diff --git a/app/models/project.rb b/app/models/project.rb
index 4c60135d62f..8093295d5c5 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1648,11 +1648,28 @@ class Project < ApplicationRecord
notes.where(noteable_type: "Commit")
end
+ # Returns sanitized import URL.
+ #
+ # @param `masked:` [Boolean] Toggles how URL will be sanitized. Defaults to `true`.
+ # when `true` the userinfo credentials will be masked,
+ # when `false` the userinfo credentials will be stripped.
+ #
+ # @example project.safe_import_url #=> "https://*****:*****@example.com"
+ # @example project.safe_import_url(masked: false) # => "https://example.com"
+ #
+ # @return [String] Sanitized import URL.
+ def safe_import_url(masked: true)
+ url = Gitlab::UrlSanitizer.new(import_url)
+ masked ? url.masked_url : url.sanitized_url
+ end
+
def import_url=(value)
if Gitlab::UrlSanitizer.valid?(value)
+ # Assign sanitized URL, stripped of userinfo credentials, to `Project#import_url` attribute.
import_url = Gitlab::UrlSanitizer.new(value)
super(import_url.sanitized_url)
+ # Assign any userinfo credentials to the `ProjectImportData#credentials` attribute.
credentials = import_url.credentials.to_h.transform_values { |value| CGI.unescape(value.to_s) }
build_or_assign_import_data(credentials: credentials)
else
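Review bot: The YARD tag on the new `safe_import_url` is written as `@param `masked:` [Boolean]`, with backticks and a trailing colon, which YARD will not associate with the `masked` parameter; use `# @param masked [Boolean] Toggles how the URL is sanitized (default: `true`).` so the tag renders and lints. The `@return [String]` claim also rests on `Gitlab::UrlSanitizer.new(import_url)` accepting a nil or blank `import_url`, which this hunk cannot show; if the sanitizer returns nil or raises for a project with no import URL, either document `@return [String, nil]` or add `return if import_url.blank?` before the sanitizer call. The `import_url=` method continues past the end of the hunk.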
@@ -1660,6 +1677,17 @@ class Project < ApplicationRecord
end
end
+ # WARNING - This method returns sensitive userinfo credentials of the import URL.
+ # Use `#safe_import_url` instead unless it is necessary to include sensitive credentials.
+ #
+ # Builds an import URL including userinfo credentials from the `import_url` attribute
+ # and the encrypted `ProjectImportData#credentials`.
+ #
+ # @see #safe_import_url
+ #
+ # @example project.import_url #=> "https://user:secretpassword@example.com"
+ #
+ # @return [String] Unsanitized import URL.
def import_url
if import_data && super.present?
import_url = Gitlab::UrlSanitizer.new(super, credentials: import_data.credentials)
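Review bot: `@return [String] Unsanitized import URL.` on `import_url` is narrower than the code under it: the guard `if import_data && super.present?` implies a fallback path for projects without import data or with a blank stored URL, so the method can presumably return nil or an empty string rather than a URL; `@return [String, nil]` would match that. The warning would be more actionable if it named the concrete hazard, e.g. `# Never log, serialize or persist the return value; use #safe_import_url for display or host comparisons.`, which is the rule the rest of this commit applies at call sites. The body of `import_url` continues outside the hunk.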
@@ -1671,10 +1699,6 @@ class Project < ApplicationRecord
super
end
- def valid_import_url?
- valid?(:import_url) || errors.messages[:import_url].nil?
- end
-
def build_or_assign_import_data(data: nil, credentials: nil)
project_import_data = import_data || build_import_data
@@ -1698,11 +1722,6 @@ class Project < ApplicationRecord
gitea_import? || github_import? || bitbucket_import? || bitbucket_server_import?
end
- def safe_import_url(masked: true)
- url = Gitlab::UrlSanitizer.new(import_url)
- masked ? url.masked_url : url.sanitized_url
- end
-
def jira_import?
import_type == 'jira' && latest_jira_import.present?
end
@@ -1733,7 +1752,7 @@ class Project < ApplicationRecord
def github_enterprise_import?
github_import? &&
- URI.parse(import_url).host != URI.parse(Octokit::Default::API_ENDPOINT).host
+ URI.parse(safe_import_url).host != URI.parse(Octokit::Default::API_ENDPOINT).host
end
# Determine whether any kind of import is in progress.
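Review bot: `github_enterprise_import?` only needs the host, yet it parses the default masked form of `safe_import_url`, so `URI.parse` now depends on the `*****:*****@` placeholder being accepted as a userinfo component; `URI.parse(safe_import_url(masked: false)).host` avoids that dependency because the sanitized URL carries no userinfo at all. The same applies to `host(project.safe_import_url)` in the `github_failure_entity.rb` hunk, where the `host` helper is outside the hunk and its parsing behaviour cannot be checked here.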
diff --git a/app/serializers/import/github_failure_entity.rb b/app/serializers/import/github_failure_entity.rb
index 8d8b16c2a6d..9a2b47458a6 100644
--- a/app/serializers/import/github_failure_entity.rb
+++ b/app/serializers/import/github_failure_entity.rb
@@ -102,7 +102,7 @@ module Import
gh_identifiers = failure.external_identifiers
github_repo = project.import_source
- host = host(project.import_url)
+ host = host(project.safe_import_url)
return '' unless host
case gh_identifiers['object_type']
diff --git a/doc/api/graphql/reference/_index.md b/doc/api/graphql/reference/_index.md
index 4cde2d7f71e..68d4a969242 100644
--- a/doc/api/graphql/reference/_index.md
+++ b/doc/api/graphql/reference/_index.md
@@ -2175,6 +2175,35 @@ Input type: `AiAgentUpdateInput`
| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
| `errors` | [`[String!]!`](#string) | Errors encountered during the mutation. |
+### `Mutation.aiDuoWorkflowCreate`
+
+{{< details >}}
+**Introduced** in GitLab 18.1.
+**Status**: Experiment.
+{{< /details >}}
+
+Input type: `AiDuoWorkflowCreateInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `agentPrivileges` | [`[Int!]`](#int) | Actions the agent is allowed to perform. |
+| `allowAgentToRequestUser` | [`Boolean`](#boolean) | When enabled, Duo Workflow may stop to ask the user questions before proceeding. |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `goal` | [`String`](#string) | Goal of the workflow. |
+| `preApprovedAgentPrivileges` | [`[Int!]`](#int) | Actions the agent can perform without asking for approval. |
+| `projectId` | [`ProjectID`](#projectid) | Global ID of the project the user is acting on. |
+| `workflowDefinition` | [`String`](#string) | Workflow type based on its capability. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `errors` | [`[String!]!`](#string) | Errors encountered during the creation process. |
+| `workflow` | [`DuoWorkflow`](#duoworkflow) | Created workflow. |
+
### `Mutation.aiFeatureSettingUpdate`
Updates or creates settings for AI features.
@@ -25017,6 +25046,8 @@ Represents a vulnerability. The connection type is countable.
| `hasRemediations` | [`Boolean`](#boolean) | Indicates whether there is a remediation available for the vulnerability. |
| `id` | [`ID!`](#id) | GraphQL ID of the vulnerability. |
| `identifiers` | [`[VulnerabilityIdentifier!]!`](#vulnerabilityidentifier) | Identifiers of the vulnerability. |
+| `initialDetectedPipeline` {{< icon name="warning-solid" >}} | [`Pipeline`](#pipeline) | **Introduced** in GitLab 18.2. **Status**: Experiment. Pipeline where the vulnerability was first detected. |
+| `latestDetectedPipeline` {{< icon name="warning-solid" >}} | [`Pipeline`](#pipeline) | **Introduced** in GitLab 18.2. **Status**: Experiment. Pipeline where the vulnerability was last detected. |
| `links` | [`[VulnerabilityLink!]!`](#vulnerabilitylink) | List of links associated with the vulnerability. |
| `location` | [`VulnerabilityLocation`](#vulnerabilitylocation) | Location metadata for the vulnerability. Its fields depend on the type of security scan that found the vulnerability. |
| `mergeRequest` | [`MergeRequest`](#mergerequest) | Merge request that fixes the vulnerability. |
@@ -41727,6 +41758,8 @@ Represents a vulnerability.
| `hasRemediations` | [`Boolean`](#boolean) | Indicates whether there is a remediation available for the vulnerability. |
| `id` | [`ID!`](#id) | GraphQL ID of the vulnerability. |
| `identifiers` | [`[VulnerabilityIdentifier!]!`](#vulnerabilityidentifier) | Identifiers of the vulnerability. |
+| `initialDetectedPipeline` {{< icon name="warning-solid" >}} | [`Pipeline`](#pipeline) | **Introduced** in GitLab 18.2. **Status**: Experiment. Pipeline where the vulnerability was first detected. |
+| `latestDetectedPipeline` {{< icon name="warning-solid" >}} | [`Pipeline`](#pipeline) | **Introduced** in GitLab 18.2. **Status**: Experiment. Pipeline where the vulnerability was last detected. |
| `links` | [`[VulnerabilityLink!]!`](#vulnerabilitylink) | List of links associated with the vulnerability. |
| `location` | [`VulnerabilityLocation`](#vulnerabilitylocation) | Location metadata for the vulnerability. Its fields depend on the type of security scan that found the vulnerability. |
| `mergeRequest` | [`MergeRequest`](#mergerequest) | Merge request that fixes the vulnerability. |
diff --git a/doc/api/groups.md b/doc/api/groups.md
index 7fab1fff2ab..bd9cfbc666d 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -929,6 +929,13 @@ Example response:
{{< /history >}}
+{{< alert type="warning" >}}
+
+This endpoint is scheduled for removal in GitLab 18.5.
+Use [`GET /groups/:id/saml_users`](#list-all-saml-users) and [`GET /groups/:id/service_accounts`](group_service_accounts.md#list-all-service-account-users) instead.
+
+{{< /alert >}}
+
Get a list of users for a group. This endpoint returns users that are related to a top-level group regardless
of their current membership. For example, users that have a SAML identity connected to the group, or service accounts created
by the group or subgroups.
diff --git a/doc/topics/offline/quick_start_guide.md b/doc/topics/offline/quick_start_guide.md
index 1d2275b9500..5b83809eede 100644
--- a/doc/topics/offline/quick_start_guide.md
+++ b/doc/topics/offline/quick_start_guide.md
@@ -225,7 +225,7 @@ for offline environments.
### Configure NTP
-In GitLab 15.4 and 15.5, Gitaly Cluster assumes `pool.ntp.org` is accessible. If `pool.ntp.org` is not accessible, [customize the time server setting](../../administration/gitaly/praefect.md#customize-time-server-setting) on the Gitaly
+Gitaly Cluster assumes `pool.ntp.org` is accessible. If `pool.ntp.org` is not accessible, [customize the time server setting](../../administration/gitaly/praefect.md#customize-time-server-setting) on the Gitaly
and Praefect servers so they can use an accessible NTP server.
On offline instances, the [GitLab Geo check Rake task](../../administration/geo/replication/troubleshooting/common.md#can-geo-detect-the-current-site-correctly)
diff --git a/doc/user/application_security/container_scanning/_index.md b/doc/user/application_security/container_scanning/_index.md
index 3b43f51c5ff..c55a2ded494 100644
--- a/doc/user/application_security/container_scanning/_index.md
+++ b/doc/user/application_security/container_scanning/_index.md
@@ -67,19 +67,20 @@ GitLab compares the found vulnerabilities between the source and target branches
## Features
-| Features | In Free and Premium | In Ultimate |
-| --- | ------ | ------ |
-| Customize Settings ([Variables](#available-cicd-variables), [Overriding](#overriding-the-container-scanning-template), [offline environment support](#running-container-scanning-in-an-offline-environment), etc) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| [View JSON Report](#reports-json-format) as a CI job artifact | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| Generate a [CycloneDX SBOM JSON report](#cyclonedx-software-bill-of-materials) as a CI job artifact | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| Ability to enable container scanning via an MR in the GitLab UI | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| [UBI Image Support](#fips-enabled-images) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| Support for Trivy | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| Inclusion of GitLab Advisory Database | Limited to the time-delayed content from GitLab [advisories-communities](https://gitlab.com/gitlab-org/advisories-community/) project | Yes - all the latest content from [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) |
-| Presentation of Report data in Merge Request and Security tab of the CI pipeline job | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
-| [Solutions for vulnerabilities (auto-remediation)](#solutions-for-vulnerabilities-auto-remediation) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
-| Support for the [vulnerability allow list](#vulnerability-allowlisting) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
-| [Access to Dependency List page](../dependency_list/_index.md) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
+| Features | In Free and Premium | In Ultimate |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
+| Customize Settings ([Variables](#available-cicd-variables), [Overriding](#overriding-the-container-scanning-template), [offline environment support](#running-container-scanning-in-an-offline-environment), etc) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| [View JSON Report](#reports-json-format) as a CI job artifact | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| Generate a [CycloneDX SBOM JSON report](#cyclonedx-software-bill-of-materials) as a CI job artifact | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| Ability to enable container scanning via an MR in the GitLab UI | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| [UBI Image Support](#fips-enabled-images) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| Support for Trivy | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| [End-of-life Operating System Detection](#end-of-life-operating-system-detection) | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| Inclusion of GitLab Advisory Database | Limited to the time-delayed content from GitLab [advisories-communities](https://gitlab.com/gitlab-org/advisories-community/) project | Yes - all the latest content from [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) |
+| Presentation of Report data in Merge Request and Security tab of the CI pipeline job | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
+| [Solutions for vulnerabilities (auto-remediation)](#solutions-for-vulnerabilities-auto-remediation) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
+| Support for the [vulnerability allow list](#vulnerability-allowlisting) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
+| [Access to Dependency List page](../dependency_list/_index.md) | {{< icon name="dotted-circle" >}} No | {{< icon name="check-circle" >}} Yes |
## Configuration
@@ -265,31 +266,33 @@ positives.
{{< /alert >}}
-| CI/CD Variable | Default | Description |
-| ------------------------------ | ------------- | ----------- |
-| `ADDITIONAL_CA_CERT_BUNDLE` | `""` | Bundle of CA certs that you want to trust. See [Using a custom SSL CA certificate authority](#using-a-custom-ssl-ca-certificate-authority) for more details. |
-| `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. |
-| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. |
-| `CS_ANALYZER_IMAGE` | `registry.gitlab.com/security-products/container-scanning:8` | Docker image of the analyzer. Do not use the `:latest` tag with analyzer images provided by GitLab. |
-| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. |
-| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | {{< icon name="warning" >}} **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/439782)** in GitLab 17.0. |
-| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. |
-| `CS_DOCKER_INSECURE` | `"false"` | Allow access to secure Docker registries using HTTPS without validating the certificates. |
-| `CS_DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. |
-| `CS_INCLUDE_LICENSES` | `""` | If set, this variable includes licenses for each component. It is only applicable to cyclonedx reports and those licenses are provided by [trivy](https://trivy.dev/v0.60/docs/scanner/license/)|
-| `CS_IGNORE_STATUSES` | `""` | Force the analyzer to ignore findings with specified statuses in a comma-delimited list. The following values are allowed: `unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life`. 1 |
-| `CS_IGNORE_UNFIXED` | `"false"` | Ignore findings that are not fixed. Ignored findings are not included in the report. |
-| `CS_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. |
-| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. |
-| `CS_QUIET` | `""` | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. |
-| `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. |
-| `CS_REGISTRY_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when FIPS mode is enabled. |
-| `CS_REGISTRY_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when FIPS mode is enabled. |
-| `CS_SEVERITY_THRESHOLD` | `UNKNOWN` | Severity level threshold. The scanner outputs vulnerabilities with severity level higher than or equal to this threshold. Supported levels are `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, and `CRITICAL`. |
-| `CS_TRIVY_JAVA_DB` | `"registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db"` | Specify an alternate location for the [trivy-java-db](https://github.com/aquasecurity/trivy-java-db) vulnerability database. |
-| `CS_TRIVY_DETECTION_PRIORITY` | `"precise"` | Scan using the defined Trivy [detection priority](https://trivy.dev/latest/docs/scanner/vulnerability/#detection-priority). The following values are allowed: `precise` or `comprehensive`. |
-| `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. |
-| `TRIVY_TIMEOUT` | `5m0s` | Set the timeout for the scan. |
+| CI/CD Variable | Default | Description |
+|------------------------------------------|---------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `ADDITIONAL_CA_CERT_BUNDLE` | `""` | Bundle of CA certs that you want to trust. See [Using a custom SSL CA certificate authority](#using-a-custom-ssl-ca-certificate-authority) for more details. |
+| `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. |
+| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. |
+| `CS_ANALYZER_IMAGE` | `registry.gitlab.com/security-products/container-scanning:8` | Docker image of the analyzer. Do not use the `:latest` tag with analyzer images provided by GitLab. |
+| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. |
+| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | {{< icon name="warning" >}} **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/439782)** in GitLab 17.0. |
+| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. |
+| `CS_DOCKER_INSECURE` | `"false"` | Allow access to secure Docker registries using HTTPS without validating the certificates. |
+| `CS_DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. |
+| `CS_INCLUDE_LICENSES` | `""` | If set, this variable includes licenses for each component. It is only applicable to cyclonedx reports and those licenses are provided by [trivy](https://trivy.dev/v0.60/docs/scanner/license/) |
+| `CS_IGNORE_STATUSES` | `""` | Force the analyzer to ignore findings with specified statuses in a comma-delimited list. The following values are allowed: `unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life`. 1 |
+| `CS_IGNORE_UNFIXED` | `"false"` | Ignore findings that are not fixed. Ignored findings are not included in the report. |
+| `CS_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. |
+| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. |
+| `CS_QUIET` | `""` | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. |
+| `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. |
+| `CS_REGISTRY_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when FIPS mode is enabled. |
+| `CS_REGISTRY_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when FIPS mode is enabled. |
+| `CS_REPORT_OS_EOL` | `"false"` | Enable EOL detection |
+| `CS_REPORT_OS_EOL_SEVERITY` | `"Medium"` | Severity level assigned to EOL OS findings when `CS_REPORT_OS_EOL` is enabled. EOL findings are always reported regardless of `CS_SEVERITY_THRESHOLD`. Supported levels are `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, and `CRITICAL`. |
+| `CS_SEVERITY_THRESHOLD` | `UNKNOWN` | Severity level threshold. The scanner outputs vulnerabilities with severity level higher than or equal to this threshold. Supported levels are `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, and `CRITICAL`. |
+| `CS_TRIVY_JAVA_DB` | `"registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db"` | Specify an alternate location for the [trivy-java-db](https://github.com/aquasecurity/trivy-java-db) vulnerability database. |
+| `CS_TRIVY_DETECTION_PRIORITY` | `"precise"` | Scan using the defined Trivy [detection priority](https://trivy.dev/latest/docs/scanner/vulnerability/#detection-priority). The following values are allowed: `precise` or `comprehensive`. |
+| `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. |
+| `TRIVY_TIMEOUT` | `5m0s` | Set the timeout for the scan. |
**Footnotes**:
@@ -800,6 +803,14 @@ container_scanning:
It is important to mention that only SPDX licenses are supported. However, licenses that are non-compliant with SPDX will still be ingested without any user-facing error.
+## End-of-life operating system detection
+
+Container scanning includes the ability to detect and report when your container images are using operating systems that have reached their end-of-life (EOL). Operating systems that have reached EOL no longer receive security updates, leaving them vulnerable to newly discovered security issues.
+
+The EOL detection feature uses Trivy to identify operating systems that are no longer supported by their respective distributions. When an EOL operating system is detected, it's reported as a vulnerability in your container scanning report alongside other security findings.
+
+To enable EOL detection, set `CS_REPORT_OS_EOL` to `"true"`.
+
## Container Scanning for Registry
{{< details >}}
diff --git a/lib/gitlab/bitbucket_server_import/user_finder.rb b/lib/gitlab/bitbucket_server_import/user_finder.rb
index 61bb5efecb3..a7086f683da 100644
--- a/lib/gitlab/bitbucket_server_import/user_finder.rb
+++ b/lib/gitlab/bitbucket_server_import/user_finder.rb
@@ -75,7 +75,7 @@ module Gitlab
@source_user_mapper ||= Gitlab::Import::SourceUserMapper.new(
namespace: project.root_ancestor,
import_type: ::Import::SOURCE_BITBUCKET_SERVER,
- source_hostname: project.import_url
+ source_hostname: project.safe_import_url
)
end
end
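Review bot: `source_hostname: project.safe_import_url` hands `SourceUserMapper` the masked URL, which, when the import URL carried credentials, presumably still contains the `*****:*****@` placeholder in the authority; if `source_hostname` is stored or compared as a key for matching source users across imports, the same upstream host would then map to two distinct values depending on whether credentials were configured. Unless `SourceUserMapper` normalizes the value down to its host (not visible here), `source_hostname: project.safe_import_url(masked: false)` gives a stable, credential-free value. The same call is introduced in the `contributions_mapper.rb` and `placeholder_references/pusher.rb` hunks, and the spec hunks should mirror whichever form is chosen.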
diff --git a/lib/gitlab/github_import/contributions_mapper.rb b/lib/gitlab/github_import/contributions_mapper.rb
index 0f391666edd..686957696fb 100644
--- a/lib/gitlab/github_import/contributions_mapper.rb
+++ b/lib/gitlab/github_import/contributions_mapper.rb
@@ -10,7 +10,7 @@ module Gitlab
def user_mapper
::Gitlab::Import::SourceUserMapper.new(
namespace: project.root_ancestor,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
import_type: ::Import::SOURCE_GITHUB
)
end
diff --git a/lib/import/placeholder_references/pusher.rb b/lib/import/placeholder_references/pusher.rb
index 96847f5a33d..e80e09c356b 100644
--- a/lib/import/placeholder_references/pusher.rb
+++ b/lib/import/placeholder_references/pusher.rb
@@ -30,7 +30,7 @@ module Import
def source_user_mapper(project)
@user_mapper ||= ::Gitlab::Import::SourceUserMapper.new(
namespace: project.root_ancestor,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
import_type: ::Import::SOURCE_BITBUCKET_SERVER
)
end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index d081d0d7d44..ebf801b8db2 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -36414,6 +36414,9 @@ msgstr ""
msgid "LearnGitLab|Try all GitLab features for 60 days, no credit card required."
msgstr ""
+msgid "LearnGitLab|Try the walkthrough in a new tab"
+msgstr ""
+
msgid "LearnGitLab|Try walkthrough"
msgstr ""
diff --git a/spec/lib/gitlab/github_import/importer/collaborator_importer_spec.rb b/spec/lib/gitlab/github_import/importer/collaborator_importer_spec.rb
index 39f5c95e65b..caddc31dc2c 100644
--- a/spec/lib/gitlab/github_import/importer/collaborator_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/collaborator_importer_spec.rb
@@ -29,7 +29,7 @@ RSpec.describe Gitlab::GithubImport::Importer::CollaboratorImporter, feature_cat
create(
:import_source_user, :awaiting_approval,
namespace: project.root_ancestor,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
import_type: project.import_type,
source_user_identifier: github_user_id,
reassign_to_user: user
diff --git a/spec/lib/gitlab/github_import/importer/diff_note_importer_spec.rb b/spec/lib/gitlab/github_import/importer/diff_note_importer_spec.rb
index 85b91db2c2e..71b4f359187 100644
--- a/spec/lib/gitlab/github_import/importer/diff_note_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/diff_note_importer_spec.rb
@@ -91,7 +91,7 @@ RSpec.describe Gitlab::GithubImport::Importer::DiffNoteImporter, :aggregate_fail
placeholder_user_id: user.id,
source_user_identifier: user.id,
source_username: user.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/events/changed_assignee_spec.rb b/spec/lib/gitlab/github_import/importer/events/changed_assignee_spec.rb
index 250128789f8..0bb14498d6c 100644
--- a/spec/lib/gitlab/github_import/importer/events/changed_assignee_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/events/changed_assignee_spec.rb
@@ -137,7 +137,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedAssignee, feature_
placeholder_user_id: author.id,
source_user_identifier: 1000,
source_username: 'github_author',
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/events/changed_label_spec.rb b/spec/lib/gitlab/github_import/importer/events/changed_label_spec.rb
index 5090a2e0748..b64435dd661 100644
--- a/spec/lib/gitlab/github_import/importer/events/changed_label_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/events/changed_label_spec.rb
@@ -81,7 +81,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedLabel, feature_cat
placeholder_user_id: user.id,
source_user_identifier: user.id,
source_username: user.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/events/changed_milestone_spec.rb b/spec/lib/gitlab/github_import/importer/events/changed_milestone_spec.rb
index c69e70526f2..2b3bf52bd46 100644
--- a/spec/lib/gitlab/github_import/importer/events/changed_milestone_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/events/changed_milestone_spec.rb
@@ -100,7 +100,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedMilestone, feature
placeholder_user_id: user.id,
source_user_identifier: user.id,
source_username: user.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/events/changed_reviewer_spec.rb b/spec/lib/gitlab/github_import/importer/events/changed_reviewer_spec.rb
index cc06c775be2..1a8428fa29d 100644
--- a/spec/lib/gitlab/github_import/importer/events/changed_reviewer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/events/changed_reviewer_spec.rb
@@ -138,7 +138,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedReviewer, feature_
placeholder_user_id: review_requester.id,
source_user_identifier: review_requester.id,
source_username: review_requester.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
@@ -149,7 +149,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::ChangedReviewer, feature_
placeholder_user_id: requested_reviewer.id,
source_user_identifier: requested_reviewer.id,
source_username: requested_reviewer.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/events/closed_spec.rb b/spec/lib/gitlab/github_import/importer/events/closed_spec.rb
index c391523db7c..b25b051636d 100644
--- a/spec/lib/gitlab/github_import/importer/events/closed_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/events/closed_spec.rb
@@ -135,7 +135,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::Closed, feature_category:
placeholder_user_id: user.id,
source_user_identifier: user.id,
source_username: user.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/events/cross_referenced_spec.rb b/spec/lib/gitlab/github_import/importer/events/cross_referenced_spec.rb
index a1f3549f5c9..3cbd091ffe7 100644
--- a/spec/lib/gitlab/github_import/importer/events/cross_referenced_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/events/cross_referenced_spec.rb
@@ -153,7 +153,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::CrossReferenced, :clean_g
placeholder_user_id: user.id,
source_user_identifier: user.id,
source_username: user.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/events/merged_spec.rb b/spec/lib/gitlab/github_import/importer/events/merged_spec.rb
index 15e37599a89..a76bad65d77 100644
--- a/spec/lib/gitlab/github_import/importer/events/merged_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/events/merged_spec.rb
@@ -72,7 +72,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::Merged, feature_category:
placeholder_user_id: user.id,
source_user_identifier: user.id,
source_username: user.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/events/renamed_spec.rb b/spec/lib/gitlab/github_import/importer/events/renamed_spec.rb
index 2dcd30bc209..65e3d3b1ad5 100644
--- a/spec/lib/gitlab/github_import/importer/events/renamed_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/events/renamed_spec.rb
@@ -106,7 +106,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::Renamed, feature_category
placeholder_user_id: user.id,
source_user_identifier: user.id,
source_username: user.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/events/reopened_spec.rb b/spec/lib/gitlab/github_import/importer/events/reopened_spec.rb
index 5441d05c8dd..cbe2c8cd2d0 100644
--- a/spec/lib/gitlab/github_import/importer/events/reopened_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/events/reopened_spec.rb
@@ -123,7 +123,7 @@ RSpec.describe Gitlab::GithubImport::Importer::Events::Reopened, :aggregate_fail
placeholder_user_id: user.id,
source_user_identifier: user.id,
source_username: user.username,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/issue_importer_spec.rb b/spec/lib/gitlab/github_import/importer/issue_importer_spec.rb
index b51fb876055..19e5e9717be 100644
--- a/spec/lib/gitlab/github_import/importer/issue_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/issue_importer_spec.rb
@@ -41,7 +41,7 @@ RSpec.describe Gitlab::GithubImport::Importer::IssueImporter, :clean_gitlab_redi
create(
:import_source_user,
source_user_identifier: '4',
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: group.id
)
end
@@ -50,7 +50,7 @@ RSpec.describe Gitlab::GithubImport::Importer::IssueImporter, :clean_gitlab_redi
create(
:import_source_user,
source_user_identifier: '5',
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: group.id
)
end
diff --git a/spec/lib/gitlab/github_import/importer/note_importer_spec.rb b/spec/lib/gitlab/github_import/importer/note_importer_spec.rb
index 26e6e88b906..463f0a33522 100644
--- a/spec/lib/gitlab/github_import/importer/note_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/note_importer_spec.rb
@@ -12,7 +12,7 @@ RSpec.describe Gitlab::GithubImport::Importer::NoteImporter, feature_category: :
placeholder_user_id: user.id,
namespace_id: project.root_ancestor.id,
source_user_identifier: '4',
- source_hostname: project.import_url
+ source_hostname: project.safe_import_url
)
end
diff --git a/spec/lib/gitlab/github_import/importer/pull_request_importer_spec.rb b/spec/lib/gitlab/github_import/importer/pull_request_importer_spec.rb
index 1779a80bbc2..ac31f638a63 100644
--- a/spec/lib/gitlab/github_import/importer/pull_request_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/pull_request_importer_spec.rb
@@ -16,7 +16,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequestImporter, :clean_gitla
create(
:import_source_user,
source_user_identifier: user_representation_1.id,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
import_type: Import::SOURCE_GITHUB,
namespace: project.root_ancestor
)
@@ -26,7 +26,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequestImporter, :clean_gitla
create(
:import_source_user,
source_user_identifier: user_representation_2.id,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
import_type: Import::SOURCE_GITHUB,
namespace: project.root_ancestor
)
diff --git a/spec/lib/gitlab/github_import/importer/pull_requests/merged_by_importer_spec.rb b/spec/lib/gitlab/github_import/importer/pull_requests/merged_by_importer_spec.rb
index 4583148abd1..5bd19bcc2f1 100644
--- a/spec/lib/gitlab/github_import/importer/pull_requests/merged_by_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/pull_requests/merged_by_importer_spec.rb
@@ -14,7 +14,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequests::MergedByImporter, :
create(
:import_source_user,
source_user_identifier: 999,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
import_type: Import::SOURCE_GITHUB,
namespace: project.root_ancestor
)
diff --git a/spec/lib/gitlab/github_import/importer/pull_requests/review_importer_spec.rb b/spec/lib/gitlab/github_import/importer/pull_requests/review_importer_spec.rb
index e83e5a0e8a1..431cd48bed5 100644
--- a/spec/lib/gitlab/github_import/importer/pull_requests/review_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/pull_requests/review_importer_spec.rb
@@ -14,7 +14,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequests::ReviewImporter, :cl
create(
:import_source_user,
source_user_identifier: 999,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
import_type: Import::SOURCE_GITHUB,
namespace: project.root_ancestor
)
diff --git a/spec/lib/gitlab/github_import/importer/pull_requests/review_request_importer_spec.rb b/spec/lib/gitlab/github_import/importer/pull_requests/review_request_importer_spec.rb
index c449e1d2d8c..df5d2e34fb6 100644
--- a/spec/lib/gitlab/github_import/importer/pull_requests/review_request_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/pull_requests/review_request_importer_spec.rb
@@ -11,7 +11,7 @@ RSpec.describe Gitlab::GithubImport::Importer::PullRequests::ReviewRequestImport
create(
:import_source_user,
source_user_identifier: 1,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
import_type: Import::SOURCE_GITHUB,
namespace: project.root_ancestor
)
diff --git a/spec/lib/gitlab/github_import/importer/releases_importer_spec.rb b/spec/lib/gitlab/github_import/importer/releases_importer_spec.rb
index 2c75528acd7..227ee21f136 100644
--- a/spec/lib/gitlab/github_import/importer/releases_importer_spec.rb
+++ b/spec/lib/gitlab/github_import/importer/releases_importer_spec.rb
@@ -39,7 +39,7 @@ RSpec.describe Gitlab::GithubImport::Importer::ReleasesImporter, feature_categor
placeholder_user_id: placeholder_user.id,
source_user_identifier: 1,
source_username: 'User A',
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id
)
end
diff --git a/spec/lib/gitlab/github_import/push_placeholder_references_spec.rb b/spec/lib/gitlab/github_import/push_placeholder_references_spec.rb
index fee90b65071..af0764e2ea1 100644
--- a/spec/lib/gitlab/github_import/push_placeholder_references_spec.rb
+++ b/spec/lib/gitlab/github_import/push_placeholder_references_spec.rb
@@ -11,7 +11,7 @@ RSpec.describe Gitlab::GithubImport::PushPlaceholderReferences, feature_category
create(
:import_source_user,
source_user_identifier: source_id,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
namespace_id: project.root_ancestor.id,
placeholder_user_id: author.id
)
diff --git a/spec/lib/gitlab/import/source_user_mapper_spec.rb b/spec/lib/gitlab/import/source_user_mapper_spec.rb
index c2cc6a2c3a6..dff1e1b0be4 100644
--- a/spec/lib/gitlab/import/source_user_mapper_spec.rb
+++ b/spec/lib/gitlab/import/source_user_mapper_spec.rb
@@ -174,6 +174,14 @@ RSpec.describe Gitlab::Import::SourceUserMapper, :request_store, feature_categor
end
end
+ context 'when source host name has userinfo credentials' do
+ let(:source_hostname) { 'https://user:password@myhost.com/path' }
+
+ it 'normalizes the base URI and removes the userinfo credentials' do
+ expect(find_or_create_source_user.source_hostname).to eq('https://myhost.com')
+ end
+ end
+
context 'when source host name has a subdomain' do
let(:source_hostname) { 'https://subdomain.github.com/path' }
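Review bot: The new context only exercises a plain `user:password` userinfo, while the callers changed elsewhere in this diff pass `project.safe_import_url`, whose default output in this change is the masked form with `*****:*****` as userinfo. A second example with `let(:source_hostname) { 'https://*****:*****@myhost.com/path' }` asserting the same `eq('https://myhost.com')` result would pin that the mapper also strips the masked placeholder, which is the input it will actually see in those specs. The surrounding `describe` block and the `find_or_create_source_user` helper are defined outside this hunk.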
diff --git a/spec/serializers/import/github_failure_entity_spec.rb b/spec/serializers/import/github_failure_entity_spec.rb
index 0de710f22cc..638024c89ef 100644
--- a/spec/serializers/import/github_failure_entity_spec.rb
+++ b/spec/serializers/import/github_failure_entity_spec.rb
@@ -3,7 +3,7 @@
require 'spec_helper'
RSpec.describe Import::GithubFailureEntity, feature_category: :importers do
- let(:project) { instance_double(Project, id: 123456, import_url: 'https://github.com/example/repo.git', import_source: 'example/repo') }
+ let(:project) { instance_double(Project, id: 123456, safe_import_url: 'https://github.com/example/repo.git', import_source: 'example/repo') }
let(:source) { 'Gitlab::GithubImport::Importer::PullRequestImporter' }
let(:github_identifiers) { { 'iid' => 2, 'object_type' => 'pull_request', 'title' => 'Implement cool feature' } }
let(:import_failure) do
@@ -309,7 +309,9 @@ RSpec.describe Import::GithubFailureEntity, feature_category: :importers do
end
context 'with an invalid import_url' do
- let(:project) { instance_double(Project, id: 123456, import_url: 'Invalid url', import_source: 'example/repo') }
+ let(:project) do
+ instance_double(Project, id: 123456, safe_import_url: 'Invalid url', import_source: 'example/repo')
+ end
it_behaves_like 'import failure entity' do
let(:title) { 'Implement cool feature' }
diff --git a/spec/serializers/import/github_failure_serializer_spec.rb b/spec/serializers/import/github_failure_serializer_spec.rb
index 170b2739cfc..633e16d0ec5 100644
--- a/spec/serializers/import/github_failure_serializer_spec.rb
+++ b/spec/serializers/import/github_failure_serializer_spec.rb
@@ -17,7 +17,7 @@ RSpec.describe Import::GithubFailureSerializer, feature_category: :importers do
Project,
id: 123456,
import_status: 'finished',
- import_url: 'https://github.com/example/repo.git',
+ safe_import_url: 'https://github.com/example/repo.git',
import_source: 'example/repo'
)
end
diff --git a/spec/support/helpers/import/user_mapping_helper.rb b/spec/support/helpers/import/user_mapping_helper.rb
index ab29be03654..44a08816792 100644
--- a/spec/support/helpers/import/user_mapping_helper.rb
+++ b/spec/support/helpers/import/user_mapping_helper.rb
@@ -38,7 +38,7 @@ module Import
create(
:import_source_user,
source_user_identifier: identifier,
- source_hostname: project.import_url,
+ source_hostname: project.safe_import_url,
import_type: project.import_type,
namespace: project.root_ancestor
)