diff --git a/.gitlab/ci/database.gitlab-ci.yml b/.gitlab/ci/database.gitlab-ci.yml
index de576e20b27..f54865c2967 100644
--- a/.gitlab/ci/database.gitlab-ci.yml
+++ b/.gitlab/ci/database.gitlab-ci.yml
@@ -47,7 +47,7 @@ db:rollback single-db:
db:migrate:multi-version-upgrade-1:
stage: test
- image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-ruby-${RUBY_VERSION}:bundler-2.3-docker-${DOCKER_VERSION}
+ image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}:bundler-${BUNDLER_VERSION}-docker-${DOCKER_VERSION}
extends:
- .db-job-base
- .use-docker-in-docker
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 0d8195e0f28..09c909627a4 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -484,7 +484,7 @@ .use-buildx:
extends: .use-docker-in-docker
- image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-slim:docker-${DOCKER_VERSION}
+ image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-${DEBIAN_VERSION}-slim:docker-${DOCKER_VERSION}
variables:
QEMU_IMAGE: tonistiigi/binfmt:qemu-v7.0.0
before_script:
diff --git a/.gitlab/ci/preflight.gitlab-ci.yml b/.gitlab/ci/preflight.gitlab-ci.yml
index 859243384cb..3d9caa74060 100644
--- a/.gitlab/ci/preflight.gitlab-ci.yml
+++ b/.gitlab/ci/preflight.gitlab-ci.yml
@@ -5,7 +5,7 @@ needs: []
.qa-preflight-job:
- image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-ruby-${RUBY_VERSION}:bundler-${BUNDLER_VERSION}-chrome-${CHROME_VERSION}-docker-${DOCKER_VERSION}
+ image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}:bundler-${BUNDLER_VERSION}-chrome-${CHROME_VERSION}-docker-${DOCKER_VERSION}
extends:
- .preflight-job-base
- .qa-cache
diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index 860e20614ae..dba9e53f392 100644 
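Review bot: The new `image:` value in this hunk depends on `${DEBIAN_VERSION}` resolving, and nothing in this diff defines it; if the variable is absent from the shared `variables:` definition it is presumably read from, the reference expands to `debian--ruby-…` and fails only at image pull time, not at pipeline validation. The same applies to the global and preflight hunks on this line and to the two rails hunks on the next line. `${BUNDLER_VERSION}` already appears in the old preflight line, so it is likely defined, but the database job previously pinned `bundler-2.3` explicitly, so it is worth confirming that `BUNDLER_VERSION` resolves to the version that job was exercised with now that the pin lives elsewhere. A one-line comment above the first use, `# DEBIAN_VERSION and BUNDLER_VERSION are defined in the shared CI variables`, would make the dependency visible to readers of this file.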
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -451,7 +451,7 @@ rspec:artifact-collector ee remainder:
- !reference ['.rails:rules:ee-only-system', rules]
rspec:coverage:
- image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-slim-ruby-${RUBY_VERSION}
+ image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-${DEBIAN_VERSION}-slim-ruby-${RUBY_VERSION}
extends:
- .coverage-base
- .rails:rules:rspec-coverage
@@ -502,7 +502,7 @@ rspec:coverage:
path: coverage/coverage.xml
rspec:undercoverage:
- image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-slim-ruby-${RUBY_VERSION}
+ image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-${DEBIAN_VERSION}-slim-ruby-${RUBY_VERSION}
extends:
- .coverage-base
- .rails:rules:rspec-undercoverage
diff --git a/.gitlab/issue_templates/Analytics_Instrumentation_Incident_Template.md b/.gitlab/issue_templates/Analytics Instrumentation Incident.md
similarity index 99%
rename from .gitlab/issue_templates/Analytics_Instrumentation_Incident_Template.md
rename to .gitlab/issue_templates/Analytics Instrumentation Incident.md
index 2ebd5acdcd4..132bd605c43 100644
--- a/.gitlab/issue_templates/Analytics_Instrumentation_Incident_Template.md
+++ b/.gitlab/issue_templates/Analytics Instrumentation Incident.md
@@ -9,7 +9,7 @@ https://www.learning-styles-online.com/style/visual-spatial/
## Problem
-## Detection
+## Detection
diff --git a/.gitlab/issue_templates/Analytics Instrumentation Issue.md b/.gitlab/issue_templates/Analytics Instrumentation Issue.md
new file mode 100644
index 00000000000..d71ca7cddd2
--- /dev/null
+++ b/.gitlab/issue_templates/Analytics Instrumentation Issue.md
@@ -0,0 +1,20 @@
+## Problem
+
+
+## Desired Outcome
+
+
+## Potential Solution
+
+
+## How to verify
+
+
+## Further actions needed
+
+
+
+
+
+
+/label ~devops::analytics ~"group::analytics instrumentation" 
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index f5d56ac5598..d03d56367fd 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-e4f946ba6483d4e297e66b7790a4831b9bae9651
+5274274cf9ea696f8bdb95687a0f9591b73b6550
diff --git a/app/helpers/projects/pipeline_helper.rb b/app/helpers/projects/pipeline_helper.rb
index b37d5f3327e..be252ed2a3f 100644
--- a/app/helpers/projects/pipeline_helper.rb
+++ b/app/helpers/projects/pipeline_helper.rb
@@ -20,7 +20,7 @@ module Projects
has_test_report: pipeline.has_test_reports?,
empty_state_image_path: image_path('illustrations/empty-todos-md.svg'),
empty_dag_svg_path: image_path('illustrations/empty-state/empty-dag-md.svg'),
- artifacts_expired_image_path: image_path('illustrations/pipeline.svg'),
+ artifacts_expired_image_path: image_path('illustrations/empty-state/empty-pipeline-md.svg'),
tests_count: pipeline.test_report_summary.total[:count]
}
end
diff --git a/app/validators/addressable_url_validator.rb b/app/validators/addressable_url_validator.rb
index 5f96ffebd4c..15c04add76c 100644
--- a/app/validators/addressable_url_validator.rb
+++ b/app/validators/addressable_url_validator.rb
@@ -45,6 +45,8 @@ class AddressableUrlValidator < ActiveModel::EachValidator
attr_reader :record
+ DENY_ALL_REQUESTS_EXCEPT_ALLOWED_DEFAULT = proc { deny_all_requests_except_allowed? }.freeze
+
# By default, we avoid checking the dns rebinding protection
# when saving/updating a record. Sometimes, the url
# is not resolvable at that point, and some automated
@@ -56,7 +58,7 @@ class AddressableUrlValidator < ActiveModel::EachValidator
allow_localhost: true,
allow_local_network: true,
ascii_only: false,
- deny_all_requests_except_allowed: false,
+ deny_all_requests_except_allowed: DENY_ALL_REQUESTS_EXCEPT_ALLOWED_DEFAULT,
enforce_user: false,
enforce_sanitization: false,
dns_rebind_protection: false, 
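Review bot: Turning `deny_all_requests_except_allowed` into a lazily evaluated default changes precedence: the `@@ -110` hunk on the next line drops the branch that forced `args[:deny_all_requests_except_allowed] = true` whenever the instance setting is on, so a validator declared with an explicit `deny_all_requests_except_allowed:` option now overrides the administrator's setting, whereas before the setting always won. If no caller passes that option the behaviour is unchanged, but the intended contract should be recorded on the constant, e.g. `# Read lazily so the instance-wide setting applies at validation time; an explicit per-validator value takes precedence over it`. Two points only code outside the hunk can confirm: the proc's receiverless call binds to the class (lexical `self` in the class body), which works if the option resolver invokes it with `call` but not if it uses `instance_exec` on the validator or record; and when `ApplicationSetting.current` is nil the default now yields `nil` rather than the old `false`, which is equivalent only where the consumer checks truthiness.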
@@ -110,11 +112,7 @@ class AddressableUrlValidator < ActiveModel::EachValidator
args[:allow_localhost] = args[:allow_local_network] = true
end
- if deny_all_requests_except_allowed?
- args[:deny_all_requests_except_allowed] = true
- end
-
- args[:outbound_local_requests_allowlist] = ApplicationSetting.current&.outbound_local_requests_whitelist || [] # rubocop:disable Naming/InclusiveLanguage -- existing setting
+ args[:outbound_local_requests_allowlist] = self.class.outbound_local_requests_allowlist
end
end
@@ -128,7 +126,11 @@ class AddressableUrlValidator < ActiveModel::EachValidator
ApplicationSetting.current&.allow_local_requests_from_web_hooks_and_services?
end
- def deny_all_requests_except_allowed?
+ def self.deny_all_requests_except_allowed?
ApplicationSetting.current&.deny_all_requests_except_allowed?
end
+
+ def self.outbound_local_requests_allowlist
ApplicationSetting.current&.outbound_local_requests_whitelist || [] # rubocop:disable Naming/InclusiveLanguage -- existing setting
+ end
end
diff --git a/doc/administration/packages/container_registry.md b/doc/administration/packages/container_registry.md
index cc5e92787cc..9cd6b058212 100644
--- a/doc/administration/packages/container_registry.md
+++ b/doc/administration/packages/container_registry.md 
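Review bot: `def self.deny_all_requests_except_allowed?` and `def self.outbound_local_requests_allowlist` in the `@@ -128` hunk carry no comment on why they are class-level, which matters because `DENY_ALL_REQUESTS_EXCEPT_ALLOWED_DEFAULT` relies on calling the former from the class body without an instance. If this region sits below a `private` marker (not visible in the hunk), note that `private` does not apply to singleton methods, so both become public class API; `private_class_method` would not be a drop-in fix because the `@@ -110` hunk calls `self.class.outbound_local_requests_allowlist` with an explicit receiver. A short comment above the pair, `# Class-level so DENY_ALL_REQUESTS_EXCEPT_ALLOWED_DEFAULT can call it from the class body`, would make the choice deliberate for the next reader.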
@@ -1278,10 +1278,10 @@ DETAILS: **Status:** Beta You can run garbage collection in the background without the need to schedule it or require read-only mode, -if you migrate to the [metadata database (beta)](container_registry_metadata_database.md). +if you migrate to the [metadata database](container_registry_metadata_database.md). NOTE: -If you would like to try this [beta feature](../../policy/experiment-beta-support.md#beta), +If you would like to try this [Beta feature](../../policy/experiment-beta-support.md#beta), you should review the [known limitations](container_registry_metadata_database.md#known-limitations). If you have any feedback, you can let us know in the [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/423459). diff --git a/doc/api/bulk_imports.md b/doc/api/bulk_imports.md index d8c96f3377e..90b8cd3505f 100644 --- a/doc/api/bulk_imports.md +++ b/doc/api/bulk_imports.md @@ -33,7 +33,7 @@ prerequisites for [migrating groups by direct transfer](../user/group/import/ind Use this endpoint to start a new group or project migration. Specify: - `entities[group_entity]` to migrate a group. -- `entities[project_entity]` to migrate a project (Beta). +- `entities[project_entity]` to migrate a project. (**Status:** Beta) ```plaintext POST /bulk_imports diff --git a/doc/ci/pipelines/cicd_minutes.md b/doc/ci/pipelines/cicd_minutes.md index e74c38533ff..cb8d5512b74 100644 --- a/doc/ci/pipelines/cicd_minutes.md +++ b/doc/ci/pipelines/cicd_minutes.md @@ -291,8 +291,8 @@ GitLab SaaS runners have different cost factors, depending on the runner type (L | Linux OS amd64 | `xlarge` | 6 | | Linux OS amd64 | `2xlarge` | 12 | | Linux OS amd64 + GPU-enabled | `medium`, GPU standard | 7 | -| macOS M1 | `medium` | 6 (Beta) | -| Windows Server | - | 1 (Beta) | +| macOS M1 | `medium` | 6 (**Status:** Beta) | +| Windows Server | - | 1 (**Status:** Beta) | ### Monthly reset of compute usage 
diff --git a/doc/ci/testing/code_coverage.md b/doc/ci/testing/code_coverage.md index 65e123b4f72..e79a7a2e80e 100644 --- a/doc/ci/testing/code_coverage.md +++ b/doc/ci/testing/code_coverage.md @@ -52,7 +52,7 @@ coverage in the tool's output: - Simplecov (Ruby). Example: `/\(\d+.\d+\%\) covered/`. -- pytest-cov (Python). Example: `/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/`. +- pytest-cov (Python). Example: `/TOTAL.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/`. - Scoverage (Scala). Example: `/Statement coverage[A-Za-z\.*]\s*:\s*([^%]+)/`. - `pest --coverage --colors=never` (PHP). Example: `/^\s*Cov:\s*\d+\.\d+?%$/`. - `phpunit --coverage-text --colors=never` (PHP). Example: `/^\s*Lines:\s*\d+.\d+\%/`. diff --git a/doc/subscriptions/gitlab_dedicated/index.md b/doc/subscriptions/gitlab_dedicated/index.md index ab75bc30648..26437261424 100644 --- a/doc/subscriptions/gitlab_dedicated/index.md +++ b/doc/subscriptions/gitlab_dedicated/index.md @@ -123,7 +123,10 @@ To enable GitLab Pages for GitLab Dedicated, submit a [support request](https:// #### GitLab Runners -##### Hosted by GitLab (Beta) +##### Hosted by GitLab + +DETAILS: +**Status:** Beta On 2024-01-31, GitLab released Hosted runners in closed [Beta](../../policy/experiment-beta-support.md#beta). diff --git a/doc/user/application_security/api_fuzzing/performance.md b/doc/user/application_security/api_fuzzing/performance.md index a1bcf5b9a08..eb1253d3792 100644 --- a/doc/user/application_security/api_fuzzing/performance.md +++ b/doc/user/application_security/api_fuzzing/performance.md 
@@ -20,7 +20,7 @@ If API Fuzzing testing job still takes longer than expected after following the The first step to resolving performance issues is to understand what is contributing to the slower-than-expected testing time. Some common issues we see are: -- API Fuzzing is running on a slow or single-CPU GitLab Runner (GitLab Shared Runners are single-CPU) +- API Fuzzing is running on a low-vCPU runner - The application deployed to a slow/single-CPU instance and is not able to keep up with the testing load - The application contains a slow operation that impacts the overall test speed (> 1/2 second) - The application contains an operation that returns a large amount of data (> 500K+) 
@@ -51,8 +51,7 @@ An average response time of 2 seconds is a good initial indicator that this spec For this issue, the team might decide to: -- Use a multi-CPU runner. Using a multi-CPU runner allows API Fuzzing to parallelize the work being performed. This helps lower the test time, but getting the test down under 10 minutes might still be problematic without moving to a high CPU machine due to how long the operation takes to test. - - Trade off between how many CPUs and cost. +- Use a runner with more vCPUs, because this allows API Fuzzing to parallelize the work being performed. This helps lower the test time, but getting the test down under 10 minutes might still be problematic without moving to a high CPU machine due to how long the operation takes to test. While larger runners are more costly, you also pay for less minutes if the job executions are quicker. - [Exclude this operation](#excluding-slow-operations) from the API Fuzzing test. While this is the simplest, it has the downside of a gap in security test coverage. - [Exclude the operation from feature branch API Fuzzing tests, but include it in the default branch test](#excluding-operations-in-feature-branches-but-not-default-branch). - [Split up the API Fuzzing testing into multiple jobs](#splitting-a-test-into-multiple-jobs). 
@@ -63,40 +62,36 @@ The likely solution is to use a combination of these solutions to reach an accep The following sections document various options for addressing performance issues for API Fuzzing: -- [Using a multi-CPU Runner](#using-a-multi-cpu-runner) +- [Using a larger runner](#using-a-larger-runner) - [Excluding slow operations](#excluding-slow-operations) - [Splitting a test into multiple jobs](#splitting-a-test-into-multiple-jobs) - [Excluding operations in feature branches, but not default branch](#excluding-operations-in-feature-branches-but-not-default-branch) -### Using a multi-CPU Runner +### Using a larger runner -One of the easiest performance boosts can be achieved using a multi-CPU runner with API Fuzzing. This table shows statistics collected during benchmarking of a Java Spring Boot REST API. In this benchmark, the target and API Fuzzing share a single runner instance. +One of the easiest performance boosts can be achieved using a [larger runner](../../../ci/runners/saas/linux_saas_runner.md#machine-types-available-for-linux-x86-64) +with API Fuzzing. This table shows statistics collected during benchmarking of a Java Spring Boot REST API. In this benchmark, the target and API Fuzzing share a single runner instance. -| CPU Count | Request per Second | -|----------------------|--------------------| -| 1 CPU (Shared Runner)| 75 | -| 4 CPU | 255 | -| 8 CPU | 400 | +| SaaS runner on Linux tag | Requests per Second | +|------------------------------------|-----------| +| `saas-linux-small-amd64` (default) | 255 | +| `saas-linux-medium-amd64` | 400 | -As we can see from this table, increasing the CPU count of the runner can have a large impact on testing speed/performance. +As we can see from this table, increasing the size of the runner and vCPU count can have a large impact on testing speed/performance. -To use a multi-CPU typically requires deploying a self-managed GitLab Runner onto a multi-CPU machine or cloud compute instance. 
- -When multiple types of GitLab Runners are available for use, the various instances are commonly set up with tags that can be used in the job definition to select a type of runner. - -Here is an example job definition for API Fuzzing that adds a `tags` section with the tag `multi-cpu`. The job automatically extends the job definition included through the API Fuzzing template. +Here is an example job definition for API Fuzzing that adds a `tags` section to use the medium SaaS runner on Linux. The job extends the job definition included through the API Fuzzing template. ```yaml apifuzzer_fuzz: tags: - - multi-cpu + - saas-linux-medium-amd64 ``` -To verify that API Fuzzing can detect multiple CPUs in the runner, download the `gl-api-security-scanner.log` file from a completed job's artifacts. Search the file for the string `Starting work item processor` and inspect the reported max DOP (degree of parallelism). The max DOP should be greater than or equal to the number of CPUs assigned to the runner. The value is never lower than 2, even on single CPU runners, unless forced through a configuration variable. If the value reported is less than the number of CPUs assigned to the runner, then something is wrong with the runner deployment. If unable to identify the problem, open a ticket with support to assist. +In the `gl-api-security-scanner.log` file you can search for the string `Starting work item processor` to inspect the reported max DOP (degree of parallelism). The max DOP should be greater than or equal to the number of vCPUs assigned to the runner. If unable to identify the problem, open a ticket with support to assist. Example log entry: -`17:00:01.084 [INF] Starting work item processor with 2 max DOP` +`17:00:01.084 [INF] Starting work item processor with 4 max DOP` ### Excluding slow operations 
diff --git a/doc/user/application_security/api_fuzzing/troubleshooting.md b/doc/user/application_security/api_fuzzing/troubleshooting.md index 993ee089e92..15bee118c24 100644 --- a/doc/user/application_security/api_fuzzing/troubleshooting.md +++ b/doc/user/application_security/api_fuzzing/troubleshooting.md @@ -8,12 +8,12 @@ info: To determine the technical writer assigned to the Stage/Group associated w ## API Fuzzing job times out after N hours -The top two reasons for the API Fuzzing job timing out are slow operations (> 1 second) and using a single-CPU runner for API Fuzzing (GitLab shared runners are single-CPU). Before you can diagnose the problem further, the job must complete so the output can be analyzed. We recommend to start with a multi-CPU runner first, then exclude portions of your API operations until the job completes and the output can be further reviewed. +For larger repositories, the API Fuzzing job could time out on the [small SaaS runner on Linux](../../../ci/runners/saas/linux_saas_runner.md#machine-types-available-for-linux-x86-64), which is set per default. If this happens in your jobs, you should scale up to a [larger runner](performance.md#using-a-larger-runner). See the following documentation sections for assistance: - [Performance tuning and testing speed](performance.md) -- [Using a multi-CPU Runner](performance.md#using-a-multi-cpu-runner) +- [Using a larger Runner](performance.md#using-a-larger-runner) - [Excluding operations by path](configuration/customizing_analyzer_settings.md#exclude-paths) - [Excluding slow operations](performance.md#excluding-slow-operations) diff --git a/doc/user/application_security/dast_api/performance.md b/doc/user/application_security/dast_api/performance.md index 86ee43c6481..22f621539aa 100644 --- a/doc/user/application_security/dast_api/performance.md +++ b/doc/user/application_security/dast_api/performance.md 
@@ -20,7 +20,7 @@ If the DAST API testing job still takes longer than expected reach after followi The first step to resolving performance issues is to understand what is contributing to the slower-than-expected testing time. Some common issues we see are: -- DAST API is running on a slow or single-CPU GitLab Runner (GitLab Shared Runners are single-CPU) +- DAST API is running on a low-vCPU runner - The application deployed to a slow/single-CPU instance and is not able to keep up with the testing load - The application contains a slow operation that impacts the overall test speed (> 1/2 second) - The application contains an operation that returns a large amount of data (> 500K+) @@ -51,8 +51,7 @@ An average response time of 2 seconds is a good initial indicator that this spec For this issue, the team might decide to: -- Use a multi-CPU runner. Using a multi-CPU runner allows DAST API to parallelize the work being performed. This helps lower the test time, but getting the test down under 10 minutes might still be problematic without moving to a high CPU machine due to how long the operation takes to test. - - Trade off between how many CPUs and cost. +- Use a runner with more vCPUs, as this allows DAST API to parallelize the work being performed. This helps lower the test time, but getting the test down under 10 minutes might still be problematic without moving to a high CPU machine due to how long the operation takes to test. While larger runners are more costly, you also pay for less minutes if the job executions are quicker. - [Exclude this operation](#excluding-slow-operations) from the DAST API test. While this is the simplest, it has the downside of a gap in security test coverage. - [Exclude the operation from feature branch DAST API tests, but include it in the default branch test](#excluding-operations-in-feature-branches-but-not-default-branch). - [Split up the DAST API testing into multiple jobs](#splitting-a-test-into-multiple-jobs). 
@@ -63,40 +62,35 @@ The likely solution is to use a combination of these solutions to reach an accep The following sections document various options for addressing performance issues for DAST API: -- [Using a multi-CPU Runner](#using-a-multi-cpu-runner) +- [Using a larger runner](#using-a-larger-runner) - [Excluding slow operations](#excluding-slow-operations) - [Splitting a test into multiple jobs](#splitting-a-test-into-multiple-jobs) - [Excluding operations in feature branches, but not default branch](#excluding-operations-in-feature-branches-but-not-default-branch) -### Using a multi-CPU Runner +### Using a larger runner -One of the easiest performance boosts can be achieved using a multi-CPU runner with DAST API. This table shows statistics collected during benchmarking of a Java Spring Boot REST API. In this benchmark, the target and DAST API share a single runner instance. +One of the easiest performance boosts can be achieved using a [larger runner](../../../ci/runners/saas/linux_saas_runner.md#machine-types-available-for-linux-x86-64) with DAST API. This table shows statistics collected during benchmarking of a Java Spring Boot REST API. In this benchmark, the target and DAST API share a single runner instance. -| CPU Count | Request per Second | -|----------------------|--------------------| -| 1 CPU (Shared Runner)| 75 | -| 4 CPU | 255 | -| 8 CPU | 400 | +| SaaS runner on Linux tag | Requests per Second | +|------------------------------------|-----------| +| `saas-linux-small-amd64` (default) | 255 | +| `saas-linux-medium-amd64` | 400 | -As we can see from this table, increasing the CPU count of the runner can have a large impact on testing speed/performance. +As we can see from this table, increasing the size of the runner and vCPU count can have a large impact on testing speed/performance. -To use a multi-CPU typically requires deploying a self-managed GitLab Runner onto a multi-CPU machine or cloud compute instance. 
- -When multiple types of GitLab Runners are available for use, the various instances are commonly set up with tags that can be used in the job definition to select a type of runner. - -Here is an example job definition for DAST API that adds a `tags` section with the tag `multi-cpu`. The job automatically extends the job definition included through the DAST API template. +Here is an example job definition for DAST API that adds a `tags` section to use the medium SaaS runner on Linux. The job extends the job definition included through the DAST API template. ```yaml dast_api: tags: - - multi-cpu + - saas-linux-medium-amd64 ``` -To verify that DAST API can detect multiple CPUs in the runner, download the `gl-api-security-scanner.log` file from a completed job's artifacts. Search the file for the string `Starting work item processor` and inspect the reported max DOP (degree of parallelism). The max DOP should be greater than or equal to the number of CPUs assigned to the runner. The value is never lower than 2, even on single CPU runners, unless forced through a configuration variable. If the value reported is less than the number of CPUs assigned to the runner, then something is wrong with the runner deployment. If unable to identify the problem, open a ticket with support to assist. +In the `gl-api-security-scanner.log` file you can search for the string `Starting work item processor` to inspect the reported max DOP (degree of parallelism). The max DOP should be greater than or equal to the number of vCPUs assigned to the runner. If unable to identify the problem, open a ticket with support to assist. Example log entry: -`17:00:01.084 [INF] Starting work item processor with 2 max DOP` +`17:00:01.084 [INF] Starting work item processor with 4 max DOP` ### Excluding slow operations diff --git a/doc/user/application_security/dast_api/troubleshooting.md b/doc/user/application_security/dast_api/troubleshooting.md index c7469a96970..88d30bbb1af 100644 
--- a/doc/user/application_security/dast_api/troubleshooting.md +++ b/doc/user/application_security/dast_api/troubleshooting.md @@ -8,12 +8,12 @@ info: To determine the technical writer assigned to the Stage/Group associated w ## DAST API job times out after N hours -The top two reasons for the DAST API job timing out are slow operations (> 1 second) and using a single-CPU runner for DAST API (GitLab shared runners are single-CPU). Before you can diagnose the problem further, the job must complete so the output can be analyzed. We recommend to start with a multi-CPU runner first, then exclude portions of your API operations until the job completes and the output can be further reviewed. +For larger repositories, the DAST API job could time out on the [small SaaS runner on Linux](../../../ci/runners/saas/linux_saas_runner.md#machine-types-available-for-linux-x86-64), which is set per default. If this happens in your jobs, you should scale up to a [larger runner](performance.md#using-a-larger-runner). See the following documentation sections for assistance: - [Performance tuning and testing speed](performance.md#performance-tuning-and-testing-speed) -- [Using a multi-CPU Runner](performance.md#using-a-multi-cpu-runner) +- [Using a larger Runner](performance.md#using-a-larger-runner) - [Excluding operations by path](configuration/customizing_analyzer_settings.md#exclude-paths) - [Excluding slow operations](performance.md#excluding-slow-operations) diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 5e4449853f1..b5eb682fd06 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md 
@@ -702,9 +702,8 @@ Prerequisites: - The `test` stage is required in the `.gitlab-ci.yml` file. - On GitLab self-managed you need GitLab Runner with the [`docker`](https://docs.gitlab.com/runner/executors/docker.html) or - [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor. On GitLab.com this - is enabled by default on the shared runners. The analyzer images provided are for the Linux/amd64 - architecture. + [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor. +- If you're using SaaS runners on GitLab.com, this is enabled by default. To enable the analyzer, either: diff --git a/doc/user/application_security/iac_scanning/index.md b/doc/user/application_security/iac_scanning/index.md index 079778ef357..e0358b4fb00 100644 --- a/doc/user/application_security/iac_scanning/index.md +++ b/doc/user/application_security/iac_scanning/index.md @@ -34,9 +34,8 @@ Prerequisites: - The `test` stage is required in the `.gitlab-ci.yml` file. - On GitLab self-managed you need GitLab Runner with the [`docker`](https://docs.gitlab.com/runner/executors/docker.html) or - [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor. On GitLab.com this - is enabled by default on the shared runners. The analyzer images provided are for the Linux/amd64 - architecture. + [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor. +- If you're using SaaS runners on GitLab.com, this is enabled by default. To enable IaC scanning of a project: diff --git a/doc/user/application_security/sast/analyzers.md b/doc/user/application_security/sast/analyzers.md index d7ed85db38f..a26e2d4f773 100644 --- a/doc/user/application_security/sast/analyzers.md +++ b/doc/user/application_security/sast/analyzers.md 
@@ -33,7 +33,7 @@ SAST supports the following official analyzers: - [`brakeman`](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) (Brakeman) - [`flawfinder`](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) (Flawfinder) - [`kubesec`](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) (Kubesec) -- [`mobsf`](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (MobSF (beta)) +- [`mobsf`](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (MobSF) (**Status:** Beta) - [`nodejs-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) (NodeJsScan) - [`phpcs-security-audit`](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP CS security-audit) - [`pmd-apex`](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (PMD (Apex only)) diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 1d06ec8a0c4..06150f70a07 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md 
@@ -40,14 +40,10 @@ SAST runs in the `test` stage, which is available by default. If you redefine th To run SAST jobs, by default, you need GitLab Runner with the [`docker`](https://docs.gitlab.com/runner/executors/docker.html) or [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor. -If you're using the shared runners on GitLab.com, this is enabled by default. +If you're using SaaS runners on GitLab.com, this is enabled by default. -WARNING: -GitLab SAST analyzers don't support running on Windows or on any CPU architectures other than amd64. - -WARNING: -If you use your own runners, make sure the Docker version installed -is **not** `19.03.0`. See [troubleshooting information](troubleshooting.md#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) for details. +NOTE: +GitLab SAST analyzers only run in a Docker on Linux amd64 environment, which is **not** `Docker 19.03.0`. See [troubleshooting information](troubleshooting.md#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) for details. ## Supported languages and frameworks 
@@ -67,13 +63,13 @@ For more information about our plans for language support in SAST, see the [cate | Groovy1 | [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) with the find-sec-bugs plugin | 11.3 (Gradle) & 11.9 (Maven, SBT) | | Helm Charts | [Kubesec](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) | 13.1 | | Java (any build system) | [Semgrep](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) with [GitLab-managed rules](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/#sast-rules) | 14.10 | -| Java (Android) | [MobSF (beta)](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) | 13.5 | +| Java (Android) | [MobSF](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (**Status:** Beta) | 13.5 | | JavaScript | [Semgrep](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) with [GitLab-managed rules](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/#sast-rules) | 13.10 | -| Kotlin (Android) | [MobSF (beta)](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) | 13.5 | +| Kotlin (Android) | [MobSF](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (**Status:** Beta) | 13.5 | | Kotlin (General)1 | [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) with the find-sec-bugs plugin | 13.11 | | Kubernetes manifests | [Kubesec](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) | 12.6 | | Node.js | [NodeJsScan](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) | 11.1 | -| Objective-C (iOS) | [MobSF (beta)](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) | 13.5 | +| Objective-C (iOS) | [MobSF](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (**Status:** Beta) | 13.5 | | PHP | [phpcs-security-audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) | 10.8 | | Python | 
[Semgrep](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) with [GitLab-managed rules](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/#sast-rules) | 13.9 | | React | [Semgrep](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) with [GitLab-managed rules](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/#sast-rules) | 13.10 | @@ -81,7 +77,7 @@ For more information about our plans for language support in SAST, see the [cate | Ruby on Rails | [brakeman](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) | 10.3 | | Scala (any build system) | [Semgrep](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) with [GitLab-managed rules](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/#sast-rules) | 16.0 | | Scala 1 | [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) with the find-sec-bugs plugin | 11.0 (SBT) & 11.9 (Gradle, Maven) | -| Swift (iOS) | [MobSF (beta)](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) | 13.5 | +| Swift (iOS) | [MobSF](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf) (**Status:** Beta) | 13.5 | | TypeScript | [Semgrep](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) with [GitLab-managed rules](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/#sast-rules) | 13.10 | diff --git a/doc/user/application_security/secret_detection/index.md b/doc/user/application_security/secret_detection/index.md index 4dfd9c0233d..37dec3e3e2e 100644 --- a/doc/user/application_security/secret_detection/index.md +++ b/doc/user/application_security/secret_detection/index.md 
@@ -119,8 +119,8 @@ Secret Detection can detect if a secret was added in one commit and removed in a Prerequisites: - Linux-based GitLab Runner with the [`docker`](https://docs.gitlab.com/runner/executors/docker.html) or - [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor. If you're using the - shared runners on GitLab.com, this is enabled by default. + [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor. +- If you're using SaaS runners on GitLab.com, this is enabled by default. - Windows Runners are not supported. - CPU architectures other than amd64 are not supported. - If you use your own runners, make sure the Docker version installed is **not** `19.03.0`. See diff --git a/doc/user/application_security/vulnerabilities/severities.md b/doc/user/application_security/vulnerabilities/severities.md index 536b82055b8..41a5f994b80 100644 --- a/doc/user/application_security/vulnerabilities/severities.md +++ b/doc/user/application_security/vulnerabilities/severities.md 
@@ -62,6 +62,38 @@ To provide consistent vulnerability severity level values, the GitLab vulnerabil convert from the above values to a standardized GitLab vulnerability severity level, as outlined in the following tables: +## Container Scanning + +| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | +|------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------| +| [`container-scanning`](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)| **{check-circle}** Yes | String | `Unknown`, `Low`, `Medium`, `High`, `Critical` | + +When available, the vendor severity level takes precedence and is used by the analyzer. If that is not available then it falls back on the CVSS v3.1 rating. If that is also not available, then the CVSS v2.0 rating is used instead. Details on this implementation are available on the issue for [trivy](https://github.com/aquasecurity/trivy/issues/310). + +## DAST + +| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | +|------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------| +| [`Browser-based DAST`](../dast/browser/index.md) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW`, `INFO` | + +## DAST API + +| GitLab analyzer | Outputs severity levels? 
| Native severity level type | Native severity level example | +|------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------| +| [`DAST API`](../dast_api/index.md) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW` | + +## Dependency Scanning + +| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | +|------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------| +| [`gemnasium`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) | **{check-circle}** Yes | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating 1 | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` | + +The CVSS v3.1 rating is used to calculate the severity level. If it's not available, the CVSS v2.0 rating is used instead. + +## Fuzz Testing + +All fuzz testing results are reported as Unknown. They should be reviewed and triaged manually to find exploitable faults to prioritize for fixing. + ## SAST | GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | 
@@ -78,23 +110,3 @@ the following tables: | [`secrets`](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) | **{check-circle}** Yes | Not applicable | Hardcodes all severity levels to `Critical` | | [`semgrep`](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep) | **{check-circle}** Yes | String | `error`, `warning`, `note`, `none` | | [`kics`](https://gitlab.com/gitlab-org/security-products/analyzers/kics) | **{check-circle}** Yes | String | `error`, `warning`, `note`, `none` (gets mapped to `info` in [analyzer version 3.7.0 and later](https://gitlab.com/gitlab-org/security-products/analyzers/kics/-/releases/v3.7.0)) | - -## Dependency Scanning - -| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | -|------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------| -| [`gemnasium`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) | **{check-circle}** Yes | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating 1 | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` | - -The CVSS v3.1 rating is used to calculate the severity level. If it's not available, the CVSS v2.0 rating is used instead. - -## Container Scanning - -| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | -|------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------| -| [`container-scanning`](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)| **{check-circle}** Yes | String | `Unknown`, `Low`, `Medium`, `High`, `Critical` | - -When available, the vendor severity level takes precedence and is used by the analyzer. 
If that is not available then it falls back on the CVSS v3.1 rating. If that is also not available, then the CVSS v2.0 rating is used instead. Details on this implementation are available on the respective issues for [trivy](https://github.com/aquasecurity/trivy/issues/310) and [grype](https://github.com/anchore/grype/issues/287). - -## Fuzz Testing - -All fuzz testing results are reported as Unknown. They should be reviewed and triaged manually to find exploitable faults to prioritize for fixing. diff --git a/doc/user/organization/index.md b/doc/user/organization/index.md index 4edbc63a838..923c5ad928e 100644 --- a/doc/user/organization/index.md +++ b/doc/user/organization/index.md @@ -37,7 +37,7 @@ see [epic 9265](https://gitlab.com/groups/gitlab-org/-/epics/9265). To view the organizations you have access to: -- On the left sidebar, select **Organizations** (**{organization}**). +- On the left sidebar, select **Organizations**. ## Create an organization @@ -50,7 +50,7 @@ To view the organizations you have access to: ## Edit an organization's name -1. On the left sidebar, select **Organizations** (**{organization}**) and find the organization you want to edit. +1. On the left sidebar, select **Organizations** and find the organization you want to edit. 1. Select **Settings > General**. 1. In the **Organization name** text box, edit the name. 1. In the **Organization description** text box, edit the description. Supports a [limited subset of Markdown](#supported-markdown-for-organization-description). @@ -61,7 +61,7 @@ To view the organizations you have access to: ## Change an organization's URL -1. On the left sidebar, select **Organizations** (**{organization}**) and find organization whose URL you want to change. +1. On the left sidebar, select **Organizations** and find the organization whose URL you want to change. 1. Select **Settings > General**. 1. Expand the **Advanced** section. 1. In the **Organization URL** text box, edit the URL. 
@@ -69,7 +69,7 @@ To view the organizations you have access to: ## Manage groups and projects -1. On the left sidebar, select **Organizations** (**{organization}**) and find the organization you want to manage. +1. On the left sidebar, select **Organizations** and find the organization you want to manage. 1. Select **Manage > Groups and projects**. 1. Optional. Filter the results: - To search for specific groups or projects, in the search box enter your search term. @@ -78,7 +78,7 @@ To view the organizations you have access to: ## Manage users -1. On the left sidebar, select **Organizations** (**{organization}**) and find the organization you want to manage. +1. On the left sidebar, select **Organizations** and find the organization you want to manage. 1. Select **Manage > Users**. ## Supported Markdown for Organization description diff --git a/doc/user/permissions.md b/doc/user/permissions.md index d69fdffab18..5d031d6f76c 100644 --- a/doc/user/permissions.md +++ b/doc/user/permissions.md @@ -265,7 +265,7 @@ The following table lists project permissions available for each role: | Run [interactive web terminals](../ci/interactive_web_terminal/index.md) | | | | ✓ | ✓ | ✓ | | | Add project runners to project | | | | | ✓ | ✓ | | | Clear runner caches manually | | | | | ✓ | ✓ | | -| Enable shared runners in project | | | | | ✓ | ✓ | | +| Enable instance runners in project | | | | | ✓ | ✓ | | | Manage CI/CD settings | | | | | ✓ | ✓ | | | Manage job triggers | | | | | ✓ | ✓ | | | Manage project-level CI/CD variables | | | | | ✓ | ✓ | | diff --git a/doc/user/project/import/github.md b/doc/user/project/import/github.md index f1bf3a06c37..0817b095cc2 100644 --- a/doc/user/project/import/github.md +++ b/doc/user/project/import/github.md 
@@ -22,7 +22,7 @@ The namespace is a user or group in GitLab, such as `gitlab.com/sidney-jones` or Using the GitLab UI, the GitHub importer always imports from the `github.com` domain. If you are importing from a self-hosted GitHub Enterprise Server domain, use the -[GitLab Import API](#use-the-rest-api) GitHub endpoint. +[GitLab Import API](#use-the-api) GitHub endpoint. When importing projects: @@ -85,13 +85,15 @@ You can import your GitHub repository by either: - [Using GitHub OAuth](#use-github-oauth) - [Using a GitHub Personal Access Token](#use-a-github-personal-access-token) -- [Using the API](#use-the-rest-api) +- [Using the API](#use-the-api) + +If importing from `github.com` you can use any method to import. Self-hosted GitHub Enterprise Server customers must use the API. ### Use GitHub OAuth If you are importing to GitLab.com or to a self-managed GitLab that has GitHub OAuth [configured](../../../integration/github.md), you can use GitHub OAuth to import your repository. -This method has an advantage over using a [Personal Access Token (PAT)](#use-a-github-personal-access-token) +This method has an advantage over using a [Personal Access Token (PAT)](#use-a-github-personal-access-token) because the backend exchanges the access token with the appropriate permissions. 1. On the left sidebar, at the top, select **Create new** (**{plus}**) and **New project/repository**. @@ -123,7 +125,7 @@ To use a different token to perform an import after previously performing these steps, sign out of your GitLab account and sign in again, or revoke the older token in GitHub. -### Use the REST API +### Use the API The [GitLab REST API](../../../api/import.md#import-repository-from-github) can be used to import a GitHub repository. It has some advantages over using the GitLab UI: diff --git a/doc/user/project/index.md b/doc/user/project/index.md index 64d4ac7e9f0..47cb8976206 100644 --- a/doc/user/project/index.md +++ b/doc/user/project/index.md 
@@ -200,8 +200,6 @@ DETAILS: FLAG: On self-managed GitLab, by default this feature is not available. To make it available, an administrator can enable the [feature flag](../../administration/feature_flags.md) named `support_sha256_repositories`. -On GitLab.com, this feature is not available because it's an [Experiment](../../policy/experiment-beta-support.md#experiment). -If you would like access on GitLab.com, please fill out this [form](https://forms.gle/pUUPB8GBgaPCvdNc6). You can select SHA-256 hashing for a project only when you create the project. diff --git a/doc/user/project/service_desk/index.md b/doc/user/project/service_desk/index.md index 2903991e02f..60b97891985 100644 --- a/doc/user/project/service_desk/index.md +++ b/doc/user/project/service_desk/index.md @@ -55,7 +55,7 @@ Meanwhile: - [Use a custom template for Service Desk tickets](configure.md#use-a-custom-template-for-service-desk-tickets) - [Support Bot user](configure.md#support-bot-user) - [Reopen issues when an external participant comments](configure.md#reopen-issues-when-an-external-participant-comments) - - [Custom email address (Beta)](configure.md#custom-email-address) + - [Custom email address](configure.md#custom-email-address) - [Use an additional Service Desk alias email](configure.md#use-an-additional-service-desk-alias-email) - [Configure email ingestion in multi-node environments](configure.md#configure-email-ingestion-in-multi-node-environments) - [Use Service Desk](using_service_desk.md#use-service-desk) diff --git a/lib/peek/views/redis_detailed.rb b/lib/peek/views/redis_detailed.rb index 76c283bf802..6b5c4b37c9d 100644 --- a/lib/peek/views/redis_detailed.rb +++ b/lib/peek/views/redis_detailed.rb 
@@ -16,24 +16,30 @@ module Peek
 private
 def format_call_details(call)
- cmd = call[:commands].map do |command|
- format_command(command)
- end.join(', ')
+ call[:commands] = call[:commands].map { |command| format_command(command) }
+ cmd = call[:commands].map { |command| command.join(' ') }.join(', ')
 super.merge(cmd: cmd, instance: call[:storage])
 end
 def format_command(cmd)
+ # Perform a deep clone of commands if any auth commands are present as ["AUTH", password]
+ # is a reference to `RedisClient::Config.connection_prelude`. `format_command` will update
+ # the password to and lead to NOAUTH errors.
+ #
+ # See issue: https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/2826
 if cmd.length >= 2 && cmd.first =~ /^auth$/i
+ cmd = cmd.deep_dup
 cmd[-1] = REDACTED_MARKER
 # Scrub out the value of the SET calls to avoid binary
 # data or large data from spilling into the view
 elsif cmd.length >= 3 && cmd.first =~ /set/i
+ cmd = cmd.deep_dup
 cmd[2..-1] = REDACTED_MARKER
 end
- cmd.join(' ')
+ cmd
 end
 end
 end
diff --git a/qa/Gemfile b/qa/Gemfile
index 33dccf8e0fa..d4654011449 100644
--- a/qa/Gemfile
+++ b/qa/Gemfile
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
-gem 'gitlab-qa', '~> 14', '>= 14.0.2', require: 'gitlab/qa'
+gem 'gitlab-qa', '~> 14', '>= 14.1.0', require: 'gitlab/qa'
 gem 'gitlab_quality-test_tooling', '~> 1.11.0', require: false
 gem 'gitlab-utils', path: '../gems/gitlab-utils'
 gem 'activesupport', '~> 7.0.8' # This should stay in sync with the root's Gemfile
diff --git a/qa/Gemfile.lock b/qa/Gemfile.lock
index 982e62154bd..e9a9b846176 100644
--- a/qa/Gemfile.lock
+++ b/qa/Gemfile.lock
@@ -119,7 +119,7 @@ GEM
 gitlab (4.19.0)
 httparty (~> 0.20)
 terminal-table (>= 1.5.1)
- gitlab-qa (14.0.2)
+ gitlab-qa (14.1.0)
 activesupport (>= 6.1, < 7.2)
 gitlab (~> 4.19)
 http (~> 5.0)
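Review bot: The new `deep_dup` only protects arrays that match the two regexes, and `/^auth$/i` keys on the literal command name, so a credential-bearing prelude in another form would still reach the performance bar unredacted — for instance a RESP3 `HELLO 3 AUTH user password` (whether `RedisClient::Config.connection_prelude` ever emits that form is not visible from this hunk). Because `format_call_details` now writes the mapped result back into `call[:commands]`, anything the regexes miss is also persisted in the detail store in the clear, which is worth stating in the comment above `format_command`. A narrow hardening is a third branch, `elsif cmd.length > 2 && cmd.first.to_s.casecmp?('hello')` followed by `cmd = cmd.deep_dup` and `cmd[2..-1] = REDACTED_MARKER`, so any `HELLO ... AUTH ...` form is scrubbed the way `AUTH` is. The comment text `will update the password to and lead to NOAUTH errors` is missing a word; `will overwrite the password with REDACTED_MARKER in the shared prelude and lead to NOAUTH errors` describes what the pre-fix code did.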
@@ -357,7 +357,7 @@ DEPENDENCIES faraday-retry (~> 2.2) fog-core (= 2.1.0) fog-google (~> 1.19) - gitlab-qa (~> 14, >= 14.0.2) + gitlab-qa (~> 14, >= 14.1.0) gitlab-utils! gitlab_quality-test_tooling (~> 1.11.0) influxdb-client (~> 3.0) @@ -383,4 +383,4 @@ DEPENDENCIES zeitwerk (~> 2.6, >= 2.6.12) BUNDLED WITH - 2.5.5 + 2.5.6 diff --git a/qa/qa/factories/_shared.rb b/qa/qa/factories/_shared.rb index 0fd38faa7dd..008d600c12a 100644 --- a/qa/qa/factories/_shared.rb +++ b/qa/qa/factories/_shared.rb @@ -2,6 +2,8 @@ module QA FactoryBot.define do - to_create(&:fabricate_via_api!) + to_create do |instance| + instance.class.fabricate_via_api!(resource: instance) + end end end diff --git a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb index 634d7ab3cd6..15147c1a393 100644 --- a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb +++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb @@ -77,7 +77,7 @@ module QA end end - it 'publishes a nuget package and installs', testcase: params[:testcase] do + it 'publishes a nuget package and installs', :blocking, testcase: params[:testcase] do Flow::Login.sign_in Support::Retrier.retry_on_exception(max_attempts: 3, sleep_interval: 2) do diff --git a/spec/helpers/projects/pipeline_helper_spec.rb b/spec/helpers/projects/pipeline_helper_spec.rb index 7b8b349c3e5..dacc55fb61f 100644 --- a/spec/helpers/projects/pipeline_helper_spec.rb +++ b/spec/helpers/projects/pipeline_helper_spec.rb 
@@ -33,7 +33,7 @@ RSpec.describe Projects::PipelineHelper do has_test_report: pipeline.complete_and_has_reports?(Ci::JobArtifact.of_report_type(:test)), empty_dag_svg_path: match_asset_path('illustrations/empty-state/empty-dag-md.svg'), empty_state_image_path: match_asset_path('illustrations/empty-todos-md.svg'), - artifacts_expired_image_path: match_asset_path('illustrations/pipeline.svg'), + artifacts_expired_image_path: match_asset_path('illustrations/empty-state/empty-pipeline-md.svg'), tests_count: pipeline.test_report_summary.total[:count] }) end diff --git a/spec/lib/peek/views/redis_detailed_spec.rb b/spec/lib/peek/views/redis_detailed_spec.rb index 5d75a6522e4..c0020899a10 100644 --- a/spec/lib/peek/views/redis_detailed_spec.rb +++ b/spec/lib/peek/views/redis_detailed_spec.rb 
@@ -7,27 +7,51 @@ RSpec.describe Peek::Views::RedisDetailed, :request_store do using RSpec::Parameterized::TableSyntax - where(:commands, :expected) do - [[:auth, 'test']] | 'auth ' - [[:set, 'key', 'value']] | 'set key ' - [[:set, 'bad']] | 'set bad' - [[:hmset, 'key1', 'value1', 'key2', 'value2']] | 'hmset key1 ' - [[:get, 'key']] | 'get key' - [[:get, 'key1'], [:get, 'key2']] | 'get key1, get key2' - [[:set, 'key1', 'value'], [:set, 'key2', 'value']] | 'set key1 , set key2 ' + where(:commands, :expected_commands, :expected_cmd) do + [[:auth, 'test']] | [[:auth, '']] | 'auth ' + [[:set, 'key', 'value']] | [[:set, 'key', '']] | 'set key ' + [[:set, 'bad']] | [[:set, 'bad']] | 'set bad' + [[:hmset, 'key1', 'value1', 'key2', 'value2']] | [[:hmset, 'key1', '']] | 'hmset key1 ' + [[:get, 'key']] | [[:get, 'key']] | 'get key' + [[:get, 'key1'], [:get, 'key2']] | [[:get, 'key1'], [:get, 'key2']] | 'get key1, get key2' + [[:set, 'key1', 'value'], + [:set, 'key2', + 'value']] | [[:set, 'key1', ''], + [:set, 'key2', '']] | 'set key1 , set key2 ' end with_them do - it 'scrubs Redis commands' do + before do Gitlab::Instrumentation::Redis::SharedState.detail_store << { commands: commands, duration: 1.second } + end + it 'scrubs Redis commands' do expect(subject.results[:details].count).to eq(1) expect(subject.results[:details].first) .to include({ - cmd: expected, - duration: 1000 + commands: expected_commands, + cmd: expected_cmd, + duration: 1000 }) end + + it 'does not mutate input variable for redacted commands' do + input = commands.deep_dup + + subject.results + + expect(commands).to eq(input) + end + end + + it 'does not mutate input variable for auth commands' do + commands = [[:auth, 'test']] + Gitlab::Instrumentation::Redis::SharedState.detail_store << { commands: commands, duration: 1.second } + + expect(subject.results[:details].first) + .to include({ commands: [[:auth, ""]], cmd: 'auth ', duration: 1000 }) + + expect(commands).to eq([[:auth, 'test']]) end it 
'returns aggregated results' do diff --git a/spec/services/work_items/create_service_spec.rb b/spec/services/work_items/create_service_spec.rb index b64d9a29fbf..24112ef9317 100644 --- a/spec/services/work_items/create_service_spec.rb +++ b/spec/services/work_items/create_service_spec.rb @@ -6,44 +6,7 @@ RSpec.describe WorkItems::CreateService, feature_category: :team_planning do include AfterNextHelpers RSpec.shared_examples 'creates work item in container' do |container_type| - let_it_be_with_reload(:project) { create(:project) } - let_it_be_with_reload(:group) { create(:group) } - - let_it_be(:container) do - case container_type - when :project then project - when :project_namespace then project.project_namespace - when :group then group - end - end - - let_it_be(:container_args) do - case container_type - when :project, :project_namespace then { project: project } - when :group then { namespace: group } - end - end - - let_it_be(:parent) { create(:work_item, **container_args) } - let_it_be(:guest) { create(:user) } - let_it_be(:reporter) { create(:user) } - let_it_be(:user_with_no_access) { create(:user) } - - let(:widget_params) { {} } - let(:perform_spam_check) { false } - let(:current_user) { guest } - let(:opts) do - { - title: 'Awesome work_item', - description: 'please fix' - } - end - - before_all do - memberships_container = container.is_a?(Namespaces::ProjectNamespace) ? container.reload.project : container - memberships_container.add_guest(guest) - memberships_container.add_reporter(reporter) - end + include_context 'with container for work items service', container_type describe '#execute' do shared_examples 'fails creating work item and returns errors' do 
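Review bot: The standalone `does not mutate input variable for auth commands` example duplicates the `[[:auth, 'test']]` row of the table, which the parameterized `does not mutate input variable for redacted commands` example already exercises with the same assertion, so it is a second copy of one check to maintain. Either drop it or make it cover what the table does not, namely that an unmatched command such as `[[:get, 'key']]` is passed through without a copy; assuming `super` in `format_call_details` carries `call[:commands]` into the result (the `commands:` expectation suggests it does), `expect(subject.results[:details].first[:commands].first).to equal(commands.first)` would pin that. The hunk ends at the trailing `'returns aggregated results'` context line, so the rest of the describe block is not visible here.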
@@ -55,16 +18,6 @@ RSpec.describe WorkItems::CreateService, feature_category: :team_planning do end end - let(:service) do - described_class.new( - container: container, - current_user: current_user, - params: opts, - perform_spam_check: perform_spam_check, - widget_params: widget_params - ) - end - subject(:service_result) { service.execute } context 'when user is not allowed to create a work item in the container' do diff --git a/spec/support/shared_contexts/services/work_items/create_shared_context.rb b/spec/support/shared_contexts/services/work_items/create_shared_context.rb new file mode 100644 index 00000000000..0ba456028ea --- /dev/null +++ b/spec/support/shared_contexts/services/work_items/create_shared_context.rb 
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+RSpec.shared_context 'with container for work items service' do |container_type|
+ let_it_be_with_reload(:project) { create(:project) }
+ let_it_be_with_reload(:group) { create(:group) }
+
+ let_it_be(:container) do
+ case container_type
+ when :project then project
+ when :project_namespace then project.project_namespace
+ when :group then group
+ end
+ end
+
+ let_it_be(:container_args) do
+ case container_type
+ when :project, :project_namespace then { project: project }
+ when :group then { namespace: group }
+ end
+ end
+
+ let_it_be(:parent) { create(:work_item, **container_args) }
+ let_it_be(:guest) { create(:user) }
+ let_it_be(:reporter) { create(:user) }
+ let_it_be(:user_with_no_access) { create(:user) }
+
+ let(:widget_params) { {} }
+ let(:extra_params) { {} }
+ let(:perform_spam_check) { false }
+ let(:current_user) { guest }
+ let(:opts) do
+ {
+ title: 'Awesome work_item',
+ description: 'please fix'
+ }
+ end
+
+ let(:service) do
+ described_class.new(
+ container: container,
+ current_user: current_user,
+ params: opts.merge(extra_params),
+ perform_spam_check: perform_spam_check,
+ widget_params: widget_params
+ )
+ end
+
+ before_all do
+ memberships_container = container.is_a?(Namespaces::ProjectNamespace) ? container.reload.project : container
+ memberships_container.add_guest(guest)
+ memberships_container.add_reporter(reporter)
+ end
+end
diff --git a/spec/validators/addressable_url_validator_spec.rb b/spec/validators/addressable_url_validator_spec.rb
index 4808f938f5a..c685e9c7d42 100644
--- a/spec/validators/addressable_url_validator_spec.rb
+++ b/spec/validators/addressable_url_validator_spec.rb
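Review bot: Both `case container_type` expressions in `let_it_be(:container)` and `let_it_be(:container_args)` have no `else`, so a typo in the `container_type` passed by an `include_context` caller yields `nil` and the failure surfaces later as a confusing `no implicit conversion of nil into Hash` from `**container_args` rather than at the point of misuse. Add `else raise ArgumentError, "unknown container_type: #{container_type.inspect}"` to both `case` statements. `extra_params` is new relative to the setup this context replaces and its purpose is not obvious from the name; a one-line comment such as `# merged over :opts so an example can add params without redefining the whole hash` above `let(:extra_params)` would help the next reader.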
@@ -397,6 +397,34 @@ RSpec.describe AddressableUrlValidator do
 end
 end
 end
+
+ context 'a proc' do
+ let(:options) { super().merge(deny_all_requests_except_allowed: deny_all_requests_except_allowed_proc) }
+
+ context 'that is evaluating true' do
+ let(:deny_all_requests_except_allowed_proc) { ->(_) { true } }
+
+ it 'prevents the url' do
+ badge.link_url = url
+
+ subject
+
+ expect(badge.errors).to be_present
+ end
+ end
+
+ context 'that is evaluating false' do
+ let(:deny_all_requests_except_allowed_proc) { ->(_) { false } }
+
+ it 'allows the url' do
+ badge.link_url = url
+
+ subject
+
+ expect(badge.errors).to be_empty
+ end
+ end
+ end
 end
 context 'when enforce_sanitization is' do
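Review bot: Both procs discard their argument (`->(_) { true }` / `->(_) { false }`), so these examples pin only that the proc's truthiness is honoured, not what the validator hands to it — presumably the record being validated, though the validator itself is not in this hunk. Since this option gates whether a URL may point at an otherwise-denied destination, the argument contract is the part a caller is most likely to get wrong; a third example with `let(:seen) { [] }`, a proc `->(record) { seen << record; true }` and `expect(seen).to eq([badge])` would lock it in. The enclosing `context` blocks above the three leading `end` lines start outside the hunk.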