| field | value | date |
|---|---|---|
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-02-08 09:10:43 +0300 |
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-02-08 09:10:43 +0300 |
| commit | 0812feb16adcf8da1d3555f1d736e7b154fcd046 (patch) | |
| tree | 543721481f8ea698152182710380faf9fbf08e7c /doc | |
| parent | d8b3ba4b19f12a88a2aa6881bf770f9713a68d32 (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/administration/instance_limits.md | 1 |
| -rw-r--r-- | doc/ci/yaml/artifacts_reports.md | 13 |
| -rw-r--r-- | doc/development/integrations/secure.md | 52 |
| -rw-r--r-- | doc/topics/autodevops/cicd_variables.md | 1 |
| -rw-r--r-- | doc/update/deprecations.md | 14 |
| -rw-r--r-- | doc/user/application_security/policies/scan-execution-policies.md | 2 |
| -rw-r--r-- | doc/user/application_security/terminology/index.md | 1 |

7 files changed, 15 insertions, 69 deletions
diff --git a/doc/administration/instance_limits.md b/doc/administration/instance_limits.md index 8cdf27b58e8..e4f4b234a15 100644 --- a/doc/administration/instance_limits.md +++ b/doc/administration/instance_limits.md @@ -655,7 +655,6 @@ setting is used: | `ci_max_artifact_size_archive` | 0 | | `ci_max_artifact_size_browser_performance` | 0 | | `ci_max_artifact_size_cluster_applications` | 0 | -| `ci_max_artifact_size_cluster_image_scanning` | 0 | | `ci_max_artifact_size_cobertura` | 0 | | `ci_max_artifact_size_codequality` | 0 | | `ci_max_artifact_size_container_scanning` | 0 | diff --git a/doc/ci/yaml/artifacts_reports.md b/doc/ci/yaml/artifacts_reports.md index ced620195b4..6b15f90cbc7 100644 --- a/doc/ci/yaml/artifacts_reports.md +++ b/doc/ci/yaml/artifacts_reports.md @@ -67,19 +67,6 @@ GitLab can display the results of one report in the merge request GitLab cannot display the combined results of multiple `browser_performance` reports. -## `artifacts:reports:cluster_image_scanning` **(ULTIMATE)** - -> - Introduced in GitLab 14.1. -> - Requires GitLab Runner 14.1 and above. - -The `cluster_image_scanning` report collects `CLUSTER_IMAGE_SCANNING` vulnerabilities. The collected -`CLUSTER_IMAGE_SCANNING` report uploads to GitLab as an artifact. - -GitLab can display the results of one or more reports in: - -- The [security dashboard](../../user/application_security/security_dashboard/index.md). -- The [Project Vulnerability report](../../user/application_security/vulnerability_report/index.md). - ## `artifacts:reports:coverage_report` > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/344533) in GitLab 14.10. diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md index bf1a3bfab08..002579d9b83 100644 --- a/doc/development/integrations/secure.md +++ b/doc/development/integrations/secure.md 
@@ -31,7 +31,6 @@ For consistency, scanning jobs should be named after the scanner, in lower case. The job name is suffixed after the type of scanning: - `_dependency_scanning` -- `_cluster_image_scanning` - `_container_scanning` - `_dast` - `_sast` @@ -79,7 +78,6 @@ Valid reports are: - `dependency_scanning` - `container_scanning` -- `cluster_image_scanning` - `dast` - `api_fuzzing` - `coverage_fuzzing` @@ -108,7 +106,6 @@ for variables such as: - `DEPENDENCY_SCANNING_DISABLED` - `CONTAINER_SCANNING_DISABLED` -- `CLUSTER_IMAGE_SCANNING_DISABLED` - `SAST_DISABLED` - `DAST_DISABLED` @@ -214,19 +211,6 @@ using the variables `DOCKER_USER` and `DOCKER_PASSWORD`. If these are not defined, then the scanner should use `CI_REGISTRY_USER` and `CI_REGISTRY_PASSWORD` as default values. -#### Cluster Image Scanning - -To be consistent with the official `cluster_image_scanning` for GitLab, scanners must scan the -Kubernetes cluster whose configuration is given by `KUBECONFIG`. - -If you use the `CIS_KUBECONFIG` CI/CD variable, then the -`KUBECONFIG` variable is ignored and the cluster specified in the -`CIS_KUBECONFIG` variable is scanned instead. If you don't provide -the `CIS_KUBECONFIG` CI/CD variable, the value defaults to the value of -`$KUBECONFIG`. `$KUBECONFIG` is a predefined CI/CD variable configured when the project is assigned to a -Kubernetes cluster. When multiple contexts are provided in the `KUBECONFIG` variable, the context -selected as `current-context` is used to fetch vulnerabilities. - #### Configuration files While scanners may use `CI_PROJECT_DIR` to load specific configuration files, 
@@ -320,7 +304,6 @@ and [Container Scanning](../../user/application_security/container_scanning/inde You can find the schemas for these scanners here: -- [Cluster Image Scanning](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/cluster-image-scanning-report-format.json) - [Container Scanning](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json) - [Coverage Fuzzing](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/coverage-fuzzing-report-format.json) - [DAST](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/dast-report-format.json) @@ -414,7 +397,6 @@ We recommend that you generate a UUID and use it as the `id` field's value. The value of the `category` field matches the report type: - `dependency_scanning` -- `cluster_image_scanning` - `container_scanning` - `sast` - `dast` 
@@ -604,40 +586,6 @@ so these attributes are mandatory. The `image` is also mandatory. All other attributes are optional. -##### Cluster Image Scanning - -The `location` of a `cluster_image_scanning` vulnerability has a `dependency` field. It also has -an `operating_system` field. For example, here is the `location` object for a vulnerability -affecting version `2.50.3-2+deb9u1` of Debian package `glib2.0`: - -```json -{ - "dependency": { - "package": { - "name": "glib2.0" - }, - }, - "version": "2.50.3-2+deb9u1", - "operating_system": "debian:9", - "image": "index.docker.io/library/nginx:1.18", - "kubernetes_resource": { - "namespace": "production", - "kind": "Deployment", - "name": "nginx-ingress", - "container_name": "nginx", - "agent_id": "1" - } -} -``` - -The affected package is found when scanning a deployment using the `index.docker.io/library/nginx:1.18` image. - -The location fingerprint of a Cluster Image Scanning vulnerability combines the -`namespace`, `kind`, `name`, and `container_name` fields from the `kubernetes_resource`, -as well as the package `name`, so these fields are required. The `image` field is also mandatory. -The `cluster_id` and `agent_id` are mutually exclusive, and one of them must be present. -All other fields are optional. - ##### SAST The `location` of a SAST vulnerability must have a `file` and a `start_line` field, diff --git a/doc/topics/autodevops/cicd_variables.md b/doc/topics/autodevops/cicd_variables.md index 169d34aad77..b22b4677f24 100644 --- a/doc/topics/autodevops/cicd_variables.md +++ b/doc/topics/autodevops/cicd_variables.md 
@@ -94,7 +94,6 @@ Use these variables to disable CI/CD jobs. | `bandit-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. | | `brakeman-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. | | `canary` | `CANARY_ENABLED` | | This manual job is created if the variable is present. | -| `cluster_image_scanning` | `CLUSTER_IMAGE_SCANNING_DISABLED` | | If the variable is present, the job isn't created. | | `code_intelligence` | `CODE_INTELLIGENCE_DISABLED` | From GitLab 13.6 | If the variable is present, the job isn't created. | | `code_quality` | `CODE_QUALITY_DISABLED` | | If the variable is present, the job isn't created. | | `container_scanning` | `CONTAINER_SCANNING_DISABLED` | | If the variable is present, the job isn't created. | diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index 1a272e4a609..e2ac52929e0 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -94,6 +94,20 @@ When using the native HashiCorp Vault integration, CI/CD jobs will fail when no <div class="deprecation removal-160 breaking-change"> +### Development dependencies reported for PHP and Python + +Planned removal: GitLab <span class="removal-milestone">16.0</span> <span class="removal-date"></span> + +WARNING: +This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/). +Review the details carefully before upgrading. + +In GitLab 16.0 the GitLab Dependency Scanning analyzer will begin reporting development dependencies for both Python/pipenv and PHP/composer projects. Users who do not wish to have these development dependencies reported should set `DS_INCLUDE_DEV_DEPENDENCIES: false` in their CI/CD file. + +</div> + +<div class="deprecation removal-160 breaking-change"> + ### Embedding Grafana panels in Markdown is deprecated Planned removal: GitLab <span class="removal-milestone">16.0</span> <span class="removal-date"></span> 
diff --git a/doc/user/application_security/policies/scan-execution-policies.md b/doc/user/application_security/policies/scan-execution-policies.md index e679ed907e9..f624bc95036 100644 --- a/doc/user/application_security/policies/scan-execution-policies.md +++ b/doc/user/application_security/policies/scan-execution-policies.md @@ -89,7 +89,7 @@ This rule enforces the defined actions and schedules a scan on the provided date | `type` | `string` | `schedule` | The rule's type. | | `branches` | `array` of `string` | `*` or the branch's name | The branch the given policy applies to (supports wildcard). This field is required if the `agents` field is not set. | | `cadence` | `string` | CRON expression (for example, `0 0 * * *`) | A whitespace-separated string containing five fields that represents the scheduled time. | -| `agents` | `object` | | The name of the [GitLab agents](../../clusters/agent/index.md) where [cluster image scanning](../../clusters/agent/vulnerabilities.md) runs. The object key is the name of the Kubernetes agent configured for your project in GitLab. This field is required if the `branches` field is not set. | +| `agents` | `object` | | The name of the [GitLab agents](../../clusters/agent/index.md) where [Operational Container Scanning](../../clusters/agent/vulnerabilities.md) runs. The object key is the name of the Kubernetes agent configured for your project in GitLab. This field is required if the `branches` field is not set. | GitLab supports the following types of CRON syntax for the `cadence` field: diff --git a/doc/user/application_security/terminology/index.md b/doc/user/application_security/terminology/index.md index 1ce5d58c73b..772a7d17e1e 100644 --- a/doc/user/application_security/terminology/index.md +++ b/doc/user/application_security/terminology/index.md 
@@ -257,7 +257,6 @@ once it's imported into the database. Describes the type of scan. This must be one of the following: - `api_fuzzing` -- `cluster_image_scanning` - `container_scanning` - `coverage_fuzzing` - `dast` |
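Review bot: in the `doc/administration/instance_limits.md` hunk, the `ci_max_artifact_size_cluster_image_scanning` row is dropped without saying whether the plan limit itself was removed from the Admin API or is now simply ignored; administrators who set that key will want to know which, so suggest a one-line removal note (either next to the table or in the `deprecations.md` hunk of this same change) rather than a silent deletion.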
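Review bot: in the `doc/ci/yaml/artifacts_reports.md` hunk, the whole `artifacts:reports:cluster_image_scanning` section is deleted with no removal note or pointer to the replacement, so existing links to that heading break silently; suggest keeping a short stub that states the report type was removed and points readers to Operational Container Scanning (the name the `scan-execution-policies.md` hunk adopts for the `../../clusters/agent/vulnerabilities.md` link).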
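Review bot: in the `doc/development/integrations/secure.md` hunk starting at `@@ -604,40 +586,6 @@`, the deleted `location` example contained a trailing comma after the `package` object (`},` immediately before the closing brace of `dependency`), which is not valid JSON; moot for this change since the block is removed, but if the `kubernetes_resource` location example is carried over to the Operational Container Scanning documentation, drop that comma so the sample validates against the schema.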
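Review bot: in the `doc/update/deprecations.md` hunk, the opt-out `DS_INCLUDE_DEV_DEPENDENCIES: false` is given as bare text "in their CI/CD file"; show it in a fenced YAML snippet under `variables:` (with the value quoted, `"false"`, since CI/CD variable values are strings) so readers do not place the key at the top level of `.gitlab-ci.yml`. The entry also frames the new behaviour only as something to be switched off; one sentence noting that disabling it removes vulnerabilities in development-only dependencies from the Dependency Scanning report would let users weigh the trade-off rather than reflexively opting out.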
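Review bot: `cluster_image_scanning` is removed from the scan-type and report `category` lists in the `secure.md` and `terminology/index.md` hunks, while the `scan-execution-policies.md` hunk only renames the link text in the `agents` row; confirm whether the policy's `scan` action still accepts `cluster_image_scanning` as a value and, if it does, update or document that in the same change so the policy docs do not rely on a category the rest of the documentation no longer lists.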