Add latest changes from gitlab-org/gitlab@master
This commit is contained in:
parent
4956ffe458
commit
c2d10c27b4
@ -1648,11 +1648,28 @@ class Project < ApplicationRecord
|
|||
notes.where(noteable_type: "Commit")
|
||||
end
|
||||
|
||||
# Returns sanitized import URL.
|
||||
#
|
||||
# @param `masked:` [Boolean] Toggles how URL will be sanitized. Defaults to `true`.
|
||||
# when `true` the userinfo credentials will be masked,
|
||||
# when `false` the userinfo credentials will be stripped.
|
||||
#
|
||||
# @example project.safe_import_url #=> "https://*****:*****@example.com"
|
||||
# @example project.safe_import_url(masked: false) # => "https://example.com"
|
||||
#
|
||||
# @return [String] Sanitized import URL.
|
||||
def safe_import_url(masked: true)
|
||||
url = Gitlab::UrlSanitizer.new(import_url)
|
||||
masked ? url.masked_url : url.sanitized_url
|
||||
end
|
||||
|
||||
def import_url=(value)
|
||||
if Gitlab::UrlSanitizer.valid?(value)
|
||||
# Assign sanitized URL, stripped of userinfo credentials, to `Project#import_url` attribute.
|
||||
import_url = Gitlab::UrlSanitizer.new(value)
|
||||
super(import_url.sanitized_url)
|
||||
|
||||
# Assign any userinfo credentials to the `ProjectImportData#credentials` attribute.
|
||||
credentials = import_url.credentials.to_h.transform_values { |value| CGI.unescape(value.to_s) }
|
||||
build_or_assign_import_data(credentials: credentials)
|
||||
else
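Review bot: The new YARD block on `safe_import_url` does not say that the default masked form is still a parseable URL carrying a placeholder userinfo (the `@example` shows `https://*****:*****@example.com`), and this same commit goes on to feed that form to `URI.parse` and to store it as `source_hostname`; the doc should steer such callers to the stripped form. I would add after the `@param` lines: `# Use the masked form for display and logging only; pass \`masked: false\` for anything that is parsed, compared or persisted, since the masked string still contains a "*****:*****@" userinfo.` The `@return [String]` tag is asserted unconditionally, but what `Gitlab::UrlSanitizer.new` returns when `import_url` is nil (a project with no import) is not visible here, so confirm that before promising a String. The `import_url=` writer below starts in this hunk and continues past it.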
|
||||
|
|
@ -1660,6 +1677,17 @@ class Project < ApplicationRecord
|
|||
end
|
||||
end
|
||||
|
||||
# WARNING - This method returns sensitive userinfo credentials of the import URL.
|
||||
# Use `#safe_import_url` instead unless it is necessary to include sensitive credentials.
|
||||
#
|
||||
# Builds an import URL including userinfo credentials from the `import_url` attribute
|
||||
# and the encrypted `ProjectImportData#credentials`.
|
||||
#
|
||||
# @see #safe_import_url
|
||||
#
|
||||
# @example project.import_url #=> "https://user:secretpassword@example.com"
|
||||
#
|
||||
# @return [String] Unsanitized import URL.
|
||||
def import_url
|
||||
if import_data && super.present?
|
||||
import_url = Gitlab::UrlSanitizer.new(super, credentials: import_data.credentials)
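Review bot: The WARNING on `import_url` should also cover indirect readers, because this is the public reader for a persisted attribute: serializers, `as_json`/`serializable_hash`, attribute dumps and anything using `public_send(:import_url)` obtain the credentialed URL without ever seeing this comment. I infer that from Rails conventions rather than from these lines, so confirm whether `import_url` is excluded from serialization on this model. I would extend the comment with `# Note: generic readers (serializers, as_json, attribute dumps) receive the credentials too; exclude import_url there.` The method body continues past the hunk.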
|
||||
|
|
@ -1671,10 +1699,6 @@ class Project < ApplicationRecord
|
|||
super
|
||||
end
|
||||
|
||||
def valid_import_url?
|
||||
valid?(:import_url) || errors.messages[:import_url].nil?
|
||||
end
|
||||
|
||||
def build_or_assign_import_data(data: nil, credentials: nil)
|
||||
project_import_data = import_data || build_import_data
|
||||
|
||||
|
|
@ -1698,11 +1722,6 @@ class Project < ApplicationRecord
|
|||
gitea_import? || github_import? || bitbucket_import? || bitbucket_server_import?
|
||||
end
|
||||
|
||||
def safe_import_url(masked: true)
|
||||
url = Gitlab::UrlSanitizer.new(import_url)
|
||||
masked ? url.masked_url : url.sanitized_url
|
||||
end
|
||||
|
||||
def jira_import?
|
||||
import_type == 'jira' && latest_jira_import.present?
|
||||
end
|
||||
|
|
@ -1733,7 +1752,7 @@ class Project < ApplicationRecord
|
|||
|
||||
def github_enterprise_import?
|
||||
github_import? &&
|
||||
URI.parse(import_url).host != URI.parse(Octokit::Default::API_ENDPOINT).host
|
||||
URI.parse(safe_import_url).host != URI.parse(Octokit::Default::API_ENDPOINT).host
|
||||
end
|
||||
|
||||
# Determine whether any kind of import is in progress.
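Review bot: `github_enterprise_import?` only needs the host, so `safe_import_url` should be called with `masked: false`: the default masked form keeps a `*****:*****@` placeholder userinfo (per the `@example` added in this commit), which `URI.parse` has to accept and then discard, whereas the stripped form is a plain URL with nothing to mis-parse. Change the line to `URI.parse(safe_import_url(masked: false)).host != URI.parse(Octokit::Default::API_ENDPOINT).host`. Whether `github_import?` guarantees a non-nil `import_url` before `URI.parse` is reached is not visible here.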
|
||||
@ -102,7 +102,7 @@ module Import
|
|||
gh_identifiers = failure.external_identifiers
|
||||
github_repo = project.import_source
|
||||
|
||||
host = host(project.import_url)
|
||||
host = host(project.safe_import_url)
|
||||
return '' unless host
|
||||
|
||||
case gh_identifiers['object_type']
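Review bot: `host(project.safe_import_url)` hands the `host` helper (defined outside this hunk) the masked URL, whose `*****:*****@` placeholder userinfo has to survive whatever parsing `host` does; when only the host is wanted the stripped form is the safer input: `host = host(project.safe_import_url(masked: false))`. The `return '' unless host` guard covers a nil result, but whether `host` returns nil on a parse error or raises is not visible here. The enclosing method starts and ends outside the hunk.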
|
||||
@ -2175,6 +2175,35 @@ Input type: `AiAgentUpdateInput`
|
|||
| <a id="mutationaiagentupdateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
|
||||
| <a id="mutationaiagentupdateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during the mutation. |
|
||||
|
||||
### `Mutation.aiDuoWorkflowCreate`
|
||||
|
||||
{{< details >}}
|
||||
**Introduced** in GitLab 18.1.
|
||||
**Status**: Experiment.
|
||||
{{< /details >}}
|
||||
|
||||
Input type: `AiDuoWorkflowCreateInput`
|
||||
|
||||
#### Arguments
|
||||
|
||||
| Name | Type | Description |
|
||||
| ---- | ---- | ----------- |
|
||||
| <a id="mutationaiduoworkflowcreateagentprivileges"></a>`agentPrivileges` | [`[Int!]`](#int) | Actions the agent is allowed to perform. |
|
||||
| <a id="mutationaiduoworkflowcreateallowagenttorequestuser"></a>`allowAgentToRequestUser` | [`Boolean`](#boolean) | When enabled, Duo Workflow may stop to ask the user questions before proceeding. |
|
||||
| <a id="mutationaiduoworkflowcreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
|
||||
| <a id="mutationaiduoworkflowcreategoal"></a>`goal` | [`String`](#string) | Goal of the workflow. |
|
||||
| <a id="mutationaiduoworkflowcreatepreapprovedagentprivileges"></a>`preApprovedAgentPrivileges` | [`[Int!]`](#int) | Actions the agent can perform without asking for approval. |
|
||||
| <a id="mutationaiduoworkflowcreateprojectid"></a>`projectId` | [`ProjectID`](#projectid) | Global ID of the project the user is acting on. |
|
||||
| <a id="mutationaiduoworkflowcreateworkflowdefinition"></a>`workflowDefinition` | [`String`](#string) | Workflow type based on its capability. |
|
||||
|
||||
#### Fields
|
||||
|
||||
| Name | Type | Description |
|
||||
| ---- | ---- | ----------- |
|
||||
| <a id="mutationaiduoworkflowcreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
|
||||
| <a id="mutationaiduoworkflowcreateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during the creation process. |
|
||||
| <a id="mutationaiduoworkflowcreateworkflow"></a>`workflow` | [`DuoWorkflow`](#duoworkflow) | Created workflow. |
|
||||
|
||||
### `Mutation.aiFeatureSettingUpdate`
|
||||
|
||||
Updates or creates settings for AI features.
|
||||
|
|
@ -25017,6 +25046,8 @@ Represents a vulnerability. The connection type is countable.
|
|||
| <a id="countablevulnerabilityhasremediations"></a>`hasRemediations` | [`Boolean`](#boolean) | Indicates whether there is a remediation available for the vulnerability. |
|
||||
| <a id="countablevulnerabilityid"></a>`id` | [`ID!`](#id) | GraphQL ID of the vulnerability. |
|
||||
| <a id="countablevulnerabilityidentifiers"></a>`identifiers` | [`[VulnerabilityIdentifier!]!`](#vulnerabilityidentifier) | Identifiers of the vulnerability. |
|
||||
| <a id="countablevulnerabilityinitialdetectedpipeline"></a>`initialDetectedPipeline` {{< icon name="warning-solid" >}} | [`Pipeline`](#pipeline) | **Introduced** in GitLab 18.2. **Status**: Experiment. Pipeline where the vulnerability was first detected. |
|
||||
| <a id="countablevulnerabilitylatestdetectedpipeline"></a>`latestDetectedPipeline` {{< icon name="warning-solid" >}} | [`Pipeline`](#pipeline) | **Introduced** in GitLab 18.2. **Status**: Experiment. Pipeline where the vulnerability was last detected. |
|
||||
| <a id="countablevulnerabilitylinks"></a>`links` | [`[VulnerabilityLink!]!`](#vulnerabilitylink) | List of links associated with the vulnerability. |
|
||||
| <a id="countablevulnerabilitylocation"></a>`location` | [`VulnerabilityLocation`](#vulnerabilitylocation) | Location metadata for the vulnerability. Its fields depend on the type of security scan that found the vulnerability. |
|
||||
| <a id="countablevulnerabilitymergerequest"></a>`mergeRequest` | [`MergeRequest`](#mergerequest) | Merge request that fixes the vulnerability. |
|
||||
|
|
@ -41727,6 +41758,8 @@ Represents a vulnerability.
|
|||
| <a id="vulnerabilityhasremediations"></a>`hasRemediations` | [`Boolean`](#boolean) | Indicates whether there is a remediation available for the vulnerability. |
|
||||
| <a id="vulnerabilityid"></a>`id` | [`ID!`](#id) | GraphQL ID of the vulnerability. |
|
||||
| <a id="vulnerabilityidentifiers"></a>`identifiers` | [`[VulnerabilityIdentifier!]!`](#vulnerabilityidentifier) | Identifiers of the vulnerability. |
|
||||
| <a id="vulnerabilityinitialdetectedpipeline"></a>`initialDetectedPipeline` {{< icon name="warning-solid" >}} | [`Pipeline`](#pipeline) | **Introduced** in GitLab 18.2. **Status**: Experiment. Pipeline where the vulnerability was first detected. |
|
||||
| <a id="vulnerabilitylatestdetectedpipeline"></a>`latestDetectedPipeline` {{< icon name="warning-solid" >}} | [`Pipeline`](#pipeline) | **Introduced** in GitLab 18.2. **Status**: Experiment. Pipeline where the vulnerability was last detected. |
|
||||
| <a id="vulnerabilitylinks"></a>`links` | [`[VulnerabilityLink!]!`](#vulnerabilitylink) | List of links associated with the vulnerability. |
|
||||
| <a id="vulnerabilitylocation"></a>`location` | [`VulnerabilityLocation`](#vulnerabilitylocation) | Location metadata for the vulnerability. Its fields depend on the type of security scan that found the vulnerability. |
|
||||
| <a id="vulnerabilitymergerequest"></a>`mergeRequest` | [`MergeRequest`](#mergerequest) | Merge request that fixes the vulnerability. |
|
||||
@ -929,6 +929,13 @@ Example response:
|
|||
|
||||
{{< /history >}}
|
||||
|
||||
{{< alert type="warning" >}}
|
||||
|
||||
This endpoint is scheduled for removal in GitLab 18.5.
|
||||
Use [`GET /groups/:id/saml_users`](#list-all-saml-users) and [`GET /groups/:id/service_accounts`](group_service_accounts.md#list-all-service-account-users) instead.
|
||||
|
||||
{{< /alert >}}
|
||||
|
||||
Get a list of users for a group. This endpoint returns users that are related to a top-level group regardless
|
||||
of their current membership. For example, users that have a SAML identity connected to the group, or service accounts created
|
||||
by the group or subgroups.
|
||||
@ -225,7 +225,7 @@ for offline environments.
|
|||
|
||||
### Configure NTP
|
||||
|
||||
In GitLab 15.4 and 15.5, Gitaly Cluster assumes `pool.ntp.org` is accessible. If `pool.ntp.org` is not accessible, [customize the time server setting](../../administration/gitaly/praefect.md#customize-time-server-setting) on the Gitaly
|
||||
Gitaly Cluster assumes `pool.ntp.org` is accessible. If `pool.ntp.org` is not accessible, [customize the time server setting](../../administration/gitaly/praefect.md#customize-time-server-setting) on the Gitaly
|
||||
and Praefect servers so they can use an accessible NTP server.
|
||||
|
||||
On offline instances, the [GitLab Geo check Rake task](../../administration/geo/replication/troubleshooting/common.md#can-geo-detect-the-current-site-correctly)
|
||||
@ -67,19 +67,20 @@ GitLab compares the found vulnerabilities between the source and target branches
|
|||
|
||||
## Features
|
||||
|
||||
| Features | In Free and Premium | In Ultimate |
|
||||
| --- | ------ | ------ |
|
||||
| Customize Settings ([Variables](#available-cicd-variables), [Overriding](#overriding-the-container-scanning-template), [offline environment support](#running-container-scanning-in-an-offline-environment), etc) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| [View JSON Report](#reports-json-format) as a CI job artifact | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| Generate a [CycloneDX SBOM JSON report](#cyclonedx-software-bill-of-materials) as a CI job artifact | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| Ability to enable container scanning via an MR in the GitLab UI | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| [UBI Image Support](#fips-enabled-images) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| Support for Trivy | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| Inclusion of GitLab Advisory Database | Limited to the time-delayed content from GitLab [advisories-communities](https://gitlab.com/gitlab-org/advisories-community/) project | Yes - all the latest content from [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) |
|
||||
| Presentation of Report data in Merge Request and Security tab of the CI pipeline job | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
|
||||
| [Solutions for vulnerabilities (auto-remediation)](#solutions-for-vulnerabilities-auto-remediation) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
|
||||
| Support for the [vulnerability allow list](#vulnerability-allowlisting) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
|
||||
| [Access to Dependency List page](../dependency_list/_index.md) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
|
||||
| Features | In Free and Premium | In Ultimate |
|
||||
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
|
||||
| Customize Settings ([Variables](#available-cicd-variables), [Overriding](#overriding-the-container-scanning-template), [offline environment support](#running-container-scanning-in-an-offline-environment), etc) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| [View JSON Report](#reports-json-format) as a CI job artifact | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| Generate a [CycloneDX SBOM JSON report](#cyclonedx-software-bill-of-materials) as a CI job artifact | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| Ability to enable container scanning via an MR in the GitLab UI | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| [UBI Image Support](#fips-enabled-images) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| Support for Trivy | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| [End-of-life Operating System Detection](#end-of-life-operating-system-detection) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
|
||||
| Inclusion of GitLab Advisory Database | Limited to the time-delayed content from GitLab [advisories-communities](https://gitlab.com/gitlab-org/advisories-community/) project | Yes - all the latest content from [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) |
|
||||
| Presentation of Report data in Merge Request and Security tab of the CI pipeline job | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
|
||||
| [Solutions for vulnerabilities (auto-remediation)](#solutions-for-vulnerabilities-auto-remediation) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
|
||||
| Support for the [vulnerability allow list](#vulnerability-allowlisting) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
|
||||
| [Access to Dependency List page](../dependency_list/_index.md) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
|
||||
|
||||
## Configuration
|
||||
|
||||
|
|
@ -265,31 +266,33 @@ positives.
|
|||
|
||||
{{< /alert >}}
|
||||
|
||||
| CI/CD Variable | Default | Description |
|
||||
| ------------------------------ | ------------- | ----------- |
|
||||
| `ADDITIONAL_CA_CERT_BUNDLE` | `""` | Bundle of CA certs that you want to trust. See [Using a custom SSL CA certificate authority](#using-a-custom-ssl-ca-certificate-authority) for more details. |
|
||||
| `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. |
|
||||
| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. |
|
||||
| `CS_ANALYZER_IMAGE` | `registry.gitlab.com/security-products/container-scanning:8` | Docker image of the analyzer. Do not use the `:latest` tag with analyzer images provided by GitLab. |
|
||||
| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. |
|
||||
| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | {{< icon name="warning" >}} **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/439782)** in GitLab 17.0. |
|
||||
| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. |
|
||||
| `CS_DOCKER_INSECURE` | `"false"` | Allow access to secure Docker registries using HTTPS without validating the certificates. |
|
||||
| `CS_DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. |
|
||||
| `CS_INCLUDE_LICENSES` | `""` | If set, this variable includes licenses for each component. It is only applicable to cyclonedx reports and those licenses are provided by [trivy](https://trivy.dev/v0.60/docs/scanner/license/)|
|
||||
| `CS_IGNORE_STATUSES` | `""` | Force the analyzer to ignore findings with specified statuses in a comma-delimited list. The following values are allowed: `unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life`. <sup>1</sup> |
|
||||
| `CS_IGNORE_UNFIXED` | `"false"` | Ignore findings that are not fixed. Ignored findings are not included in the report. |
|
||||
| `CS_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. |
|
||||
| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. |
|
||||
| `CS_QUIET` | `""` | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. |
|
||||
| `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. |
|
||||
| `CS_REGISTRY_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when FIPS mode is enabled. |
|
||||
| `CS_REGISTRY_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when FIPS mode is enabled. |
|
||||
| `CS_SEVERITY_THRESHOLD` | `UNKNOWN` | Severity level threshold. The scanner outputs vulnerabilities with severity level higher than or equal to this threshold. Supported levels are `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, and `CRITICAL`. |
|
||||
| `CS_TRIVY_JAVA_DB` | `"registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db"` | Specify an alternate location for the [trivy-java-db](https://github.com/aquasecurity/trivy-java-db) vulnerability database. |
|
||||
| `CS_TRIVY_DETECTION_PRIORITY` | `"precise"` | Scan using the defined Trivy [detection priority](https://trivy.dev/latest/docs/scanner/vulnerability/#detection-priority). The following values are allowed: `precise` or `comprehensive`. |
|
||||
| `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. |
|
||||
| `TRIVY_TIMEOUT` | `5m0s` | Set the timeout for the scan. |
|
||||
| CI/CD Variable | Default | Description |
|
||||
|------------------------------------------|---------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `ADDITIONAL_CA_CERT_BUNDLE` | `""` | Bundle of CA certs that you want to trust. See [Using a custom SSL CA certificate authority](#using-a-custom-ssl-ca-certificate-authority) for more details. |
|
||||
| `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. |
|
||||
| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. |
|
||||
| `CS_ANALYZER_IMAGE` | `registry.gitlab.com/security-products/container-scanning:8` | Docker image of the analyzer. Do not use the `:latest` tag with analyzer images provided by GitLab. |
|
||||
| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. |
|
||||
| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | {{< icon name="warning" >}} **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/439782)** in GitLab 17.0. |
|
||||
| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. |
|
||||
| `CS_DOCKER_INSECURE` | `"false"` | Allow access to secure Docker registries using HTTPS without validating the certificates. |
|
||||
| `CS_DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. |
|
||||
| `CS_INCLUDE_LICENSES` | `""` | If set, this variable includes licenses for each component. It is only applicable to cyclonedx reports and those licenses are provided by [trivy](https://trivy.dev/v0.60/docs/scanner/license/) |
|
||||
| `CS_IGNORE_STATUSES` | `""` | Force the analyzer to ignore findings with specified statuses in a comma-delimited list. The following values are allowed: `unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life`. <sup>1</sup> |
|
||||
| `CS_IGNORE_UNFIXED` | `"false"` | Ignore findings that are not fixed. Ignored findings are not included in the report. |
|
||||
| `CS_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. |
|
||||
| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. |
|
||||
| `CS_QUIET` | `""` | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. |
|
||||
| `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. |
|
||||
| `CS_REGISTRY_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when FIPS mode is enabled. |
|
||||
| `CS_REGISTRY_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when FIPS mode is enabled. |
|
||||
| `CS_REPORT_OS_EOL` | `"false"` | Enable EOL detection |
|
||||
| `CS_REPORT_OS_EOL_SEVERITY` | `"Medium"` | Severity level assigned to EOL OS findings when `CS_REPORT_OS_EOL` is enabled. EOL findings are always reported regardless of `CS_SEVERITY_THRESHOLD`. Supported levels are `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, and `CRITICAL`. |
|
||||
| `CS_SEVERITY_THRESHOLD` | `UNKNOWN` | Severity level threshold. The scanner outputs vulnerabilities with severity level higher than or equal to this threshold. Supported levels are `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, and `CRITICAL`. |
|
||||
| `CS_TRIVY_JAVA_DB` | `"registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db"` | Specify an alternate location for the [trivy-java-db](https://github.com/aquasecurity/trivy-java-db) vulnerability database. |
|
||||
| `CS_TRIVY_DETECTION_PRIORITY` | `"precise"` | Scan using the defined Trivy [detection priority](https://trivy.dev/latest/docs/scanner/vulnerability/#detection-priority). The following values are allowed: `precise` or `comprehensive`. |
|
||||
| `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. |
|
||||
| `TRIVY_TIMEOUT` | `5m0s` | Set the timeout for the scan. |
|
||||
|
||||
**Footnotes**:
|
||||
|
||||
|
|
@ -800,6 +803,14 @@ container_scanning:
|
|||
|
||||
It is important to mention that only SPDX licenses are supported. However, licenses that are non-compliant with SPDX will still be ingested without any user-facing error.
|
||||
|
||||
## End-of-life operating system detection
|
||||
|
||||
Container scanning includes the ability to detect and report when your container images are using operating systems that have reached their end-of-life (EOL). Operating systems that have reached EOL no longer receive security updates, leaving them vulnerable to newly discovered security issues.
|
||||
|
||||
The EOL detection feature uses Trivy to identify operating systems that are no longer supported by their respective distributions. When an EOL operating system is detected, it's reported as a vulnerability in your container scanning report alongside other security findings.
|
||||
|
||||
To enable EOL detection, set `CS_REPORT_OS_EOL` to `"true"`.
|
||||
|
||||
## Container Scanning for Registry
|
||||
|
||||
{{< details >}}
|
||||
@ -75,7 +75,7 @@ module Gitlab
|
|||
@source_user_mapper ||= Gitlab::Import::SourceUserMapper.new(
|
||||
namespace: project.root_ancestor,
|
||||
import_type: ::Import::SOURCE_BITBUCKET_SERVER,
|
||||
source_hostname: project.import_url
|
||||
source_hostname: project.safe_import_url
|
||||
)
|
||||
end
|
||||
end
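Review bot: `source_hostname:` now receives the masked import URL, i.e. scheme, a `*****:*****@` placeholder userinfo, host and path, rather than a hostname; if `SourceUserMapper` persists or matches on this value, the placeholder becomes part of the stored key. `safe_import_url(masked: false)` yields a credential-free URL with no placeholder and is the better fit for a value used as an identifier: `source_hostname: project.safe_import_url(masked: false)`. The `@source_user_mapper ||=` memoization and the rest of the method are unchanged by this hunk.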
|
||||
@ -10,7 +10,7 @@ module Gitlab
|
|||
def user_mapper
|
||||
::Gitlab::Import::SourceUserMapper.new(
|
||||
namespace: project.root_ancestor,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
import_type: ::Import::SOURCE_GITHUB
|
||||
)
|
||||
end
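Review bot: Switching the `source_hostname` key from `project.import_url` to the masked URL changes the value for every project whose import URL carried credentials (old `https://user:secret@host/...`, new `https://*****:*****@host/...`), so if `SourceUserMapper` looks up existing `Import::SourceUser` rows by `source_hostname` — inferred from the name, not from these lines — placeholder users created before this change will not be found by an in-flight or re-run import and duplicates will be created. Worth confirming, and if so pairing the change with a migration that rewrites stored `source_hostname` values into the new form. The spec updates in this commit use the same `project.safe_import_url` expression on both sides, so they cannot detect such a mismatch.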
|
||||
@ -30,7 +30,7 @@ module Import
|
|||
def source_user_mapper(project)
|
||||
@user_mapper ||= ::Gitlab::Import::SourceUserMapper.new(
|
||||
namespace: project.root_ancestor,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
import_type: ::Import::SOURCE_BITBUCKET_SERVER
|
||||
)
|
||||
end
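Review bot: This is the third call site in the commit that derives `source_hostname` from `project.safe_import_url`, so the key derivation is now duplicated across `Import` and the two `lib/` mappers and any later decision (masked vs stripped, host only) must be repeated in all three. A single method on `Project` returning the canonical value, called from each site, would keep the stored key from drifting. Separately, `@user_mapper ||=` memoizes across calls while ignoring the `project` argument on later calls; that predates this change but is worth a comment on the intended single-project lifetime.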
|
||||
@ -36414,6 +36414,9 @@ msgstr ""
|
|||
msgid "LearnGitLab|Try all GitLab features for 60 days, no credit card required."
|
||||
msgstr ""
|
||||
|
||||
msgid "LearnGitLab|Try the walkthrough in a new tab"
|
||||
msgstr ""
|
||||
|
||||
msgid "LearnGitLab|Try walkthrough"
|
||||
msgstr ""
|
||||
|
||||
@ -29,7 +29,7 @@ RSpec.describe Gitlab::GithubImport::Importer::CollaboratorImporter, feature_cat
|
|||
create(
|
||||
:import_source_user, :awaiting_approval,
|
||||
namespace: project.root_ancestor,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
import_type: project.import_type,
|
||||
source_user_identifier: github_user_id,
|
||||
reassign_to_user: user
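Review bot: The factory now uses `source_hostname: project.safe_import_url`, the same expression the importer uses, so the expectation is tautological: the spec passes whatever form `safe_import_url` returns and would not catch a change in that form or a mismatch with rows written before this commit under the old `import_url` value. Pin it to the literal string the project's `import_url` fixture produces (the masked `https://*****:*****@...` form, per the `@example` added in this commit) so the stored key format is asserted explicitly. The `create(` call continues past the hunk.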
|
||||
@ -91,7 +91,7 @@ RSpec.describe Gitlab::GithubImport::Importer::DiffNoteImporter, :aggregate_fail
|
|||
placeholder_user_id: user.id,
|
||||
source_user_identifier: user.id,
|
||||
source_username: user.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -137,7 +137,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedAssignee, feature_
|
|||
placeholder_user_id: author.id,
|
||||
source_user_identifier: 1000,
|
||||
source_username: 'github_author',
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -81,7 +81,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedLabel, feature_cat
|
|||
placeholder_user_id: user.id,
|
||||
source_user_identifier: user.id,
|
||||
source_username: user.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -100,7 +100,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedMilestone, feature
|
|||
placeholder_user_id: user.id,
|
||||
source_user_identifier: user.id,
|
||||
source_username: user.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -138,7 +138,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedReviewer, feature_
|
|||
placeholder_user_id: review_requester.id,
|
||||
source_user_identifier: review_requester.id,
|
||||
source_username: review_requester.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
|
|
@ -149,7 +149,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedReviewer, feature_
|
|||
placeholder_user_id: requested_reviewer.id,
|
||||
source_user_identifier: requested_reviewer.id,
|
||||
source_username: requested_reviewer.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -135,7 +135,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::Closed, feature_category:
|
|||
placeholder_user_id: user.id,
|
||||
source_user_identifier: user.id,
|
||||
source_username: user.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -153,7 +153,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::CrossReferenced, :clean_g
|
|||
placeholder_user_id: user.id,
|
||||
source_user_identifier: user.id,
|
||||
source_username: user.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -72,7 +72,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::Merged, feature_category:
|
|||
placeholder_user_id: user.id,
|
||||
source_user_identifier: user.id,
|
||||
source_username: user.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -106,7 +106,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::Renamed, feature_category
|
|||
placeholder_user_id: user.id,
|
||||
source_user_identifier: user.id,
|
||||
source_username: user.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -123,7 +123,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::Reopened, :aggregate_fail
|
|||
placeholder_user_id: user.id,
|
||||
source_user_identifier: user.id,
|
||||
source_username: user.username,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -41,7 +41,7 @@ RSpec.describe Gitlab::GithubImport::Importer::IssueImporter, :clean_gitlab_redi
|
|||
create(
|
||||
:import_source_user,
|
||||
source_user_identifier: '4',
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: group.id
|
||||
)
|
||||
end
|
||||
@ -50,7 +50,7 @@ RSpec.describe Gitlab::GithubImport::Importer::IssueImporter, :clean_gitlab_redi
|
|||
create(
|
||||
:import_source_user,
|
||||
source_user_identifier: '5',
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: group.id
|
||||
)
|
||||
end
|
||||
@ -12,7 +12,7 @@ RSpec.describe Gitlab::GithubImport::Importer::NoteImporter, feature_category: :
|
|||
placeholder_user_id: user.id,
|
||||
namespace_id: project.root_ancestor.id,
|
||||
source_user_identifier: '4',
|
||||
source_hostname: project.import_url
|
||||
source_hostname: project.safe_import_url
|
||||
)
|
||||
end
|
||||
|
||||
@ -16,7 +16,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequestImporter, :clean_gitla
|
|||
create(
|
||||
:import_source_user,
|
||||
source_user_identifier: user_representation_1.id,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
import_type: Import::SOURCE_GITHUB,
|
||||
namespace: project.root_ancestor
|
||||
)
|
||||
@ -26,7 +26,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequestImporter, :clean_gitla
|
|||
create(
|
||||
:import_source_user,
|
||||
source_user_identifier: user_representation_2.id,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
import_type: Import::SOURCE_GITHUB,
|
||||
namespace: project.root_ancestor
|
||||
)
|
||||
@ -14,7 +14,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequests::MergedByImporter, :
|
|||
create(
|
||||
:import_source_user,
|
||||
source_user_identifier: 999,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
import_type: Import::SOURCE_GITHUB,
|
||||
namespace: project.root_ancestor
|
||||
)
|
||||
@ -14,7 +14,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequests::ReviewImporter, :cl
|
|||
create(
|
||||
:import_source_user,
|
||||
source_user_identifier: 999,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
import_type: Import::SOURCE_GITHUB,
|
||||
namespace: project.root_ancestor
|
||||
)
|
||||
@ -11,7 +11,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequests::ReviewRequestImport
|
|||
create(
|
||||
:import_source_user,
|
||||
source_user_identifier: 1,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
import_type: Import::SOURCE_GITHUB,
|
||||
namespace: project.root_ancestor
|
||||
)
|
||||
@ -39,7 +39,7 @@ RSpec.describe Gitlab::GithubImport::Importer::ReleasesImporter, feature_categor
|
|||
placeholder_user_id: placeholder_user.id,
|
||||
source_user_identifier: 1,
|
||||
source_username: 'User A',
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id
|
||||
)
|
||||
end
|
||||
@ -11,7 +11,7 @@ RSpec.describe Gitlab::GithubImport::PushPlaceholderReferences, feature_category
|
|||
create(
|
||||
:import_source_user,
|
||||
source_user_identifier: source_id,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
namespace_id: project.root_ancestor.id,
|
||||
placeholder_user_id: author.id
|
||||
)
|
||||
@ -174,6 +174,14 @@ RSpec.describe Gitlab::Import::SourceUserMapper, :request_store, feature_categor
|
|||
end
|
||||
end
|
||||
|
||||
context 'when source host name has userinfo credentials' do
|
||||
let(:source_hostname) { 'https://user:password@myhost.com/path' }
|
||||
|
||||
it 'normalizes the base URI and removes the userinfo credentials' do
|
||||
expect(find_or_create_source_user.source_hostname).to eq('https://myhost.com')
|
||||
end
|
||||
end
|
||||
|
||||
context 'when source host name has a subdomain' do
|
||||
let(:source_hostname) { 'https://subdomain.github.com/path' }
|
||||
|
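Review bot: The new 'when source host name has userinfo credentials' context covers only a plain `user:password` pair, yet the credential-stripping path is where a leak would matter, so it should also take a percent-encoded userinfo (a password containing an encoded `@` or `:`) and a host with an explicit port, since those are the inputs most likely to trip naive parsing. A direct negative assertion is cheap and fails loudly if the userinfo survives in any form, e.g. `expect(find_or_create_source_user.source_hostname).not_to include('password')`, rather than relying only on the exact-equality string. The `describe` this context sits in starts before the hunk and the normalization itself is not visible here, so whether a port is preserved or dropped should be checked against the implementation before pinning it in the expectation.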
||||
@ -3,7 +3,7 @@
|
|||
require 'spec_helper'
|
||||
|
||||
RSpec.describe Import::GithubFailureEntity, feature_category: :importers do
|
||||
let(:project) { instance_double(Project, id: 123456, import_url: 'https://github.com/example/repo.git', import_source: 'example/repo') }
|
||||
let(:project) { instance_double(Project, id: 123456, safe_import_url: 'https://github.com/example/repo.git', import_source: 'example/repo') }
|
||||
let(:source) { 'Gitlab::GithubImport::Importer::PullRequestImporter' }
|
||||
let(:github_identifiers) { { 'iid' => 2, 'object_type' => 'pull_request', 'title' => 'Implement cool feature' } }
|
||||
let(:import_failure) do
|
||||
@ -309,7 +309,9 @@ RSpec.describe Import::GithubFailureEntity, feature_category: :importers do
|
|||
end
|
||||
|
||||
context 'with an invalid import_url' do
|
||||
let(:project) { instance_double(Project, id: 123456, import_url: 'Invalid url', import_source: 'example/repo') }
|
||||
let(:project) do
|
||||
instance_double(Project, id: 123456, safe_import_url: 'Invalid url', import_source: 'example/repo')
|
||||
end
|
||||
|
||||
it_behaves_like 'import failure entity' do
|
||||
let(:title) { 'Implement cool feature' }
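Review bot: Stubbing `safe_import_url: 'Invalid url'` on the `instance_double` means this context no longer exercises what the sanitizer returns for an invalid import URL; it only checks the entity's handling of an arbitrary non-URL string, while the context name still reads `'with an invalid import_url'`. If the intent is to pin the entity's behaviour on whatever `Project#safe_import_url` yields in that case, that belongs in a model spec, and a one-line comment here, e.g. `# safe_import_url is doubled: the entity must never read the raw import_url`, would make explicit that the verifying double is what guarantees the raw credential-bearing attribute is no longer touched. The same doubling appears in the first hunk of this file and in the GithubFailureSerializer spec. The shared example group invoked on the line above is defined outside the hunk.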
|
||||
@ -17,7 +17,7 @@ RSpec.describe Import::GithubFailureSerializer, feature_category: :importers do
|
|||
Project,
|
||||
id: 123456,
|
||||
import_status: 'finished',
|
||||
import_url: 'https://github.com/example/repo.git',
|
||||
safe_import_url: 'https://github.com/example/repo.git',
|
||||
import_source: 'example/repo'
|
||||
)
|
||||
end
|
||||
@ -38,7 +38,7 @@ module Import
|
|||
create(
|
||||
:import_source_user,
|
||||
source_user_identifier: identifier,
|
||||
source_hostname: project.import_url,
|
||||
source_hostname: project.safe_import_url,
|
||||
import_type: project.import_type,
|
||||
namespace: project.root_ancestor
|
||||
)
|
||||