From 495c22d1245b6212b21b7379a542df73dfa77206 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Mon, 6 Apr 2020 18:09:37 +0000 Subject: Add latest changes from gitlab-org/gitlab@master --- .../dependency_scanning/index.md | 35 ++++++++-------------- doc/user/application_security/index.md | 29 ++++++++++++++++++ doc/user/application_security/sast/index.md | 23 +++++++------- 3 files changed, 53 insertions(+), 34 deletions(-) (limited to 'doc/user/application_security') diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index c83e69ed6c4..651a7730cdb 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md 
@@ -167,7 +167,7 @@ The following variables are used for configuring specific analyzers (used for a | `DS_PIP_VERSION` | `gemnasium-python` | | Force the install of a specific pip version (example: `"19.3"`), otherwise the pip installed in the Docker image is used. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12811) in GitLab 12.7) | | `DS_PIP_DEPENDENCY_PATH` | `gemnasium-python` | | Path to load Python pip dependencies from. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12412) in GitLab 12.2) | | `DS_PYTHON_VERSION` | `retire.js` | | Version of Python. If set to 2, dependencies are installed using Python 2.7 instead of Python 3.6. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12296) in GitLab 12.1)| -| `MAVEN_CLI_OPTS` | `gemnasium-maven` | `"-DskipTests --batch-mode"` | List of command line arguments that will be passed to `maven` by the analyzer. See an example for [using private repos](#using-private-maven-repos). | +| `MAVEN_CLI_OPTS` | `gemnasium-maven` | `"-DskipTests --batch-mode"` | List of command line arguments that will be passed to `maven` by the analyzer. See an example for [using private repos](../index.md#using-private-maven-repos). | | `BUNDLER_AUDIT_UPDATE_DISABLED` | `bundler-audit` | `"false"` | Disable automatic updates for the `bundler-audit` analyzer. Useful if you're running Dependency Scanning in an offline, air-gapped environment.| | `BUNDLER_AUDIT_ADVISORY_DB_URL` | `bundler-audit` | `https://github.com/rubysec/ruby-advisory-db` | URL of the advisory database used by bundler-audit. | | `BUNDLER_AUDIT_ADVISORY_DB_REF_NAME` | `bundler-audit` | `master` | Git ref for the advisory database specified by `BUNDLER_AUDIT_ADVISORY_DB_URL`. | 
@@ -177,28 +177,9 @@ The following variables are used for configuring specific analyzers (used for a ### Using private Maven repos If you have a private Maven repository which requires login credentials, -you can use the `MAVEN_CLI_OPTS` environment variable to pass variables -specified in your settings (e.g., username, password, etc.). - -For example, if you have a settings file in your project source (e.g., `mysettings.xml`) -that looks like the following, you can specify the variables -[by adding an entry under your project's settings](../../../ci/variables/README.md#via-the-ui), -so that you don't have to expose your private data in `.gitlab-ci.yml` (e.g., adding -`MAVEN_CLI_OPTS` with value `--settings mysettings.xml -Dprivate.username=foo -Dprivate.password=bar`). - -```xml - - - ... - - - private_server - ${private.username} - ${private.password} - - - -``` +you can use the `MAVEN_CLI_OPTS` environment variable. + +Read more on [how to use private Maven repos](../index.md#using-private-maven-repos). ### Disabling Docker in Docker for Dependency Scanning 
@@ -217,6 +198,14 @@ variables: This will create individual `-dependency_scanning` jobs for each analyzer that runs in your CI/CD pipeline. +By removing Docker-in-Docker (DIND), GitLab relies on [Linguist](https://github.com/github/linguist) +to start relevant analyzers depending on the detected repository language(s) instead of the +[orchestrator](https://gitlab.com/gitlab-org/security-products/dependency-scanning/). However, there +are some differences in the way repository languages are detected between DIND and non-DIND. You can +observe these differences by checking both Linguist and the common library. For instance, Linguist +looks for `*.java` files to spin up the [gemnasium-maven](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven) +image, while orchestrator only looks for the existence of `pom.xml` or `build.gradle`. + ## Interacting with the vulnerabilities Once a vulnerability is found, you can interact with it. Read more on how to diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md index 299507ff6c4..dadff8583db 100644 --- a/doc/user/application_security/index.md +++ b/doc/user/application_security/index.md 
@@ -251,6 +251,35 @@ environment. Read how to [operate the Secure scanners in an offline environment](offline_deployments/index.md). +## Using private Maven repos + +If you have a private Apache Maven repository that requires login credentials, +you can use the `MAVEN_CLI_OPTS` environment variable +to pass a username and password. You can set it under your project's settings +so that your credentials aren't exposed in `.gitlab-ci.yml`. + +If the username is `myuser` and the password is `verysecret` then you would +[set the following variable](../../ci/variables/README.md#via-the-ui) +under your project's settings: + +| Type | Key | Value | +| ---- | --- | ----- | +| Variable | `MAVEN_CLI_OPTS` | `--settings mysettings.xml -Drepository.password=verysecret -Drepository.user=myuser` | + +```xml + + + ... + + + private_server + ${private.username} + ${private.password} + + + +``` + ## Outdated security reports > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/4913) in GitLab 12.7. diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 64a8b1b40dd..9c6098e4e04 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md 
@@ -166,18 +166,10 @@ it via [custom environment variables](#custom-environment-variables). #### Using a variable to pass username and password to a private Maven repository -If you have a private Apache Maven repository that requires login credentials, -you can use the `MAVEN_CLI_OPTS` [environment variable](#available-variables) -to pass a username and password. You can set it under your project's settings -so that your credentials aren't exposed in `.gitlab-ci.yml`. +If you have a private Maven repository which requires login credentials, +you can use the `MAVEN_CLI_OPTS` environment variable. -If the username is `myuser` and the password is `verysecret` then you would -[set the following variable](../../../ci/variables/README.md#via-the-ui) -under your project's settings: - -| Type | Key | Value | -| ---- | --- | ----- | -| Variable | `MAVEN_CLI_OPTS` | `-Drepository.password=verysecret -Drepository.user=myuser` | +Read more on [how to use private Maven repos](../index.md#using-private-maven-repos). ### Disabling Docker in Docker for SAST 
@@ -194,6 +186,15 @@ variables: This will create individual `-sast` jobs for each analyzer that runs in your CI/CD pipeline. +By removing Docker-in-Docker (DIND), GitLab relies on [Linguist](https://github.com/github/linguist) +to start relevant analyzers depending on the detected repository language(s) instead of the +[orchestrator](https://gitlab.com/gitlab-org/security-products/dependency-scanning/). However, there +are some differences in the way repository languages are detected between DIND and non-DIND. You can +observe these differences by checking both Linguist and the common library. For instance, Linguist +looks for `*.java` files to spin up the [spotbugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) +image, while orchestrator only looks for the existence of `pom.xml`, `build.xml`, `gradlew`, +`grailsw`, or `mvnw`. + #### Enabling kubesec analyzer > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12752) in GitLab Ultimate 12.6. -- cgit v1.2.3
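Review bot: in the dependency_scanning/index.md hunk at -167, the unchanged `DS_PYTHON_VERSION` row attributes a Python-version setting to the `retire.js` analyzer, which is a JavaScript scanner; that looks like it belongs to `gemnasium-python`, and since this table is being touched it is worth correcting in the same change. The edited `MAVEN_CLI_OPTS` row itself is fine: `../index.md#using-private-maven-repos` resolves to the `## Using private Maven repos` heading added to index.md in this patch.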
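Review bot: in the dependency_scanning/index.md hunk at -177, the replacement text drops the one sentence that carried the security guidance, namely that the credentials go into the project's CI/CD variables so they are not exposed in `.gitlab-ci.yml`; a reader who does not follow the link now only learns that `MAVEN_CLI_OPTS` exists. Suggest keeping one sentence before the `Read more` link, for example `Set the variable under your project's settings so your credentials are not committed to .gitlab-ci.yml.`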
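Review bot: in the dependency_scanning/index.md hunk at -217, `the common library` is named as something the reader can check but, unlike Linguist and the orchestrator, is not linked, so the instruction "observe these differences by checking both" cannot be followed; add the link. The paragraph also leaves the practical consequence implicit: per its own example, a project that has a `pom.xml` or `build.gradle` but no `*.java` files will not start `gemnasium-maven` once DIND is removed, which silently removes dependency scanning for that project. Stating that explicitly, and suggesting that operators compare the generated `-dependency_scanning` jobs before and after switching, would let users verify coverage rather than discover the gap later.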
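Review bot: in the index.md hunk at -251, the property names in the table and in the settings example do not match: `MAVEN_CLI_OPTS` passes `-Drepository.password=verysecret -Drepository.user=myuser`, but the settings excerpt reads `${private.username}` and `${private.password}`, so Maven would leave those placeholders unresolved and the login would fail; use the same names in both (the text removed from dependency_scanning/index.md used `private.username`/`private.password` consistently). Two further points for the new section: it should say that `mysettings.xml` has to exist in the repository for `--settings mysettings.xml` to work, and that because the password travels inside a command-line argument, it will appear in the job log if debug tracing is on or the analyzer prints its Maven command line, which is one more reason to keep it out of `.gitlab-ci.yml` and out of any `variables:` block that is echoed.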
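Review bot: in the sast/index.md hunk at -166, the new sentence drops the `[environment variable](#available-variables)` link that the removed text had, which was the only pointer on this page to where `MAVEN_CLI_OPTS` is listed for SAST; keep the anchor. Also, the removed SAST table value was `-Drepository.password=verysecret -Drepository.user=myuser` with no `--settings mysettings.xml`, while the consolidated section in index.md includes the settings file; confirm that the SAST analyzer needs it too, otherwise the consolidated instructions now require a file that SAST users previously did not need.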
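Review bot: in the sast/index.md hunk at -194, the `orchestrator` link points to `security-products/dependency-scanning/`, which is the Dependency Scanning orchestrator, but this is the SAST page; link SAST's own orchestrator project instead, or say explicitly that both share the same detection logic if that is the case. The same coverage caveat as in the Dependency Scanning paragraph applies: a repository with `pom.xml`, `build.xml`, `gradlew`, `grailsw` or `mvnw` but no `*.java` sources will no longer start `spotbugs` once DIND is removed, so the page should tell users to compare the `-sast` jobs before and after switching. Finally, this paragraph is a near-verbatim copy of the one added to dependency_scanning/index.md; a single canonical location (or a shared include) would keep the two from drifting apart.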