root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2023-02-08 06:10:43 +00:00
parent d8b3ba4b19
commit 0812feb16a
9 changed files with 34 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
data/deprecations/15-9-php-python-dev-dependencies.yml Normal file
View File

@ -0,0 +1,9 @@
- title: "Development dependencies reported for PHP and Python"
announcement_milestone: "15.9"
removal_milestone: "16.0"
breaking_change: true
reporter: sam.white
stage: secure
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/375505
body: |
In GitLab 16.0 the GitLab Dependency Scanning analyzer will begin reporting development dependencies for both Python/pipenv and PHP/composer projects. Users who do not wish to have these development dependencies reported should set `DS_INCLUDE_DEV_DEPENDENCIES: false` in their CI/CD file.

1
doc/administration/instance_limits.md
View File

@ -655,7 +655,6 @@ setting is used:
| `ci_max_artifact_size_archive` | 0 |
| `ci_max_artifact_size_browser_performance` | 0 |
| `ci_max_artifact_size_cluster_applications` | 0 |
| `ci_max_artifact_size_cluster_image_scanning` | 0 |
| `ci_max_artifact_size_cobertura` | 0 |
| `ci_max_artifact_size_codequality` | 0 |
| `ci_max_artifact_size_container_scanning` | 0 |

13
doc/ci/yaml/artifacts_reports.md
View File

@ -67,19 +67,6 @@ GitLab can display the results of one report in the merge request
GitLab cannot display the combined results of multiple `browser_performance` reports.
## `artifacts:reports:cluster_image_scanning` **(ULTIMATE)**
> - Introduced in GitLab 14.1.
> - Requires GitLab Runner 14.1 and above.
The `cluster_image_scanning` report collects `CLUSTER_IMAGE_SCANNING` vulnerabilities. The collected
`CLUSTER_IMAGE_SCANNING` report uploads to GitLab as an artifact.
GitLab can display the results of one or more reports in:
- The [security dashboard](../../user/application_security/security_dashboard/index.md).
- The [Project Vulnerability report](../../user/application_security/vulnerability_report/index.md).
## `artifacts:reports:coverage_report`
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/344533) in GitLab 14.10.

52
doc/development/integrations/secure.md
View File

@ -31,7 +31,6 @@ For consistency, scanning jobs should be named after the scanner, in lower case.
The job name is suffixed after the type of scanning:
- `_dependency_scanning`
- `_cluster_image_scanning`
- `_container_scanning`
- `_dast`
- `_sast`
@ -79,7 +78,6 @@ Valid reports are:
- `dependency_scanning`
- `container_scanning`
- `cluster_image_scanning`
- `dast`
- `api_fuzzing`
- `coverage_fuzzing`
@ -108,7 +106,6 @@ for variables such as:
- `DEPENDENCY_SCANNING_DISABLED`
- `CONTAINER_SCANNING_DISABLED`
- `CLUSTER_IMAGE_SCANNING_DISABLED`
- `SAST_DISABLED`
- `DAST_DISABLED`
@ -214,19 +211,6 @@ using the variables `DOCKER_USER` and `DOCKER_PASSWORD`.
If these are not defined, then the scanner should use
`CI_REGISTRY_USER` and `CI_REGISTRY_PASSWORD` as default values.
#### Cluster Image Scanning
To be consistent with the official `cluster_image_scanning` for GitLab, scanners must scan the
Kubernetes cluster whose configuration is given by `KUBECONFIG`.
If you use the `CIS_KUBECONFIG` CI/CD variable, then the
`KUBECONFIG` variable is ignored and the cluster specified in the
`CIS_KUBECONFIG` variable is scanned instead. If you don't provide
the `CIS_KUBECONFIG` CI/CD variable, the value defaults to the value of
`$KUBECONFIG`. `$KUBECONFIG` is a predefined CI/CD variable configured when the project is assigned to a
Kubernetes cluster. When multiple contexts are provided in the `KUBECONFIG` variable, the context
selected as `current-context` is used to fetch vulnerabilities.
#### Configuration files
While scanners may use `CI_PROJECT_DIR` to load specific configuration files,
@ -320,7 +304,6 @@ and [Container Scanning](../../user/application_security/container_scanning/inde
You can find the schemas for these scanners here:
- [Cluster Image Scanning](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/cluster-image-scanning-report-format.json)
- [Container Scanning](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/container-scanning-report-format.json)
- [Coverage Fuzzing](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/coverage-fuzzing-report-format.json)
- [DAST](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/dast-report-format.json)
@ -414,7 +397,6 @@ We recommend that you generate a UUID and use it as the `id` field's value.
The value of the `category` field matches the report type:
- `dependency_scanning`
- `cluster_image_scanning`
- `container_scanning`
- `sast`
- `dast`
@ -604,40 +586,6 @@ so these attributes are mandatory.
The `image` is also mandatory.
All other attributes are optional.
##### Cluster Image Scanning
The `location` of a `cluster_image_scanning` vulnerability has a `dependency` field. It also has
an `operating_system` field. For example, here is the `location` object for a vulnerability
affecting version `2.50.3-2+deb9u1` of Debian package `glib2.0`:
```json
{
"dependency": {
"package": {
"name": "glib2.0"
},
},
"version": "2.50.3-2+deb9u1",
"operating_system": "debian:9",
"image": "index.docker.io/library/nginx:1.18",
"kubernetes_resource": {
"namespace": "production",
"kind": "Deployment",
"name": "nginx-ingress",
"container_name": "nginx",
"agent_id": "1"
}
}
```
The affected package is found when scanning a deployment using the `index.docker.io/library/nginx:1.18` image.
The location fingerprint of a Cluster Image Scanning vulnerability combines the
`namespace`, `kind`, `name`, and `container_name` fields from the `kubernetes_resource`,
as well as the package `name`, so these fields are required. The `image` field is also mandatory.
The `cluster_id` and `agent_id` are mutually exclusive, and one of them must be present.
All other fields are optional.
##### SAST
The `location` of a SAST vulnerability must have a `file` and a `start_line` field,

1
doc/topics/autodevops/cicd_variables.md
View File

@ -94,7 +94,6 @@ Use these variables to disable CI/CD jobs.
| `bandit-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. |
| `brakeman-sast` | `SAST_DISABLED` | | If the variable is present, the job isn't created. |
| `canary` | `CANARY_ENABLED` | | This manual job is created if the variable is present. |
| `cluster_image_scanning` | `CLUSTER_IMAGE_SCANNING_DISABLED` | | If the variable is present, the job isn't created. |
| `code_intelligence` | `CODE_INTELLIGENCE_DISABLED` | From GitLab 13.6 | If the variable is present, the job isn't created. |
| `code_quality` | `CODE_QUALITY_DISABLED` | | If the variable is present, the job isn't created. |
| `container_scanning` | `CONTAINER_SCANNING_DISABLED` | | If the variable is present, the job isn't created. |

14
doc/update/deprecations.md
View File

@ -94,6 +94,20 @@ When using the native HashiCorp Vault integration, CI/CD jobs will fail when no
<div class="deprecation removal-160 breaking-change">
### Development dependencies reported for PHP and Python
Planned removal: GitLab <span class="removal-milestone">16.0</span> <span class="removal-date"></span>
WARNING:
This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/).
Review the details carefully before upgrading.
In GitLab 16.0 the GitLab Dependency Scanning analyzer will begin reporting development dependencies for both Python/pipenv and PHP/composer projects. Users who do not wish to have these development dependencies reported should set `DS_INCLUDE_DEV_DEPENDENCIES: false` in their CI/CD file.
</div>
<div class="deprecation removal-160 breaking-change">
### Embedding Grafana panels in Markdown is deprecated
Planned removal: GitLab <span class="removal-milestone">16.0</span> <span class="removal-date"></span>

2
doc/user/application_security/policies/scan-execution-policies.md
View File

@ -89,7 +89,7 @@ This rule enforces the defined actions and schedules a scan on the provided date
| `type` | `string` | `schedule` | The rule's type. |
| `branches` | `array` of `string` | `*` or the branch's name | The branch the given policy applies to (supports wildcard). This field is required if the `agents` field is not set. |
| `cadence` | `string` | CRON expression (for example, `0 0 * * *`) | A whitespace-separated string containing five fields that represents the scheduled time. |
| `agents` | `object` | | The name of the [GitLab agents](../../clusters/agent/index.md) where [cluster image scanning](../../clusters/agent/vulnerabilities.md) runs. The object key is the name of the Kubernetes agent configured for your project in GitLab. This field is required if the `branches` field is not set. |
| `agents` | `object` | | The name of the [GitLab agents](../../clusters/agent/index.md) where [Operational Container Scanning](../../clusters/agent/vulnerabilities.md) runs. The object key is the name of the Kubernetes agent configured for your project in GitLab. This field is required if the `branches` field is not set. |
GitLab supports the following types of CRON syntax for the `cadence` field:

1
doc/user/application_security/terminology/index.md
View File

@ -257,7 +257,6 @@ once it's imported into the database.
Describes the type of scan. This must be one of the following:
- `api_fuzzing`
- `cluster_image_scanning`
- `container_scanning`
- `coverage_fuzzing`
- `dast`

14
locale/gitlab.pot
View File

@ -6036,6 +6036,12 @@ msgstr ""
msgid "Automatically update this project's branches and tags from the upstream repository."
msgstr ""
msgid "Automation"
msgstr ""
msgid "Automation|Automation App"
msgstr ""
msgid "Autosave|Note"
msgstr ""
@ -12715,7 +12721,7 @@ msgstr ""
msgid "DastProfiles|Enter URLs in a comma-separated list."
msgstr ""
msgid "DastProfiles|Enter headers in a comma-separated list."
msgid "DastProfiles|Enter a comma-separated list of request header names and values. DAST adds header to every request."
msgstr ""
msgid "DastProfiles|Error Details"
@ -12733,6 +12739,9 @@ msgstr ""
msgid "DastProfiles|Excluded paths (optional)"
msgstr ""
msgid "DastProfiles|Headers will appear in vulnerability reports. %{linkStart}Only some headers are automatically masked%{linkEnd}."
msgstr ""
msgid "DastProfiles|Hide debug messages"
msgstr ""
@ -12799,9 +12808,6 @@ msgstr ""
msgid "DastProfiles|Profile name"
msgstr ""
msgid "DastProfiles|Request header names and values. Headers are added to every request made by DAST."
msgstr ""
msgid "DastProfiles|Request headers"
msgstr ""