howto --- -# Run DAST in an offline environment +# Run DAST in an offline environment **(ULTIMATE)** For self-managed GitLab instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required for the DAST job to diff --git a/doc/user/application_security/dast_api/index.md b/doc/user/application_security/dast_api/index.md index 3b1c91b0be4..f3ab25ccffa 100644 --- a/doc/user/application_security/dast_api/index.md +++ b/doc/user/application_security/dast_api/index.md @@ -681,15 +681,15 @@ Overrides use a JSON document, where each type of override is represented by a J }, "body-form": { "form-param1": "value", - "form-param1": "value", + "form-param2": "value" }, "body-json": { "json-path1": "value", - "json-path2": "value", + "json-path2": "value" }, "body-xml" : { "xpath1": "value", - "xpath2": "value", + "xpath2": "value" } } ``` @@ -968,16 +968,16 @@ Follow these steps to view details of a vulnerability: | Field | Description | |:--------------------|:----------------------------------------------------------------------------------------| - | Description | Description of the vulnerability including what was modified. | + | Description | Description of the vulnerability including what was modified. | | Project | Namespace and project in which the vulnerability was detected. | | Method | HTTP method used to detect the vulnerability. | | URL | URL at which the vulnerability was detected. | - | Request | The HTTP request that caused the vulnerability. | + | Request | The HTTP request that caused the vulnerability. | | Unmodified Response | Response from an unmodified request. This is what a normal working response looks like. | - | Actual Response | Response received from test request. | - | Evidence | How we determined a vulnerability occurred. | - | Identifiers | The DAST API check used to find this vulnerability. | - | Severity | Severity of the vulnerability. | + | Actual Response | Response received from test request. | + | Evidence | How we determined a vulnerability occurred. | + | Identifiers | The DAST API check used to find this vulnerability. | + | Severity | Severity of the vulnerability. | | Scanner Type | Scanner used to perform testing. | ### Security Dashboard @@ -1105,8 +1105,46 @@ Profiles: - Name: XmlInjectionCheck ``` +## Running DAST API in an offline environment + +For self-managed GitLab instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required for the DAST API testing job to successfully run. + +Steps: + +1. Host the Docker image in a local container registry. +1. Set the `SECURE_ANALYZERS_PREFIX` to the local container registry. + +The Docker image for DAST API must be pulled (downloaded) from the public registry and then pushed (imported) into a local registry. The GitLab container registry can be used to locally host the Docker image. This process can be performed using a special template. See [loading Docker images onto your offline host](../offline_deployments/index.md#loading-docker-images-onto-your-offline-host) for instructions. + +Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-fuzzing:1` results in a valid image location. + +NOTE: +DAST API and API Fuzzing both use the same underlying Docker image `api-fuzzing:1`. + +For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`: + +`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"` + +NOTE: +Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates. + +For more information, see [Offline environments](../offline_deployments/index.md). + ## Troubleshooting +### Error waiting for API Security 'http://127.0.0.1:5000' to become available + +A bug exists in versions of the DAST API analyzer prior to v1.6.196 that can cause a background process to fail under certain conditions. The solution is to update to a newer version of the DAST API analyzer. + +The version information can be found in the job details for the `dast_api` job. + +If the issue is occuring with versions v1.6.196 or greater, please contact Support and provide the following information: + +1. Reference this troubleshooting section and ask for the issue to be escalated to the Dynamic Analysis Team. +1. The full console output of the job. +1. The `gl-api-security-scanner.log` file available as a job artifact. In the right-hand panel of the job details page, select the **Browse** button. +1. The `dast_api` job definition from your `.gitlab-ci.yml` file. + ### Failed to start scanner session (version header not found) The DAST API engine outputs an error message when it cannot establish a connection with the scanner application component. The error message is shown in the job output window of the `dast_api` job. A common cause of this issue is changing the `DAST_API_API` variable from its default. @@ -1114,7 +1152,7 @@ The DAST API engine outputs an error message when it cannot establish a connecti **Error message** - In [GitLab 13.11 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/323939), `Failed to start scanner session (version header not found).` -- In GitLab 13.10 and earlier, `API Security version header not found. Are you sure that you are connecting to the API Security server?`. +- In GitLab 13.10 and earlier, `API Security version header not found. Are you sure that you are connecting to the API Security server?`. **Solution** diff --git a/doc/user/application_security/dependency_list/index.md b/doc/user/application_security/dependency_list/index.md index edfd0333d54..b0d8af2606f 100644 --- a/doc/user/application_security/dependency_list/index.md +++ b/doc/user/application_security/dependency_list/index.md @@ -7,7 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Dependency list **(ULTIMATE)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10075) in GitLab Ultimate 12.0. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10075) in GitLab 12.0. Use the dependency list to review your project's dependencies and key details about those dependencies, including their known vulnerabilities. It is a collection of dependencies in your project, including existing and new findings. @@ -66,7 +66,7 @@ Dependency paths are supported for the following package managers: ## Licenses -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10536) in GitLab Ultimate 12.3. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10536) in GitLab 12.3. If the [License Compliance](../../compliance/license_compliance/index.md) CI job is configured, [discovered licenses](../../compliance/license_compliance/index.md#supported-languages-and-package-managers) are displayed on this page. diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 1f840c96663..3c6db8c3ee9 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -89,12 +89,13 @@ table.supported-languages ul { } </style> +<!-- markdownlint-disable MD044 --> <table class="supported-languages"> <thead> <tr> <th>Language</th> + <th>Language Versions</th> <th>Package Manager</th> - <th>Package Manager Versions</th> <th>Supported files</th> <th>Analyzer</th> <th><a href="#how-multiple-files-are-processed">Processes multiple files?</a></th> @@ -103,8 +104,8 @@ table.supported-languages ul { <tbody> <tr> <td rowspan="2">Ruby</td> + <td rowspan="2">N/A</td> <td rowspan="2"><a href="https://bundler.io/">Bundler</a></td> - <td rowspan="2">Any</td> <td> <ul> <li><code>Gemfile.lock</code></li> @@ -121,16 +122,16 @@ table.supported-languages ul { </tr> <tr> <td>PHP</td> + <td>N/A</td> <td><a href="https://getcomposer.org/">Composer</a></td> - <td>Any</td> <td><code>composer.lock</code></td> <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td> <td>Y</td> </tr> <tr> <td>C</td> + <td rowspan="2">N/A</td> <td rowspan="2"><a href="https://conan.io/">Conan</a></td> - <td rowspan="2">Any</td> <td rowspan="2"><a href="https://docs.conan.io/en/latest/versioning/lockfiles.html"><code>conan.lock</code></a></td> <td rowspan="2"><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td> <td rowspan="2">Y</td> @@ -140,16 +141,16 @@ table.supported-languages ul { </tr> <tr> <td>Go</td> - <td><a href="https://golang.org/">Golang</a></td> - <td>Any</td> + <td>N/A</td> + <td><a href="https://golang.org/">Go</a></td> <td><code>go.sum</code></td> <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td> <td>Y</td> </tr> <tr> <td rowspan="2">Java</td> - <td><a href="https://gradle.org/">Gradle</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers">1</a></b></sup></td> - <td>Any</td> + <td rowspan="2">8, 11, 13, 14, 15, or 16</td> + <td><a href="https://gradle.org/">Gradle</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup></td> <td> <ul> <li><code>build.gradle</code></li> @@ -161,15 +162,14 @@ table.supported-languages ul { </tr> <tr> <td><a href="https://maven.apache.org/">Maven</a></td> - <td>Any</td> <td><code>pom.xml</code></td> <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td> <td>N</td> </tr> <tr> <td rowspan="3">JavaScript</td> + <td rowspan="2">N/A</td> <td rowspan="2"><a href="https://www.npmjs.com/">npm</a></td> - <td rowspan="2">Any</td> <td> <ul> <li><code>package-lock.json</code></li> @@ -185,16 +185,16 @@ table.supported-languages ul { <td>N</td> </tr> <tr> + <td>N/A</td> <td><a href="https://classic.yarnpkg.com/en/">yarn</a></td> - <td>1.x</td> <td><code>yarn.lock</code></td> <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td> <td>Y</td> </tr> <tr> <td>.NET</td> + <td rowspan="2">N/A</td> <td rowspan="2"><a href="https://www.nuget.org/">NuGet</a></td> - <td rowspan="2">>= 4.9</td> <td rowspan="2"><a href="https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file"><code>packages.lock.json</code></a></td> <td rowspan="2"><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td> <td rowspan="2">Y</td> @@ -204,15 +204,14 @@ table.supported-languages ul { </tr> <tr> <td rowspan="3">Python</td> + <td rowspan="3">3.6</td> <td><a href="https://setuptools.readthedocs.io/en/latest/">setuptools</a></td> - <td>Any</td> <td><code>setup.py</code></td> <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td> <td>N</td> </tr> <tr> <td><a href="https://pip.pypa.io/en/stable/">pip</a></td> - <td>Any</td> <td> <ul> <li><code>requirements.txt</code></li> @@ -225,11 +224,10 @@ table.supported-languages ul { </tr> <tr> <td><a href="https://pipenv.pypa.io/en/latest/">Pipenv</a></td> - <td>Any</td> <td> <ul> <li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile</code></a></li> - <li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile.lock</code></a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers">2</a></b></sup></li> + <li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile.lock</code></a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-2">2</a></b></sup></li> </ul> </td> <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td> @@ -237,8 +235,8 @@ table.supported-languages ul { </tr> <tr> <td>Scala</td> - <td><a href="https://www.scala-sbt.org/">sbt</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers">3</a></b></sup></td> - <td>Any</td> + <td>N/A</td> + <td><a href="https://www.scala-sbt.org/">sbt</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-3">3</a></b></sup></td> <td><code>build.sbt</code></td> <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td> <td>N</td> @@ -246,18 +244,91 @@ table.supported-languages ul { </tbody> </table> -### Notes regarding supported languages and package managers - -1. Although Gradle with Java 8 is supported, there are other issues such that Android project builds are not supported at this time. Please see the backlog issue [Android support for Dependency Scanning (gemnasium-maven)](https://gitlab.com/gitlab-org/gitlab/-/issues/336866) for more details. - -1. The presence of a `Pipfile.lock` file alone will _not_ trigger the analyzer; the presence of a `Pipfile` is still required in order -for the analyzer to be executed. However, if a `Pipfile.lock` file is found, it will be used by `Gemnasium` to scan the exact package -versions listed in this file. - - Support for `Pipfile.lock` files without requiring the presence of a `Pipfile` will be implemented in the following upcoming issue: - [Dependency Scanning of Pipfile.lock without installing project dependencies](https://gitlab.com/gitlab-org/gitlab/-/issues/299294). - -1. Support for [sbt](https://www.scala-sbt.org/) 1.3 and above was added in GitLab 13.9. +<ol> + <li> + <a id="notes-regarding-supported-languages-and-package-managers-1"></a> + <p> + Although Gradle with Java 8 is supported, there are other issues such that Android project builds are not supported at this time. + Please see the backlog issue <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/336866">Android support for Dependency + Scanning (gemnasium-maven)</a> for more details. + </p> + </li> + <li> + <a id="notes-regarding-supported-languages-and-package-managers-2"></a> + <p> + The presence of a <code>Pipfile.lock</code> file alone will <i>not</i> trigger the analyzer; the presence of a <code>Pipfile</code> is + still required in order for the analyzer to be executed. However, if a <code>Pipfile.lock</code> file is found, it will be used by + <code>Gemnasium</code> to scan the exact package versions listed in this file. + </p> + <p> + Support for <code>Pipfile.lock</code> files without requiring the presence of a <code>Pipfile</code> is tracked in + issue: <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/299294">Dependency Scanning of Pipfile.lock without + installing project dependencies</a>. + </p> + </li> + <li> + <a id="notes-regarding-supported-languages-and-package-managers-3"></a> + <p> + Support for <a href="https://www.scala-sbt.org/">sbt</a> 1.3 and above was added in GitLab 13.9. + </p> + </li> +</ol> +<!-- markdownlint-enable MD044 --> + +### How analyzers obtain dependency information + +GitLab analyzers obtain dependency information using one of the following two methods: + +1. [Parsing lockfiles directly.](#obtaining-dependendency-information-by-parsing-lockfiles) +1. [Running a package manager or build tool to generate a dependency information file which is then parsed.](#obtaining-dependendency-information-by-running-a-package-manager-to-generate-a-parsable-file) + +#### Obtaining dependendency information by parsing lockfiles + +The following package managers use lockfiles that GitLab analyzers are capable of parsing directly: + +| Package Manager | Supported File Format Versions | Tested Versions | +| ------ | ------ | ------ | +| Bundler | N/A | [1.17.3](https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/blob/master/Gemfile.lock#L118), [2.1.4](https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/blob/bundler2-FREEZE/Gemfile.lock#L118) | +| Composer | N/A | [1.x](https://gitlab.com/gitlab-org/security-products/tests/php-composer/-/blob/master/composer.lock) | +| Conan | 0.4 | [1.x](https://gitlab.com/gitlab-org/security-products/tests/c-conan/-/blob/master/conan.lock) | +| Go | N/A | [1.x](https://gitlab.com/gitlab-org/security-products/tests/go-modules/-/blob/master/go.mod) | +| NuGet | v1 | [4.9](https://gitlab.com/gitlab-org/security-products/tests/csharp-nuget-dotnetcore/-/blob/master/src/web.api/packages.lock.json#L2) | +| npm | v1, v2 | [6.x](https://gitlab.com/gitlab-org/security-products/tests/js-npm/-/blob/master/package-lock.json#L4), [7.x](https://gitlab.com/gitlab-org/security-products/tests/js-npm/-/blob/lockfile-v2-FREEZE/package-lock.json#L4) | +| yarn | v1 | [1.x](https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/blob/master/yarn.lock) | + +#### Obtaining dependendency information by running a package manager to generate a parsable file + +To support the following package managers, the GitLab analyzers proceed in two steps: + +1. Execute the package manager or a specific task, to export the dependency information. +1. Parse the exported dependency information. + +| Package Manager | Preinstalled Versions | Tested Versions | +| ------ | ------ | ------ | +| Bundler | [2.1.4](https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit/-/blob/v2.11.3/Dockerfile#L15)<sup><b><a href="#exported-dependency-information-notes-1">1</a></b></sup> | [1.17.3](https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/blob/master/Gemfile.lock#L118), [2.1.4](https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/blob/bundler2-FREEZE/Gemfile.lock#L118) | +| sbt | [1.3.8](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/v2.23.0/config/.tool-versions#L4) | [1.0.4](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/master/.gitlab-ci.yml#L263), [1.1.4](https://gitlab.com/gitlab-org/security-products/tests/scala-sbt-multiproject/-/blob/main/project/build.properties#L1), [1.1.6](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/master/.gitlab-ci.yml#L272), [1.2.8](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/master/.gitlab-ci.yml#L281), [1.3.12](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/master/.gitlab-ci.yml#L290), [1.4.6](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/master/.gitlab-ci.yml#L299) | +| Maven | [3.6.3](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/v2.23.0/config/.tool-versions#L3) | [3.6.3](https://gitlab.com/gitlab-org/security-products/tests/java-maven/-/blob/master/pom.xml#L3) | +| Gradle | [6.7.1](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/v2.23.0/config/.tool-versions#L5) | [5.6.4](https://gitlab.com/gitlab-org/security-products/tests/java-gradle/-/blob/master/gradle/wrapper/gradle-wrapper.properties#L3), [6.5](https://gitlab.com/gitlab-org/security-products/tests/java-gradle/-/blob/java-14/gradle/wrapper/gradle-wrapper.properties#L3), [6.7-rc-1](https://gitlab.com/gitlab-org/security-products/tests/java-gradle/-/blob/java-15/gradle/wrapper/gradle-wrapper.properties#L3), [6.9](https://gitlab.com/gitlab-org/security-products/tests/java-gradle/-/blob/java-14-gradle-6-9/gradle/wrapper/gradle-wrapper.properties#L3), [7.0-rc-2](https://gitlab.com/gitlab-org/security-products/tests/java-gradle/-/blob/java-16/gradle/wrapper/gradle-wrapper.properties#L3) | +| setuptools | [50.3.2](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/v2.29.9/Dockerfile#L27) | | +| pip | [20.2.4](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/v2.29.9/Dockerfile#L26) | [20.x](https://gitlab.com/gitlab-org/security-products/tests/python-pip/-/blob/master/requirements.txt) | +| Pipenv | [2018.11.26](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/-/blob/v2.18.4/requirements.txt#L13) | [2018.11.26](https://gitlab.com/gitlab-org/security-products/tests/python-pipenv/-/blob/pipfile-lock-FREEZE/Pipfile.lock#L6)<sup><b><a href="#exported-dependency-information-notes-2">2</a></b></sup>, [2018.11.26](https://gitlab.com/gitlab-org/security-products/tests/python-pipenv/-/blob/master/Pipfile) | + +<!-- markdownlint-disable MD044 --> +<ol> + <li> + <a id="exported-dependency-information-notes-1"></a> + <p> + The installed version of <code>Bundler</code> is only used for the <a href="https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit">bundler-audit</a> analyzer, and is not used for <a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">gemnasium</a> + </p> + </li> + <li> + <a id="exported-dependency-information-notes-2"></a> + <p> + This test confirms that if a <code>Pipfile.lock</code> file is found, it will be used by <a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a> to scan the exact package versions listed in this file. + </p> + </li> +</ol> +<!-- markdownlint-enable MD044 --> ### How analyzers are triggered @@ -321,15 +392,16 @@ We execute both analyzers because they use different sources of vulnerability da The analyzer for these languages supports multiple lockfiles. -### Future support for additional languages +### Support for additional languages -Plans are underway for supporting the following languages, dependency managers, and dependency files. For details, see the issue link for each. -For workarounds, see the [Troubleshooting section](#troubleshooting) +Support for additional languages, dependency managers, and dependency files are tracked in the following issues: | Package Managers | Languages | Supported files | Scan tools | Issue | | ------------------- | --------- | --------------- | ---------- | ----- | | [Poetry](https://python-poetry.org/) | Python | `poetry.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) | [GitLab#7006](https://gitlab.com/gitlab-org/gitlab/-/issues/7006) | +For workarounds, see the [Troubleshooting section](#troubleshooting). + ## Contribute your scanner The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate other security scanners into GitLab. @@ -359,8 +431,8 @@ always take the latest dependency scanning artifact available. ### Enable Dependency Scanning via an automatic merge request -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4908) in GitLab 14.1. -> - [Enabled with `sec_dependency_scanning_ui_enable` flag](https://gitlab.com/gitlab-org/gitlab/-/issues/282533) for self-managed GitLab in GitLab 14.1 and is ready for production use. +> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4908) in GitLab 14.1 [with a flag](../../../administration/feature_flags.md) named `sec_dependency_scanning_ui_enable`. Enabled by default. +> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/282533) in GitLab 14.1. > - [Feature flag sec_dependency_scanning_ui_enable removed](https://gitlab.com/gitlab-org/gitlab/-/issues/326005) in GitLab 14.2. To enable Dependency Scanning in a project, you can create a merge request diff --git a/doc/user/application_security/iac_scanning/index.md b/doc/user/application_security/iac_scanning/index.md new file mode 100644 index 00000000000..a58a00a869b --- /dev/null +++ b/doc/user/application_security/iac_scanning/index.md @@ -0,0 +1,98 @@ +--- +stage: Secure +group: Static Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Infrastructure as Code (IaC) Scanning + +> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6655) in GitLab 14.5. + +Infrastructure as Code (IaC) Scanning scans your IaC configuration files for known vulnerabilities. + +Currently, IaC scanning supports configuration files for Terraform, Ansible, AWS CloudFormation, and Kubernetes. + +## Requirements + +To run IaC scanning jobs, by default, you need GitLab Runner with the +[`docker`](https://docs.gitlab.com/runner/executors/docker.html) or +[`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor. +If you're using the shared runners on GitLab.com, this is enabled by default. + +WARNING: +Our IaC scanning jobs require a Linux container type. Windows containers are not yet supported. + +WARNING: +If you use your own runners, make sure the Docker version installed +is **not** `19.03.0`. See [troubleshooting information](../sast/index.md#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) for details. + +## Supported languages and frameworks + +GitLab IaC scanning supports a variety of IaC configuration files. Our IaC security scanners also feature automatic language detection which works even for mixed-language projects. If any supported configuration files are detected in project source code we automatically run the appropriate IaC analyzers. + +| Configuration File Type | Scan tool | Introduced in GitLab Version | +|------------------------------------------|----------------------------------|-------------------------------| +| Ansible | [kics](https://kics.io/) | 14.5 | +| AWS CloudFormation | [kics](https://kics.io/) | 14.5 | +| Kubernetes | [kics](https://kics.io/) | 14.5 | +| Terraform | [kics](https://kics.io/) | 14.5 | + +### Making IaC analyzers available to all GitLab tiers + +All open source (OSS) analyzers are availibile with the GitLab Free tier. Future propietary analyzers may be restricted to higher tiers. + +#### Summary of features per tier + +Different features are available in different [GitLab tiers](https://about.gitlab.com/pricing/), +as shown in the following table: + +| Capability | In Free | In Ultimate | +|:---------------------------------------------------------------------------------------|:--------------------|:-------------------| +| [Configure IaC Scanners](#configuration) v | **{check-circle}** | **{check-circle}** | +| View [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** | +| Presentation of JSON Report in Merge Request | **{dotted-circle}** | **{check-circle}** | +| [Address vulnerabilities](../../application_security/vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** | +| [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** | + +## Contribute your scanner + +The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate other security scanners into GitLab. + +## Configuration + +To configure IaC Scanning for a project you can: + +- [Configure IaC Scanning manually](#configure-iac-scanning-manually) +- [Enable IaC Scanning via an automatic merge request](#enable-iac-scanning-via-an-automatic-merge-request) + +### Configure IaC Scanning manually + +To enable IaC Scanning you must [include](../../../ci/yaml/index.md#includetemplate) the +[`SAST-IaC.latest.gitlab-ci.yml template`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST-IaC.latest.gitlab-ci.yml) provided as part of your GitLab installation. + +The included template creates IaC scanning jobs in your CI/CD pipeline and scans +your project's configuration files for possible vulnerabilities. + +The results are saved as a +[SAST report artifact](../../../ci/yaml/index.md#artifactsreportssast) +that you can download and analyze. + +### Enable IaC Scanning via an automatic merge request + +To enable IaC Scanning in a project, you can create a merge request +from the Security Configuration page: + +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Security & Compliance > Configuration**. +1. In the **Infrastructure as Code (IaC) Scanning** row, select **Configure via Merge Request**. + +This automatically creates a merge request with the changes necessary to enable IaC Scanning +that you can review and merge to complete the configuration. + +## Reports JSON format + +The IaC tool emits a JSON report file in the existing SAST report format. For more information, see the +[schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json). + +The JSON report file can be downloaded from the CI pipelines page, or the +pipelines tab on merge requests by [setting `artifacts: paths`](../../../ci/yaml/index.md#artifactspaths) to `gl-sast-report.json`. For more information see [Downloading artifacts](../../../ci/pipelines/job_artifacts.md). diff --git a/doc/user/application_security/img/vulnerability-check_v14_2.png b/doc/user/application_security/img/vulnerability-check_v14_2.png Binary files differdeleted file mode 100644 index 655e43221c7..00000000000 --- a/doc/user/application_security/img/vulnerability-check_v14_2.png +++ /dev/null diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md index 7b95769a81f..d5e801ced9c 100644 --- a/doc/user/application_security/index.md +++ b/doc/user/application_security/index.md @@ -31,19 +31,20 @@ For an overview of GitLab application security, see [Shifting Security Left](htt GitLab uses the following tools to scan and report known vulnerabilities found in your project. -| Secure scanning tool | Description | -|:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------| -| [Container Scanning](container_scanning/index.md) **(ULTIMATE)** | Scan Docker containers for known vulnerabilities. | -| [Dependency List](dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. | -| [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. | -| [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. | -| [DAST API](dast_api/index.md) **(ULTIMATE)** | Analyze running web APIs for known vulnerabilities. | -| [API fuzzing](api_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities in web APIs with fuzzing. | -| [Secret Detection](secret_detection/index.md) | Analyze Git history for leaked secrets. | -| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. | -| [Static Application Security Testing (SAST)](sast/index.md) | Analyze source code for known vulnerabilities. | -| [Coverage fuzzing](coverage_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. | -| [Cluster Image Scanning](cluster_image_scanning/index.md) **(ULTIMATE)** | Scan Kubernetes clusters for known vulnerabilities. | +| Secure scanning tool | Description | +| :------------------------------------------------------------- | :------------------------------------------------------------------ | +| [Container Scanning](container_scanning/index.md) | Scan Docker containers for known vulnerabilities. | +| [Dependency List](dependency_list/index.md) | View your project's dependencies and their known vulnerabilities. | +| [Dependency Scanning](dependency_scanning/index.md) | Analyze your dependencies for known vulnerabilities. | +| [Dynamic Application Security Testing (DAST)](dast/index.md) | Analyze running web applications for known vulnerabilities. | +| [DAST API](dast_api/index.md) | Analyze running web APIs for known vulnerabilities. | +| [API fuzzing](api_fuzzing/index.md) | Find unknown bugs and vulnerabilities in web APIs with fuzzing. | +| [Secret Detection](secret_detection/index.md) | Analyze Git history for leaked secrets. | +| [Security Dashboard](security_dashboard/index.md) | View vulnerabilities in all your projects and groups. | +| [Static Application Security Testing (SAST)](sast/index.md) | Analyze source code for known vulnerabilities. | +| [Infrastructure as Code (IaC) Scanning](iac_scanning/index.md) | Analyze your IaC coniguration files for known vulnerabilities. | +| [Coverage fuzzing](coverage_fuzzing/index.md) | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. | +| [Cluster Image Scanning](cluster_image_scanning/index.md) | Scan Kubernetes clusters for known vulnerabilities. | ## Security scanning with Auto DevOps @@ -185,61 +186,51 @@ By default, the vulnerability report does not show vulnerabilities of `dismissed ## Security approvals in merge requests -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9928) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.2. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9928) in GitLab 12.2. -You can implement merge request approvals to require approval by selected users or a group when a -merge request would introduce one of the following security issues: +You can enforce an additional approval for merge requests that would introduce one of the following +security issues: -- A security vulnerability -- A software license compliance violation +- A security vulnerability. For more details, read + [Vulnerability-Check rule](#vulnerability-check-rule). +- A software license compliance violation. For more details, read + [Enabling license approvals within a project](../compliance/license_compliance/index.md#enabling-license-approvals-within-a-project). -When the Vulnerability-Check merge request rule is enabled, additional merge request approval +### Vulnerability-Check rule + +To prevent a merge request introducing a security vulnerability in a project, enable the +Vulnerability-Check rule. While this rule is enabled, additional merge request approval by +[eligible approvers](../project/merge_requests/approvals/rules.md#eligible-approvers) is required when the latest security report in a merge request: -- Contains vulnerabilities that are not present in the - target branch. Note that approval is still required for dismissed vulnerabilities. +- Contains vulnerabilities with states (for example, `previously detected`, `dismissed`) matching the rule's vulnerability states. Only `newly detected` will be considered if the target branch differs from the project default branch. - Contains vulnerabilities with severity levels (for example, `high`, `critical`, or `unknown`) matching the rule's severity levels. - Contains a vulnerability count higher than the rule allows. -- Is not generated during pipeline execution. +- Is not yet generated (until pipeline completion). An approval is optional when the security report: -- Contains no new vulnerabilities when compared to the target branch. +- Contains only vulnerabilities with states (for example, `newly detected`, `resolved`) **NOT** matching the rule's vulnerability states. - Contains only vulnerabilities with severity levels (for example, `low`, `medium`) **NOT** matching the rule's severity levels. - Contains a vulnerability count equal to or less than what the rule allows. -When the License-Check merge request rule is enabled, additional approval is required if a merge -request contains a denied license. For more details, see [Enabling license approvals within a project](../compliance/license_compliance/index.md#enabling-license-approvals-within-a-project). - -### Enable the Vulnerability-Check rule - -Prerequisites: - -- Maintainer or Owner [role](../permissions.md#project-members-permissions). +Project members assigned [at least the Maintainer role](../permissions.md#project-members-permissions) can enable or edit +the Vulnerability-Check rule. -For this approval group, you must set the number of approvals required to greater than zero. +#### Enable the Vulnerability-Check rule -Follow these steps to enable `Vulnerability-Check`: +To enable or edit the Vulnerability-Check rule: 1. On the top bar, select **Menu > Projects** and find your project. 1. On the left sidebar, select **Settings > General**. 1. Expand **Merge request approvals**. -1. Select **Enable** or **Edit**. -1. Set the **Security scanners** that the rule applies to. -1. Select the **Target branch**. -1. Set the **Vulnerabilities allowed** to the number of vulnerabilities allowed before the rule is - triggered. -1. Set the **Severity levels** to the severity levels that the rule applies to. -1. Set the **Approvals required** to the number of approvals that the rule requires. -1. Select the users or groups to provide approval. +1. Select **Activate** or **Edit** of the Vulnerability-Check. +1. Complete the fields. **Approvals required** must be at least 1. 1. Select **Add approval rule**. -Once this group is added to your project, the approval rule is enabled for all merge requests. -Any code changes cause the approvals required to reset. - - +The approval rule is enabled for all merge requests. Any code changes reset the approvals required. ## Using private Maven repositories @@ -270,28 +261,44 @@ under your project's settings: </settings> ``` -## DAST On-Demand Scans +## Using a custom scanning stage -If you don't want scans running in your normal DevOps process you can use on-demand scans instead. For more details, see [on-demand scans](dast/index.md#on-demand-scans). This feature is only available for DAST. If you run an on-demand scan against the default branch, it is reported as a "successful pipeline" and these results are included in the security dashboard and vulnerability report. +When security scanning is enabled by including CI/CD templates as described in the +[Security scanning without Auto DevOps](#security-scanning-without-auto-devops) section, the scanning jobs +use the predefined `test` stage by default. If you specify a custom stage in your `.gitlab-ci.yml` file without +including a `test` stage, an error occurs. -## Security report validation +For example, the following attempts to use a `unit-tests` stage: -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/321918) in GitLab 13.11. -> - Schema validation message [added](https://gitlab.com/gitlab-org/gitlab/-/issues/321730) in GitLab 14.0. +```yaml +include: + - template: Security/Dependency-Scanning.gitlab-ci.yml + - template: Security/License-Scanning.gitlab-ci.yml + - template: Security/SAST.gitlab-ci.yml + - template: Security/Secret-Detection.gitlab-ci.yml -You can optionally enable validation of the security report artifacts based on the -[report schemas](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/tree/master/dist). -If you enable validation, GitLab validates the report artifacts before ingesting the vulnerabilities. -This prevents ingestion of broken vulnerability data into the database. +stages: + - unit-tests -In GitLab 14.0 and later, the pipeline's **Security** tab lists any report artifacts -that failed validation. Security report validation must first be enabled. +custom job: + stage: unit-tests + script: + - echo "custom job" +``` -### Enable security report validation +The above `.gitlab-ci.yml` causes a linting error: -To enable report artifacts validation, set the `VALIDATE_SCHEMA` environment variable to `"true"` for the jobs in the `.gitlab-ci.yml` file. +```plaintext +Found errors in your .gitlab-ci.yml: +- dependency_scanning job: chosen stage does not exist; available stages are .pre +- unit-tests +- .post +``` + +This error appears because the `test` stage used by the security scanning jobs isn't declared in the `.gitlab-ci.yml` file. +To fix this issue, you can either: -For example, the configuration below enables validation for only the `sast` job: +- Add a `test` stage in your `.gitlab-ci.yml`: ```yaml include: @@ -301,26 +308,98 @@ For example, the configuration below enables validation for only the `sast` job: - template: Security/Secret-Detection.gitlab-ci.yml stages: - - security-scan + - test + - unit-tests + + custom job: + stage: unit-tests + script: + - echo "custom job" + ``` + +- Override the default stage of each security job. For example, to use a pre-defined stage named `unit-tests`: + + ```yaml + include: + - template: Security/Dependency-Scanning.gitlab-ci.yml + - template: Security/License-Scanning.gitlab-ci.yml + - template: Security/SAST.gitlab-ci.yml + - template: Security/Secret-Detection.gitlab-ci.yml + + stages: + - unit-tests dependency_scanning: - stage: security-scan + stage: unit-tests license_scanning: - stage: security-scan + stage: unit-tests sast: - stage: security-scan - variables: - VALIDATE_SCHEMA: "true" + stage: unit-tests .secret-analyzer: - stage: security-scan + stage: unit-tests + + custom job: + stage: unit-tests + script: + - echo "custom job" ``` -## Interacting with findings and vulnerabilities +Learn more on overriding security jobs: + +- [Overriding SAST jobs](sast/index.md#overriding-sast-jobs). +- [Overriding Dependency Scanning jobs](dependency_scanning/index.md#overriding-dependency-scanning-jobs). +- [Overriding Container Scanning jobs](container_scanning/index.md#overriding-the-container-scanning-template). +- [Overriding Secret Detection jobs](secret_detection/index.md#customizing-settings). +- [Overriding DAST jobs](dast/index.md#customize-dast-settings). +- [Overriding License Compliance jobs](../compliance/license_compliance/index.md#overriding-the-template). + +All the security scanning tools define their stage, so this error can occur with all of them. + +## Security report validation + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/321918) in GitLab 13.11. +> - Schema validation message [added](https://gitlab.com/gitlab-org/gitlab/-/issues/321730) in GitLab 14.0. + +You can enforce validation of the security report artifacts before ingesting the vulnerabilities. +This prevents ingestion of broken vulnerability data into the database. GitLab validates the +artifacts based on the [report schemas](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/tree/master/dist). + +In GitLab 14.0 and later, when artifact validation is enabled, the pipeline's **Security** tab lists +any report artifacts that failed validation. + +### Enable security report validation + +To enable report artifacts validation, set the `VALIDATE_SCHEMA` environment variable to `"true"` +for the desired jobs in the `.gitlab-ci.yml` file. -There are a variety of locations and ways to interact with the results of the security scanning tools: +For example, to enable validation for only the `sast` job: + +```yaml +include: + - template: Security/Dependency-Scanning.gitlab-ci.yml + - template: Security/License-Scanning.gitlab-ci.yml + - template: Security/SAST.gitlab-ci.yml + - template: Security/Secret-Detection.gitlab-ci.yml +stages: + - security-scan +dependency_scanning: + stage: security-scan +license_scanning: + stage: security-scan +sast: + stage: security-scan + variables: + VALIDATE_SCHEMA: "true" +.secret-analyzer: + stage: security-scan +``` + +## Interact with findings and vulnerabilities + +You can interact with the results of the security scanning tools in several locations: - [Scan information in merge requests](#view-security-scan-information-in-merge-requests) - [Project Security Dashboard](security_dashboard/#project-security-dashboard) @@ -331,13 +410,33 @@ There are a variety of locations and ways to interact with the results of the se - [Vulnerability Pages](vulnerabilities/index.md) - [Dependency List](dependency_list/index.md) -For more details about which findings or vulnerabilities you can view in each of those locations, select the respective link. Each page details the ways in which you can interact with the findings and vulnerabilities. As an example, in most cases findings start out as _detected_ status. You have the option to: +For more details about which findings or vulnerabilities you can view in each of those locations, +select the respective link. Each page details the ways in which you can interact with the findings +and vulnerabilities. As an example, in most cases findings start out as _detected_ status. + +You have the option to: - Change the status. - Create an issue. - Link it to an existing issue. - [Resolve the vulnerability](vulnerabilities/index.md#resolve-a-vulnerability), if a solution is known. +## Security scanning configuration tips + +Each GitLab security scanning tool has a default +[CI/CD configuration file](https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates/Security), +also known as a _template_. + +When customizing the configuration: + +- [Include](../../ci/yaml/index.md#include) the scanning tool's CI/CD template. Don't _copy_ the content + of the template. +- Use the [stable](../../development/cicd/templates.md#stable-version) version of each template + for production workflows. The stable version changes less often, and breaking changes are only + made between major GitLab versions. The [latest](../../development/cicd/templates.md#latest-version) + version contains the most recent changes, but may have significant changes between minor GitLab versions. +- Only override values in the template as needed. All other values are inherited from the template. + ## Troubleshooting ### Secure job failing with exit code 1 @@ -352,8 +451,8 @@ variables: ### Outdated security reports -When a security report generated for a merge request becomes outdated, the merge request shows a warning -message in the security widget and prompts you to take an appropriate action. +When a security report generated for a merge request becomes outdated, the merge request shows a +warning message in the security widget and prompts you to take an appropriate action. This can happen in two scenarios: @@ -362,73 +461,28 @@ This can happen in two scenarios: #### Source branch is behind the target branch -This means the most recent common ancestor commit between the target branch and the source branch is -not the most recent commit on the target branch. This is by far the most common situation. +A security report can be out of date when the most recent common ancestor commit between the +target branch and the source branch is not the most recent commit on the target branch. -In this case you must rebase or merge to incorporate the changes from the target branch. +To fix this issue, rebase or merge to incorporate the changes from the target branch.  #### Target branch security report is out of date -This can happen for many reasons, including failed jobs or new advisories. When the merge request shows that a -security report is out of date, you must run a new pipeline on the target branch. -You can do it quickly by following the hyperlink given to run a new pipeline. +This can happen for many reasons, including failed jobs or new advisories. When the merge request +shows that a security report is out of date, you must run a new pipeline on the target branch. +Select **new pipeline** to run a new pipeline.  -### Getting error message `sast job: stage parameter should be [some stage name here]` - -When [including](../../ci/yaml/index.md#includetemplate) a `.gitlab-ci.yml` template -like [`SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml), -the following error may occur, depending on your GitLab CI/CD configuration: - -```plaintext -Found errors in your .gitlab-ci.yml: - -* sast job: stage parameter should be unit-tests -``` - -This error appears when the included job's stage (named `test`) isn't declared in `.gitlab-ci.yml`. -To fix this issue, you can either: - -- Add a `test` stage in your `.gitlab-ci.yml`. -- Override the default stage of each security job. For example, to use a pre-defined stage name `unit-tests`: - - ```yaml - include: - - template: Security/Dependency-Scanning.gitlab-ci.yml - - template: Security/License-Scanning.gitlab-ci.yml - - template: Security/SAST.gitlab-ci.yml - - template: Security/Secret-Detection.gitlab-ci.yml - - stages: - - unit-tests - - dependency_scanning: - stage: unit-tests - - license_scanning: - stage: unit-tests - - sast: - stage: unit-tests - - .secret-analyzer: - stage: unit-tests - ``` - -[Learn more on overriding SAST jobs](sast/index.md#overriding-sast-jobs). -All the security scanning tools define their stage, so this error can occur with all of them. - ### Getting warning messages `… report.json: no matching files` -This is often followed by the [error `No files to upload`](../../ci/pipelines/job_artifacts.md#error-message-no-files-to-upload), -and preceded by other errors or warnings that indicate why the JSON report wasn't generated. Please -check the entire job log for such messages. If you don't find these messages, retry the failed job -after setting `SECURE_LOG_LEVEL: "debug"` as a -[custom CI/CD variable](../../ci/variables/index.md#custom-cicd-variables). -This provides useful information to investigate further. +This message is often followed by the [error `No files to upload`](../../ci/pipelines/job_artifacts.md#error-message-no-files-to-upload), +and preceded by other errors or warnings that indicate why the JSON report wasn't generated. Check +the entire job log for such messages. If you don't find these messages, retry the failed job after +setting `SECURE_LOG_LEVEL: "debug"` as a [custom CI/CD variable](../../ci/variables/index.md#custom-cicd-variables). +This provides extra information to investigate further. ### Getting error message `sast job: config key may not be used with 'rules': only/except` @@ -526,23 +580,24 @@ involve pinning to the previous template versions, for example: ``` Additionally, we provide a dedicated project containing the versioned legacy templates. -This can be useful for offline setups or anyone wishing to use [Auto DevOps](../../topics/autodevops/index.md). +This can be used for offline setups or anyone wishing to use [Auto DevOps](../../topics/autodevops/index.md). Instructions are available in the [legacy template project](https://gitlab.com/gitlab-org/auto-devops-v12-10). #### Vulnerabilities are found, but the job succeeds. How can I have a pipeline fail instead? -This is the current default behavior, because the job's status indicates success or failure of the analyzer itself. -Analyzer results are displayed in the [job logs](../../ci/jobs/index.md#expand-and-collapse-job-log-sections), -[Merge Request widget](#view-security-scan-information-in-merge-requests) -or [Security Dashboard](security_dashboard/index.md). +In these circumstances, that the job succeeds is the default behavior. The job's status indicates +success or failure of the analyzer itself. Analyzer results are displayed in the +[job logs](../../ci/jobs/index.md#expand-and-collapse-job-log-sections), +[Merge Request widget](#view-security-scan-information-in-merge-requests) or +[Security Dashboard](security_dashboard/index.md). ### Error: job `is used for configuration only, and its script should not be executed` [Changes made in GitLab 13.4](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41260) to the `Security/Dependency-Scanning.gitlab-ci.yml` and `Security/SAST.gitlab-ci.yml` templates mean that if you enable the `sast` or `dependency_scanning` jobs by setting the `rules` attribute, -they will fail with the error `(job) is used for configuration only, and its script should not be executed`. +they fail with the error `(job) is used for configuration only, and its script should not be executed`. The `sast` or `dependency_scanning` stanzas can be used to make changes to all SAST or Dependency Scanning, such as changing `variables` or the `stage`, but they cannot be used to define shared `rules`. diff --git a/doc/user/application_security/offline_deployments/index.md b/doc/user/application_security/offline_deployments/index.md index cdf54070d69..915e43d0fa5 100644 --- a/doc/user/application_security/offline_deployments/index.md +++ b/doc/user/application_security/offline_deployments/index.md @@ -87,7 +87,9 @@ above. You can find more information at each of the pages below: - [Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-environment) - [SAST offline directions](../sast/index.md#running-sast-in-an-offline-environment) +- [Secret Detection offline directions](../secret_detection/#running-secret-detection-in-an-offline-environment) - [DAST offline directions](../dast/run_dast_offline.md#run-dast-in-an-offline-environment) +- [API Fuzzing offline directions](../api_fuzzing/#running-api-fuzzing-in-an-offline-environment) - [License Compliance offline directions](../../compliance/license_compliance/index.md#running-license-compliance-in-an-offline-environment) - [Dependency Scanning offline directions](../dependency_scanning/index.md#running-dependency-scanning-in-an-offline-environment) diff --git a/doc/user/application_security/policies/index.md b/doc/user/application_security/policies/index.md index e1ddb3167ff..4d8be411dc5 100644 --- a/doc/user/application_security/policies/index.md +++ b/doc/user/application_security/policies/index.md @@ -6,8 +6,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Policies **(ULTIMATE)** -> - Introduced in GitLab Ultimate 13.10 [with a flag](https://gitlab.com/groups/gitlab-org/-/epics/5329) named `security_orchestration_policies_configuration`. Disabled by default. -> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in GitLab Ultimate 14.3. +> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5329) in GitLab 13.10 with a flag named `security_orchestration_policies_configuration`. Disabled by default. +> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in GitLab 14.3. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in GitLab 14.4. Policies in GitLab provide security teams a way to require scans of their choice to be run @@ -49,7 +49,7 @@ users must make changes by following the ## Policy editor -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3403) in GitLab Ultimate 13.4. +> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3403) in GitLab 13.4. You can use the policy editor to create, edit, and delete policies: @@ -79,7 +79,7 @@ mode to fix your policy before Rule mode is available again. ## Container Network Policy -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/32365) in GitLab Ultimate 12.9. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/32365) in GitLab 12.9. The **Container Network Policy** section provides packet flow metrics for your application's Kubernetes namespace. This section has the following @@ -118,9 +118,9 @@ examining the Cilium logs: kubectl -n gitlab-managed-apps logs -l k8s-app=cilium -c cilium-monitor ``` -### Change the enforcement status +### Change the status -To change a network policy's enforcement status: +To change a network policy's status: - Select the network policy you want to update. - Select **Edit policy**. @@ -154,12 +154,12 @@ at the bottom of the editor. ### Configure a Network Policy Alert -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3438) and [enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/287676) in GitLab Ultimate 13.9. +> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3438) and [enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/287676) in GitLab 13.9. > - The feature flag was removed and the Threat Monitoring Alerts Project was [made generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/287676) in GitLab 14.0. You can use policy alerts to track your policy's impact. Alerts are only available if you've [installed](../../clusters/agent/repository.md) -and [configured](../../clusters/agent/index.md#create-an-agent-record-in-gitlab) +and [configured](../../clusters/agent/install/index.md#create-an-agent-record-in-gitlab) a Kubernetes Agent for this project. There are two ways to create policy alerts: diff --git a/doc/user/application_security/sast/analyzers.md b/doc/user/application_security/sast/analyzers.md index d399dcaf4a9..06c57e68121 100644 --- a/doc/user/application_security/sast/analyzers.md +++ b/doc/user/application_security/sast/analyzers.md @@ -6,8 +6,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w # SAST Analyzers **(FREE)** -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3775) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.3. -> - [Moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to GitLab Free in 13.3. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3775) in GitLab 10.3. +> - [Moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) from GitLab Ultimate to GitLab Free in 13.3. SAST relies on underlying third party tools that are wrapped into what we call "Analyzers". An analyzer is a diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 7ffefd34e40..af8585c6a18 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -7,8 +7,8 @@ type: reference, howto # Static Application Security Testing (SAST) **(FREE)** -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3775) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.3. -> - All open source (OSS) analyzers were moved to GitLab Free in GitLab 13.3. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3775) in GitLab 10.3. +> - All open source (OSS) analyzers were moved from GitLab Ultimate to GitLab Free in GitLab 13.3. NOTE: The whitepaper ["A Seismic Shift in Application Security"](https://about.gitlab.com/resources/whitepaper-seismic-shift-application-security/) @@ -16,11 +16,10 @@ explains how 4 of the top 6 attacks were application based. Download it to learn organization. If you're using [GitLab CI/CD](../../../ci/index.md), you can use Static Application Security -Testing (SAST) to check your source code for known vulnerabilities. When a pipeline completes, -the results of the SAST analysis are processed and shown in the pipeline's Security tab. If the -pipeline is associated with a merge request, the SAST analysis is compared with the results of +Testing (SAST) to check your source code for known vulnerabilities. +If the pipeline is associated with a merge request, the SAST analysis is compared with the results of the target branch's analysis (if available). The results of that comparison are shown in the merge -request. **(ULTIMATE)** If the pipeline is running from the default branch, the results of the SAST +request. If the pipeline is running from the default branch, the results of the SAST analysis are available in the [security dashboards](../security_dashboard/index.md).  @@ -197,7 +196,7 @@ Use the method that best meets your needs. - [Configure SAST in the UI with default settings](#configure-sast-in-the-ui-with-default-settings) - [Configure SAST in the UI with customizations](#configure-sast-in-the-ui-with-customizations) -### Configure SAST in the UI with default settings **(FREE)** +### Configure SAST in the UI with default settings > [Introduced](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#security-configuration-page-for-all-users) in GitLab 13.9 @@ -217,9 +216,9 @@ successfully, and an error may occur. ### Configure SAST in the UI with customizations **(ULTIMATE)** -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3659) in GitLab Ultimate 13.3. -> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in GitLab Ultimate 13.4. -> - [Improved](https://gitlab.com/groups/gitlab-org/-/epics/3635) in GitLab Ultimate 13.5. +> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3659) in GitLab 13.3. +> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in GitLab 13.4. +> - [Improved](https://gitlab.com/groups/gitlab-org/-/epics/3635) in GitLab 13.5. To enable and configure SAST with customizations: @@ -402,7 +401,7 @@ To create a custom ruleset: ### False Positive Detection **(ULTIMATE)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/292686) in GitLab 14.2. +> Introduced in GitLab 14.2. Vulnerabilities that have been detected and are false positives will be flagged as false positives in the security dashboard. @@ -423,7 +422,7 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m ### Enabling Kubesec analyzer -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12752) in GitLab Ultimate 12.6. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12752) in GitLab 12.6. You need to set `SCAN_KUBERNETES_MANIFESTS` to `"true"` to enable the Kubesec analyzer. In `.gitlab-ci.yml`, define: @@ -569,7 +568,7 @@ Some analyzers can be customized with CI/CD variables. #### Custom CI/CD variables -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/18193) in GitLab Ultimate 12.5. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/18193) in GitLab 12.5. In addition to the aforementioned SAST configuration CI/CD variables, all [custom variables](../../../ci/variables/index.md#custom-cicd-variables) are propagated diff --git a/doc/user/application_security/secret_detection/index.md b/doc/user/application_security/secret_detection/index.md index 5933496ea00..140f660d729 100644 --- a/doc/user/application_security/secret_detection/index.md +++ b/doc/user/application_security/secret_detection/index.md @@ -7,8 +7,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Secret Detection **(FREE)** -> - [Introduced](https://about.gitlab.com/releases/2019/03/22/gitlab-11-9-released/#detect-secrets-and-credentials-in-the-repository) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.9. -> - Made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/222788) in 13.3. +> - [Introduced](https://about.gitlab.com/releases/2019/03/22/gitlab-11-9-released/#detect-secrets-and-credentials-in-the-repository) in GitLab 11.9. +> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/222788) from GitLab Ultimate to GitLab Free in 13.3. A recurring problem when developing applications is that developers may unintentionally commit secrets and credentials to their remote repositories. If other people have access to the source, @@ -138,9 +138,9 @@ The results are saved as a that you can later download and analyze. Due to implementation limitations, we always take the latest Secret Detection artifact available. -### Enable Secret Detection via an automatic merge request **(FREE)** +### Enable Secret Detection via an automatic merge request -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, behind a feature flag, enabled by default. +> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/329886) in GitLab 14.1. To enable Secret Detection in a project, you can create a merge request @@ -165,7 +165,7 @@ by using the [`variables`](../../../ci/yaml/index.md#variables) parameter in `.gitlab-ci.yml`. To override a job definition, (for example, change properties like `variables` or `dependencies`), -declare a job with the same name as the SAST job to override. Place this new job after the template +declare a job with the same name as the secret detection job to override. Place this new job after the template inclusion and specify any additional keys under it. WARNING: @@ -202,8 +202,9 @@ Secret Detection can be customized by defining available CI/CD variables: | CI/CD variable | Default value | Description | |-----------------------------------|---------------|-------------| -| `SECRET_DETECTION_COMMIT_FROM` | - | The commit a Gitleaks scan starts at. | -| `SECRET_DETECTION_COMMIT_TO` | - | The commit a Gitleaks scan ends at. | +| `SECRET_DETECTION_COMMIT_FROM` | - | The commit a Gitleaks scan starts at. [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/243564) in GitLab 13.5. Replaced with `SECRET_DETECTION_COMMITS`. | +| `SECRET_DETECTION_COMMIT_TO` | - | The commit a Gitleaks scan ends at. [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/243564) in GitLab 13.5. Replaced with `SECRET_DETECTION_COMMITS`. | +| `SECRET_DETECTION_COMMITS` | - | The list of commits that Gitleaks should scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/243564) in GitLab 13.5. | | `SECRET_DETECTION_EXCLUDED_PATHS` | "" | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories also match patterns. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225273) in GitLab 13.3. | | `SECRET_DETECTION_HISTORIC_SCAN` | false | Flag to enable a historic Gitleaks scan. | @@ -348,6 +349,22 @@ For details on saving and transporting Docker images as a file, see Docker's doc [`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/), [`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and [`docker import`](https://docs.docker.com/engine/reference/commandline/import/). +### Set Secret Detection CI/CD variables to use the local Secret Detection analyzer container image + +Add the following configuration to your `.gitlab-ci.yml` file. You must replace +`SECURE_ANALYZERS_PREFIX` to refer to your local Docker container registry: + +```yaml +include: + - template: Security/Secret-Detection.gitlab-ci.yml + +variables: + SECURE_ANALYZERS_PREFIX: "localhost:5000/analyzers" +``` + +The Secret Detection job should now use the local copy of the Secret Detection analyzer Docker image to scan your code and generate +security reports without requiring internet access. + #### If support for Custom Certificate Authorities are needed Support for custom certificate authorities was introduced in the following versions. @@ -371,22 +388,6 @@ variables: The `ADDITIONAL_CA_CERT_BUNDLE` value can also be configured as a [custom variable in the UI](../../../ci/variables/index.md#custom-cicd-variables), either as a `file`, which requires the path to the certificate, or as a variable, which requires the text representation of the certificate. -### Set Secret Detection CI/CD variables to use local Secret Detection analyzer - -Add the following configuration to your `.gitlab-ci.yml` file. You must replace -`SECURE_ANALYZERS_PREFIX` to refer to your local Docker container registry: - -```yaml -include: - - template: Security/Secret-Detection.gitlab-ci.yml - -variables: - SECURE_ANALYZERS_PREFIX: "localhost:5000/analyzers" -``` - -The Secret Detection job should now use local copies of the Secret Detection analyzer to scan your code and generate -security reports without requiring internet access. - ## Troubleshooting ### Getting warning message `gl-secret-detection-report.json: no matching files` diff --git a/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_2.png b/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_2.png Binary files differdeleted file mode 100644 index 52249cef343..00000000000 --- a/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_2.png +++ /dev/null diff --git a/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_4.png b/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_4.png Binary files differnew file mode 100644 index 00000000000..ac123d2b528 --- /dev/null +++ b/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_4.png diff --git a/doc/user/application_security/security_dashboard/index.md b/doc/user/application_security/security_dashboard/index.md index c78179e9693..87875ec15ba 100644 --- a/doc/user/application_security/security_dashboard/index.md +++ b/doc/user/application_security/security_dashboard/index.md @@ -51,7 +51,7 @@ The security dashboard and vulnerability report displays information about vulne At the pipeline level, the Security section displays the vulnerabilities present in the branch of the project the pipeline ran against. - + Visit the page for any pipeline that ran any of the [supported reports](#supported-reports). To view the pipeline's security findings, select the **Security** tab when viewing the pipeline. @@ -64,11 +64,15 @@ the analyzer outputs an ### Scan details -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3728) in GitLab 13.10. +> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3728) in GitLab 13.10. +> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/333660) in GitLab 14.2. -The **Scan details** section lists the scans run in the pipeline and the total number of -vulnerabilities per scan. For the DAST scan, select **Download scanned resources** to download a -CSV file containing details of the resources scanned. +The **Scan details** section lists the scans run in the pipeline and the total number of vulnerabilities +per scan. + +You can download the JSON artifacts from each security scan. Select **Download results** then +select the JSON artifact. Additionally for the DAST scan, from the **Download results** dropdown select +**Download scanned resources** to download a CSV file containing details of the resources scanned. ## Project Security Dashboard diff --git a/doc/user/application_security/threat_monitoring/index.md b/doc/user/application_security/threat_monitoring/index.md index 79f202a6edb..ae5f6ba0fe1 100644 --- a/doc/user/application_security/threat_monitoring/index.md +++ b/doc/user/application_security/threat_monitoring/index.md @@ -7,7 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Threat Monitoring **(ULTIMATE)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14707) in GitLab 12.9. The **Threat Monitoring** page provides alerts and metrics for the GitLab application runtime security features. You can access @@ -20,7 +20,7 @@ GitLab supports statistics for the following security features: ## Container Network Policy Alert list -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3438) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.9. +> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3438) in GitLab 13.9. The policy alert list displays your policy's alert activity. You can sort the list by these columns: @@ -44,5 +44,3 @@ Clicking an alert's row opens the alert drawer, which shows more information abo can also create an incident from the alert and update the alert status in the alert drawer. Clicking an alert's name takes the user to the [alert details page](../../../operations/incident_management/alerts.md#alert-details-page). - -For information on work in progress for the alerts dashboard, see [this epic](https://gitlab.com/groups/gitlab-org/-/epics/5041). diff --git a/doc/user/application_security/vulnerabilities/index.md b/doc/user/application_security/vulnerabilities/index.md index 9ebecc67704..7bdc8cc8479 100644 --- a/doc/user/application_security/vulnerabilities/index.md +++ b/doc/user/application_security/vulnerabilities/index.md @@ -7,7 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Vulnerability Pages **(ULTIMATE)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/13561) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.0. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/13561) in GitLab 13.0. Each vulnerability in a project has a Vulnerability Page. This page contains details of the vulnerability. The details included vary according to the type of vulnerability. Details of each @@ -20,6 +20,9 @@ vulnerability include: - Linked issues - Actions log +In GitLab 14.3 and later, if the scanner determined the vulnerability to be a false positive, an +alert message is included at the top of the vulnerability's page. + On the vulnerability's page, you can: - [Change the vulnerability's status](#change-vulnerability-status). diff --git a/doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v14_2.png b/doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v14_2.png Binary files differdeleted file mode 100644 index 44c689eda3e..00000000000 --- a/doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v14_2.png +++ /dev/null diff --git a/doc/user/application_security/vulnerability_report/img/project_level_vulnerability_report_v14_5.png b/doc/user/application_security/vulnerability_report/img/project_level_vulnerability_report_v14_5.png Binary files differnew file mode 100644 index 00000000000..ac996fa32db --- /dev/null +++ b/doc/user/application_security/vulnerability_report/img/project_level_vulnerability_report_v14_5.png diff --git a/doc/user/application_security/vulnerability_report/index.md b/doc/user/application_security/vulnerability_report/index.md index f5b0194c320..d13647937a2 100644 --- a/doc/user/application_security/vulnerability_report/index.md +++ b/doc/user/application_security/vulnerability_report/index.md @@ -16,7 +16,16 @@ At all levels, the Vulnerability Report contains: - Filters for common vulnerability attributes. - Details of each vulnerability, presented in tabular layout. - +The **Activity** column contains icons to indicate the activity, if any, taken on the vulnerability +in that row: + +- Issues **{issues}**: Links to issues created for the vulnerability. For more details, read + [Create an issue for a vulnerability](../vulnerabilities/index.md#create-an-issue-for-a-vulnerability). +- Wrench **{admin}**: The vulnerability has been remediated. +- False positive **{false-positive}**: The scanner determined this vulnerability to be a false + positive. + + ## Project-level Vulnerability Report @@ -151,7 +160,7 @@ To change the status of vulnerabilities in the table: ### Change status of multiple vulnerabilities -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in GitLab 12.9. You can change the status of multiple vulnerabilities at once: @@ -162,8 +171,8 @@ You can change the status of multiple vulnerabilities at once: ## Export vulnerability details -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213014) in the Security Center (previously known as the Instance Security Dashboard) and project-level Vulnerability Report (previously known as the Project Security Dashboard) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.0. -> - [Added](https://gitlab.com/gitlab-org/gitlab/-/issues/213013) to the group-level Vulnerability Report in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213014) in the Security Center (previously known as the Instance Security Dashboard) and project-level Vulnerability Report (previously known as the Project Security Dashboard) in GitLab 13.0. +> - [Added](https://gitlab.com/gitlab-org/gitlab/-/issues/213013) to the group-level Vulnerability Report in GitLab 13.1. You can export details of the vulnerabilities listed in the Vulnerability Report. The export format is CSV (comma separated values). Note that all vulnerabilities are included because filters don't @@ -197,7 +206,7 @@ thousands of vulnerabilities. Don't close the page until the download finishes. ## Dismiss a vulnerability -> The option of adding a dismissal reason was introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0. +> The option of adding a dismissal reason was introduced in GitLab 12.0. You can dismiss a vulnerability for the entire project: |
