Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

GITALY_SERVER_VERSION

@@ -1 +1 @@
-af0566ee3ca5075025da8442a44ba7e411caa530
+3f12b41f93ded89c6ee7843526bf5529982250af

app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue

@@ -94,10 +94,10 @@ export default {
     ),
     pipelineExecutionPoliciesLabel: s__('ProjectSettings|Pipeline execution policies'),
     sppRepositoryPipelineAccessLabel: s__(
-      'ProjectSettings|Grant access to this repository for projects linked to it as the security policy project source for security policies.',
+      'ProjectSettings|Grant access to the CI/CD configurations for projects linked to this security policy project as the source for security policies.',
     ),
     sppRepositoryPipelineAccessHelpText: s__(
-      'ProjectSettings|Allow users and tokens read-only access to fetch security policy configurations within this project to enforce policies. %{linkStart}Learn more%{linkEnd}.',
+      'ProjectSettings|Allow users and tokens read-only access to fetch security policy configurations in this project to enforce policies. %{linkStart}Learn more%{linkEnd}.',
     ),
   },
   VISIBILITY_LEVEL_PRIVATE_INTEGER,

db/docs/batched_background_migrations/backfill_identifier_names_of_vulnerability_reads.yml

@@ -0,0 +1,8 @@
+---
+migration_job_name: BackfillIdentifierNamesOfVulnerabilityReads
+description: Backfills identifier_names column for vulnerability_reads table.
+feature_category: vulnerability_management
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163088
+milestone: '17.5'
+queued_migration_version: 20241007115637
+finalize_after: '2024-10-20'

db/post_migrate/20241007115637_queue_backfill_identifier_names_of_vulnerability_reads.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class QueueBackfillIdentifierNamesOfVulnerabilityReads < Gitlab::Database::Migration[2.2]
+  milestone '17.5'
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_sec
+
+  MIGRATION = "BackfillIdentifierNamesOfVulnerabilityReads"
+  DELAY_INTERVAL = 160.seconds
+  BATCH_SIZE = 12000
+  SUB_BATCH_SIZE = 40 # Total number of sub-batches: 375
+
+  def up
+    queue_batched_background_migration(
+      MIGRATION,
+      :vulnerability_reads,
+      :id,
+      job_interval: DELAY_INTERVAL,
+      batch_size: BATCH_SIZE,
+      sub_batch_size: SUB_BATCH_SIZE
+    )
+  end
+
+  def down
+    delete_batched_background_migration(MIGRATION, :vulnerability_reads, :id, [])
+  end
+end

db/schema_migrations/20241007115637

@@ -0,0 +1 @@
+edcd4fe555d70c81956eabc52e6207e8a81f81620e64869cdfdd72e55113be4c

doc/administration/packages/container_registry_metadata_database.md

@@ -506,7 +506,7 @@ you must restore to a backup of the desired version in order to downgrade.
 
 ## Troubleshooting
 
-### `there are pending database migrations` error
+### Error: `there are pending database migrations`
 
 If the registry has been updated and there are pending schema migrations,
 the registry fails to start with the following error message:
@@ -517,7 +517,7 @@ FATA[0000] configuring application: there are pending database migrations, use t
 
 To fix this issue, follow the steps to [apply schema migrations](#apply-schema-migrations).
 
-### `offline garbage collection is no longer possible` error
+### Error: `offline garbage collection is no longer possible`
 
 If the registry uses the metadata database and you try to run
 [offline garbage collection](container_registry.md#container-registry-garbage-collection),
@@ -626,3 +626,45 @@ You must truncate the table manually on your PostgreSQL instance:
    ```
 
 1. After truncating the `tags` table, try running the migration process again.
+
+### Error: `database-in-use lockfile exists`
+
+If you try to [migrate existing registries](#existing-registries) and encounter the following error:
+
+```shell
+|  [0s] step two: import tags failed to import metadata: importing all repositories: 1 error occurred:
+    * could not restore lockfiles: database-in-use lockfile exists
+```
+
+This error means that you have previously imported the registry and completed importing all
+repository data (step two) and the `database-in-use` exists in the registry file system.
+You should not run the importer again if you encounter this issue.
+
+If you must proceed, you must delete the `database-in-use` lock file manually from the file system.
+The file is located at `/path/to/rootdirectory/docker/registry/lockfiles/database-in-use`.
+
+### Registry fails to start due to metadata management issues
+
+The registry could fail to start with of the following errors:
+
+#### Error: `registry filesystem metadata in use, please import data before enabling the database`
+
+This error happens when the database is enabled in your configuration `registry['database'] = { 'enabled' => true}`
+but you have not [migrated existing data](#existing-registries) to the metadata database yet.
+
+#### Error: `registry metadata database in use, please enable the database`
+
+This error happens when you have completed [migrating existing data](#existing-registries) to the metadata database, 
+but you have not enabled the database in your configuration.
+
+#### Problems checking or creating the lock files
+
+If you encounter any of the following errors:
+
+- `could not check if filesystem metadata is locked`
+- `could not check if database metadata is locked`
+- `failed to mark filesystem for database only usage`
+- `failed to mark filesystem only usage`
+
+The registry cannot access the configured `rootdirectory`. This error is unlikely to happen if you
+had a working registry previously. Review the error logs for any misconfiguration issues.

doc/user/application_security/policies/pipeline_execution_policies.md

@@ -128,10 +128,21 @@ These stages are always available, regardless of any project's CI/CD configurati
 | `file` | `string` | true | A full file path relative to the root directory (/). The YAML files must have the `.yml` or `.yaml` extension. |
 | `ref` | `string` | false | The ref to retrieve the file from. Defaults to the HEAD of the project when not specified. |
 
-To run pipelines with injected CI/CD configuration, users must have access to the project with the CI/CD configuration.
+Use the `content` type in a policy to reference a CI/CD configuration stored in another repository.
+This allows you to reuse the same CI/CD configuration across multiple policies, reducing the
+overhead of maintaining these configurations. For example, if you have a custom secret detection
+CI/CD configuration you want to enforce in policy A and policy B, you can create a single YAML configuration file and reference the configuration in both policies.
 
-Starting in GitLab 17.4, users can store the CI/CD configuration in a security policy project repository and grant pipeline execution access to the repository. Projects linked to the security policy project then have access to the repository as a source for security policies.
-You can configure this in the project's general settings for security policy projects.
+Prerequisites:
+
+- Users triggering pipelines run in those projects on which a policy containing the `content` type
+  is enforced must have at minimum read-only access to the project containing the CI/CD
+- In projects that enforce pipeline execution policies, users must have at least read-only access to the project that contains the CI/CD configuration to trigger the pipeline. 
+
+  In GitLab 17.4 and later, you can grant the required read-only access for the CI/CD configuration file
+  specified in a security policy project using the `content` type. To do so, enable the setting **Pipeline execution policies** in the general settings of the security policy project.
+  Enabling this setting grants the user who triggered the pipeline access to 
+  read the CI/CD configuration file enforced by the pipeline execution policy. This setting does not grant the user access to any other parts of the project where the configuration file is stored.
 
 ### `policy_scope` scope type
 

doc/user/project/repository/repository_size.md

@@ -323,6 +323,8 @@ For example, to get a list of files at a given commit or branch sorted by size:
 
    The third column in the output is the object ID of the blob.
 
+Alternatively, you can get these IDs using the [Repositories API list repository tree](../../../api/repositories.md#list-repository-tree) endpoint.
+
 ## Storage limits
 
 Repository size limits:

lib/gitlab/background_migration/backfill_identifier_names_of_vulnerability_reads.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    class BackfillIdentifierNamesOfVulnerabilityReads < BatchedMigrationJob
+      operation_name :backfill_identifier_names
+      feature_category :vulnerability_management
+
+      UPDATE_SQL = <<~SQL
+        UPDATE vulnerability_reads AS vr
+        SET identifier_names = selected_ids.names
+        FROM (?) AS selected_ids
+        WHERE vr.id = selected_ids.id
+      SQL
+
+      class VulnerabilitiesRead < ::Gitlab::Database::SecApplicationRecord
+        self.table_name = 'vulnerability_reads'
+      end
+
+      def perform
+        each_sub_batch do |sub_batch|
+          cte = Gitlab::SQL::CTE.new(:batched_relation, sub_batch.limit(40))
+
+          filtered_results = cte
+            .apply_to(VulnerabilitiesRead.all)
+            .joins(
+              'INNER JOIN vulnerability_occurrences vo ' \
+                'ON vulnerability_reads.vulnerability_id = vo.vulnerability_id'
+            )
+            .joins('INNER JOIN vulnerability_occurrence_identifiers voi ON vo.id = voi.occurrence_id')
+            .joins('INNER JOIN vulnerability_identifiers vi ON voi.identifier_id = vi.id')
+            .group("vulnerability_reads.id")
+            .select(
+              'vulnerability_reads.id AS id',
+              'ARRAY_AGG(vi.name ORDER BY vi.name) AS names'
+            )
+
+          update_query = VulnerabilitiesRead.sanitize_sql([UPDATE_SQL, filtered_results])
+
+          connection.execute(update_query)
+        end
+      end
+    end
+  end
+end

locale/gitlab.pot

@@ -43101,7 +43101,7 @@ msgstr ""
 msgid "ProjectSettings|Allow skipping the merge train"
 msgstr ""
 
-msgid "ProjectSettings|Allow users and tokens read-only access to fetch security policy configurations within this project to enforce policies. %{linkStart}Learn more%{linkEnd}."
+msgid "ProjectSettings|Allow users and tokens read-only access to fetch security policy configurations in this project to enforce policies. %{linkStart}Learn more%{linkEnd}."
 msgstr ""
 
 msgid "ProjectSettings|Always show thumbs-up and thumbs-down emoji buttons on issues, merge requests, and snippets."
@@ -43266,7 +43266,7 @@ msgstr ""
 msgid "ProjectSettings|Global"
 msgstr ""
 
-msgid "ProjectSettings|Grant access to this repository for projects linked to it as the security policy project source for security policies."
+msgid "ProjectSettings|Grant access to the CI/CD configurations for projects linked to this security policy project as the source for security policies."
 msgstr ""
 
 msgid "ProjectSettings|Highlight the usage of hidden unicode characters. These have innocent uses for right-to-left languages, but can also be used in potential exploits."

spec/lib/gitlab/background_migration/backfill_identifier_names_of_vulnerability_reads_spec.rb

@@ -0,0 +1,177 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::BackgroundMigration::BackfillIdentifierNamesOfVulnerabilityReads, feature_category: :vulnerability_management do
+  let(:namespaces) { table(:namespaces) }
+  let(:projects) { table(:projects) }
+  let(:users) { table(:users) }
+  let(:scanners) { table(:vulnerability_scanners) }
+  let(:vulnerabilities) { table(:vulnerabilities) }
+  let(:vulnerability_reads) { table(:vulnerability_reads) }
+  let(:vulnerability_findings) { table(:vulnerability_occurrences) }
+  let(:vulnerability_occurrence_identifiers) { table(:vulnerability_occurrence_identifiers) }
+  let(:vulnerability_identifiers) { table(:vulnerability_identifiers) }
+
+  let(:namespace) { namespaces.create!(name: 'user', path: 'user') }
+  let(:project) { projects.create!(namespace_id: namespace.id, project_namespace_id: namespace.id) }
+  let(:user) { users.create!(username: 'john_doe', email: '[email protected]', projects_limit: 10) }
+  let(:scanner) { scanners.create!(project_id: project.id, external_id: 'external_id', name: 'Test Scanner') }
+
+  shared_context 'with vulnerability data' do
+    let(:identifier_1) do
+      create_identifier(external_id: 'A03:2021', external_type: 'owasp', name: 'A03:2021 - Injection')
+    end
+
+    let(:identifier_2) { create_identifier(external_id: 'CVE-2021-1234', external_type: 'cve', name: 'CVE-2021-1234') }
+    let(:identifier_3) { create_identifier(external_id: '79', external_type: 'cwe', name: 'CWE-79') }
+
+    let(:finding_1) { create_finding(primary_identifier_id: identifier_1.id) }
+    let(:finding_2) { create_finding(primary_identifier_id: identifier_2.id) }
+    let(:finding_3) { create_finding(primary_identifier_id: identifier_3.id) }
+
+    let(:vulnerability_1) { create_vulnerability(title: 'vulnerability 1', finding_id: finding_1.id) }
+    let(:vulnerability_2) { create_vulnerability(title: 'vulnerability 2', finding_id: finding_2.id) }
+    let(:vulnerability_3) { create_vulnerability(title: 'vulnerability 3', finding_id: finding_3.id) }
+
+    let!(:vulnerability_read_1) { create_vulnerability_read(vulnerability_id: vulnerability_1.id) }
+    let!(:vulnerability_read_2) { create_vulnerability_read(vulnerability_id: vulnerability_2.id) }
+    let!(:vulnerability_read_3) { create_vulnerability_read(vulnerability_id: vulnerability_3.id) }
+
+    before do
+      create_vulnerability_occurrence_identifier(occurrence_id: finding_1.id, identifier_id: identifier_1.id)
+      create_vulnerability_occurrence_identifier(occurrence_id: finding_2.id, identifier_id: identifier_2.id)
+      create_vulnerability_occurrence_identifier(occurrence_id: finding_3.id, identifier_id: identifier_3.id)
+
+      finding_1.update!(vulnerability_id: vulnerability_1.id)
+      finding_2.update!(vulnerability_id: vulnerability_2.id)
+      finding_3.update!(vulnerability_id: vulnerability_3.id)
+    end
+  end
+
+  describe '#perform' do
+    subject(:perform_migration) do
+      described_class.new(
+        start_id: vulnerability_reads.first.id,
+        end_id: vulnerability_reads.last.id,
+        batch_table: :vulnerability_reads,
+        batch_column: :id,
+        sub_batch_size: vulnerability_reads.count,
+        pause_ms: 0,
+        connection: ActiveRecord::Base.connection
+      ).perform
+    end
+
+    context 'with vulnerability data' do
+      include_context 'with vulnerability data'
+
+      it 'updates identifier_names for vulnerability_reads' do
+        expect { perform_migration }
+          .to change { vulnerability_read_1.reload.identifier_names }
+          .from([]).to(array_including(identifier_1.name))
+          .and change { vulnerability_read_2.reload.identifier_names }
+          .from([]).to(array_including(identifier_2.name))
+          .and change { vulnerability_read_3.reload.identifier_names }
+          .from([]).to(array_including(identifier_3.name))
+      end
+
+      it 'updates identifier_names with correct aggregation' do
+        create_vulnerability_occurrence_identifier(occurrence_id: finding_1.id, identifier_id: identifier_2.id)
+        create_vulnerability_occurrence_identifier(occurrence_id: finding_2.id, identifier_id: identifier_3.id)
+
+        perform_migration
+
+        expect(vulnerability_read_1.reload.identifier_names).to contain_exactly(identifier_1.name,
+          identifier_2.name)
+        expect(vulnerability_read_2.reload.identifier_names).to contain_exactly(identifier_2.name,
+          identifier_3.name)
+        expect(vulnerability_read_3.reload.identifier_names).to contain_exactly(identifier_3.name)
+      end
+
+      it 'sorts identifier_names' do
+        create_vulnerability_occurrence_identifier(occurrence_id: finding_1.id, identifier_id: identifier_3.id)
+        create_vulnerability_occurrence_identifier(occurrence_id: finding_1.id, identifier_id: identifier_2.id)
+
+        perform_migration
+
+        expect(vulnerability_read_1.reload.identifier_names).to eq([identifier_1.name,
+          identifier_2.name, identifier_3.name])
+      end
+    end
+
+    context 'with no matching identifiers' do
+      include_context 'with vulnerability data' do
+        before do
+          vulnerability_occurrence_identifiers.delete_all
+        end
+      end
+
+      it 'does not update identifier_names' do
+        perform_migration
+
+        expect(vulnerability_reads.where.not(identifier_names: []).count).to eq(0)
+      end
+    end
+  end
+
+  private
+
+  def create_vulnerability(overrides = {})
+    vulnerabilities.create!({
+      project_id: project.id,
+      author_id: user.id,
+      title: 'test',
+      severity: 1,
+      confidence: 1,
+      report_type: 1
+    }.merge(overrides))
+  end
+
+  def create_vulnerability_read(overrides = {})
+    vulnerability_reads.create!({
+      project_id: project.id,
+      vulnerability_id: 1,
+      scanner_id: scanner.id,
+      severity: 1,
+      report_type: 1,
+      state: 1,
+      uuid: SecureRandom.uuid
+    }.merge(overrides))
+  end
+
+  def create_finding(overrides = {})
+    vulnerability_findings.create!({
+      project_id: project.id,
+      scanner_id: scanner.id,
+      severity: 5, # medium
+      confidence: 2, # unknown,
+      report_type: 99, # generic
+      primary_identifier_id: create_identifier.id,
+      project_fingerprint: SecureRandom.hex(20),
+      location_fingerprint: SecureRandom.hex(20),
+      uuid: SecureRandom.uuid,
+      name: "CVE-2018-1234",
+      raw_metadata: "{}",
+      metadata_version: "test:1.0"
+    }.merge(overrides))
+  end
+
+  def create_identifier(overrides = {})
+    vulnerability_identifiers.create!({
+      project_id: project.id,
+      external_id: "CVE-2018-1234",
+      external_type: "CVE",
+      name: "CVE-2018-1234",
+      fingerprint: SecureRandom.hex(20)
+    }.merge(overrides))
+  end
+
+  def create_vulnerability_occurrence_identifier(overrides = {})
+    vulnerability_occurrence_identifiers.create!({
+      created_at: Time.now.utc,
+      updated_at: Time.now.utc,
+      occurrence_id: nil,
+      identifier_id: nil
+    }.merge(overrides))
+  end
+end