Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

GITALY_SERVER_VERSION

@@ -1 +1 @@
-0105df4bc690f9a56806eb72ebec59b1c5396d6d
+7d588faba97dfbf48c39a3dc600eee66499cf065

app/assets/javascripts/ci/pipeline_schedules/components/pipeline_schedules_empty_state.vue

@@ -40,16 +40,12 @@ export default {
 </script>
 <template>
   <gl-empty-state
+    :title="$options.i18n.pipelineSchedules"
     :svg-path="$options.SCHEDULE_MD_SVG_URL"
     :svg-height="150"
     :primary-button-text="$options.i18n.createNew"
     :primary-button-link="newSchedulePath"
   >
-    <template #title>
-      <h3>
-        {{ $options.i18n.pipelineSchedules }}
-      </h3>
-    </template>
     <template #description>
       <p class="gl-mb-0">{{ $options.i18n.description }}</p>
       <ul class="gl-list-inside" data-testid="pipeline-schedules-characteristics">

app/assets/javascripts/vue_shared/components/rich_timestamp_tooltip.vue

@@ -1,7 +1,7 @@
 <script>
 import { GlTooltip } from '@gitlab/ui';
 
-import { formatDate } from '~/lib/utils/datetime_utility';
+import { localeDateFormat, newDate } from '~/lib/utils/datetime_utility';
 import timeagoMixin from '~/vue_shared/mixins/timeago';
 
 export default {
@@ -28,7 +28,9 @@ export default {
       return this.rawTimestamp ? this.timeFormatted(this.rawTimestamp) : '';
     },
     timestamp() {
-      return this.rawTimestamp ? formatDate(new Date(this.rawTimestamp)) : '';
+      return this.rawTimestamp
+        ? localeDateFormat.asDateTimeFull.format(newDate(this.rawTimestamp))
+        : '';
     },
   },
 };

doc/administration/package_information/postgresql_versions.md

@@ -35,6 +35,7 @@ Read more about update policies and warnings in the PostgreSQL
 
 | First GitLab version | PostgreSQL versions | Default version for fresh installs | Default version for upgrades | Notes |
 | -------------- | ------------------- | ---------------------------------- | ---------------------------- | ----- |
+| 17.5.0 | 14.11, 16.4 | 14.11 | 16.4 | Single node upgrades from PostgreSQL 14 to PostgreSQL 16 are now supported. |
 | 17.4.0 | 14.11, 16.4 | 14.11 | 14.11 | PostgreSQL 16 is available for new installations if not using [Geo](../geo/index.md#requirements-for-running-geo) or [Patroni](../postgresql/index.md#postgresql-replication-and-failover-for-linux-package-installations). |
 | 17.0.0 | 14.11 | 14.11 | 14.11 | Package upgrades are aborted if PostgreSQL is not upgraded to 14 already. |
 | 16.10.1, 16.9.3, 16.8.5 | 13.14, 14.11 | 14.11 | 14.11 | |

doc/user/application_security/sast/advanced_sast_coverage.md

@@ -38,11 +38,7 @@ You can use GitLab Duo Chat in:
 - [The GitLab Web IDE (VS Code in the cloud)](../project/web_ide/index.md)
 - VS Code, with the [GitLab Workflow extension for VS Code](https://marketplace.visualstudio.com/items?itemName=GitLab.gitlab-workflow)
 - JetBrains IDEs, with the [GitLab Duo Plugin for JetBrains](https://plugins.jetbrains.com/plugin/22325-gitlab-duo)
-
-Visual Studio support is
-[under active development](https://gitlab.com/groups/gitlab-org/editor-extensions/-/epics/22).
-You can express interest in other IDE extension support
-[in this issue](https://gitlab.com/gitlab-org/editor-extensions/meta/-/issues/78).
+- Visual Studio for Windows, with the [GitLab Extension for Visual Studio](https://marketplace.visualstudio.com/items?itemName=GitLab.GitLabExtensionForVisualStudio)
 
 NOTE:
 If you have self-managed GitLab: GitLab Duo requires GitLab 17.2 and later for the best user experience and results. Earlier versions may continue to work, however the experience may be degraded.
@@ -132,6 +128,43 @@ To use GitLab Duo Chat in GitLab Workflow extension for VS Code:
 
 If you have selected code in the editor, this selection is sent along with your question to the AI. This way you can ask questions about this code selection. For instance, `Could you simplify this?`.
 
+### In the editor window
+
+> - [Generally available](https://gitlab.com/groups/gitlab-org/-/epics/15218) in the GitLab Workflow extension for VS Code 5.15.0.
+
+To open GitLab Duo Chat in the editor window, use any of these methods:
+
+- From a keyboard shortcut, by pressing:
+  - MacOS: <kbd>Option</kbd> + <kbd>c</kbd>
+  - Windows and Linux: <kbd>ALT</kbd> + <kbd>c</kbd>
+- In the currently open file in your IDE, by selecting some code.
+- Right-clicking, then selecting **GitLab Duo Chat > Open Quick Chat**.
+
+After Quick Chat opens:
+
+1. In the message box, enter your question. The available commands are shown while you enter text:
+   - Enter `/` to display all available commands.
+   - Enter `/re` to display `/refactor`.
+1. To send your question, select **Send**, or press <kbd>Command<kbd> + <kbd>Enter<kbd>.
+1. To exit chat, either select the chat icon in the gutter, or press **Escape** while focused on the chat.
+
+## Use GitLab Duo Chat in Visual Studio for Windows
+
+To use GitLab Duo Chat in the GitLab extension for Visual Studio: 
+
+1. Install and set up the extension for Visual Studio:
+   1. In Visual Studio, download and install the [GitLab extension for Visual Studio](../../editor_extensions/visual_studio/index.md).
+   1. Configure the [GitLab extension for Visual Studio](../../editor_extensions/visual_studio/index.md).
+1. In Visual Studio, open a file. The file does not need to be a file in a Git repository.
+1. Open Chat by using one of the following methods:
+   - In the top menu bar, click on **Extensions** and then select **Open Duo Chat**.
+   - In the file that you have open in the editor, select some code.
+     1. Right-click and select **GitLab Duo Chat**.
+     1. Select **Explain selected code** or **Generate Tests**.
+1. In the message box, enter your question and press **Enter** or select **Send**.
+
+If you have selected code in the editor, this selection is sent along with your question to the AI. This way you can ask questions about this code selection. For instance, `Could you refactor this?`.
+
 ## Use GitLab Duo Chat in JetBrains IDEs
 
 > - Introduced as generally available in GitLab 16.11.

doc/user/gitlab_duo_chat/index.md

@@ -59,6 +59,8 @@ def initialize(logger: Logger.new($stdout), ruleset_path: RULESET_FILE_PATH)
       #           it instead groups the diffs into smaller array where each array contains diffs with cumulative size of
       #           +MIN_CHUNK_SIZE_PER_PROC_BYTES+ bytes and each group runs in a separate sub-process. Default value
       #           is true.
+      # +exclusions+:: A hash containing arrays of exclusions by their type. Types handled here are
+      #                `raw_value` and `rule`.
       #
       # NOTE:
       # Running the scan in fork mode primarily focuses on reducing the memory consumption of the scan by
@@ -77,7 +79,8 @@ def secrets_scan(
         diffs,
         timeout: DEFAULT_SCAN_TIMEOUT_SECS,
         payload_timeout: DEFAULT_PAYLOAD_TIMEOUT_SECS,
-        subprocess: RUN_IN_SUBPROCESS
+        subprocess: RUN_IN_SUBPROCESS,
+        exclusions: {}
       )
 
         return SecretDetection::Response.new(SecretDetection::Status::INPUT_ERROR) unless validate_scan_input(diffs)
@@ -89,9 +92,9 @@ def secrets_scan(
 
           secrets =
             if subprocess
-              run_scan_within_subprocess(matched_diffs, payload_timeout)
+              run_scan_within_subprocess(matched_diffs, payload_timeout, exclusions)
             else
-              run_scan(matched_diffs, payload_timeout)
+              run_scan(matched_diffs, payload_timeout, exclusions)
             end
 
           scan_status = overall_scan_status(secrets)
@@ -158,10 +161,10 @@ def filter_by_keywords(diffs)
         matched_diffs.freeze
       end
 
-      def run_scan(diffs, payload_timeout)
+      def run_scan(diffs, payload_timeout, exclusions)
         found_secrets = diffs.flat_map do |diff|
           Timeout.timeout(payload_timeout) do
-            find_secrets(diff)
+            find_secrets(diff, exclusions)
           end
         rescue Timeout::Error => e
           logger.error "Secret Detection scan timed out on the diff(id:#{diff.right_blob_id}): #{e}"
@@ -172,7 +175,7 @@ def run_scan(diffs, payload_timeout)
         found_secrets.freeze
       end
 
-      def run_scan_within_subprocess(diffs, payload_timeout)
+      def run_scan_within_subprocess(diffs, payload_timeout, exclusions)
         diff_sizes = diffs.map { |diff| diff.patch.bytesize }
         grouped_diff_indicies = group_by_chunk_size(diff_sizes)
 
@@ -185,7 +188,7 @@ def run_scan_within_subprocess(diffs, payload_timeout)
         ) do |grouped_diff|
           grouped_diff.flat_map do |diff|
             Timeout.timeout(payload_timeout) do
-              find_secrets(diff)
+              find_secrets(diff, exclusions)
             end
           rescue Timeout::Error => e
             logger.error "Secret Detection scan timed out on the diff(id:#{diff.right_blob_id}): #{e}"
@@ -198,7 +201,7 @@ def run_scan_within_subprocess(diffs, payload_timeout)
       end
 
       # finds secrets in the given diff with a timeout circuit breaker
-      def find_secrets(diff)
+      def find_secrets(diff, exclusions)
         line_number_offset = 0
         secrets = []
 
@@ -221,6 +224,10 @@ def find_secrets(diff)
         #  +this context line has a + but starts with a space so isnt an addition
         #  -this context line has a - but starts with a space so isnt a removal
         diff.patch.each_line do |line|
+          exclusions[:raw_value]&.each do |exclusion|
+            line.gsub!(exclusion.value, '') # remove excluded raw value from the line.
+          end
+
           # Parse hunk header for start line
           if line.start_with?("@@")
             hunk_info = line.match(/@@ -\d+(,\d+)? \+(\d+)(,\d+)? @@/)
@@ -239,6 +246,8 @@ def find_secrets(diff)
               type = rules[pattern]["id"]
               description = rules[pattern]["description"]
 
+              next if exclusions[:rule]&.any? { |exclusion| exclusion.value == type }
+
               secrets << SecretDetection::Finding.new(
                 diff.right_blob_id,
                 SecretDetection::Status::FOUND,

gems/gitlab-secret_detection/lib/gitlab/secret_detection/scan_diffs.rb

@@ -12,6 +12,10 @@
   let(:sha1_blank_sha) { ('0' * 40).freeze }
   let(:sample_blob_id) { 'fe29d93da4843da433e62711ace82db601eb4f8f' }
 
+  let(:exclusion) do
+    Struct.new(:value, keyword_init: true)
+  end
+
   let(:ruleset) do
     {
       "title" => "gitleaks config",
@@ -377,5 +381,143 @@
         expect(scan.secrets_scan(all_large_diffs, payload_timeout: each_payload_timeout_secs)).to eq(expected_response)
       end
     end
+
+    context 'when using exclusions' do
+      let(:diffs) do
+        [
+          diff_blob.new(
+            left_blob_id: sha1_blank_sha,
+            right_blob_id: sample_blob_id,
+            patch: "@@ -0,0 +1 @@\n+data with no secret\n",
+            status: :STATUS_END_OF_PATCH,
+            binary: false,
+            over_patch_bytes_limit: false
+          ),
+          diff_blob.new(
+            left_blob_id: sha1_blank_sha,
+            right_blob_id: sample_blob_id,
+            patch: "@@ -0,0 +1 @@\n+GR134894145645645645645645645\n", # gitleaks:allow
+            status: :STATUS_END_OF_PATCH,
+            binary: false,
+            over_patch_bytes_limit: false
+          ),
+          diff_blob.new(
+            left_blob_id: sha1_blank_sha,
+            right_blob_id: sample_blob_id,
+            patch: "@@ -0,0 +1 @@\n+GR134894145645645645645645789\n", # gitleaks:allow
+            status: :STATUS_END_OF_PATCH,
+            binary: false,
+            over_patch_bytes_limit: false
+          ),
+          diff_blob.new(
+            left_blob_id: sha1_blank_sha,
+            right_blob_id: sample_blob_id,
+            patch: "@@ -0,0 +1 @@\n+GR134894112312312312312312312\n", # gitleaks:allow
+            status: :STATUS_END_OF_PATCH,
+            binary: false,
+            over_patch_bytes_limit: false
+          ),
+          diff_blob.new(
+            left_blob_id: sha1_blank_sha,
+            right_blob_id: sample_blob_id,
+            patch: "@@ -0,0 +1 @@\n+glpat-12312312312312312312\n", # gitleaks:allow
+            status: :STATUS_END_OF_PATCH,
+            binary: false,
+            over_patch_bytes_limit: false
+          ),
+          diff_blob.new(
+            left_blob_id: sha1_blank_sha,
+            right_blob_id: sample_blob_id,
+            patch: "@@ -0,0 +1,3 @@\n+test data" \
+                   "\n+glptt-1231231231231231231212312312312312312312\n+line contd", # gitleaks:allow
+            status: :STATUS_END_OF_PATCH,
+            binary: false,
+            over_patch_bytes_limit: false
+          )
+        ]
+      end
+
+      context "when excluding secrets based on raw values" do
+        let(:exclusions) do
+          {
+            raw_value: [
+              exclusion.new(value: 'GR134894112312312312312312312'), # gitleaks:allow
+              exclusion.new(value: 'glpat-12312312312312312312') # gitleaks:allow
+            ]
+          }
+        end
+
+        let(:valid_lines) do
+          [
+            diffs[1].patch,
+            diffs[2].patch,
+            *diffs[5].patch.lines
+          ]
+        end
+
+        it "excludes values from being detected" do
+          expected_scan_status = Gitlab::SecretDetection::Status::FOUND
+
+          expected_response = Gitlab::SecretDetection::Response.new(
+            expected_scan_status,
+            [
+              Gitlab::SecretDetection::Finding.new(
+                diffs[1].right_blob_id,
+                expected_scan_status,
+                1,
+                ruleset['rules'][2]['id'],
+                ruleset['rules'][2]['description']
+              ),
+              Gitlab::SecretDetection::Finding.new(
+                diffs[2].right_blob_id,
+                expected_scan_status,
+                1,
+                ruleset['rules'][2]['id'],
+                ruleset['rules'][2]['description']
+              ),
+              Gitlab::SecretDetection::Finding.new(
+                diffs[5].right_blob_id,
+                expected_scan_status,
+                2,
+                ruleset['rules'][1]['id'],
+                ruleset['rules'][1]['description']
+              )
+            ]
+          )
+
+          expect(scan.secrets_scan(diffs, exclusions: exclusions)).to eq(expected_response)
+        end
+      end
+
+      context "when excluding secrets based on rules from default ruleset" do
+        let(:exclusions) do
+          {
+            rule: [
+              exclusion.new(value: "gitlab_runner_registration_token"),
+              exclusion.new(value: "gitlab_personal_access_token")
+            ]
+          }
+        end
+
+        it 'filters out secrets matching excluded rules from detected findings' do
+          expected_scan_status = Gitlab::SecretDetection::Status::FOUND
+
+          expected_response = Gitlab::SecretDetection::Response.new(
+            expected_scan_status,
+            [
+              Gitlab::SecretDetection::Finding.new(
+                diffs[5].right_blob_id,
+                expected_scan_status,
+                2,
+                ruleset['rules'][1]['id'],
+                ruleset['rules'][1]['description']
+              )
+            ]
+          )
+
+          expect(scan.secrets_scan(diffs, exclusions: exclusions)).to eq(expected_response)
+        end
+      end
+    end
   end
 end

gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_diffs_spec.rb

@@ -20289,6 +20289,9 @@ msgstr ""
 msgid "DuoChat|Included references"
 msgstr ""
 
+msgid "DuoChat|Learn what Duo Chat can do."
+msgstr ""
+
 msgid "DuoChat|No results found"
 msgstr ""