Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2024-04-22 03:13:21 +00:00
parent dde0c693dd
commit 482fe46a5b
5 changed files with 23 additions and 5 deletions

@ -8,3 +8,5 @@ description: Relationships between runners and namespaces for group runners
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/commit/1549239849adf31a078be7503ab2288795e337cf
milestone: '10.8'
gitlab_schema: gitlab_ci
sharding_key:
namespace_id: namespaces
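Review bot: the new `sharding_key` entry points `namespace_id` at `namespaces` while the table is declared under `gitlab_schema: gitlab_ci`, and the hunk gives no indication of how that reference is enforced. A database foreign key can only back it if both tables live in the same database, so the merge request should say how orphaned or empty `namespace_id` values are prevented or cleaned up, since the sharding key is what ties each row to its owning namespace.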

@ -10,7 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](feature_flags.md) named `ci_secure_files`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed.
You can securely store up to 100 files for use in CI/CD pipelines as secure files.

@ -143,8 +143,6 @@ For example:
### Export seat usage
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/262877) in GitLab 14.2.
To export seat usage data as a CSV file:
1. On the left sidebar, select **Search or go to** and find your group.
@ -453,8 +451,6 @@ state for all projects is removed, and their excess usage is deducted from the a
#### For your group namespace
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5789) in GitLab 14.6.
If you're using GitLab.com, you can purchase additional storage so your
pipelines aren't blocked after you have used all your storage from your
main quota. You can find pricing for additional storage on the

@ -96,6 +96,26 @@ can take a long time, especially for larger repositories with lengthy Git histor
completing an initial full history scan, use only standard Pipeline Secret Detection as part of your
pipeline.
## Advanced vulnerability tracking
DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/434096) in GitLab 17.0.
When developers make changes to a file with identified secrets, it's likely that the positions of these secrets will also change. The Secret Detection analyzer may have already flagged these secrets as vulnerabilities, tracked in the [Vulnerability Report](../../vulnerability_report/index.md). These vulnerabilities are associated with specific secrets for easy identification and action. However, if the detected secrets aren't accurately tracked as they shift, managing vulnerabilities becomes challenging, potentially resulting in duplicate vulnerability reports.
GitLab Secret Detection uses an advanced vulnerability tracking algorithm to more accurately identify when the same secret has moved within a file due to refactoring or unrelated changes.
For more information, see the confidential project `https://gitlab.com/gitlab-org/security-products/post-analyzers/tracking-calculator`. The content of this project is available only to GitLab team members.
### Unsupported workflows
- The algorithm does not support the workflow where the existing finding lacks a tracking signature and does not share the same location as the newly detected finding.
- For certain rule types like Cryptographic Keys, the Secret Detection identifies leaks by matching the prefix of the secret rather than the entire secret value. In this scenario, the algorithm consolidates different secrets of the same rule type in a file into a single finding, rather than treating each distinct secret as a separate finding. For example, the [SSH Private Key rule type](https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/d2919f65f1d8001755015b5d790af620676b97ea/gitleaks.toml#L138) matches only the `-----BEGIN OPENSSH PRIVATE KEY-----` prefix of a value to confirm the presence of a SSH private key. If there are two distinct SSH Private Keys within the same file, the algorithm considers both values as identical and reports only one finding instead of two.
- The algorithm's scope is limited to a per-file basis, meaning that the same secret appearing in two different files is treated as two distinct findings.
## Configuration
### Requirements
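Review bot: the Cryptographic Keys bullet under "Unsupported workflows" stops at "reports only one finding instead of two" and should state the consequence for triage: one finding can stand for several distinct keys in the same file, so revoking a single key and resolving the finding can leave another exposed key untracked. Suggest adding a sentence that tells readers to check the file for every match of the rule before resolving the finding. Smaller points in the same section: "the Secret Detection identifies leaks" reads better as "Secret Detection identifies leaks", "a SSH private key" should be "an SSH private key", and the pointer to the confidential `tracking-calculator` project gives readers outside GitLab nothing to follow, so a one-line summary of what the tracking signature covers would serve them better.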

@ -28,6 +28,7 @@ RSpec.describe 'new tables missing sharding_key', feature_category: :cell do
*['boards.project_id', 'boards.group_id'],
*['bulk_import_exports.project_id', 'bulk_import_exports.group_id'],
'ci_pipeline_schedules.project_id',
'ci_runner_namespaces.namespace_id',
'ci_sources_pipelines.project_id',
'ci_triggers.project_id',
'gpg_signatures.project_id',
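Review bot: `'ci_runner_namespaces.namespace_id'` goes into this list with no comment or issue link, so nothing records why the column needs the entry or when it can be dropped. If the list exempts columns from a check in the 'new tables missing sharding_key' spec (the list's name is above the visible context), add a trailing comment with the follow-up issue so the exemption does not become permanent. The entry sits in the correct alphabetical position.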