-rw-r--r--.gitlab/ci/rails.gitlab-ci.yml37
-rw-r--r--changelogs/unreleased/sanddown.yml5
-rw-r--r--doc/development/architecture.md4
-rw-r--r--doc/development/integrations/secure.md2
-rw-r--r--doc/development/integrations/secure_partner_integration.md2
-rw-r--r--doc/development/testing_guide/end_to_end/best_practices.md6
-rw-r--r--doc/development/testing_guide/end_to_end/dynamic_element_validation.md6
-rw-r--r--doc/development/testing_guide/end_to_end/page_objects.md2
-rw-r--r--doc/development/testing_guide/end_to_end/style_guide.md2
-rw-r--r--doc/install/installation.md4
-rw-r--r--doc/update/upgrading_from_ce_to_ee.md4
-rw-r--r--doc/update/upgrading_from_source.md156
-rw-r--r--doc/user/application_security/api_fuzzing/index.md2
-rw-r--r--doc/user/application_security/container_scanning/index.md4
-rw-r--r--doc/user/application_security/coverage_fuzzing/index.md2
-rw-r--r--doc/user/application_security/dast/index.md2
-rw-r--r--doc/user/application_security/dependency_scanning/index.md4
-rw-r--r--doc/user/application_security/img/create_mr_from_vulnerability_v13_4.pngbin33743 -> 49215 bytes
-rw-r--r--doc/user/application_security/img/vulnerability_page_merge_request_button_v13_1.pngbin15394 -> 0 bytes
-rw-r--r--doc/user/application_security/img/vulnerability_related_issues_add_button_v13_2.pngbin33345 -> 0 bytes
-rw-r--r--doc/user/application_security/img/vulnerability_related_issues_remove_v13_2.gifbin35842 -> 0 bytes
-rw-r--r--doc/user/application_security/index.md171
-rw-r--r--doc/user/application_security/offline_deployments/index.md4
-rw-r--r--doc/user/application_security/sast/index.md2
-rw-r--r--doc/user/application_security/security_dashboard/index.md2
-rw-r--r--doc/user/application_security/vulnerabilities/index.md2
26 files changed, 201 insertions, 224 deletions
diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index 3e29e8fea38..e1ddefca99e 100644
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -6,12 +6,17 @@
- .default-before_script
- .rails-cache
-.base-script: &base-script
- # Only install knapsack after bundle install! Otherwise oddly some native
- # gems could not be found under some circumstance. No idea why, hours wasted.
- - run_timed_command "gem install knapsack --no-document"
- - run_timed_command "scripts/gitaly-test-spawn"
- - source ./scripts/rspec_helpers.sh
+.minimal-bundle-install:
+ script:
+ - run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
+
+.base-script:
+ script:
+ # Only install knapsack after bundle install! Otherwise oddly some native
+ # gems could not be found under some circumstance. No idea why, hours wasted.
+ - run_timed_command "gem install knapsack --no-document"
+ - run_timed_command "scripts/gitaly-test-spawn"
+ - source ./scripts/rspec_helpers.sh
.minimal-rspec-tests:
variables:
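Review bot: `gem install knapsack --no-document` in the new `.base-script` script carries no version constraint, so as far as this hunk shows every job that references the script installs whatever knapsack release RubyGems serves at job time, outside `Gemfile.lock`. Pinning it keeps the test jobs reproducible and limits exposure to a bad or hijacked release, for example `- run_timed_command "gem install knapsack --version <PINNED_VERSION> --no-document"`, or the gem could move into a Gemfile group so the lockfile covers it. The comment above the line explains the ordering after bundle install; it would help to extend it with why the gem is installed outside the bundle. The `.minimal-rspec-tests` job that starts at the end of the hunk continues outside it.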
@@ -27,7 +32,7 @@
RECORD_DEPRECATIONS: "true"
needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets", "detect-tests"]
script:
- - *base-script
+ - !reference [.base-script, script]
- rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag ~level:migration"
artifacts:
expire_in: 31d
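Review bot: Any `*base-script` alias left in this file after this change is an undefined alias and would fail YAML parsing for the whole pipeline, not just one job, because the first hunk removes the `&base-script` anchor. This hunk and the ones at `.rspec-base-migration`, `.rspec-ee-base-geo`, `rspec db-library-code pg12`, `gitlab:setup`, `rspec fail-fast` and `rspec foss-impact` convert seven uses, but the diff cannot show whether others remain in unchanged parts of the file, so a search for `*base-script` before merging is worth doing. A short comment on `.base-script`, such as `# Referenced with !reference [.base-script, script]; keep the script key`, would also warn later editors not to flatten it back into a bare list.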
@@ -49,7 +54,7 @@
.rspec-base-migration:
extends: .rails:rules:ee-and-foss-migration
script:
- - *base-script
+ - !reference [.base-script, script]
- rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag level:migration"
.rspec-base-pg11:
@@ -82,7 +87,7 @@
.rspec-ee-base-geo:
extends: .rspec-base
script:
- - *base-script
+ - !reference [.base-script, script]
- rspec_paralellized_job "--tag ~quarantine --tag geo"
.rspec-ee-base-geo-pg11:
@@ -213,7 +218,7 @@ update-coverage-cache:
- .shared:rules:update-cache
stage: prepare
script:
- - run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
+ - !reference [.minimal-bundle-install, script]
cache:
policy: push # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up.
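Review bot: The command this reference now pulls in (`.minimal-bundle-install`, defined in the first hunk and also used by `rspec:coverage` and `rspec:feature-flags`) still passes `--path=vendor` and `--without ...` to `bundle install`, flags that Bundler 2.x deprecates. The documentation changes in this same commit move to the `bundle config set` form, so the shared CI template is the natural place to do the same: `bundle config set path 'vendor'`, `bundle config set without '<same group list>'`, then `bundle install --jobs=$(nproc) --retry=3 --quiet`. Which Bundler version the CI image ships is not visible here, so confirm it supports `bundle config set` before switching.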
@@ -317,7 +322,7 @@ rspec db-library-code pg12:
- .rspec-base-pg12
- .rails:rules:ee-and-foss-db-library-code
script:
- - *base-script
+ - !reference [.base-script, script]
- rspec_db_library_code
rspec fast_spec_helper:
@@ -406,7 +411,7 @@ gitlab:setup:
# db/fixtures/development/04_project.rb thanks to SIZE=1 below
- git clone https://gitlab.com/gitlab-org/gitlab-test.git
/home/git/repositories/gitlab-org/gitlab-test.git
- - *base-script
+ - !reference [.base-script, script]
- force=yes SIZE=1 FIXTURE_PATH="db/fixtures/development" bundle exec rake gitlab:setup
artifacts:
when: on_failure
@@ -486,7 +491,7 @@ rspec:coverage:
- memory-static
- memory-on-boot
script:
- - run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
+ - !reference [.minimal-bundle-install, script]
- run_timed_command "bundle exec scripts/merge-simplecov"
- run_timed_command "bundle exec scripts/gather-test-memory-data"
coverage: '/LOC \((\d+\.\d+%)\) covered.$/'
@@ -523,7 +528,7 @@ rspec:feature-flags:
- memory-static
- memory-on-boot
script:
- - run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
+ - !reference [.minimal-bundle-install, script]
- if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then
run_timed_command "bundle exec scripts/used-feature-flags" || (scripts/slack master-broken "☠️ \`${CI_JOB_NAME}\` failed! ☠️ See ${CI_JOB_URL}" ci_failing "GitLab Bot" && exit 1);
else
@@ -763,7 +768,7 @@ rspec fail-fast:
stage: test
needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets", "detect-tests"]
script:
- - *base-script
+ - !reference [.base-script, script]
- rspec_fail_fast tmp/matching_tests.txt "--tag ~quarantine"
artifacts:
expire_in: 7d
@@ -776,7 +781,7 @@ rspec foss-impact:
- .rails:rules:rspec-foss-impact
needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets as-if-foss", "detect-tests as-if-foss"]
script:
- - *base-script
+ - !reference [.base-script, script]
- rspec_matched_foss_tests tmp/matching_foss_tests.txt "--tag ~quarantine"
artifacts:
expire_in: 7d
diff --git a/changelogs/unreleased/sanddown.yml b/changelogs/unreleased/sanddown.yml
new file mode 100644
index 00000000000..2350ec70633
--- /dev/null
+++ b/changelogs/unreleased/sanddown.yml
@@ -0,0 +1,5 @@
+---
+title: reconcile source installation and upgrade docs
+merge_request: 55170
+author: Jörg Behrmann @behrmann
+type: fixed
diff --git a/doc/development/architecture.md b/doc/development/architecture.md
index 7754d9f0b3c..5564d0722b0 100644
--- a/doc/development/architecture.md
+++ b/doc/development/architecture.md
@@ -322,7 +322,7 @@ Consul is a tool for service discovery and configuration. Consul is distributed,
- Configuration:
- [Omnibus](https://docs.gitlab.com/omnibus/settings/database.html#disabling-automatic-database-migration)
- [Charts](https://docs.gitlab.com/charts/charts/gitlab/migrations/)
- - [Source](../update/upgrading_from_source.md#14-install-libraries-migrations-etc)
+ - [Source](../update/upgrading_from_source.md#10-install-libraries-migrations-etc)
- Layer: Core Service (Data)
#### Elasticsearch
@@ -641,7 +641,7 @@ Redis is packaged to provide a place to store:
- [Project page](https://github.com/docker/distribution/blob/master/README.md)
- Configuration:
- - [Omnibus](../update/upgrading_from_source.md#14-install-libraries-migrations-etc)
+ - [Omnibus](../update/upgrading_from_source.md#10-install-libraries-migrations-etc)
- [Charts](https://docs.gitlab.com/charts/charts/registry/)
- [Source](../administration/packages/container_registry.md#enable-the-container-registry)
- [GDK](https://gitlab.com/gitlab-org/gitlab-development-kit/blob/master/doc/howto/registry.md)
diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md
index 9774526e3b5..fda75dad119 100644
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -548,7 +548,7 @@ of the available SAST Analyzers and what data is currently available.
The `remediations` field of the report is an array of remediation objects.
Each remediation describes a patch that can be applied to
-[automatically fix](../../user/application_security/#automatic-remediation-for-vulnerabilities)
+[automatically fix](../../user/application_security/#apply-an-automatic-remediation-for-a-vulnerability)
a set of vulnerabilities.
Here is an example of a report that contains remediations.
diff --git a/doc/development/integrations/secure_partner_integration.md b/doc/development/integrations/secure_partner_integration.md
index 9c7dc752e4f..17bce13583c 100644
--- a/doc/development/integrations/secure_partner_integration.md
+++ b/doc/development/integrations/secure_partner_integration.md
@@ -101,7 +101,7 @@ and complete an integration with the Secure stage.
- Users can interact with the findings from your artifact within their workflow. They can dismiss the findings or accept them and create a backlog issue.
- To automatically create issues without user interaction, use the [issue API](../../api/issues.md).
1. Optional: Provide auto-remediation steps:
- - If you specified `remediations` in your artifact, it is proposed through our [automatic remediation](../../user/application_security/index.md#automatic-remediation-for-vulnerabilities)
+ - If you specified `remediations` in your artifact, it is proposed through our [automatic remediation](../../user/application_security/index.md#apply-an-automatic-remediation-for-a-vulnerability)
interface.
1. Demo the integration to GitLab:
- After you have tested and are ready to demo your integration please
diff --git a/doc/development/testing_guide/end_to_end/best_practices.md b/doc/development/testing_guide/end_to_end/best_practices.md
index a5a2d2a1113..2b4212a0172 100644
--- a/doc/development/testing_guide/end_to_end/best_practices.md
+++ b/doc/development/testing_guide/end_to_end/best_practices.md
@@ -309,10 +309,10 @@ This action can also unintentionally click other elements, altering the test sta
# Clicking another element to blur an input
def add_issue_to_epic(issue_url)
find_element(:issue_actions_split_button).find('button', text: 'Add an issue').click
- fill_element :add_issue_input, issue_url
+ fill_element(:add_issue_input, issue_url)
# Clicking the title blurs the input
- click_element :title
- click_element :add_issue_button
+ click_element(:title)
+ click_element(:add_issue_button)
end
# Using native mouse click events in the case of a mask/overlay
diff --git a/doc/development/testing_guide/end_to_end/dynamic_element_validation.md b/doc/development/testing_guide/end_to_end/dynamic_element_validation.md
index 1e7f528f6ff..6c504e6fa28 100644
--- a/doc/development/testing_guide/end_to_end/dynamic_element_validation.md
+++ b/doc/development/testing_guide/end_to_end/dynamic_element_validation.md
@@ -39,7 +39,7 @@ appear on the webpage, or the test to navigate away from the page entirely.
Dynamic element validation is instituted when using
```ruby
-click_element :my_element, Some::Page
+click_element(:my_element, Some::Page)
```
### Required Elements
@@ -79,7 +79,7 @@ class MyPage < Page::Base
end
def open_layer
- click_element :my_element, Layer::MyLayer
+ click_element(:my_element, Layer::MyLayer)
end
end
@@ -109,7 +109,7 @@ Given the [source](#examples) ...
```ruby
def open_layer
- click_element :my_element, Layer::MyLayer
+ click_element(:my_element, Layer::MyLayer)
end
```
diff --git a/doc/development/testing_guide/end_to_end/page_objects.md b/doc/development/testing_guide/end_to_end/page_objects.md
index d9309f74e0e..b124ac430f6 100644
--- a/doc/development/testing_guide/end_to_end/page_objects.md
+++ b/doc/development/testing_guide/end_to_end/page_objects.md
@@ -201,7 +201,7 @@ We can select on that specific issue by matching on the Rails model.
```ruby
class Page::Project::Issues::Index < Page::Base
def has_issue?(issue)
- has_element? :issue, issue_title: issue
+ has_element?(:issue, issue_title: issue)
end
end
```
diff --git a/doc/development/testing_guide/end_to_end/style_guide.md b/doc/development/testing_guide/end_to_end/style_guide.md
index ac4d26df794..f9c13d5dd67 100644
--- a/doc/development/testing_guide/end_to_end/style_guide.md
+++ b/doc/development/testing_guide/end_to_end/style_guide.md
@@ -19,7 +19,7 @@ E.g.:
```ruby
def click_ci_cd_pipelines
within_sidebar do
- click_element :link_pipelines
+ click_element(:link_pipelines)
end
end
```
diff --git a/doc/install/installation.md b/doc/install/installation.md
index 1dcb0901770..8497b2b5269 100644
--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@@ -570,7 +570,9 @@ Install the gems (if you want to use Kerberos for user authentication, omit
`kerberos` in the `--without` option below):
```shell
-sudo -u git -H bundle install --deployment --without development test mysql aws kerberos
+sudo -u git -H bundle config set deployment 'true'
+sudo -u git -H bundle config set without 'development test mysql aws kerberos'
+sudo -u git -H bundle install
```
### Install GitLab Shell
diff --git a/doc/update/upgrading_from_ce_to_ee.md b/doc/update/upgrading_from_ce_to_ee.md
index 36f0078a4f7..71fd4efb16d 100644
--- a/doc/update/upgrading_from_ce_to_ee.md
+++ b/doc/update/upgrading_from_ce_to_ee.md
@@ -63,7 +63,9 @@ sudo -u git -H git checkout EE_BRANCH
```shell
cd /home/git/gitlab
-sudo -u git -H bundle install --deployment --without development test mysql aws kerberos
+sudo -u git -H bundle config set deployment 'true'
+sudo -u git -H bundle config set without 'development test mysql aws kerberos'
+sudo -u git -H bundle install
# Optional: clean up old gems
sudo -u git -H bundle clean
diff --git a/doc/update/upgrading_from_source.md b/doc/update/upgrading_from_source.md
index 2b141d87b1b..42acb7552e4 100644
--- a/doc/update/upgrading_from_source.md
+++ b/doc/update/upgrading_from_source.md
@@ -127,41 +127,30 @@ Git v2.28 is recommended.
To check you are running the minimum required Git version, see
[Git versions](../install/requirements.md#git-versions).
-In Debian or Ubuntu:
-
-```shell
-# Make sure Git is version 2.29.0 or higher
-git --version
+From GitLab 13.6, we recommend you use the [Git version provided by
+Gitaly](https://gitlab.com/gitlab-org/gitaly/-/issues/2729)
+that:
-# Remove packaged Git
-sudo apt-get remove git-core
+- Is always at the version required by GitLab.
+- May contain custom patches required for proper operation.
+```shell
# Install dependencies
-sudo apt-get install -y libcurl4-openssl-dev libexpat1-dev gettext libz-dev libssl-dev build-essential
-
-# Download and compile pcre2 from source
-curl --silent --show-error --location "https://ftp.pcre.org/pub/pcre/pcre2-10.33.tar.gz" --output pcre2.tar.gz
-tar -xzf pcre2.tar.gz
-cd pcre2-10.33
-chmod +x configure
-./configure --prefix=/usr --enable-jit
-make
-make install
-
-# Download and compile from source
-cd /tmp
-curl --remote-name --location --progress "https://www.kernel.org/pub/software/scm/git/git-2.29.0.tar.gz"
-echo 'fa08dc8424ef80c0f9bf307877f9e2e49f1a6049e873530d6747c2be770742ff git-2.29.0.tar.gz' | shasum -a256 -c - && tar -xzf git-2.29.0.tar.gz
-cd git-2.29.0/
-./configure --with-libpcre
-make prefix=/usr/local all
+sudo apt-get install -y libcurl4-openssl-dev libexpat1-dev gettext libz-dev libssl-dev libpcre2-dev build-essential
-# Install into /usr/local/bin
-sudo make prefix=/usr/local install
+# Clone the Gitaly repository
+git clone https://gitlab.com/gitlab-org/gitaly.git -b <X-Y-stable> /tmp/gitaly
-# You should edit config/gitlab.yml, change the git -> bin_path to /usr/local/bin/git
+# Compile and install Git
+cd /tmp/gitaly
+sudo make git GIT_PREFIX=/usr/local
```
+Replace `<X-Y-stable>` with the stable branch that matches the GitLab version you want to
+install. For example, if you want to install GitLab 13.6, use the branch name `13-6-stable`.
+
+Remember to set `git -> bin_path` to `/usr/local/bin/git` in `config/gitlab.yml`.
+
### 7. Update PostgreSQL
WARNING:
@@ -180,8 +169,7 @@ To upgrade PostgreSQL, refer to its [documentation](https://www.postgresql.org/d
cd /home/git/gitlab
sudo -u git -H git fetch --all --prune
-sudo -u git -H git checkout -- db/structure.sql # local changes will be restored automatically
-sudo -u git -H git checkout -- locale
+sudo -u git -H git checkout -- Gemfile.lock db/structure.sql locale
```
For GitLab Community Edition:
@@ -202,55 +190,7 @@ cd /home/git/gitlab
sudo -u git -H git checkout BRANCH-ee
```
-### 9. Update GitLab Shell
-
-```shell
-cd /home/git/gitlab-shell
-
-sudo -u git -H git fetch --all --tags --prune
-sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_SHELL_VERSION)
-sudo -u git -H make build
-```
-
-### 10. Update GitLab Workhorse
-
-Install and compile GitLab Workhorse.
-
-```shell
-cd /home/git/gitlab
-
-sudo -u git -H bundle exec rake "gitlab:workhorse:install[/home/git/gitlab-workhorse]" RAILS_ENV=production
-```
-
-### 11. Update Gitaly
-
-#### Compile Gitaly
-
-```shell
-cd /home/git/gitaly
-sudo -u git -H git fetch --all --tags --prune
-sudo -u git -H git checkout v$(</home/git/gitlab/GITALY_SERVER_VERSION)
-sudo -u git -H make
-```
-
-### 12. Update GitLab Pages
-
-#### Only needed if you use GitLab Pages
-
-Install and compile GitLab Pages. GitLab Pages uses
-[GNU Make](https://www.gnu.org/software/make/).
-If you are not using Linux you may have to run `gmake` instead of
-`make` below.
-
-```shell
-cd /home/git/gitlab-pages
-
-sudo -u git -H git fetch --all --tags --prune
-sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_PAGES_VERSION)
-sudo -u git -H make
-```
-
-### 13. Update configuration files
+### 9. Update configuration files
#### New configuration options for `gitlab.yml`
@@ -323,12 +263,17 @@ For Ubuntu 16.04.1 LTS:
sudo systemctl daemon-reload
```
-### 14. Install libraries, migrations, etc
+### 10. Install libraries, migrations, etc
```shell
cd /home/git/gitlab
-sudo -u git -H bundle install --deployment --without development test mysql aws kerberos
+# If you haven't done so during installation or a previous upgrade already
+sudo -u git -H bundle config set deployment 'true'
+sudo -u git -H bundle config set without 'development test mysql aws kerberos'
+
+# Update gems
+sudo -u git -H bundle install
# Optional: clean up old gems
sudo -u git -H bundle clean
@@ -337,7 +282,6 @@ sudo -u git -H bundle clean
sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production
# Compile GetText PO files
-
sudo -u git -H bundle exec rake gettext:compile RAILS_ENV=production
# Update node dependencies and recompile assets
@@ -347,6 +291,54 @@ sudo -u git -H bundle exec rake yarn:install gitlab:assets:clean gitlab:assets:c
sudo -u git -H bundle exec rake cache:clear RAILS_ENV=production
```
+### 11. Update GitLab Shell
+
+```shell
+cd /home/git/gitlab-shell
+
+sudo -u git -H git fetch --all --tags --prune
+sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_SHELL_VERSION)
+sudo -u git -H make build
+```
+
+### 12. Update GitLab Workhorse
+
+Install and compile GitLab Workhorse.
+
+```shell
+cd /home/git/gitlab
+
+sudo -u git -H bundle exec rake "gitlab:workhorse:install[/home/git/gitlab-workhorse]" RAILS_ENV=production
+```
+
+### 13. Update Gitaly
+
+#### Compile Gitaly
+
+```shell
+cd /home/git/gitaly
+sudo -u git -H git fetch --all --tags --prune
+sudo -u git -H git checkout v$(</home/git/gitlab/GITALY_SERVER_VERSION)
+sudo -u git -H make
+```
+
+### 14. Update GitLab Pages
+
+#### Only needed if you use GitLab Pages
+
+Install and compile GitLab Pages. GitLab Pages uses
+[GNU Make](https://www.gnu.org/software/make/).
+If you are not using Linux you may have to run `gmake` instead of
+`make` below.
+
+```shell
+cd /home/git/gitlab-pages
+
+sudo -u git -H git fetch --all --tags --prune
+sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_PAGES_VERSION)
+sudo -u git -H make
+```
+
### 15. Start application
```shell
diff --git a/doc/user/application_security/api_fuzzing/index.md b/doc/user/application_security/api_fuzzing/index.md
index a7415f289f4..f2b43e0abd9 100644
--- a/doc/user/application_security/api_fuzzing/index.md
+++ b/doc/user/application_security/api_fuzzing/index.md
@@ -944,7 +944,7 @@ pipelines. For more information, see the [Security Dashboard documentation](../s
Fuzzing faults show up as vulnerabilities with a severity of Unknown.
Once a fault is found, you can interact with it. Read more on how to
-[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
+[address the vulnerabilities](../index.md#addressing-vulnerabilities).
## Handling False Positives
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 98aea2f6642..909065d7907 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -455,7 +455,7 @@ For more information about the vulnerabilities database update, check the
## Interacting with the vulnerabilities
-After a vulnerability is found, you can [interact with it](../index.md#interacting-with-the-vulnerabilities).
+After a vulnerability is found, you can [address it](../index.md#addressing-vulnerabilities).
## Solutions for vulnerabilities (auto-remediation)
@@ -469,7 +469,7 @@ file, it's necessary to set [`GIT_STRATEGY: fetch`](../../../ci/runners/README.m
your `.gitlab-ci.yml` file by following the instructions described in this document's
[overriding the container scanning template](#overriding-the-container-scanning-template) section.
-Read more about the [solutions for vulnerabilities](../index.md#automatic-remediation-for-vulnerabilities).
+Read more about the [solutions for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability).
## Troubleshooting
diff --git a/doc/user/application_security/coverage_fuzzing/index.md b/doc/user/application_security/coverage_fuzzing/index.md
index 9e42b3e403a..94a7d5268b7 100644
--- a/doc/user/application_security/coverage_fuzzing/index.md
+++ b/doc/user/application_security/coverage_fuzzing/index.md
@@ -237,7 +237,7 @@ The `covfuzz-ci.yml` is the same as that in the [original synchronous example](h
## Interacting with the vulnerabilities
-After a vulnerability is found, you can [interact with it](../index.md#interacting-with-the-vulnerabilities).
+After a vulnerability is found, you can [address it](../index.md#addressing-vulnerabilities).
The merge request widget lists the vulnerability and contains a button for downloading the fuzzing
artifacts. By clicking one of the detected vulnerabilities, you can see its details.
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md
index dcd4d8002ec..209dd7ad251 100644
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -1170,7 +1170,7 @@ variables:
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
-[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
+[address the vulnerabilities](../index.md#addressing-vulnerabilities).
## Vulnerabilities database update
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index 53e65649a25..f87ea8edc7b 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -226,13 +226,13 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
-[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
+[address the vulnerabilities](../index.md#addressing-vulnerabilities).
## Solutions for vulnerabilities (auto-remediation)
Some vulnerabilities can be fixed by applying the solution that GitLab
automatically generates. Read more about the
-[solutions for vulnerabilities](../index.md#automatic-remediation-for-vulnerabilities).
+[solutions for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability).
## Security Dashboard
diff --git a/doc/user/application_security/img/create_mr_from_vulnerability_v13_4.png b/doc/user/application_security/img/create_mr_from_vulnerability_v13_4.png
index a914c2996f7..54ccfa24374 100644
--- a/doc/user/application_security/img/create_mr_from_vulnerability_v13_4.png
+++ b/doc/user/application_security/img/create_mr_from_vulnerability_v13_4.png
Binary files differ
diff --git a/doc/user/application_security/img/vulnerability_page_merge_request_button_v13_1.png b/doc/user/application_security/img/vulnerability_page_merge_request_button_v13_1.png
deleted file mode 100644
index a3034a7db04..00000000000
--- a/doc/user/application_security/img/vulnerability_page_merge_request_button_v13_1.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/application_security/img/vulnerability_related_issues_add_button_v13_2.png b/doc/user/application_security/img/vulnerability_related_issues_add_button_v13_2.png
deleted file mode 100644
index 10d9effb811..00000000000
--- a/doc/user/application_security/img/vulnerability_related_issues_add_button_v13_2.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/application_security/img/vulnerability_related_issues_remove_v13_2.gif b/doc/user/application_security/img/vulnerability_related_issues_remove_v13_2.gif
deleted file mode 100644
index 22acba5fe1e..00000000000
--- a/doc/user/application_security/img/vulnerability_related_issues_remove_v13_2.gif
+++ /dev/null
Binary files differ
diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index 4a23cd874be..b0457ec0690 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -5,17 +5,20 @@ info: To determine the technical writer assigned to the Stage/Group associated w
type: reference, howto
---
-# GitLab Secure **(ULTIMATE)**
+# Application security **(ULTIMATE)**
GitLab can check your application for security vulnerabilities that may lead to unauthorized access,
data leaks, denial of services, and more. GitLab reports vulnerabilities in the merge request so you
-can fix them before merging. The [Security Dashboard](security_dashboard/index.md) provides a
-high-level view of vulnerabilities detected in your projects, pipeline, and groups. The [Threat Monitoring](threat_monitoring/index.md)
-page provides runtime security metrics for application environments. With the information provided,
-you can immediately begin risk analysis and remediation.
+can fix them before you merge.
+
+- The [Security Dashboard](security_dashboard/index.md) provides a
+ high-level view of vulnerabilities detected in your projects, pipeline, and groups.
+- The [Threat Monitoring](threat_monitoring/index.md) page provides runtime security metrics
+ for application environments. With the information provided,
+ you can immediately begin risk analysis and remediation.
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
-For an overview of application security with GitLab, see
+For an overview of GitLab application security, see
[Security Deep Dive](https://www.youtube.com/watch?v=k4vEJnGYy84).
## Quick start
@@ -123,7 +126,7 @@ latest versions of the scanning tools without having to do anything. There are s
with this approach, however, and there is a
[plan to resolve them](https://gitlab.com/gitlab-org/gitlab/-/issues/9725).
-## Viewing security scan information in merge requests **(FREE)**
+## View security scan information in merge requests **(FREE)**
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4393) in GitLab Free 13.5.
> - Made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/273205) in 13.6.
@@ -136,25 +139,7 @@ reports are available to download. To download a report, click on the
![Security widget](img/security_widget_v13_7.png)
-## Interacting with the vulnerabilities
-
-> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.8.
-
-Each security vulnerability in the merge request report or the
-[Vulnerability Report](vulnerability_report/index.md) is actionable. Click an entry to view detailed
-information with several options:
-
-- [Dismiss vulnerability](#dismissing-a-vulnerability): Dismissing a vulnerability styles it in
- strikethrough.
-- [Create issue](vulnerabilities/index.md#create-a-gitlab-issue-for-a-vulnerability): Create a new issue with the title and
- description pre-populated with information from the vulnerability report. By default, such issues
- are [confidential](../project/issues/confidential_issues.md).
-- [Automatic Remediation](#automatic-remediation-for-vulnerabilities): For some vulnerabilities,
- a solution is provided for how to fix the vulnerability.
-
-![Interacting with security reports](img/interacting_with_vulnerability_v13_3.png)
-
-### View details of a DAST vulnerability
+## View details of a DAST vulnerability
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36332) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
@@ -165,11 +150,10 @@ investigate and rectify the underlying cause.
To view details of DAST vulnerabilities:
1. To see all vulnerabilities detected:
-
- In a project, go to the project's **{shield}** **Security & Compliance** page.
- Only in a merge request, go the merge request's **Security** tab.
-1. Click on the vulnerability's description. The following details are provided:
+1. Select the vulnerability's description. The following details are provided:
| Field | Description |
|:-----------------|:------------------------------------------------------------------ |
@@ -187,14 +171,14 @@ To view details of DAST vulnerabilities:
| Links | Links to further details of the detected vulnerability. |
| Solution | Details of a recommended solution to the vulnerability (optional). |
-#### Hide sensitive information in headers
+### Hide sensitive information in headers
HTTP request and response headers may contain sensitive information, including cookies and
authorization credentials. By default, content of specific headers are masked in DAST vulnerability
reports. You can specify the list of all headers to be masked. For details, see
[Hide sensitive information](dast/index.md#hide-sensitive-information).
-### View details of an API Fuzzing vulnerability
+## View details of an API Fuzzing vulnerability
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.7.
@@ -231,65 +215,79 @@ Follow these steps to view details of a fuzzing fault:
| Severity | Severity of the finding is always Unknown. |
| Scanner Type | Scanner used to perform testing. |
-### Dismissing a vulnerability
+## Addressing vulnerabilities
-To dismiss a vulnerability, you must set its status to Dismissed. This dismisses the vulnerability
-for the entire project. Follow these steps to do so:
+> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.8.
-1. Select the vulnerability in the Security Dashboard.
-1. Select **Dismissed** from the **Status** selector menu at the top-right.
+For each security vulnerability in a merge request or [Vulnerability Report](vulnerability_report/index.md),
+you can:
+
+- [Dismiss the vulnerability](#dismiss-a-vulnerability).
+- Create a [confidential](../project/issues/confidential_issues.md)
+ [issue](vulnerabilities/index.md#create-a-gitlab-issue-for-a-vulnerability).
+- Apply an [automatically remediation](#apply-an-automatic-remediation-for-a-vulnerability).
-You can undo this action by selecting a different status from the same menu.
+### Dismiss a vulnerability
-#### Adding a dismissal reason
+> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0, a dismissal reason.
-> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0.
+You can dismiss a vulnerability for the entire project.
-When dismissing a vulnerability, it's often helpful to provide a reason for doing so. Upon setting a
-vulnerability's status to Dismissed, a text box appears for you to add a comment with your
-dismissal. Once added, you can edit or delete it. This allows you to add and update context for a
-vulnerability as you learn more over time.
+1. Select the vulnerability in the Security Dashboard.
+1. In the top-right, from the **Status** selector menu, select **Dismissed**.
+1. Optional. Add a reason for the dismissal and select **Save comment**.
-![Dismissed vulnerability comment](img/adding_a_dismissal_reason_v13_4.png)
+To undo this action, select a different status from the same menu.
-#### Dismissing multiple vulnerabilities
+#### Dismiss multiple vulnerabilities
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
-You can dismiss multiple vulnerabilities at once, providing an optional reason.
-Selecting the checkboxes on the side of each vulnerability in the list selects that individual vulnerability.
-Alternatively, you can select all the vulnerabilities in the list by selecting the checkbox in the table header.
-Deselecting the checkbox in the header deselects all the vulnerabilities in the list.
-After you have selected some vulnerabilities, a menu appears at the top of the table that allows you to select a dismissal reason.
-Pressing the "Dismiss Selected" button dismisses all the selected vulnerabilities at once, with the reason you chose.
+You can dismiss multiple vulnerabilities at once.
-![Multiple vulnerability dismissal](img/multi_select_v12_9.png)
+1. In the list of vulnerabilities, select the checkbox for each vulnerability you want to dismiss.
+ To select all, select the checkbox in the table header.
+1. Above the table, select a dismissal reason.
+1. Select **Dismiss Selected**.
### Create an issue for a vulnerability
-You can create a GitLab issue, or a Jira issue (if it's enabled) for a vulnerability. For more
-details, see [Vulnerability Pages](vulnerabilities/index.md).
+You can create a GitLab or Jira issue for a vulnerability. For details, see [Vulnerability Pages](vulnerabilities/index.md).
+
+#### Link to an existing issue
+
+If you already have an open issue, you can link to it from the vulnerability.
+
+- The vulnerability page shows related issues, but the issue page doesn't show the vulnerability it's related to.
+- An issue can only be related to one vulnerability at a time.
+- Issues can be linked across groups and projects.
+
+To link to an existing issue:
+
+1. Open the vulnerability.
+1. In the **Related Issues** section, select the plus (**{plus}**) icon.
+1. In the text box that appears, type an issue number or paste an issue link.
+ - Type `#` followed by a number to show an autocomplete menu.
+ - You can enter multiple issues at once. Press the space bar after each issue number or link to converts them to tags.
+1. Select **Add**.
-### Automatic remediation for vulnerabilities
+To remove an issue, to the right of the issue number, select **{close}**.
+
+![Vulnerability related issues text box tags animation](img/vulnerability_related_issues_text_box_tags_v13_2.gif)
+
+### Apply an automatic remediation for a vulnerability
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5656) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.7.
Some vulnerabilities can be fixed by applying the solution that GitLab automatically generates.
-Although the feature name is Automatic Remediation, this feature is also commonly called
-Auto-Remediation, Auto Remediation, or Suggested Solutions. The following scanners are supported:
+The following scanners are supported:
-- [Dependency Scanning](dependency_scanning/index.md):
+- [Dependency Scanning](dependency_scanning/index.md).
Automatic Patch creation is only available for Node.js projects managed with
`yarn`.
-- [Container Scanning](container_scanning/index.md)
-
-When an automatic solution is available, the button in the header shows **Resolve with merge request**:
+- [Container Scanning](container_scanning/index.md).
-![Resolve with Merge Request button](img/vulnerability_page_merge_request_button_v13_1.png)
-
-Selecting the button creates a merge request with the solution.
-
-#### Manually applying the suggested patch
+#### Manually apply the suggested patch
To manually apply the patch that GitLab generated for a vulnerability:
@@ -301,49 +299,22 @@ To manually apply the patch that GitLab generated for a vulnerability:
1. Run `git apply remediation.patch`.
1. Verify and commit the changes to your branch.
-#### Creating a merge request from a vulnerability
+#### Create a merge request with the suggested patch
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9224) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.9.
-In certain cases, GitLab allows you to create a merge request that automatically remediates the
+In some cases, you can create a merge request that automatically remediates the
vulnerability. Any vulnerability that has a
-[solution](#automatic-remediation-for-vulnerabilities) can have a merge
+[solution](#apply-an-automatic-remediation-for-a-vulnerability) can have a merge
request created to automatically solve the issue.
-If this action is available, the vulnerability page or modal contains a **Create merge request** button.
-Click this button to create a merge request to apply the solution onto the source branch.
-
-![Create merge request from vulnerability](img/create_mr_from_vulnerability_v13_4.png)
-
-### Managing related issues for a vulnerability
-
-Issues can be linked to a vulnerability using the related issues block on the vulnerability page.
-The relationship is uni-directional. The vulnerability page shows related issues, but the issue page
-doesn't show the vulnerability it's related to. An issue can only be related to one vulnerability at
-a time. Issues can be linked across groups and projects.
-
-#### Adding a related issue
-
-You can link an issue by clicking the **{plus}** button in the **Related Issues** block.
-
-![Vulnerability related issues add button](img/vulnerability_related_issues_add_button_v13_2.png)
-
-A text box appears that lets you type an issue number or paste an issue link. You can enter multiple
-issues at once. Pressing the space bar after each issue number or link converts them to tags that
-you can remove by clicking the **{close}** icon to the tag's right. Typing `#` followed by a number
-shows an autocomplete menu. Click an issue in the menu to add it as a tag. When you're finished
-entering issues, click the **Add** button to link the issues to the vulnerability. Alternatively,
-click **Cancel** to exit without linking any issues.
-
-![Vulnerability related issues text box tags animation](img/vulnerability_related_issues_text_box_tags_v13_2.gif)
-
-### Removing a related issue
+If this action is available:
-Click the **{close}** icon to right of an issue to remove it as a related issue. Note that this only
-removes it as a related issue of the vulnerability; it doesn't modify or remove the issue itself.
-You can link it to the vulnerability again if desired.
+1. Select the **Resolve with merge request** dropdown, then select **Resolve with merge request**.
+
+ ![Create merge request from vulnerability](img/create_mr_from_vulnerability_v13_4.png)
-![Vulnerability related issues remove issue animation](img/vulnerability_related_issues_remove_v13_2.gif)
+A merge request is created. It that applies the solution to the source branch.
## Security approvals in merge requests
diff --git a/doc/user/application_security/offline_deployments/index.md b/doc/user/application_security/offline_deployments/index.md
index 9d16fb75410..7c013a2a9de 100644
--- a/doc/user/application_security/offline_deployments/index.md
+++ b/doc/user/application_security/offline_deployments/index.md
@@ -59,14 +59,14 @@ mirroring the packages inside your own offline network.
### Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
-[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
+[address the vulnerabilities](../index.md#addressing-vulnerabilities).
Please note that in some cases the reported vulnerabilities provide metadata that can contain
external links exposed in the UI. These links might not be accessible within an offline environment.
### Automatic remediation for vulnerabilities
-The [automatic remediation for vulnerabilities](../index.md#automatic-remediation-for-vulnerabilities) feature is available for offline Dependency Scanning and Container Scanning, but may not work
+The [automatic remediation for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability) feature is available for offline Dependency Scanning and Container Scanning, but may not work
depending on your instance's configuration. We can only suggest solutions, which are generally more
current versions that have been patched, when we are able to access up-to-date registry services
hosting the latest versions of that dependency or image.
diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md
index 4b008e11650..091dc2f5d36 100644
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -137,7 +137,7 @@ as shown in the following table:
| [Customize SAST Settings](#customizing-the-sast-settings) | **{check-circle}** | **{check-circle}** |
| View [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
| Presentation of JSON Report in Merge Request | **{dotted-circle}** | **{check-circle}** |
-| [Interaction with Vulnerabilities](../../application_security/index.md#interacting-with-the-vulnerabilities) | **{dotted-circle}** | **{check-circle}** |
+| [Address vulnerabilities](../../application_security/index.md#addressing-vulnerabilities) | **{dotted-circle}** | **{check-circle}** |
| [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** |
| [Customize SAST Rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** |
diff --git a/doc/user/application_security/security_dashboard/index.md b/doc/user/application_security/security_dashboard/index.md
index 007581c5d26..a708f72b6fc 100644
--- a/doc/user/application_security/security_dashboard/index.md
+++ b/doc/user/application_security/security_dashboard/index.md
@@ -196,4 +196,4 @@ Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
-Read more on how to [interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
+Read more on how to [address the vulnerabilities](../index.md#addressing-vulnerabilities).
diff --git a/doc/user/application_security/vulnerabilities/index.md b/doc/user/application_security/vulnerabilities/index.md
index 79a17554394..416db5b07fc 100644
--- a/doc/user/application_security/vulnerabilities/index.md
+++ b/doc/user/application_security/vulnerabilities/index.md
@@ -123,4 +123,4 @@ Linked issues are shown in the Vulnerability Report and the vulnerability's page
## Automatically remediate the vulnerability
You can fix some vulnerabilities by applying the solution that GitLab automatically
-generates for you. [Read more about the automatic remediation for vulnerabilities feature](../index.md#automatic-remediation-for-vulnerabilities).
+generates for you. [Read more about the automatic remediation for vulnerabilities feature](../index.md#apply-an-automatic-remediation-for-a-vulnerability).