authorGitLab Bot <gitlab-bot@gitlab.com>2023-12-21 03:13:46 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-12-21 03:13:46 +0300
commit4aa6fba6d825b88d23ff37668e78c851bec102b0 (patch)
tree2588fec6fc68f27fbfc23e89daf9b9af34d5466b /lib
parentfaf60c19a9a1a29ce07d1b51ea3a69466e7129f3 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
-rw-r--r--lib/api/entities/group.rb1
-rw-r--r--lib/api/groups.rb6
-rw-r--r--lib/api/helpers.rb23
-rw-r--r--lib/gitlab/ci/parsers/sbom/cyclonedx.rb2
-rw-r--r--lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb37
-rw-r--r--lib/gitlab/ci/parsers/sbom/source/trivy.rb19
-rw-r--r--lib/gitlab/ci/reports/sbom/component.rb4
-rw-r--r--lib/gitlab/database/migrations/batched_background_migration_helpers.rb2
8 files changed, 81 insertions, 13 deletions
diff --git a/lib/api/entities/group.rb b/lib/api/entities/group.rb
index 1a1765c2e0a..14491c2396a 100644
--- a/lib/api/entities/group.rb
+++ b/lib/api/entities/group.rb
@@ -23,6 +23,7 @@ module API
expose :full_name, :full_path
expose :created_at
expose :parent_id
+ expose :organization_id
expose :shared_runners_setting
expose :custom_attributes, using: 'API::Entities::CustomAttribute', if: :with_custom_attributes
diff --git a/lib/api/groups.rb b/lib/api/groups.rb
index 1ff64cd2ffd..bc93a91b277 100644
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -213,11 +213,15 @@ module API
requires :name, type: String, desc: 'The name of the group'
requires :path, type: String, desc: 'The path of the group'
optional :parent_id, type: Integer, desc: 'The parent group id for creating nested group'
+ optional :organization_id, type: Integer, desc: 'The organization id for the group'
use :optional_params
end
post feature_category: :groups_and_projects, urgency: :low do
- parent_group = find_group!(params[:parent_id]) if params[:parent_id].present?
+ organization = find_organization!(params[:organization_id]) if params[:organization_id].present?
+ authorize! :create_group, organization if organization
+
+ parent_group = find_group!(params[:parent_id], organization) if params[:parent_id].present?
if parent_group
authorize! :create_subgroup, parent_group
else
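Review bot: The `parent_group = find_group!(params[:parent_id], organization)` line only scopes the parent lookup to an organization when `organization_id` was supplied; when the parameter is omitted `organization` is nil, the lookup falls back to the previous unscoped behaviour, and the `authorize! :create_group, organization if organization` check on the line above is skipped entirely, so the pre-existing `create_subgroup`/`else`-branch checks remain the only permission gate for that path. If that asymmetry is intended for backward compatibility, a comment above the `organization =` line such as `# organization_id is optional: without it the parent lookup is unscoped and only the existing group checks apply` would make it explicit. How the new group's organization is chosen when no organization_id is given is decided in the `else` branch and the service call, which lie outside the hunk, as does the rest of the `post` block.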
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 6cb9d19a2ad..3489a4b21b3 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -211,18 +211,25 @@ module API
not_found!('Pipeline')
end
+ def find_organization!(id)
+ organization = Organizations::Organization.find_by_id(id)
+ check_organization_access(organization)
+ end
+
# rubocop: disable CodeReuse/ActiveRecord
- def find_group(id)
+ def find_group(id, organization = nil)
+ collection = organization.present? ? Group.in_organization(organization) : Group.all
+
if id.to_s =~ INTEGER_ID_REGEX
- Group.find_by(id: id)
+ collection.find_by(id: id)
else
- Group.find_by_full_path(id)
+ collection.find_by_full_path(id)
end
end
# rubocop: enable CodeReuse/ActiveRecord
- def find_group!(id)
- group = find_group(id)
+ def find_group!(id, organization = nil)
+ group = find_group(id, organization)
check_group_access(group)
end
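Review bot: The new optional `organization` argument on `find_group` and `find_group!` is undocumented, and the `collection = organization.present? ? Group.in_organization(organization) : Group.all` line means a caller that passes nil silently gets the unscoped lookup rather than an error, so the scoping is opt-in rather than enforced. A comment above `def find_group(id, organization = nil)` such as `# When organization is given the lookup is restricted to groups in that organization; nil keeps the unscoped behaviour` would record that contract for the other callers of these helpers. `find_organization!` also hands whatever `Organizations::Organization.find_by_id(id)` returns — nil when no row matches — straight to `check_organization_access`, which is defined in a later hunk of this file.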
@@ -835,6 +842,12 @@ module API
@sudo_identifier ||= params[SUDO_PARAM] || env[SUDO_HEADER]
end
+ def check_organization_access(organization)
+ return organization if can?(current_user, :read_organization, organization)
+
+ not_found!('Organization')
+ end
+
def secret_token
Gitlab::Shell.secret_token
end
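Review bot: `check_organization_access` receives nil whenever `find_organization!` (earlier hunk in this file) finds no row, so the `return organization if can?(current_user, :read_organization, organization)` line relies on `can?` returning false for a nil subject to produce the 404; that presumably holds for the policy framework, but an explicit first line, `not_found!('Organization') unless organization`, keeps the intent readable without depending on it. Answering both the missing and the unauthorized case with the same `not_found!('Organization')` is the right choice, since it does not reveal whether an organization id exists.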
diff --git a/lib/gitlab/ci/parsers/sbom/cyclonedx.rb b/lib/gitlab/ci/parsers/sbom/cyclonedx.rb
index 79c1c14dc4e..62cd322e141 100644
--- a/lib/gitlab/ci/parsers/sbom/cyclonedx.rb
+++ b/lib/gitlab/ci/parsers/sbom/cyclonedx.rb
@@ -58,6 +58,7 @@ module Gitlab
def parse_components
data['components']&.each_with_index do |component_data, index|
+ properties = component_data['properties']
component = ::Gitlab::Ci::Reports::Sbom::Component.new(
type: component_data['type'],
name: component_data['name'],
@@ -65,6 +66,7 @@ module Gitlab
version: component_data['version']
)
+ component.properties = CyclonedxProperties.parse_trivy_source(properties) if properties
report.add_component(component) if component.ingestible?
rescue ::Sbom::PackageUrl::InvalidPackageUrl
report.add_error("/components/#{index}/purl is invalid")
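Review bot: `component.properties = CyclonedxProperties.parse_trivy_source(properties) if properties` sets the attribute after construction even though the same commit adds a `properties:` keyword to `Component#initialize` (the lib/gitlab/ci/reports/sbom/component.rb hunk); passing `properties: properties && CyclonedxProperties.parse_trivy_source(properties)` in the `Component.new(...)` call instead would let that hunk's `attr_accessor :properties` become an `attr_reader`, keeping the component immutable after creation like its other attributes. The `if properties` guard also duplicates the `return unless properties.present?` check inside `parse_trivy_source`. The only `rescue` visible in this loop covers `::Sbom::PackageUrl::InvalidPackageUrl`, so a `properties` entry of an unexpected shape that the property parser does not tolerate would abort the whole report instead of being recorded as a per-component error; whether schema validation upstream already rules that out is not visible here, and `parse_components` continues past the end of the hunk.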
diff --git a/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb b/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb
index 35548358c57..7069e784934 100644
--- a/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb
+++ b/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb
@@ -5,7 +5,7 @@ module Gitlab
module Parsers
module Sbom
# Parses GitLab CycloneDX metadata properties which are defined by the taxonomy at
- # https://gitlab.com/gitlab-org/security-products/gitlab-cyclonedx-property-taxonomy
+ # https://docs.gitlab.com/ee/development/sec/cyclonedx_property_taxonomy.html
#
# This parser knows how to process schema version 1 and will not attempt to parse
# later versions. Each source type has it's own namespace in the property schema,
@@ -14,10 +14,13 @@ module Gitlab
class CyclonedxProperties
SUPPORTED_SCHEMA_VERSION = '1'
GITLAB_PREFIX = 'gitlab:'
+ AQUASECURITY_PREFIX = 'aquasecurity:'
SOURCE_PARSERS = {
'dependency_scanning' => ::Gitlab::Ci::Parsers::Sbom::Source::DependencyScanning,
- 'container_scanning' => ::Gitlab::Ci::Parsers::Sbom::Source::ContainerScanning
+ 'container_scanning' => ::Gitlab::Ci::Parsers::Sbom::Source::ContainerScanning,
+ 'trivy' => ::Gitlab::Ci::Parsers::Sbom::Source::Trivy
}.freeze
+
SUPPORTED_PROPERTIES = %w[
meta:schema_version
dependency_scanning:category
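Review bot: With `AQUASECURITY_PREFIX = 'aquasecurity:'` and the `'trivy' => ::Gitlab::Ci::Parsers::Sbom::Source::Trivy` entry added here, the class now accepts properties outside the GitLab taxonomy, but the class comment in the previous hunk still says it parses GitLab CycloneDX metadata properties defined by that taxonomy. Suggest extending that comment with a sentence such as `# Properties in the aquasecurity: namespace emitted by Trivy are also accepted and mapped to the trivy source.` so both namespaces and their different origins are documented in one place.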
@@ -29,12 +32,26 @@ module Gitlab
container_scanning:image:tag
container_scanning:operating_system:name
container_scanning:operating_system:version
+ trivy:PkgID
+ trivy:PkgType
+ trivy:SrcName
+ trivy:SrcVersion
+ trivy:SrcRelease
+ trivy:SrcEpoch
+ trivy:Modularitylabel
+ trivy:FilePath
+ trivy:LayerDigest
+ trivy:LayerDiffID
].freeze
def self.parse_source(...)
new(...).parse_source
end
+ def self.parse_trivy_source(...)
+ new(...).parse_trivy_source
+ end
+
def initialize(properties)
@properties = properties
end
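Review bot: The `trivy:` entries added to SUPPORTED_PROPERTIES (`trivy:PkgID` through `trivy:LayerDiffID`) use the upstream CamelCase names while every existing entry is snake_case; this is presumably deliberate so that the names match what Trivy emits verbatim after the `aquasecurity:` prefix is stripped, but a reader will wonder, so a one-line comment above the first `trivy:` entry, `# Names are kept exactly as Trivy emits them under the aquasecurity: namespace`, is worth adding. `parse_trivy_source` on the class mirrors `parse_source` and needs no separate comment.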
@@ -46,6 +63,12 @@ module Gitlab
source
end
+ def parse_trivy_source
+ return unless properties.present?
+
+ source
+ end
+
private
attr_reader :properties
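Review bot: `parse_trivy_source` returns `source` directly after the `return unless properties.present?` guard, whereas the existing `parse_source` whose tail is visible above it appears from its context to reach `source` only after other checks — the body of `parse_source` and of `source` lie outside the hunk, so which checks are skipped (the schema-version gate in particular) is inferred rather than visible. If Trivy properties carry no `meta:schema_version` and bypassing that gate is intentional, a comment above the method such as `# Trivy properties carry no gitlab:meta:schema_version, so the schema-version gate of parse_source does not apply` would document the decision; it would also be worth stating whether `gitlab:`-prefixed properties on the same component are meant to be picked up by this path, since the prefix handling later in the file accepts both namespaces.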
@@ -61,11 +84,15 @@ module Gitlab
# The specification permits the name or value to be absent.
return unless name.present? && value.present?
- return unless name.start_with?(GITLAB_PREFIX)
- namespaced_name = name.delete_prefix(GITLAB_PREFIX)
+ namespaced_name =
+ if name.start_with?(GITLAB_PREFIX)
+ name.delete_prefix(GITLAB_PREFIX)
+ elsif name.start_with?(AQUASECURITY_PREFIX)
+ name.delete_prefix(AQUASECURITY_PREFIX)
+ end
- return unless SUPPORTED_PROPERTIES.include?(namespaced_name)
+ return unless namespaced_name && SUPPORTED_PROPERTIES.include?(namespaced_name)
parse_name_value_pair(namespaced_name, value, data)
end
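Review bot: After the `namespaced_name =` assignment both prefixes feed the single SUPPORTED_PROPERTIES allowlist, so a property named `gitlab:trivy:PkgID` or `aquasecurity:container_scanning:image:name` passes the `return unless namespaced_name && SUPPORTED_PROPERTIES.include?(namespaced_name)` check even though neither belongs to the namespace it was sent under, which lets a crafted report label metadata with a source it did not come from. Binding each prefix to its own property set keeps the parser strict: in the aquasecurity branch use `name.delete_prefix(AQUASECURITY_PREFIX).then { |n| n if n.start_with?('trivy:') }` and in the gitlab branch `name.delete_prefix(GITLAB_PREFIX).then { |n| n unless n.start_with?('trivy:') }`, which the existing nil check on the `return unless` line already handles. What `parse_name_value_pair` does with a mislabelled pair, and the name of the enclosing method, are outside the hunk.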
diff --git a/lib/gitlab/ci/parsers/sbom/source/trivy.rb b/lib/gitlab/ci/parsers/sbom/source/trivy.rb
new file mode 100644
index 00000000000..0218b19e931
--- /dev/null
+++ b/lib/gitlab/ci/parsers/sbom/source/trivy.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Ci
+ module Parsers
+ module Sbom
+ module Source
+ class Trivy < BaseSource
+ private
+
+ def type
+ :trivy
+ end
+ end
+ end
+ end
+ end
+ end
+end
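Review bot: The new `Trivy` source class carries no comment explaining its role; since it is a `BaseSource` subclass whose only override is the private `type` returning `:trivy`, a one-line class comment such as `# Source for component properties emitted by Trivy under the aquasecurity: namespace` would tie it to the `'trivy'` entry in `CyclonedxProperties::SOURCE_PARSERS` and the `AQUASECURITY_PREFIX` handling added in the same commit. What `BaseSource` does with `type` is not visible here.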
diff --git a/lib/gitlab/ci/reports/sbom/component.rb b/lib/gitlab/ci/reports/sbom/component.rb
index 59816e75b2c..1a3f689c1d7 100644
--- a/lib/gitlab/ci/reports/sbom/component.rb
+++ b/lib/gitlab/ci/reports/sbom/component.rb
@@ -8,12 +8,14 @@ module Gitlab
include Gitlab::Utils::StrongMemoize
attr_reader :component_type, :version, :path
+ attr_accessor :properties
- def initialize(type:, name:, purl:, version:)
+ def initialize(type:, name:, purl:, version:, properties: nil)
@component_type = type
@name = name
@raw_purl = purl
@version = version
+ @properties = properties
end
def <=>(other)
diff --git a/lib/gitlab/database/migrations/batched_background_migration_helpers.rb b/lib/gitlab/database/migrations/batched_background_migration_helpers.rb
index 39706582e3c..5599c65b84e 100644
--- a/lib/gitlab/database/migrations/batched_background_migration_helpers.rb
+++ b/lib/gitlab/database/migrations/batched_background_migration_helpers.rb
@@ -199,7 +199,7 @@ module Gitlab
Gitlab::Database::BackgroundMigration::BatchedMigration.reset_column_information
migration = Gitlab::Database::BackgroundMigration::BatchedMigration.find_for_configuration(
- Gitlab::Database.gitlab_schemas_for_connection(connection),
+ gitlab_schema_from_context,
job_class_name, table_name, column_name, job_arguments
)
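Review bot: The first argument to `find_for_configuration` changes from `Gitlab::Database.gitlab_schemas_for_connection(connection)`, which by its name yields a collection of schemas, to `gitlab_schema_from_context`, which by its name yields a single schema; whether `find_for_configuration` accepts both shapes, and what `gitlab_schema_from_context` returns when the migration context sets no schema, is not visible in this hunk (the enclosing method starts and ends outside it). A short comment on the new line naming that assumption, e.g. `# single schema resolved from the migration's context`, would help the next reader, and it is worth confirming that every caller of this helper runs inside a context that sets the schema.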