diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-10 00:09:19 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-10 00:09:19 +0300 |
| commit | 254ec28f5448f6f353cd98f637985de3d1405854 (patch) | |
| tree | 1c84ed7b7dd32db96454af034cd6c7e90699e76d /doc | |
| parent | 141902c04943d5fb43c014b8cf42af60a3bc0cdf (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/administration/gitaly/praefect.md | 40 | ||||
| -rw-r--r-- | doc/administration/logs.md | 37 | ||||
| -rw-r--r-- | doc/api/epics.md | 5 | ||||
| -rw-r--r-- | doc/development/pipelines.md | 12 | ||||
| -rw-r--r-- | doc/user/application_security/container_scanning/index.md | 13 | ||||
| -rw-r--r-- | doc/user/application_security/dependency_scanning/analyzers.md | 31 | ||||
| -rw-r--r-- | doc/user/application_security/dependency_scanning/index.md | 12 | ||||
| -rw-r--r-- | doc/user/application_security/sast/analyzers.md | 28 | ||||
| -rw-r--r-- | doc/user/application_security/sast/index.md | 7 | ||||
| -rw-r--r-- | doc/user/clusters/applications.md | 2 | ||||
| -rw-r--r-- | doc/user/project/integrations/prometheus_library/nginx.md | 1 |
11 files changed, 159 insertions, 29 deletions
diff --git a/doc/administration/gitaly/praefect.md b/doc/administration/gitaly/praefect.md index 0a0e193658e..737deaa7f4e 100644 --- a/doc/administration/gitaly/praefect.md +++ b/doc/administration/gitaly/praefect.md @@ -60,12 +60,18 @@ GitLab](https://about.gitlab.com/install/). - 1 Praefect node (minimal storage required) - 3 Gitaly nodes (high CPU, high memory, fast storage) +- 1 GitLab server You will need the IP/host address for each node. 1. `POSTGRESQL_SERVER_ADDRESS`: the IP/host address of the PostgreSQL server -1. `PRAEFECT_SERVER_ADDRESS`: the IP/host address of the Praefect server -1. `GITALY_SERVER_ADDRESS`: the IP/host address of each Gitaly node +1. `PRAEFECT_HOST`: the IP/host address of the Praefect server +1. `GITALY_HOST`: the IP/host address of each Gitaly server +1. `GITLAB_HOST`: the IP/host address of the GitLab server + +If you are using a cloud provider, you can look up the addresses for each server through your cloud provider's management console. + +If you are using Google Cloud Platform, SoftLayer, or any other vendor that provides a virtual private cloud (VPC) you can use the private addresses for each cloud instance (corresponds to “internal address” for Google Cloud Platform) for `PRAEFECT_HOST`, `GITALY_HOST`, and `GITLAB_HOST`. #### Secrets @@ -183,14 +189,18 @@ application server, or a Gitaly node. 1. Configure **Praefect** to listen on network interfaces by editing `/etc/gitlab/gitlab.rb`: + You will need to replace: + + - `PRAEFECT_HOST` with the IP address or hostname of the Praefect node + ```ruby # Make Praefect accept connections on all network interfaces. # Use firewalls to restrict access to this address/port. - praefect['listen_addr'] = '0.0.0.0:2305' + praefect['listen_addr'] = 'PRAEFECT_HOST:2305' # Enable Prometheus metrics access to Praefect. You must use firewalls # to restrict access to this address/port. - praefect['prometheus_listen_addr'] = '0.0.0.0:9652' + praefect['prometheus_listen_addr'] = 'PRAEFECT_HOST:9652' ``` 1. Configure a strong `auth_token` for **Praefect** by editing @@ -357,14 +367,18 @@ documentation](index.md#3-gitaly-server-configuration). 1. Configure **Gitaly** to listen on network interfaces by editing `/etc/gitlab/gitlab.rb`: + You will need to replace: + + - `GITALY_HOST` with the IP address or hostname of the Gitaly node + ```ruby # Make Gitaly accept connections on all network interfaces. # Use firewalls to restrict access to this address/port. - gitaly['listen_addr'] = '0.0.0.0:8075' + gitaly['listen_addr'] = 'GITALY_HOST:8075' # Enable Prometheus metrics access to Gitaly. You must use firewalls # to restrict access to this address/port. - gitaly['prometheus_listen_addr'] = '0.0.0.0:9236' + gitaly['prometheus_listen_addr'] = 'GITALY_HOST:9236' ``` 1. Configure a strong `auth_token` for **Gitaly** by editing @@ -387,7 +401,7 @@ documentation](index.md#3-gitaly-server-configuration). # Configure the gitlab-shell API callback URL. Without this, `git push` will # fail. This can be your front door GitLab URL or an internal load balancer. # Examples: 'https://example.gitlab.com', 'http://1.2.3.4' - gitlab_rails['internal_api_url'] = 'GITLAB_SERVER_URL' + gitlab_rails['internal_api_url'] = 'http://GITLAB_HOST' ``` 1. Configure the storage location for Git data by setting `git_data_dirs` in @@ -499,12 +513,13 @@ Particular attention should be shown to: You will need to replace: - `PRAEFECT_HOST` with the IP address or hostname of the Praefect node + - `GITLAB_HOST` with the IP address or hostname of the GitLab server - `PRAEFECT_EXTERNAL_TOKEN` with the real secret ```ruby git_data_dirs({ "default" => { - "path" => "/var/opt/gitlab/git-data" + "gitaly_address" => "tcp://GITLAB_HOST:8075" }, "praefect" => { "gitaly_address" => "tcp://PRAEFECT_HOST:2305", @@ -513,6 +528,13 @@ Particular attention should be shown to: }) ``` +1. Allow Gitaly to listen on a tcp port by editing + `/etc/gitlab/gitlab.rb` + + ```ruby + gitaly['listen_addr'] = 'tcp://GITLAB_HOST:8075' + ``` + 1. Configure the `gitlab_shell['secret_token']` so that callbacks from Gitaly nodes during a `git push` are properly authenticated by editing `/etc/gitlab/gitlab.rb`: @@ -526,7 +548,7 @@ Particular attention should be shown to: 1. Configure the `external_url` so that files could be served by GitLab by proper endpoint access by editing `/etc/gitlab/gitlab.rb`: - You will need to replace `GITLAB_SERVER_URL` with the real URL on which + You will need to replace `GITLAB_SERVER_URL` with the real external facing URL on which current GitLab instance is serving: ```ruby diff --git a/doc/administration/logs.md b/doc/administration/logs.md index 889a8b2d6b0..c43406fb647 100644 --- a/doc/administration/logs.md +++ b/doc/administration/logs.md @@ -635,6 +635,43 @@ Each line contains a JSON line that can be ingested by Elasticsearch. For exampl } ``` +## `geo.log` + +> Introduced in 9.5. + +Geo stores structured log messages in a `geo.log` file. For Omnibus installations, this file is at `/var/log/gitlab/gitlab-rails/geo.log`. + +This file contains information about when Geo attempts to sync repositories and files. Each line in the file contains a separate JSON entry that can be ingested into. For example, Elasticsearch or Splunk. + +For example: + +```json +{"severity":"INFO","time":"2017-08-06T05:40:16.104Z","message":"Repository update","project_id":1,"source":"repository","resync_repository":true,"resync_wiki":true,"class":"Gitlab::Geo::LogCursor::Daemon","cursor_delay_s":0.038} +``` + +This message shows that Geo detected that a repository update was needed for project `1`. + +## Registry Logs + +For Omnibus installations, Container Registry logs reside in `/var/log/gitlab/registry/current`. + +## NGINX Logs + +For Omnibus installations, NGINX logs reside in: + +- `/var/log/gitlab/nginx/gitlab_access.log` contains a log of requests made to GitLab. +- `/var/log/gitlab/nginx/gitlab_error.log` contains a log of NGINX errors for GitLab. +- `/var/log/gitlab/nginx/gitlab_pages_access.log` contains a log of requests made to Pages static sites. +- `/var/log/gitlab/nginx/gitlab_pages_error.log` contains a log of NGINX errors for Pages static sites. +- `/var/log/gitlab/nginx/gitlab_registry_access.log` contains a log of requests made to the Container Registry. +- `/var/log/gitlab/nginx/gitlab_registry_error.log` contains a log of NGINX errors for the Container Regsitry. + +Below is the default GitLab NGINX access log format: + +```plaintext +$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" +``` + [repocheck]: repository_checks.md [Rack Attack]: ../security/rack_attack.md [Rate Limit]: ../user/admin_area/settings/rate_limits_on_raw_endpoints.md diff --git a/doc/api/epics.md b/doc/api/epics.md index a0261aab605..bf6a18fcedc 100644 --- a/doc/api/epics.md +++ b/doc/api/epics.md @@ -81,6 +81,7 @@ Example response: "title": "Accusamus iste et ullam ratione voluptatem omnis debitis dolor est.", "description": "Molestias dolorem eos vitae expedita impedit necessitatibus quo voluptatum.", "state": "opened", + "confidential": "false", "web_url": "http://localhost:3001/groups/test/-/epics/4", "reference": "&4", "references": { @@ -240,6 +241,7 @@ POST /groups/:id/epics | `title` | string | yes | The title of the epic | | `labels` | string | no | The comma separated list of labels | | `description` | string | no | The description of the epic. Limited to 1,048,576 characters. | +| `confidential` | boolean | no | Whether the epic should be confidential. Will be ignored if `confidential_epics` feature flag is disabled. | | `start_date_is_fixed` | boolean | no | Whether start date should be sourced from `start_date_fixed` or from milestones (since 11.3) | | `start_date_fixed` | string | no | The fixed start date of an epic (since 11.3) | | `due_date_is_fixed` | boolean | no | Whether due date should be sourced from `due_date_fixed` or from milestones (since 11.3) | @@ -260,6 +262,7 @@ Example response: "title": "Epic", "description": "Epic description", "state": "opened", + "confidential": "false", "web_url": "http://localhost:3001/groups/test/-/epics/6", "reference": "&6", "references": { @@ -314,6 +317,7 @@ PUT /groups/:id/epics/:epic_iid | `epic_iid` | integer/string | yes | The internal ID of the epic | | `title` | string | no | The title of an epic | | `description` | string | no | The description of an epic. Limited to 1,048,576 characters. | +| `confidential` | boolean | no | Whether the epic should be confidential. Will be ignored if `confidential_epics` feature flag is disabled. | | `labels` | string | no | The comma separated list of labels | | `start_date_is_fixed` | boolean | no | Whether start date should be sourced from `start_date_fixed` or from milestones (since 11.3) | | `start_date_fixed` | string | no | The fixed start date of an epic (since 11.3) | @@ -335,6 +339,7 @@ Example response: "title": "New Title", "description": "Epic description", "state": "opened", + "confidential": "false", "web_url": "http://localhost:3001/groups/test/-/epics/6", "reference": "&6", "references": { diff --git a/doc/development/pipelines.md b/doc/development/pipelines.md index c123722dc4e..aecfe3af9c4 100644 --- a/doc/development/pipelines.md +++ b/doc/development/pipelines.md @@ -149,6 +149,18 @@ otherwise. If you want a running pipeline to finish even if you push new commits to a merge request, be sure to start the `dont-interrupt-me` job before pushing. +## PostgreSQL versions testing + +We follow [the PostgreSQL versions Omnibus support policy](https://gitlab.com/groups/gitlab-org/-/epics/2184#proposal): + +| | 12.10 (April 2020) | 13.0 (May 2020) | 13.1 (June 2020) | 13.2 (July 2020) | 13.3 (August 2020) | 13.4, 13.5 | 13.6 (November 2020) | 14.0 (May 2021?) | +| ------ | ------------------ | --------------- | ---------------- | ---------------- | ------------------ | ------------ | -------------------- | -------------------- | +| PG9.6 | nightly | - | - | - | - | - | - | - | +| PG10 | `master` | - | - | - | - | - | - | - | +| PG11 | MRs/`master` | MRs/`master` | MRs/`master` | MRs/`master` | MRs/`master` | MRs/`master` | nightly | - | +| PG12 | - | - | - | - | `master` | `master` | MRs/`master` | `master` | +| PG13 | - | - | - | - | - | - | - | MRs/`master` | + ## Directed acyclic graph We're using the [`needs:`](../ci/yaml/README.md#needs) keyword to diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md index 5b755916fd8..3d6c9e0b0ba 100644 --- a/doc/user/application_security/container_scanning/index.md +++ b/doc/user/application_security/container_scanning/index.md @@ -303,10 +303,10 @@ it highlighted: "version": "2.3", "vulnerabilities": [ { + "id": "ac0997ad-1006-4c81-81fb-ee2bbe6e78e3", "category": "container_scanning", "message": "CVE-2019-3462 in apt", "description": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.", - "cve": "debian:9:apt:CVE-2019-3462", "severity": "High", "confidence": "Unknown", "solution": "Upgrade apt from 1.4.8 to 1.4.9", @@ -343,7 +343,7 @@ it highlighted: { "fixes": [ { - "cve": "debian:9:apt:CVE-2019-3462" + "id": "c0997ad-1006-4c81-81fb-ee2bbe6e78e3" } ], "summary": "Upgrade apt from 1.4.8 to 1.4.9", @@ -363,10 +363,11 @@ the report JSON unless stated otherwise. Presence of optional fields depends on |------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `version` | Report syntax version used to generate this JSON. | | `vulnerabilities` | Array of vulnerability objects. | +| `vulnerabilities[].id` | Unique identifier of the vulnerability. | | `vulnerabilities[].category` | Where this vulnerability belongs (for example, SAST or Container Scanning). For Container Scanning, it will always be `container_scanning`. | | `vulnerabilities[].message` | A short text that describes the vulnerability, it may include occurrence's specific information. Optional. | | `vulnerabilities[].description` | A long text that describes the vulnerability. Optional. | -| `vulnerabilities[].cve` | A fingerprint string value that represents a concrete occurrence of the vulnerability. It's used to determine whether two vulnerability occurrences are same or different. May not be 100% accurate. **This is NOT a [CVE](https://cve.mitre.org/)**. | +| `vulnerabilities[].cve` | (**DEPRECATED - use `vulnerabilities[].id` instead**) A fingerprint string value that represents a concrete occurrence of the vulnerability. It's used to determine whether two vulnerability occurrences are same or different. May not be 100% accurate. **This is NOT a [CVE](https://cve.mitre.org/)**. | | `vulnerabilities[].severity` | How much the vulnerability impacts the software. Possible values: `Undefined` (an analyzer has not provided this information), `Info`, `Unknown`, `Low`, `Medium`, `High`, `Critical`. **Note:** Our current container scanning tool based on [klar](https://github.com/optiopay/klar) only provides the following levels: `Unknown`, `Low`, `Medium`, `High`, `Critical`. | | `vulnerabilities[].confidence` | How reliable the vulnerability's assessment is. Possible values: `Undefined` (an analyzer has not provided this information), `Ignore`, `Unknown`, `Experimental`, `Low`, `Medium`, `High`, `Confirmed`. **Note:** Our current container scanning tool based on [klar](https://github.com/optiopay/klar) does not provide a confidence level, so this value is currently hardcoded to `Unknown`. | | `vulnerabilities[].solution` | Explanation of how to fix the vulnerability. Optional. | @@ -390,7 +391,8 @@ the report JSON unless stated otherwise. Presence of optional fields depends on | `vulnerabilities[].links[].url` | URL of the vulnerability details document. Optional. | | `remediations` | An array of objects containing information on cured vulnerabilities along with patch diffs to apply. Empty if no remediations provided by an underlying analyzer. | | `remediations[].fixes` | An array of strings that represent references to vulnerabilities fixed by this particular remediation. | -| `remediations[].fixes[].cve` | A string value that describes a fixed vulnerability occurrence in the same format as `vulnerabilities[].cve`. | +| `remediations[].fixes[].id` | The id of a fixed vulnerability. | +| `remediations[].fixes[].cve` | (**DEPRECATED - use `remediations[].fixes[].id` instead**) A string value that describes a fixed vulnerability in the same format as `vulnerabilities[].cve`. | | `remediations[].summary` | Overview of how the vulnerabilities have been fixed. | | `remediations[].diff` | base64-encoded remediation code diff, compatible with [`git apply`](https://git-scm.com/docs/git-format-patch#_discussion). | @@ -414,7 +416,8 @@ Some vulnerabilities can be fixed by applying the solution that GitLab automatically generates. To enable remediation support, the scanning tool _must_ have access to the `Dockerfile` specified by -the `DOCKERFILE_PATH` environment variable. To ensure that the scanning tool has access to this +the [`DOCKERFILE_PATH`](#available-variables) environment variable. To ensure that the scanning tool +has access to this file, it's necessary to set [`GIT_STRATEGY: fetch`](../../../ci/yaml/README.md#git-strategy) in your `.gitlab-ci.yml` file by following the instructions described in this document's [overriding the Container Scanning template](#overriding-the-container-scanning-template) section. diff --git a/doc/user/application_security/dependency_scanning/analyzers.md b/doc/user/application_security/dependency_scanning/analyzers.md index 3b4b341739b..26352f21cfb 100644 --- a/doc/user/application_security/dependency_scanning/analyzers.md +++ b/doc/user/application_security/dependency_scanning/analyzers.md @@ -83,8 +83,11 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers). ## Custom analyzers -You can provide your own analyzers as a comma separated list of Docker images. -Here's how to add `analyzers/nugget` and `analyzers/perl` to the default images. +### Custom analyzers with Docker-in-Docker + +When Docker-in-Docker for Dependency Scanning is enabled, +you can provide your own analyzers as a comma-separated list of Docker images. +Here's how to add `analyzers/nuget` and `analyzers/perl` to the default images. In `.gitlab-ci.yml` define: ```yaml @@ -92,7 +95,7 @@ include: template: Dependency-Scanning.gitlab-ci.yml variables: - DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nugget,amy-docker-registry/nalyzers/perl" + DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nuget,amy-docker-registry/analyzers/perl" ``` The values must be the full path to the container registry images, @@ -103,6 +106,28 @@ This configuration doesn't benefit from the integrated detection step. Dependenc Scanning has to fetch and spawn each Docker image to establish whether the custom analyzer can scan the source code. +### Custom analyzers without Docker-in-Docker + +When Docker-in-Docker for Dependency Scanning is disabled, you can provide your own analyzers by +defining CI jobs in your CI configuration. For consistency, you should suffix your custom Dependency +Scanning jobs with `-dependency_scanning`. Here's how to add a scanning job that's based on the +Docker image `my-docker-registry/analyzers/nuget` and generates a Dependency Scanning report +`gl-dependency-scanning-report.json` when `/analyzer run` is executed. Define the following in +`.gitlab-ci.yml`: + +```yaml +nuget-dependency_scanning: + image: + name: "my-docker-registry/analyzers/nuget" + script: + - /analyzer run + artifacts: + reports: + dependency_scanning: gl-dependency-scanning-report.json +``` + +The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab. + ## Analyzers data The following table lists the data available for each official analyzer. diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 7032ec8c75e..781bda47a43 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -259,11 +259,11 @@ it highlighted: "version": "2.0", "vulnerabilities": [ { + "id": "51e83874-0ff6-4677-a4c5-249060554eae", "category": "dependency_scanning", "name": "Regular Expression Denial of Service", "message": "Regular Expression Denial of Service in debug", "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", - "cve": "yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a", "severity": "Unknown", "solution": "Upgrade to latest versions.", "scanner": { @@ -300,11 +300,11 @@ it highlighted: ] }, { + "id": "5d681b13-e8fa-4668-957e-8d88f932ddc7", "category": "dependency_scanning", "name": "Authentication bypass via incorrect DOM traversal and canonicalization", "message": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js", "description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.", - "cve": "yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98", "severity": "Unknown", "solution": "Upgrade to fixed version.\r\n", "scanner": { @@ -351,7 +351,7 @@ it highlighted: { "fixes": [ { - "cve": "yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98" + "id": "5d681b13-e8fa-4668-957e-8d88f932ddc7", } ], "summary": "Upgrade saml2-js", @@ -371,11 +371,12 @@ the report JSON unless stated otherwise. Presence of optional fields depends on |------------------------------------------------------|-------------| | `version` | Report syntax version used to generate this JSON. | | `vulnerabilities` | Array of vulnerability objects. | +| `vulnerabilities[].id` | Unique identifier of the vulnerability. | | `vulnerabilities[].category` | Where this vulnerability belongs (SAST, Dependency Scanning etc.). For Dependency Scanning, it will always be `dependency_scanning`. | | `vulnerabilities[].name` | Name of the vulnerability, this must not include the occurrence's specific information. Optional. | | `vulnerabilities[].message` | A short text that describes the vulnerability, it may include occurrence's specific information. Optional. | | `vulnerabilities[].description` | A long text that describes the vulnerability. Optional. | -| `vulnerabilities[].cve` | A fingerprint string value that represents a concrete occurrence of the vulnerability. It's used to determine whether two vulnerability occurrences are same or different. May not be 100% accurate. **This is NOT a [CVE](https://cve.mitre.org/)**. | +| `vulnerabilities[].cve` | (**DEPRECATED - use `vulnerabilities[].id` instead**) A fingerprint string value that represents a concrete occurrence of the vulnerability. It's used to determine whether two vulnerability occurrences are same or different. May not be 100% accurate. **This is NOT a [CVE](https://cve.mitre.org/)**. | | `vulnerabilities[].severity` | How much the vulnerability impacts the software. Possible values: `Undefined` (an analyzer has not provided this information), `Info`, `Unknown`, `Low`, `Medium`, `High`, `Critical`. | | `vulnerabilities[].confidence` | How reliable the vulnerability's assessment is. Possible values: `Undefined` (an analyzer has not provided this information), `Ignore`, `Unknown`, `Experimental`, `Low`, `Medium`, `High`, `Confirmed`. | | `vulnerabilities[].solution` | Explanation of how to fix the vulnerability. Optional. | @@ -398,7 +399,8 @@ the report JSON unless stated otherwise. Presence of optional fields depends on | `vulnerabilities[].links[].url` | URL of the vulnerability details document. Optional. | | `remediations` | An array of objects containing information on cured vulnerabilities along with patch diffs to apply. Empty if no remediations provided by an underlying analyzer. | | `remediations[].fixes` | An array of strings that represent references to vulnerabilities fixed by this particular remediation. | -| `remediations[].fixes[].cve` | A string value that describes a fixed vulnerability occurrence in the same format as `vulnerabilities[].cve`. | +| `remediations[].fixes[].id` | The id of a fixed vulnerability. | +| `remediations[].fixes[].cve` | (**DEPRECATED - use `remediations[].fixes[].id` instead**) A string value that describes a fixed vulnerability in the same format as `vulnerabilities[].cve`. | | `remediations[].summary` | Overview of how the vulnerabilities have been fixed. | | `remediations[].diff` | base64-encoded remediation code diff, compatible with [`git apply`](https://git-scm.com/docs/git-format-patch#_discussion). | diff --git a/doc/user/application_security/sast/analyzers.md b/doc/user/application_security/sast/analyzers.md index c27c61a52e2..3ce52a024bd 100644 --- a/doc/user/application_security/sast/analyzers.md +++ b/doc/user/application_security/sast/analyzers.md @@ -92,7 +92,10 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers). ## Custom Analyzers -You can provide your own analyzers as a comma separated list of Docker images. +### Custom analyzers with Docker-in-Docker + +When Docker-in-Docker for SAST is enabled, +you can provide your own analyzers as a comma-separated list of Docker images. Here's how to add `analyzers/csharp` and `analyzers/perl` to the default images: In `.gitlab-ci.yml` define: @@ -112,8 +115,27 @@ This configuration doesn't benefit from the integrated detection step. SAST has to fetch and spawn each Docker image to establish whether the custom analyzer can scan the source code. -CAUTION: **Caution:** -Custom analyzers are not spawned automatically when [Docker In Docker](index.md#disabling-docker-in-docker-for-sast) is disabled. +### Custom analyzers without Docker-in-Docker + +When Docker-in-Docker for SAST is disabled, you can provide your own analyzers by +defining CI jobs in your CI configuration. For consistency, you should suffix your custom +SAST jobs with `-sast`. Here's how to add a scanning job that's based on the +Docker image `my-docker-registry/analyzers/csharp` and generates a SAST report +`gl-sast-report.json` when `/analyzer run` is executed. Define the following in +`.gitlab-ci.yml`: + +```yaml +csharp-sast: + image: + name: "my-docker-registry/analyzers/csharp" + script: + - /analyzer run + artifacts: + reports: + sast: gl-sast-report.json +``` + +The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab. ## Analyzers Data diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 3f172285014..3a711138a76 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -368,11 +368,11 @@ it highlighted: "version": "2.0", "vulnerabilities": [ { + "id": "9e96e0ab-23da-4d7d-a09e-0acbaa5e83ca", "category": "sast", "name": "Predictable pseudorandom number generator", "message": "Predictable pseudorandom number generator", "description": "The use of java.util.Random is predictable", - "cve": "818bf5dacb291e15d9e6dc3c5ac32178:PREDICTABLE_RANDOM", "severity": "Medium", "confidence": "Medium", "scanner": { @@ -405,9 +405,9 @@ it highlighted: ] }, { + "id": "e6dbf91f-4c07-46f7-a365-0169489c27d1", "category": "sast", "message": "Probable insecure usage of temp file/directory.", - "cve": "python/hardcoded/hardcoded-tmp.py:4ad6d4c40a8c263fc265f3384724014e0a4f8dd6200af83e51ff120420038031:B108", "severity": "Medium", "confidence": "Medium", "scanner": { @@ -446,11 +446,12 @@ the report JSON unless stated otherwise. Presence of optional fields depends on |-----------------------------------------|----------| | `version` | Report syntax version used to generate this JSON. | | `vulnerabilities` | Array of vulnerability objects. | +| `vulnerabilities[].id` | Unique identifier of the vulnerability. | | `vulnerabilities[].category` | Where this vulnerability belongs (SAST, Dependency Scanning etc.). For SAST, it will always be `sast`. | | `vulnerabilities[].name` | Name of the vulnerability, this must not include the occurrence's specific information. Optional. | | `vulnerabilities[].message` | A short text that describes the vulnerability, it may include the occurrence's specific information. Optional. | | `vulnerabilities[].description` | A long text that describes the vulnerability. Optional. | -| `vulnerabilities[].cve` | A fingerprint string value that represents a concrete occurrence of the vulnerability. Is used to determine whether two vulnerability occurrences are same or different. May not be 100% accurate. **This is NOT a [CVE](https://cve.mitre.org/)**. | +| `vulnerabilities[].cve` | (**DEPRECATED - use `vulnerabilities[].id` instead**) A fingerprint string value that represents a concrete occurrence of the vulnerability. It's used to determine whether two vulnerability occurrences are same or different. May not be 100% accurate. **This is NOT a [CVE](https://cve.mitre.org/)**. | | `vulnerabilities[].severity` | How much the vulnerability impacts the software. Possible values: `Undefined` (an analyzer has not provided this information), `Info`, `Unknown`, `Low`, `Medium`, `High`, `Critical`. | | `vulnerabilities[].confidence` | How reliable the vulnerability's assessment is. Possible values: `Undefined` (an analyzer has not provided this information), `Ignore`, `Unknown`, `Experimental`, `Low`, `Medium`, `High`, `Confirmed`. | | `vulnerabilities[].solution` | Explanation of how to fix the vulnerability. Optional. | diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 1adbbf51397..f8fd07276c5 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -312,7 +312,7 @@ From there, you can see tracked over time: If a significant percentage of traffic is anomalous, it should be investigated for potential threats, which can be done by -[examining the application logs](#web-application-firewall-modsecurity). +[examining the Web Application Firewall logs](#web-application-firewall-modsecurity).  diff --git a/doc/user/project/integrations/prometheus_library/nginx.md b/doc/user/project/integrations/prometheus_library/nginx.md index fc8abc47c4c..d5f078f3ddf 100644 --- a/doc/user/project/integrations/prometheus_library/nginx.md +++ b/doc/user/project/integrations/prometheus_library/nginx.md @@ -17,6 +17,7 @@ NGINX server metrics are detected, which tracks the pages and content directly s | Throughput (req/sec) | `sum(rate(nginx_server_requests{server_zone!="*", server_zone!="_", %{environment_filter}}[2m])) by (code)` | | Latency (ms) | `avg(nginx_server_requestMsec{%{environment_filter}})` | | HTTP Error Rate (HTTP Errors / sec) | `sum(rate(nginx_server_requests{code="5xx", %{environment_filter}}[2m]))` | +| HTTP Error (%)| `sum(rate(nginx_server_requests{code=~"5.*", host="*", %{environment_filter}}[2m])) / sum(rate(nginx_server_requests{code="total", host="*", %{environment_filter}}[2m])) * 100` | ## Configuring Prometheus to monitor for NGINX metrics |