From 0399a25cdd5c90c1e005567ec2c36371fa18b664 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Fri, 14 Feb 2025 21:07:15 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 Gemfile | 2 +-
 Gemfile.checksum | 2 +-
 Gemfile.lock | 4 +-
 Gemfile.next.checksum | 6 +-
 Gemfile.next.lock | 6 +-
 .../17-9-DS-upgrade-to-SBOM-scanner.yml | 6 +-
 ...a-dast-devtools-api-timeout-env-change.yml | 20 ++++++
 ...cate-crawl-extract-search-timeout-envs.yml | 21 ++++++
 .../18-0-updating-ci-job-token.yml | 17 +++++
 doc/.vale/gitlab_docs/ReferenceLinks.yml | 2 +-
 .../gitlab_duo_self_hosted/_index.md | 2 +-
 .../documentation/styleguide/_index.md | 20 ++++++
 doc/update/breaking_windows.md | 2 +
 doc/update/deprecations.md | 64 ++++++++++++++++++-
 .../dependency_scanning_sbom/_index.md | 20 ++++--
 .../migration_guide_to_sbom_based_scans.md | 19 ++---
 doc/user/gitlab_duo_chat/examples.md | 1 +
 17 files changed, 179 insertions(+), 35 deletions(-)
 create mode 100644 data/deprecations/17-9-ast-da-dast-devtools-api-timeout-env-change.yml
 create mode 100644 data/deprecations/17-9-ast-da-deprecate-crawl-extract-search-timeout-envs.yml
 create mode 100644 data/deprecations/18-0-updating-ci-job-token.yml

diff --git a/Gemfile b/Gemfile
index d55b3b0616c..c9d3bc86fd0 100644
--- a/Gemfile
+++ b/Gemfile
@@ -221,7 +221,7 @@ gem 'google-apis-core', '~> 0.11.0', '>= 0.11.1', feature_category: :shared
 gem 'google-apis-compute_v1', '~> 0.57.0', feature_category: :shared
 gem 'google-apis-container_v1', '~> 0.43.0', feature_category: :shared
 gem 'google-apis-container_v1beta1', '~> 0.43.0', feature_category: :shared
-gem 'google-apis-cloudbilling_v1', '~> 0.21.0', feature_category: :shared
+gem 'google-apis-cloudbilling_v1', '~> 0.22.0', feature_category: :shared
 gem 'google-apis-cloudresourcemanager_v1', '~> 0.31.0', feature_category: :shared
 gem 'google-apis-iam_v1', '~> 0.36.0', feature_category: :shared
 gem 'google-apis-serviceusage_v1', '~> 0.28.0', feature_category: :shared
diff --git a/Gemfile.checksum b/Gemfile.checksum
index 0c851e4f6b8..bad4a2f38a6 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -247,7 +247,7 @@
 {"name":"globalid","version":"1.1.0","platform":"ruby","checksum":"b337e1746f0c8cb0a6c918234b03a1ddeb4966206ce288fbb57779f59b2d154f"},
 {"name":"gon","version":"6.4.0","platform":"ruby","checksum":"e3a618d659392890f1aa7db420f17c75fd7d35aeb5f8fe003697d02c4b88d2f0"},
 {"name":"google-apis-androidpublisher_v3","version":"0.34.0","platform":"ruby","checksum":"d7e1d7dd92f79c498fe2082222a1740d788e022e660c135564b3fd299cab5425"},
-{"name":"google-apis-cloudbilling_v1","version":"0.21.0","platform":"ruby","checksum":"ea2d847b4409e2ccd7f8a11a58cfcfdcbfb44ffd81c05768389f67341e291e02"},
+{"name":"google-apis-cloudbilling_v1","version":"0.22.0","platform":"ruby","checksum":"db2b72aebdc2664fd5095264a160cf757119ba3a83a036817b78d0d2ad7886fd"},
 {"name":"google-apis-cloudresourcemanager_v1","version":"0.31.0","platform":"ruby","checksum":"f0a472a228c0b9b592741380ce79ead2458ea0066a4b5a78635818b9b62efbbf"},
 {"name":"google-apis-compute_v1","version":"0.57.0","platform":"ruby","checksum":"404514548abc3a44f5e96393d6a6d588d287548ecb6f5a886ad76e1beea78068"},
 {"name":"google-apis-container_v1","version":"0.43.0","platform":"ruby","checksum":"781d2514cb27268be9cfbae57cbc4203966afb2cf8f2c636326f5bc603862424"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 2b612d17a23..869adfd9d3a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -822,7 +822,7 @@ GEM
 request_store (>= 1.0)
 google-apis-androidpublisher_v3 (0.34.0)
 google-apis-core (>= 0.9.1, < 2.a)
- google-apis-cloudbilling_v1 (0.21.0)
+ google-apis-cloudbilling_v1 (0.22.0)
 google-apis-core (>= 0.9.1, < 2.a)
 google-apis-cloudresourcemanager_v1 (0.31.0)
 google-apis-core (>= 0.9.1, < 2.a)
@@ -2122,7 +2122,7 @@ DEPENDENCIES
 gitlab_quality-test_tooling (~> 2.4.0)
 gon (~> 6.4.0)
 google-apis-androidpublisher_v3 (~> 0.34.0)
- google-apis-cloudbilling_v1 (~> 0.21.0)
+ google-apis-cloudbilling_v1 (~> 0.22.0)
 google-apis-cloudresourcemanager_v1 (~> 0.31.0)
 google-apis-compute_v1 (~> 0.57.0)
 google-apis-container_v1 (~> 0.43.0)
diff --git a/Gemfile.next.checksum b/Gemfile.next.checksum
index 39ab5c6f7d2..0000318496b 100644
--- a/Gemfile.next.checksum
+++ b/Gemfile.next.checksum
@@ -247,7 +247,7 @@
 {"name":"globalid","version":"1.1.0","platform":"ruby","checksum":"b337e1746f0c8cb0a6c918234b03a1ddeb4966206ce288fbb57779f59b2d154f"},
 {"name":"gon","version":"6.4.0","platform":"ruby","checksum":"e3a618d659392890f1aa7db420f17c75fd7d35aeb5f8fe003697d02c4b88d2f0"},
 {"name":"google-apis-androidpublisher_v3","version":"0.34.0","platform":"ruby","checksum":"d7e1d7dd92f79c498fe2082222a1740d788e022e660c135564b3fd299cab5425"},
-{"name":"google-apis-cloudbilling_v1","version":"0.21.0","platform":"ruby","checksum":"ea2d847b4409e2ccd7f8a11a58cfcfdcbfb44ffd81c05768389f67341e291e02"},
+{"name":"google-apis-cloudbilling_v1","version":"0.22.0","platform":"ruby","checksum":"db2b72aebdc2664fd5095264a160cf757119ba3a83a036817b78d0d2ad7886fd"},
 {"name":"google-apis-cloudresourcemanager_v1","version":"0.31.0","platform":"ruby","checksum":"f0a472a228c0b9b592741380ce79ead2458ea0066a4b5a78635818b9b62efbbf"},
 {"name":"google-apis-compute_v1","version":"0.57.0","platform":"ruby","checksum":"404514548abc3a44f5e96393d6a6d588d287548ecb6f5a886ad76e1beea78068"},
 {"name":"google-apis-container_v1","version":"0.43.0","platform":"ruby","checksum":"781d2514cb27268be9cfbae57cbc4203966afb2cf8f2c636326f5bc603862424"},
@@ -727,8 +727,8 @@
 {"name":"state_machines","version":"0.5.0","platform":"ruby","checksum":"23e6249d374a920b528dccade403518b4abbd83841a3e2c9ef13e6f1a009b102"},
 {"name":"state_machines-activemodel","version":"0.8.0","platform":"ruby","checksum":"e932dab190d4be044fb5f9cab01a3ea0b092c5f113d4676c6c0a0d49bf738d2c"},
 {"name":"state_machines-activerecord","version":"0.8.0","platform":"ruby","checksum":"072fb701b8ab03de0608297f6c55dc34ed096e556fa8f77e556f3c461c71aab6"},
-{"name":"stringio","version":"3.1.2","platform":"java","checksum":"8a11a30ec257e6d9851a42dacb968b07a56bf2cfe359b2d906ec1f8774ac7d71"},
-{"name":"stringio","version":"3.1.2","platform":"ruby","checksum":"204f1828f85cdb39d57cac4abc6dc44b04505a223f131587f2e20ae3729ba131"},
+{"name":"stringio","version":"3.1.3","platform":"java","checksum":"c8602527d7c568e13d7097de97dd23c59302af13c3f7cdf6ace7af0f2d290efe"},
+{"name":"stringio","version":"3.1.3","platform":"ruby","checksum":"1eedb8369ee99a9a0edfdacea95c72d647feb8ce844427c150bd641e1797abc8"},
 {"name":"strings","version":"0.2.1","platform":"ruby","checksum":"933293b3c95cf85b81eb44b3cf673e3087661ba739bbadfeadf442083158d6fb"},
 {"name":"strings-ansi","version":"0.2.0","platform":"ruby","checksum":"90262d760ea4a94cc2ae8d58205277a343409c288cbe7c29416b1826bd511c88"},
 {"name":"swd","version":"2.0.3","platform":"ruby","checksum":"4cdbe2a4246c19f093fce22e967ec3ebdd4657d37673672e621bf0c7eb770655"},
diff --git a/Gemfile.next.lock b/Gemfile.next.lock
index 7f24aaebae8..6b83084675a 100644
--- a/Gemfile.next.lock
+++ b/Gemfile.next.lock
@@ -834,7 +834,7 @@ GEM
 request_store (>= 1.0)
 google-apis-androidpublisher_v3 (0.34.0)
 google-apis-core (>= 0.9.1, < 2.a)
- google-apis-cloudbilling_v1 (0.21.0)
+ google-apis-cloudbilling_v1 (0.22.0)
 google-apis-core (>= 0.9.1, < 2.a)
 google-apis-cloudresourcemanager_v1 (0.31.0)
 google-apis-core (>= 0.9.1, < 2.a)
@@ -1852,7 +1852,7 @@ GEM
 state_machines-activerecord (0.8.0)
 activerecord (>= 5.1)
 state_machines-activemodel (>= 0.8.0)
- stringio (3.1.2)
+ stringio (3.1.3)
 strings (0.2.1)
 strings-ansi (~> 0.2)
 unicode-display_width (>= 1.5, < 3.0)
@@ -2157,7 +2157,7 @@ DEPENDENCIES
 gitlab_quality-test_tooling (~> 2.4.0)
 gon (~> 6.4.0)
 google-apis-androidpublisher_v3 (~> 0.34.0)
- google-apis-cloudbilling_v1 (~> 0.21.0)
+ google-apis-cloudbilling_v1 (~> 0.22.0)
 google-apis-cloudresourcemanager_v1 (~> 0.31.0)
 google-apis-compute_v1 (~> 0.57.0)
 google-apis-container_v1 (~> 0.43.0)
diff --git a/data/deprecations/17-9-DS-upgrade-to-SBOM-scanner.yml b/data/deprecations/17-9-DS-upgrade-to-SBOM-scanner.yml
index 41a8347568a..4b5c6a386dd 100644
--- a/data/deprecations/17-9-DS-upgrade-to-SBOM-scanner.yml
+++ b/data/deprecations/17-9-DS-upgrade-to-SBOM-scanner.yml
@@ -25,8 +25,10 @@
 Please review the fully detailed changes below and consult [the migration guide](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.html) to assist you with the transition.
- - When using the Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`), the existing CI/CD jobs based on the Gemnasium analyzer will continue to be used by default. The new Dependency Scanning analyzer will run by default only
- for newly supported languages and package managers that are not already covered by the Gemnasium analyzer. You can also opt-in to fully migrate to the new Dependency Scanning analyzer and use for all supported projects.
+ - To prevent disruptions to your CI/CD configuration, when your application uses the stable Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`), Dependency Scanning uses only the existing CI/CD jobs based on the Gemnasium analyzer.
+ - When your application uses the latest Dependency Scanning CI/CD template (`Dependency-Scanning.latest.gitlab-ci.yml`), Dependency Scanning uses the existing CI/CD jobs based on the Gemnasium analyzer and the new Dependency Scanning analyzer also runs on the supported file types.
+ - You can also opt-in to enforce the new Dependency Scanning analyzer for all projects.
+ - Other migration paths might be considered as the feature gains maturity.
 - To transition to Dependency Scanning with SBOM, the security scan results generated by the Gemansium analyzer will no longer be uploaded to the GitLab platform as a [Dependency Scanning security report artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning).
Instead, Dependency Scanning results will be generated within the GitLab platform, using the GitLab SBOM Vulnerability Scanner, and based on the [CycloneDX SBOM report artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscyclonedx) generated in the CI/CD pipeline.
diff --git a/data/deprecations/17-9-ast-da-dast-devtools-api-timeout-env-change.yml b/data/deprecations/17-9-ast-da-dast-devtools-api-timeout-env-change.yml
new file mode 100644
index 00000000000..f61836903ad
--- /dev/null
+++ b/data/deprecations/17-9-ast-da-dast-devtools-api-timeout-env-change.yml
@@ -0,0 +1,20 @@
+- title: "DAST `dast_devtools_api_timeout` will have a lower default value"
+ removal_milestone: "18.0"
+ announcement_milestone: "17.9"
+ breaking_change: true
+ window: 1
+ reporter: DavidNelsonGL
+ stage: application security testing
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/517254
+ impact: low
+ scope: project
+ resolution_role: Developer
+ manual_task: false
+ body: | # (required) Don't change this line.
+ The `DAST_DEVTOOLS_API_TIMEOUT` environment variable determines how long a DAST scan waits for a response from the browser. Before GitLab 18.0, the variable has a static value of 45 seconds. After GitLab 18.0, `DAST_DEVTOOLS_API_TIMEOUT` environment variable has a dynamic value, which is calculated based on other timeout configurations.
+ In most cases, the 45-second value was higher than the timeout value of many scanner functions. The dynamically calculated value makes the `DAST_DEVTOOLS_API_TIMEOUT` variable more useful by increasing the number of cases it applies to.
+ end_of_support_milestone:
+ tiers: [Ultimate]
+ documentation_url: https://docs.gitlab.com/ee/user/application_security/dast/browser/configuration/variables.html
+ image_url:
+ video_url:
diff --git a/data/deprecations/17-9-ast-da-deprecate-crawl-extract-search-timeout-envs.yml b/data/deprecations/17-9-ast-da-deprecate-crawl-extract-search-timeout-envs.yml
new file mode 100644
index 00000000000..ae9df18a726
--- /dev/null
+++ b/data/deprecations/17-9-ast-da-deprecate-crawl-extract-search-timeout-envs.yml
@@ -0,0 +1,21 @@
+- title: "DAST `dast_crawl_extract_element_timeout` and `dast_crawl_search_element_timeout` variables are deprecated"
+ removal_milestone: "18.0"
+ announcement_milestone: "17.9"
+ breaking_change: false
+ window: 1
+ reporter: DavidNelsonGL
+ stage: application security testing
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/517250
+ impact: low
+ scope: project
+ resolution_role: Developer
+ manual_task: true
+ body: | # (required) Don't change this line.
+ The DAST variables `DAST_CRAWL_EXTRACT_ELEMENT_TIMEOUT` and `DAST_CRAWL_SEARCH_ELEMENT_TIMEOUT` are deprecated and will be removed in GitLab 18.0.
+ When they were introduced, the variables provided granular timeout controls for specific browser interactions. These interactions are now governed by a common timeout value, which makes the variables unnecessary. In addition, because of an underlying implementation issue, the variables haven't been functional since the introduction of the DAST browser-based analyzer.
+ Removing these two variables will simplify DAST configuration, and provide a better onboarding experience for users.
+ end_of_support_milestone:
+ tiers: [Ultimate]
+ documentation_url: https://docs.gitlab.com/ee/user/application_security/dast/browser/configuration/variables.html
+ image_url:
+ video_url:
diff --git a/data/deprecations/18-0-updating-ci-job-token.yml b/data/deprecations/18-0-updating-ci-job-token.yml
new file mode 100644
index 00000000000..b62e7c5bb96
--- /dev/null
+++ b/data/deprecations/18-0-updating-ci-job-token.yml
@@ -0,0 +1,17 @@
+- title: "Updating CI/CD job tokens to JWT standard"
+ announcement_milestone: "17.9"
+ removal_milestone: "18.0"
+ breaking_change: true
+ reporter: jayswain
+ stage: Software Supply Chain Security
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/509578
+ body: | # (required) Do not modify this line, instead modify the lines below.
+ In GitLab 18.0, CI/CD job tokens are moving to the JWT standard by default. All new projects will use this standard, but existing projects will continue to use the legacy format. Existing projects can switch to the JWT standard before the GitLab 18.0 release.
+
+ In GitLab 18.3, all CI/CD job tokens must use the JWT standard. Before this release, you can temporarily revert your tokens back to the legacy job token format.
+
+ Known issues:
+
+ 1. GitLab Runner's AWS Fargate Drive 0.5.0 and earlier is incompatible with the JWT standard. Users of the [AWS Fargate custom executor driver](https://docs.gitlab.com/runner/configuration/runner_autoscale_aws_fargate/index.html) must upgrade to 0.5.1 or later. For migration instructions, see [the documentation](https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs).
+ 1. The much longer JWT standard breaks the `echo $CI_JOB_TOKEN | base64` command used in some CI/CD configuration files. You can use the `echo $CI_JOB_TOKEN | base64 -w0` command instead.
+ window: 2
diff --git a/doc/.vale/gitlab_docs/ReferenceLinks.yml b/doc/.vale/gitlab_docs/ReferenceLinks.yml
index a4697b8e924..b55e02a90b3 100644
--- a/doc/.vale/gitlab_docs/ReferenceLinks.yml
+++ b/doc/.vale/gitlab_docs/ReferenceLinks.yml
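Review bot: The new entry `data/deprecations/18-0-updating-ci-job-token.yml` leaves out the `impact`, `scope`, `resolution_role`, `manual_task`, `tiers` and `documentation_url` fields that the two sibling entries added in this same commit (`17-9-ast-da-dast-devtools-api-timeout-env-change.yml` and `17-9-ast-da-deprecate-crawl-extract-search-timeout-envs.yml`) all set, and the row this commit adds to `doc/update/breaking_windows.md` (hunk `@@ -73,6 +74,7 @@`) shows the effect: its Impact and Scope cells are empty. For a `breaking_change: true` change to the format of every CI/CD job token, readers planning the 18.0 upgrade need at least `impact:` and `scope:` populated; the values are the author's call, so none are proposed here. The first known-issues item also misspells the driver name, and I would change it to `1. GitLab Runner's AWS Fargate Driver 0.5.0 and earlier is incompatible with the JWT standard.`. The suggested workaround `base64 -w0` relies on the GNU coreutils `-w` option, which the macOS/BSD `base64` does not accept, so if non-Linux runners are in scope the text should say so.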
@@ -6,7 +6,7 @@
 # For a list of all options, see https://vale.sh/docs/topics/styles/
 extends: existence
 message: "Put this link inline with the rest of the text."
-link: https://docs.gitlab.com/ee/development/documentation/styleguide/#links
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/#inline-links
 vocab: false
 level: error
 nonword: true
diff --git a/doc/administration/gitlab_duo_self_hosted/_index.md b/doc/administration/gitlab_duo_self_hosted/_index.md
index c866f01c1ee..4f91e580acd 100644
--- a/doc/administration/gitlab_duo_self_hosted/_index.md
+++ b/doc/administration/gitlab_duo_self_hosted/_index.md
@@ -20,7 +20,7 @@ To maintain full control over your data privacy, security, and the deployment of
 By deploying GitLab Duo Self-Hosted, you can manage the entire lifecycle of requests made to LLM backends for GitLab Duo features, ensuring that all requests stay in your enterprise network, and avoiding external dependencies.
-For a click-through demo, see [GitLab Duo Self-Hosted prooduct tour](https://gitlab.navattic.com/gitlab-duo-self-hosted).
+For a click-through demo, see [GitLab Duo Self-Hosted product tour](https://gitlab.navattic.com/gitlab-duo-self-hosted).
 ## Why use GitLab Duo Self-Hosted
diff --git a/doc/development/documentation/styleguide/_index.md b/doc/development/documentation/styleguide/_index.md
index a35114a4a86..9266281bf3f 100644
--- a/doc/development/documentation/styleguide/_index.md
+++ b/doc/development/documentation/styleguide/_index.md
@@ -847,6 +847,26 @@ However, you should avoid putting too many links on any page. Too many links can
 - Consider using [Related topics](../topic_types/_index.md#related-topics) to reduce links that interrupt the flow of a task.
 - Try to avoid anchor links to sections on the same page. Let users rely on the right navigation instead.
+### Inline links
+
+Use inline links instead of reference links. Inline links are easier to parse
+and edit.
+([Vale](../testing/vale.md) rule: [`ReferenceLinks.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/.vale/gitlab_docs/ReferenceLinks.yml))
+
+- Do:
+
+ ```markdown
+ For more information, see [merge requests](path/to/merge_requests.md)
+ ```
+
+- Don't:
+
+ ```markdown
+ For more information, see [merge requests][1].
+
+ [1]: path/to/merge_requests.md
+ ```
+
 ### Links in the same repository
 To link to another documentation (`.md`) file in the same repository:
diff --git a/doc/update/breaking_windows.md b/doc/update/breaking_windows.md
index 870721d066e..342569785b9 100644
--- a/doc/update/breaking_windows.md
+++ b/doc/update/breaking_windows.md
@@ -48,6 +48,7 @@ This window takes place on April 21 - 23, 2025 from 09:00 UTC to 22:00 UTC.
 | [Dependency Scanning for JavaScript vendored libraries](https://gitlab.com/gitlab-org/gitlab/-/issues/501308) | Low | Application_security_testing | Project |
 | [Dependency Scanning upgrades to the GitLab SBOM Vulnerability Scanner](https://gitlab.com/gitlab-org/gitlab/-/issues/501308) | High | Application_security_testing | Project |
 | [Resolve a vulnerability for Dependency Scanning on Yarn projects](https://gitlab.com/gitlab-org/gitlab/-/issues/501308) | Low | Application_security_testing | Project |
+| [DAST `dast_devtools_api_timeout` will have a lower default value](https://gitlab.com/gitlab-org/gitlab/-/issues/517254) | Low | Application security testing | Project |
 | [API Discovery will use branch pipelines by default](https://gitlab.com/gitlab-org/gitlab/-/issues/515487) | Low | Application_security_testing | Project |
 | [Container Scanning default severity threshold set to `medium`](https://gitlab.com/gitlab-org/gitlab/-/issues/515358) | Low | Application security testing | Project |
 | [Subscription related API endpoints in the public API are deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/515371#note_2319368251) | Low | Fulfillment | Instance |
@@ -73,6 +74,7 @@ This window takes place on April 28 - 30, 2025 from 09:00 UTC to 22:00 UTC.
 | [RunnersRegistrationTokenReset GraphQL mutation is deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/505703) | High | Verify | Instance, group, project |
 | [Behavior change for Upcoming and Started milestone filters](https://gitlab.com/gitlab-org/gitlab/-/issues/501294) | Low | Plan | Group, project |
 | [`kpt`-based `agentk` is deprecated](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/656) | Low | Deploy | Project |
+| [Updating CI/CD job tokens to JWT standard](https://gitlab.com/gitlab-org/gitlab/-/issues/509578) | | Software supply chain security | |
 ## Window 3
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index 46b7cbfc943..691070d12c6 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -595,6 +595,41 @@ To continue showing these findings, you must configure the `CS_SEVERITY_THRESHOL
+
+
+### DAST `dast_crawl_extract_element_timeout` and `dast_crawl_search_element_timeout` variables are deprecated
+
+
+- Announced in GitLab 17.9
+- Removal in GitLab 18.0
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/517250).
+
+
+The DAST variables `DAST_CRAWL_EXTRACT_ELEMENT_TIMEOUT` and `DAST_CRAWL_SEARCH_ELEMENT_TIMEOUT` are deprecated and will be removed in GitLab 18.0.
+When they were introduced, the variables provided granular timeout controls for specific browser interactions. These interactions are now governed by a common timeout value, which makes the variables unnecessary. In addition, because of an underlying implementation issue, the variables haven't been functional since the introduction of the DAST browser-based analyzer.
+Removing these two variables will simplify DAST configuration, and provide a better onboarding experience for users.
+
+ +
+
+### DAST `dast_devtools_api_timeout` will have a lower default value
+
+
+- Announced in GitLab 17.9
+- Removal in GitLab 18.0 ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/517254).
+
+
+The `DAST_DEVTOOLS_API_TIMEOUT` environment variable determines how long a DAST scan waits for a response from the browser. Before GitLab 18.0, the variable has a static value of 45 seconds. After GitLab 18.0, `DAST_DEVTOOLS_API_TIMEOUT` environment variable has a dynamic value, which is calculated based on other timeout configurations.
+In most cases, the 45-second value was higher than the timeout value of many scanner functions. The dynamically calculated value makes the `DAST_DEVTOOLS_API_TIMEOUT` variable more useful by increasing the number of cases it applies to.
+
+
### Dependency Proxy token scope enforcement 
@@ -662,8 +697,10 @@ using the Gemnasium analyzer will continue to function by default to prevent dis
 Please review the fully detailed changes below and consult [the migration guide](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.html) to assist you with the transition.
-- When using the Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`), the existing CI/CD jobs based on the Gemnasium analyzer will continue to be used by default. The new Dependency Scanning analyzer will run by default only
-for newly supported languages and package managers that are not already covered by the Gemnasium analyzer. You can also opt-in to fully migrate to the new Dependency Scanning analyzer and use for all supported projects.
+- To prevent disruptions to your CI/CD configuration, when your application uses the stable Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`), Dependency Scanning uses only the existing CI/CD jobs based on the Gemnasium analyzer.
+- When your application uses the latest Dependency Scanning CI/CD template (`Dependency-Scanning.latest.gitlab-ci.yml`), Dependency Scanning uses the existing CI/CD jobs based on the Gemnasium analyzer and the new Dependency Scanning analyzer also runs on the supported file types.
+- You can also opt-in to enforce the new Dependency Scanning analyzer for all projects.
+- Other migration paths might be considered as the feature gains maturity.
 - To transition to Dependency Scanning with SBOM, the security scan results generated by the Gemansium analyzer will no longer be uploaded to the GitLab platform as a [Dependency Scanning security report artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning).
Instead, Dependency Scanning results will be generated within the GitLab platform, using the GitLab SBOM Vulnerability Scanner, and based on the [CycloneDX SBOM report artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscyclonedx) generated in the CI/CD pipeline.
@@ -2015,6 +2052,29 @@ In other cases:
+### Updating CI/CD job tokens to JWT standard + +
+
+- Announced in GitLab 17.9
+- Removal in GitLab 18.0 ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/509578).
+
+
+In GitLab 18.0, CI/CD job tokens are moving to the JWT standard by default. All new projects will use this standard, but existing projects will continue to use the legacy format. Existing projects can switch to the JWT standard before the GitLab 18.0 release.
+
+In GitLab 18.3, all CI/CD job tokens must use the JWT standard. Before this release, you can temporarily revert your tokens back to the legacy job token format.
+
+Known issues:
+
+1. GitLab Runner's AWS Fargate Drive 0.5.0 and earlier is incompatible with the JWT standard. Users of the [AWS Fargate custom executor driver](https://docs.gitlab.com/runner/configuration/runner_autoscale_aws_fargate/index.html) must upgrade to 0.5.1 or later. For migration instructions, see [the documentation](https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs).
+1. The much longer JWT standard breaks the `echo $CI_JOB_TOKEN | base64` command used in some CI/CD configuration files. You can use the `echo $CI_JOB_TOKEN | base64 -w0` command instead.
+
+
+
+
 ### Workspaces `editor` GraphQL field is deprecated
diff --git a/doc/user/application_security/dependency_scanning/dependency_scanning_sbom/_index.md b/doc/user/application_security/dependency_scanning/dependency_scanning_sbom/_index.md
index 8fc0405fd28..4ef16bf4308 100644
--- a/doc/user/application_security/dependency_scanning/dependency_scanning_sbom/_index.md
+++ b/doc/user/application_security/dependency_scanning/dependency_scanning_sbom/_index.md
@@ -14,7 +14,13 @@ DETAILS:
 > - [Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated](https://gitlab.com/gitlab-org/gitlab/-/issues/395692) in GitLab 17.5.
 > - Released [lockfile-based Dependency Scanning](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning/-/blob/main/README.md?ref_type=heads#supported-files) analyzer as an [Experiment](../../../../policy/development_stages_support.md#experiment-features) in GitLab 17.4.
 > - Released [Dependency Scanning CI/CD Component](https://gitlab.com/explore/catalog/components/dependency-scanning) version [`0.4.0`](https://gitlab.com/components/dependency-scanning/-/tags/0.4.0) in GitLab 17.5 with support for the [lockfile-based Dependency Scanning](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning/-/blob/main/README.md?ref_type=heads#supported-files) analyzer.
-> - [Enabled by default with the Dependency Scanning CI/CD templates](https://gitlab.com/gitlab-org/gitlab/-/issues/519597) and Scan Execution Policies for Cargo, Conda, Cocoapods and Swift in GitLab 17.9.
+> - [Enabled by default with the latest Dependency Scanning CI/CD templates](https://gitlab.com/gitlab-org/gitlab/-/issues/519597) for Cargo, Conda, Cocoapods and Swift in GitLab 17.9.
+
+FLAG:
+The availability of this feature is controlled by a feature flag.
+For more information, see the history.
+This feature uses an experimental scanner.
+This feature is available for testing, but not ready for production use.
 Dependency scanning using CycloneDX SBOM analyzes your application's dependencies for known vulnerabilities. All dependencies are scanned, [including transitive dependencies](../_index.md).
@@ -104,10 +110,10 @@ following [PURL types](https://github.com/package-url/purl-spec/blob/34658984613
 Enable the Dependency Scanning using SBOM feature with one of the following options:
-- Use either the Dependency Scanning CI/CD template `Dependency-Scanning.gitlab-ci.yml` or `Dependency-Scanning.latest.gitlab-ci.yml` to enable a GitLab provided analyzer.
+- Use the `latest` Dependency Scanning CI/CD template `Dependency-Scanning.latest.gitlab-ci.yml` to enable a GitLab provided analyzer.
 - The (deprecated) Gemnasium analyzer is used by default.
 - To enable the new Dependency Scanning analyzer, set the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
-- Use the [Scan Execution Policies](../../policies/scan_execution_policies.md) to enable a GitLab provided analyzer.
+- Use the [Scan Execution Policies](../../policies/scan_execution_policies.md) with the `latest` template to enable a GitLab provided analyzer.
 - The (deprecated) Gemnasium analyzer is used by default.
 - To enable the new Dependency Scanning analyzer, set the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
 - Use the [Dependency Scanning CI/CD component](https://gitlab.com/explore/catalog/components/dependency-scanning) to enable the new Dependency Scanning analyzer.
@@ -133,18 +139,18 @@ Prerequisites:
 To enable the analyzer, you must:
-- Use either the Dependency Scanning CI/CD template `Dependency-Scanning.gitlab-ci.yml` or `Dependency-Scanning.latest.gitlab-ci.yml`
-and enforce the new Dependency Scanning analyzer by settin the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
+- Use either the `latest` Dependency Scanning CI/CD template `Dependency-Scanning.latest.gitlab-ci.yml`
+and enforce the new Dependency Scanning analyzer by setting the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
 ```yaml
 include:
- - template: Jobs/Dependency-Scanning.gitlab-ci.yml
+ - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
 variables:
 DS_ENFORCE_NEW_ANALYZER: 'true'
 ```
-- Use the [Scan Execution Policies](../../policies/scan_execution_policies.md) and enforce the new Dependency Scanning analyzer by settin the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
+- Use the [Scan Execution Policies](../../policies/scan_execution_policies.md) with the `latest` template and enforce the new Dependency Scanning analyzer by setting the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
 - Use the [Dependency Scanning CI/CD component](https://gitlab.com/explore/catalog/components/dependency-scanning)
 ```yaml
diff --git a/doc/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.md b/doc/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.md
index f993af18ae3..b16d462ae8f 100644
--- a/doc/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.md
+++ b/doc/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.md
@@ -15,7 +15,7 @@ replace the legacy Dependency Scanning feature based on the Gemnasium analyzer.
 Follow this migration guide if you use GitLab Dependency Scanning and any of the following conditions apply:
 - The Dependency Scanning CI/CD jobs are configured by including a Dependency Scanning CI/CD templates.
- 
+
 ```yaml
 include:
 - template: Jobs/Dependency-Scanning.gitlab-ci.yml
@@ -43,15 +43,10 @@ This also impacts the availability of some functionalities that depend on the se ### CI/CD configuration -When you migrate, you'll find several provisions to help prevent disruption to your workflows: +To prevent disruption to your CI/CD pipelines, the new approach is not yet applied to the stable Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`) and you must use the `latest` template (`Dependency-Scanning.latest.gitlab-ci.yml`) to enable it. +Other migration paths might be considered as the feature gains maturity. -The stable Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`) maintains backward compatibility by default. It continues to run existing Gemnasium analyzer jobs, while the new Dependency Scanning analyzer only activates for newly supported languages and package managers. -You can opt-in to use the new Dependency Scanning analyzer for all projects by configuring the `DS_ENFORCE_NEW_ANALYZER` CI/CD variable to `true`. - -For the latest CI/CD template (`Dependency-Scanning.latest.gitlab-ci.yml`), the behavior depends on the version of GitLab you are using: - -- In GitLab 17.9, 17.10, and 17.11, it matches the stable template's behavior. -- From GitLab 18.0 and later, it switches to use the new Dependency Scanning analyzer exclusively for all projects (`DS_ENFORCE_NEW_ANALYZER` is set to `true` by default). +The latest Dependency Scanning CI/CD template (`Dependency-Scanning.latest.gitlab-ci.yml`) still maintains backward compatibility by default. It continues to run existing Gemnasium analyzer jobs, while the new Dependency Scanning analyzer only activates for newly supported languages and package managers. You can opt-in to use the new Dependency Scanning analyzer for all projects by configuring the `DS_ENFORCE_NEW_ANALYZER` CI/CD variable to `true`. 
If you're using [Scan Execution Policies](../policies/scan_execution_policies.md), these changes apply in the same way because they build upon the CI/CD templates. 
@@ -86,12 +81,12 @@ To migrate to the Dependency Scanning using SBOM method, perform the following s - If you have manually overridden the `gemnasium-dependency_scanning`, `gemnasium-maven-dependency_scanning`, or `gemnasium-python-dependency_scanning` CI/CD jobs to customize them in a project's `.gitlab-ci.yml` or in the CI/CD configuration for a Pipeline Execution Policy, remove them. - If you have configured any of [the impacted CI/CD variables](#changes-to-cicd-variables), adjust your configuration accordingly. 1. Enable the Dependency Scanning using SBOM feature with one of the following options: - - Use either the Dependency Scanning CI/CD template `Dependency-Scanning.gitlab-ci.yml` or `Dependency-Scanning.latest.gitlab-ci.yml` to run the new Dependency Scanning analyzer: - 1. Keep the Dependency Scanning CI/CD template `include` statement from your `.gitlab-ci.yml` CI/CD configuration. + - Use the `latest` Dependency Scanning CI/CD template `Dependency-Scanning.latest.gitlab-ci.yml` to run the new Dependency Scanning analyzer: + 1. Ensure your `.gitlab-ci.yml` CI/CD configuration includes the latest Dependency Scanning CI/CD template. 1. Add the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` and set it to `true`. This variable can be set in many different places, while observing the [CI/CD variable precedence](../../../ci/variables/_index.md#cicd-variable-precedence). 1. Adjust your project and your CI/CD configuration if needed by following the language-specific instructions below. - Use the [Scan Execution Policies](../policies/scan_execution_policies.md) to run the new Dependency Scanning analyzer: - 1. Edit the configured scan execution policy for Dependency Scanning. + 1. Edit the configured scan execution policy for Dependency Scanning and ensure it uses the `latest` template. 1. Add the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` and set it to `true`. 
This variable can be set in many different places, while observing the [CI/CD variable precedence](../../../ci/variables/_index.md#cicd-variable-precedence). 1. Adjust your project and your CI/CD configuration if needed by following the language-specific instructions below. - Use the [Dependency Scanning CI/CD component](https://gitlab.com/explore/catalog/components/dependency-scanning) to run the new Dependency Scanning analyzer: diff --git a/doc/user/gitlab_duo_chat/examples.md b/doc/user/gitlab_duo_chat/examples.md index 6ee2c830960..5409f1ca717 100644 --- a/doc/user/gitlab_duo_chat/examples.md +++ b/doc/user/gitlab_duo_chat/examples.md @@ -251,6 +251,7 @@ DETAILS: > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/477258) in GitLab 17.7 [with flags](../../administration/feature_flags.md) named `duo_additional_context` and `duo_include_context_file`. Disabled by default. > - [Enabled](https://gitlab.com/groups/gitlab-org/-/epics/15227) for [self-hosted model configuration](../../administration/gitlab_duo_self_hosted/_index.md#self-hosted-ai-gateway-and-llms) as well as the [default GitLab external AI vendor configuration](../../administration/gitlab_duo_self_hosted/_index.md#gitlabcom-ai-gateway-with-default-gitlab-external-vendor-llms) in GitLab 17.9. +> - [Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated](https://gitlab.com/groups/gitlab-org/-/epics/15183) in GitLab 17.9. FLAG: The availability of this feature is controlled by a feature flag.