author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-21 03:13:46 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-21 03:13:46 +0300 |
commit | 4aa6fba6d825b88d23ff37668e78c851bec102b0 (patch) | |
tree | 2588fec6fc68f27fbfc23e89daf9b9af34d5466b /lib | |
parent | faf60c19a9a1a29ce07d1b51ea3a69466e7129f3 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/entities/group.rb | 1 | ||||
-rw-r--r-- | lib/api/groups.rb | 6 | ||||
-rw-r--r-- | lib/api/helpers.rb | 23 | ||||
-rw-r--r-- | lib/gitlab/ci/parsers/sbom/cyclonedx.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb | 37 | ||||
-rw-r--r-- | lib/gitlab/ci/parsers/sbom/source/trivy.rb | 19 | ||||
-rw-r--r-- | lib/gitlab/ci/reports/sbom/component.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/database/migrations/batched_background_migration_helpers.rb | 2 |
8 files changed, 81 insertions, 13 deletions
diff --git a/lib/api/entities/group.rb b/lib/api/entities/group.rb index 1a1765c2e0a..14491c2396a 100644 --- a/lib/api/entities/group.rb +++ b/lib/api/entities/group.rb @@ -23,6 +23,7 @@ module API expose :full_name, :full_path expose :created_at expose :parent_id + expose :organization_id expose :shared_runners_setting expose :custom_attributes, using: 'API::Entities::CustomAttribute', if: :with_custom_attributes diff --git a/lib/api/groups.rb b/lib/api/groups.rb index 1ff64cd2ffd..bc93a91b277 100644 --- a/lib/api/groups.rb +++ b/lib/api/groups.rb @@ -213,11 +213,15 @@ module API requires :name, type: String, desc: 'The name of the group' requires :path, type: String, desc: 'The path of the group' optional :parent_id, type: Integer, desc: 'The parent group id for creating nested group' + optional :organization_id, type: Integer, desc: 'The organization id for the group' use :optional_params end post feature_category: :groups_and_projects, urgency: :low do - parent_group = find_group!(params[:parent_id]) if params[:parent_id].present? + organization = find_organization!(params[:organization_id]) if params[:organization_id].present? + authorize! :create_group, organization if organization + + parent_group = find_group!(params[:parent_id], organization) if params[:parent_id].present? if parent_group authorize! :create_subgroup, parent_group else diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 6cb9d19a2ad..3489a4b21b3 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb 
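Review bot: The organization scoping that `find_group!(params[:parent_id], organization)` adds only takes effect when the caller supplies `organization_id`; with `parent_id` alone the parent is resolved unscoped (the helper falls back to `Group.all`), and nothing in this handler ties the parent's organization to the organization the new group will land in, so that consistency rests entirely on the create service, which is outside the hunk. If a subgroup is meant to always inherit its parent's organization, deriving it here — `organization ||= parent_group.organization if parent_group` — before the params reach the service makes the rule explicit; if the service already enforces it, a comment saying so saves the next reader the same question. Note also that `authorize! :create_group, organization` runs before the parent lookup, so a user who can read but not create in the organization gets a 403 that confirms the organization exists — presumably acceptable, since `find_organization!` already required `read_organization`. The `post` block continues past the `else` outside this hunk.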
@@ -211,18 +211,25 @@ module API not_found!('Pipeline') end + def find_organization!(id) + organization = Organizations::Organization.find_by_id(id) + check_organization_access(organization) + end + # rubocop: disable CodeReuse/ActiveRecord - def find_group(id) + def find_group(id, organization = nil) + collection = organization.present? ? Group.in_organization(organization) : Group.all + if id.to_s =~ INTEGER_ID_REGEX - Group.find_by(id: id) + collection.find_by(id: id) else - Group.find_by_full_path(id) + collection.find_by_full_path(id) end end # rubocop: enable CodeReuse/ActiveRecord - def find_group!(id) - group = find_group(id) + def find_group!(id, organization = nil) + group = find_group(id, organization) check_group_access(group) end @@ -835,6 +842,12 @@ module API @sudo_identifier ||= params[SUDO_PARAM] || env[SUDO_HEADER] end + def check_organization_access(organization) + return organization if can?(current_user, :read_organization, organization) + + not_found!('Organization') + end + def secret_token Gitlab::Shell.secret_token end diff --git a/lib/gitlab/ci/parsers/sbom/cyclonedx.rb b/lib/gitlab/ci/parsers/sbom/cyclonedx.rb index 79c1c14dc4e..62cd322e141 100644 --- a/lib/gitlab/ci/parsers/sbom/cyclonedx.rb +++ b/lib/gitlab/ci/parsers/sbom/cyclonedx.rb @@ -58,6 +58,7 @@ module Gitlab def parse_components data['components']&.each_with_index do |component_data, index| + properties = component_data['properties'] component = ::Gitlab::Ci::Reports::Sbom::Component.new( type: component_data['type'], name: component_data['name'], @@ -65,6 +66,7 @@ module Gitlab version: component_data['version'] ) + component.properties = CyclonedxProperties.parse_trivy_source(properties) if properties report.add_component(component) if component.ingestible? rescue ::Sbom::PackageUrl::InvalidPackageUrl report.add_error("/components/#{index}/purl is invalid") 
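Review bot: `collection.find_by_full_path(id)` in the new `find_group` depends on `find_by_full_path` honouring the `Group.in_organization(organization)` relation it is invoked on; that method is defined outside this hunk, and if it resolves the path through `Route` rather than through the receiver's scope, a full-path lookup would escape the organization filter that the integer branch enforces via `collection.find_by(id: id)`. A spec that passes the full path of a group in another organization and expects `nil` would pin this down, together with a comment such as `# Both branches must stay scoped to collection so a path lookup cannot cross organizations.`. If the scope turns out not to be honoured, resolve first and then confirm membership, e.g. `group = Group.find_by_full_path(id)` followed by `group if group && collection.exists?(id: group.id)`.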
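Review bot: `check_organization_access` answers `not_found!` for an organization the user cannot read, mirroring the `not_found!('Pipeline')` style of the surrounding helpers, but nothing records that the 404 is deliberate; a comment such as `# 404 rather than 403 so callers cannot probe which organization ids exist.` would keep a later change from "correcting" it to `forbidden!` (the enumeration rationale is inferred from the pattern, not stated in the hunk). The helper also returns the organization on success, which `find_organization!` relies on as its return value; a one-line `# Returns the organization when readable.` makes that contract visible to other callers.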
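Review bot: `component_data['properties']` is read straight from the uploaded SBOM and handed to `CyclonedxProperties.parse_trivy_source` for every component, whatever prefix its properties carry, so the method name overstates what this call does and a plain `parse_source` would read more honestly. Unless the schema validation that runs earlier in this class (outside the hunk) guarantees `properties` is an array of name/value hashes, a scalar or a bare hash here reaches the property parser unchecked; either a comment stating that the validator rejects such input, or guarding with `if properties.is_a?(Array)`, would close the question. Since the same commit adds a `properties:` keyword to `Component.new`, the parsed value could also be passed at construction instead of assigned afterwards. `parse_components` ends outside this hunk.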
diff --git a/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb b/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb index 35548358c57..7069e784934 100644 --- a/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb +++ b/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb @@ -5,7 +5,7 @@ module Gitlab module Parsers module Sbom # Parses GitLab CycloneDX metadata properties which are defined by the taxonomy at - # https://gitlab.com/gitlab-org/security-products/gitlab-cyclonedx-property-taxonomy + # https://docs.gitlab.com/ee/development/sec/cyclonedx_property_taxonomy.html # # This parser knows how to process schema version 1 and will not attempt to parse # later versions. Each source type has it's own namespace in the property schema, @@ -14,10 +14,13 @@ module Gitlab class CyclonedxProperties SUPPORTED_SCHEMA_VERSION = '1' GITLAB_PREFIX = 'gitlab:' + AQUASECURITY_PREFIX = 'aquasecurity:' SOURCE_PARSERS = { 'dependency_scanning' => ::Gitlab::Ci::Parsers::Sbom::Source::DependencyScanning, - 'container_scanning' => ::Gitlab::Ci::Parsers::Sbom::Source::ContainerScanning + 'container_scanning' => ::Gitlab::Ci::Parsers::Sbom::Source::ContainerScanning, + 'trivy' => ::Gitlab::Ci::Parsers::Sbom::Source::Trivy }.freeze + SUPPORTED_PROPERTIES = %w[ meta:schema_version dependency_scanning:category @@ -29,12 +32,26 @@ module Gitlab container_scanning:image:tag container_scanning:operating_system:name container_scanning:operating_system:version + trivy:PkgID + trivy:PkgType + trivy:SrcName + trivy:SrcVersion + trivy:SrcRelease + trivy:SrcEpoch + trivy:Modularitylabel + trivy:FilePath + trivy:LayerDigest + trivy:LayerDiffID ].freeze def self.parse_source(...) new(...).parse_source end + def self.parse_trivy_source(...) + new(...).parse_trivy_source + end + def initialize(properties) @properties = properties end @@ -46,6 +63,12 @@ module Gitlab source end + def parse_trivy_source + return unless properties.present? + + source + end + private attr_reader :properties 
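Review bot: `parse_trivy_source` duplicates the body of `parse_source` immediately above it (`return unless properties.present?` then `source`), so the new public entry point adds a second name without new behaviour and the two can drift apart; making `parse_trivy_source` delegate to `parse_source`, or dropping it and calling `parse_source` from the CycloneDX parser, avoids that. Separately, the class comment still says the parser "knows how to process schema version 1", keyed on `meta:schema_version`, and Trivy's `aquasecurity:trivy:*` properties carry no such version; if `source` (defined outside these hunks) gates on that version, Trivy components would never yield a source, and if it does not, the comment should say the version check applies only to the `gitlab:` namespace.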
@@ -61,11 +84,15 @@ module Gitlab # The specification permits the name or value to be absent. return unless name.present? && value.present? - return unless name.start_with?(GITLAB_PREFIX) - namespaced_name = name.delete_prefix(GITLAB_PREFIX) + namespaced_name = + if name.start_with?(GITLAB_PREFIX) + name.delete_prefix(GITLAB_PREFIX) + elsif name.start_with?(AQUASECURITY_PREFIX) + name.delete_prefix(AQUASECURITY_PREFIX) + end - return unless SUPPORTED_PROPERTIES.include?(namespaced_name) + return unless namespaced_name && SUPPORTED_PROPERTIES.include?(namespaced_name) parse_name_value_pair(namespaced_name, value, data) end diff --git a/lib/gitlab/ci/parsers/sbom/source/trivy.rb b/lib/gitlab/ci/parsers/sbom/source/trivy.rb new file mode 100644 index 00000000000..0218b19e931 --- /dev/null +++ b/lib/gitlab/ci/parsers/sbom/source/trivy.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +module Gitlab + module Ci + module Parsers + module Sbom + module Source + class Trivy < BaseSource + private + + def type + :trivy + end + end + end + end + end + end +end diff --git a/lib/gitlab/ci/reports/sbom/component.rb b/lib/gitlab/ci/reports/sbom/component.rb index 59816e75b2c..1a3f689c1d7 100644 --- a/lib/gitlab/ci/reports/sbom/component.rb +++ b/lib/gitlab/ci/reports/sbom/component.rb @@ -8,12 +8,14 @@ module Gitlab include Gitlab::Utils::StrongMemoize attr_reader :component_type, :version, :path + attr_accessor :properties - def initialize(type:, name:, purl:, version:) + def initialize(type:, name:, purl:, version:, properties: nil) @component_type = type @name = name @raw_purl = purl @version = version + @properties = properties end def <=>(other) diff --git a/lib/gitlab/database/migrations/batched_background_migration_helpers.rb b/lib/gitlab/database/migrations/batched_background_migration_helpers.rb index 39706582e3c..5599c65b84e 100644 --- a/lib/gitlab/database/migrations/batched_background_migration_helpers.rb 
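Review bot: Stripping either prefix and checking the remainder against the single `SUPPORTED_PROPERTIES` list decouples the vendor prefix from the namespace it is meant to own, so `aquasecurity:container_scanning:image:name` is accepted as GitLab container-scanning metadata and `gitlab:trivy:PkgID` as Trivy metadata; because property names come from a CI-produced SBOM, any tool can thereby populate a namespace the taxonomy does not assign to it. Binding `aquasecurity:` to the `trivy:` namespace and `gitlab:` to everything else keeps each producer's data where the taxonomy puts it, at the cost of two short guards. The enclosing method begins before this hunk.
```ruby
      # Bind each vendor prefix to its own namespace: Trivy metadata is only
      # accepted under `aquasecurity:`, GitLab's taxonomy only under `gitlab:`.
      namespaced_name =
        if name.start_with?(GITLAB_PREFIX)
          name.delete_prefix(GITLAB_PREFIX).then { |n| n unless n.start_with?('trivy:') }
        elsif name.start_with?(AQUASECURITY_PREFIX)
          name.delete_prefix(AQUASECURITY_PREFIX).then { |n| n if n.start_with?('trivy:') }
        end

      return unless namespaced_name && SUPPORTED_PROPERTIES.include?(namespaced_name)
      # … unchanged: parse_name_value_pair(namespaced_name, value, data) …
```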
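Review bot: `attr_accessor :properties` opens a public writer on a class whose other attributes are read-only (`attr_reader :component_type, :version, :path`), and the same hunk already adds `properties:` to the constructor, so the writer exists only because the CycloneDX parser builds the component before parsing its properties. Passing the parsed value into `Component.new(..., properties: ...)` and keeping `attr_reader :properties` would leave report objects immutable after construction, as the rest of the class suggests they are meant to be. If `<=>` (whose body lies outside the hunk) intentionally ignores `properties`, a comment on the new attribute saying so would help, since two components differing only in Trivy metadata would then compare equal.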
+++ b/lib/gitlab/database/migrations/batched_background_migration_helpers.rb @@ -199,7 +199,7 @@ module Gitlab Gitlab::Database::BackgroundMigration::BatchedMigration.reset_column_information migration = Gitlab::Database::BackgroundMigration::BatchedMigration.find_for_configuration( - Gitlab::Database.gitlab_schemas_for_connection(connection), + gitlab_schema_from_context, job_class_name, table_name, column_name, job_arguments ) |
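Review bot: The first argument to `find_for_configuration` switches from the schemas derived from `connection` to `gitlab_schema_from_context`, and nothing in the hunk explains why the migration's declared context, rather than the connection it runs on, is now authoritative; the enclosing method starts outside the hunk, so whether `connection` is still used elsewhere in it cannot be seen here. A one-line why-comment on the call, e.g. `# Look the migration up by the schema this migration declares, not by whatever schemas the connection serves.`, plus a check that `find_for_configuration` accepts what `gitlab_schema_from_context` returns (the old call passed the result of `gitlab_schemas_for_connection`, which may differ in shape), would make the change reviewable on its own.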