Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

.rubocop_todo/gitlab/namespaced_class.yml

@@ -854,7 +854,6 @@ Gitlab/NamespacedClass:
     - 'ee/app/controllers/sitemap_controller.rb'
     - 'ee/app/controllers/smartcard_controller.rb'
     - 'ee/app/controllers/subscriptions_controller.rb'
-    - 'ee/app/controllers/survey_responses_controller.rb'
     - 'ee/app/controllers/trial_registrations_controller.rb'
     - 'ee/app/controllers/trials_controller.rb'
     - 'ee/app/finders/audit_event_finder.rb'

.rubocop_todo/layout/line_length.yml

@@ -2691,7 +2691,6 @@ Layout/LineLength:
     - 'ee/spec/requests/rack_attack_global_spec.rb'
     - 'ee/spec/requests/repositories/git_http_controller_spec.rb'
     - 'ee/spec/requests/smartcard_controller_spec.rb'
-    - 'ee/spec/requests/survey_responses_controller_spec.rb'
     - 'ee/spec/routing/admin_routing_spec.rb'
     - 'ee/spec/routing/group_routing_spec.rb'
     - 'ee/spec/routing/groups/cadences_routing_spec.rb'

.rubocop_todo/layout/space_inside_block_braces.yml

@@ -191,7 +191,6 @@ Layout/SpaceInsideBlockBraces:
     - 'ee/spec/requests/groups/contribution_analytics_spec.rb'
     - 'ee/spec/requests/lfs_http_spec.rb'
     - 'ee/spec/requests/projects/security/policies_controller_spec.rb'
-    - 'ee/spec/requests/survey_responses_controller_spec.rb'
     - 'ee/spec/serializers/member_user_entity_spec.rb'
     - 'ee/spec/serializers/merge_request_poll_widget_entity_spec.rb'
     - 'ee/spec/serializers/vulnerabilities/finding_reports_comparer_entity_spec.rb'

.rubocop_todo/layout/space_inside_parens.yml

@@ -129,7 +129,6 @@ Layout/SpaceInsideParens:
     - 'ee/spec/requests/api/ldap_group_links_spec.rb'
     - 'ee/spec/requests/api/project_milestones_spec.rb'
     - 'ee/spec/requests/customers_dot/proxy_controller_spec.rb'
-    - 'ee/spec/requests/survey_responses_controller_spec.rb'
     - 'ee/spec/serializers/member_user_entity_spec.rb'
     - 'ee/spec/services/app_sec/dast/profiles/create_service_spec.rb'
     - 'ee/spec/services/app_sec/dast/site_profile_secret_variables/create_or_update_service_spec.rb'

.rubocop_todo/style/percent_literal_delimiters.yml

@@ -140,7 +140,6 @@ Style/PercentLiteralDelimiters:
     - 'app/models/resource_timebox_event.rb'
     - 'app/models/user.rb'
     - 'app/models/user_interacted_project.rb'
-    - 'app/models/users/in_product_marketing_email.rb'
     - 'app/policies/identity_provider_policy.rb'
     - 'app/presenters/dev_ops_report/metric_presenter.rb'
     - 'app/presenters/search_service_presenter.rb'

app/models/users/in_product_marketing_email.rb

@@ -41,7 +41,7 @@ class InProductMarketingEmail < ApplicationRecord
 
     # Tracks we don't send emails for (e.g. unsuccessful experiment). These
     # are kept since we already have DB records that use the enum value.
-    INACTIVE_TRACK_NAMES = %w(invite_team).freeze
+    INACTIVE_TRACK_NAMES = %w[invite_team experience].freeze
     ACTIVE_TRACKS = tracks.except(*INACTIVE_TRACK_NAMES)
 
     scope :for_user_with_track_and_series, -> (user, track, series) do

app/services/namespaces/in_product_marketing_emails_service.rb

@@ -37,11 +37,6 @@ class InProductMarketingEmailsService
         interval_days: [1, 5, 10],
         completed_actions: [:git_write, :pipeline_created, :trial_started],
         incomplete_actions: [:user_added]
-      },
-      experience: {
-        interval_days: [30],
-        completed_actions: [:created, :git_write],
-        incomplete_actions: []
       }
     }.freeze
 

config/metrics/counts_all/20210518081225_in_product_marketing_email_experience_0_sent.yml

@@ -8,9 +8,11 @@ product_stage: growth
 product_group: activation
 product_category: onboarding
 value_type: number
-status: active
+status: removed
 milestone: "13.12"
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/61347
+removed_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92280
+milestone_removed: "15.2"
 time_frame: all
 data_source: database
 distribution:

config/routes.rb

@@ -190,9 +190,6 @@
         scope '/push_from_secondary/:geo_node_id' do
           draw :git_http
         end
-
-        # Used for survey responses
-        resources :survey_responses, only: :index
       end
 
       Gitlab.jh do

doc/topics/autodevops/cloud_deployments/img/guide_base_domain_v12_3.png

@@ -222,9 +222,9 @@ From the merge request security widget, select **Expand** to unfold the widget,
 
 ## View security scan information in the pipeline Security tab
 
-A pipeline's security tab lists all findings in the current branch. It includes new findings introduced by this branch and existing vulnerabilities that were already present when the branch was created. These results likely do not match the findings displayed in the Merge Request security widget as those do not include the existing vulnerabilities (with the exception of showing any existing vulnerabilities that are no longer detected in the feature branch).
-
-For more details, see [security tab](vulnerability_report/pipeline.md#view-vulnerabilities-in-a-pipeline).
+A pipeline's security tab lists all findings in the current branch. It includes new findings introduced by this branch
+and existing vulnerabilities already present when you created the branch. These results likely do not match the findings
+displayed in the Merge Request security widget, as those do not include the existing vulnerabilities. Refer to [View vulnerabilities in a pipeline](vulnerability_report/pipeline.md) for more information.
 
 ## View security scan information in the Security Dashboard
 

doc/topics/autodevops/cloud_deployments/img/guide_project_landing_page_v12_10.png

@@ -16,27 +16,32 @@ To view vulnerabilities in a pipeline:
 1. From the list, select the pipeline you want to check for vulnerabilities.
 1. Select the **Security** tab.
 
-**Scan details** shows vulnerabilities introduced by the merge request, in addition to existing vulnerabilities
-from the latest successful pipeline in your project's default branch.
+A pipeline consists of multiple jobs, which may include security scans. When a job declares and produces security scan
+reports using [`artifacts:reports`](../../../ci/yaml/artifacts_reports.md), GitLab parses and ingests the contents of
+these reports to create vulnerabilities associated with the project the pipeline belongs to.
 
-A pipeline consists of multiple jobs, such as SAST and DAST scans. If a job fails to finish,
-the security dashboard doesn't show SAST scanner output. For example, if the SAST
-job finishes but the DAST job fails, the security dashboard doesn't show SAST results. On failure,
-the analyzer outputs an [exit code](../../../development/integrations/secure.md#exit-code).
+If a job fails to finish, the pipeline vulnerability report doesn't show vulnerability findings detected by this job.
+For example, if a pipeline contains DAST and SAST jobs, but the DAST job fails by returning a non-zero
+[exit code](../../../development/integrations/secure.md#exit-code), the report doesn't show DAST results.
 
-## View total number of vulnerabilities per scan
+The pipeline vulnerability report only shows results contained in the security report artifacts. This report differs from
+the [Vulnerability Report](index.md), which contains cumulative results of all successful jobs, and from the merge request
+[security widget](../#view-security-scan-information-in-merge-requests), which combines the branch results with
+cumulative results.
 
-To view the total number of vulnerabilities per scan:
+Before GitLab displays results, the vulnerability findings in all pipeline reports are [deduplicated](#deduplication-process).
 
-1. On the top bar, select **Menu > Projects** and find your project.
-1. On the left sidebar, select **CI/CD > Pipelines**.
-1. Select the **Status** of a branch.
-1. Select the **Security** tab.
+## Scan details
+
+**Scan details** shows a summary of vulnerability findings in the pipeline and the source reports.
+
+GitLab displays one row of information for each [scan type](../terminology/#scan-type-report-type) artifact present in
+the pipeline.
 
-**Scan details** shows vulnerabilities introduced by the merge request, in addition to existing vulnerabilities
-from the latest successful pipeline in your project's default branch.
+Note that each scan type's total number of vulnerabilities includes dismissed findings. If the number of findings
+in the report doesn't match the number in **Scan details**, ensure that **Hide dismissed** is disabled.
 
-## Download security scan outputs
+### Download security scan outputs
 
 > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3728) in GitLab 13.10.
 > - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/333660) in GitLab 14.2.
@@ -48,10 +53,89 @@ Depending on the type of security scanner, you can download:
 
 To download a security scan output:
 
-1. On the top bar, select **Menu > Projects** and find your project.
-1. On the left sidebar, select **CI/CD > Pipelines**.
-1. Select the **Status** of a branch.
-1. Select the **Security** tab.
 1. In **Scan details**, select **Download results**:
     - To download a JSON file, select the JSON artifact.
     - To download a CSV file, select **Download scanned resources**.
+
+## Scan results
+
+This shows a list of the combined results for all security report artifacts. The filters work like the
+[Vulnerability Report filters](index.md#vulnerability-report-filters), but they are limited to **Severity** and **Tool**, with 
+the addition of a **Hide dismissed** toggle.
+
+When you review the vulnerability findings reported in the pipeline, you can select one or more entries for dismissal, 
+similar to [Dismissing a vulnerability](index.md#dismissing-a-vulnerability) in the Vulnerability Report.
+
+When you merge the branch corresponding to the pipeline into the default branch, all reported findings are combined into
+the [Vulnerability Report](index.md). Scan results in pipelines executed on the default branch are 
+incorporated once the pipeline finishes.
+
+| Existing vulnerability status | Dismissed in pipeline? | New vulnerability status |
+|:------------------------------|:-----------------------|:-------------------------|
+| any                           | Yes                    | Dismissed                |
+| Dismissed                     | any                    | Dismissed                |
+| Confirmed                     | No                     | Confirmed                |
+| Needs triage (Detected)       | No                     | Needs triage (Detected)  |
+| Resolved                      | No                     | Needs triage (Detected)  |
+| N/A (i.e.: new vulnerability) | No                     | Needs triage (Detected)  |
+
+## Deduplication process
+
+When a pipeline contains jobs that produce multiple security reports of the same type, it is possible that the same
+vulnerability finding is present in multiple reports. This duplication is common when different scanners are used to
+increase coverage. The deduplication process allows you to maximize the vulnerability scanning coverage while reducing
+the number of findings you need to manage.
+
+A finding is considered a duplicate of another finding when their [scan type](../terminology/#scan-type-report-type),
+[location](../terminology/#location-fingerprint) and
+[identifiers](../../../development/integrations/secure.md#identifiers) are the same.
+
+The scan type must match because each can have its own definition for the location of a vulnerability. For example,
+static analyzers are able to locate a file path and line number, whereas a container scanning analyzer uses the image
+name instead.
+
+When comparing identifiers, GitLab does not compare `CWE` and `WASC` during deduplication because they are
+"type identifiers" and are used to classify groups of vulnerabilities. Including these identifiers results in
+many findings being incorrectly considered duplicates.
+
+In a set of duplicated findings, the first occurrence of a finding is kept and the remaining are skipped. Security
+reports are processed in alphabetical file path order, and findings are processed sequentially in the order they
+appear in a report.
+
+### Deduplication examples
+
+- Example 1: matching identifiers and location, mismatching scan type.
+  - Finding
+    - Scan type: `sast`
+    - Location fingerprint: `adc83b19e793491b1c6ea0fd8b46cd9f32e592fc`
+    - Identifiers: CVE-2022-25510
+  - Other Finding
+    - Scan type: `secret_detection`
+    - Location fingerprint: `adc83b19e793491b1c6ea0fd8b46cd9f32e592fc`
+    - Identifiers: CVE-2022-25510
+  - Deduplication result: not duplicates because the scan type is different.
+- Example 2: matching location and scan type, mismatching type identifiers.
+  - Finding
+    - Scan type: `sast`
+    - Location fingerprint: `adc83b19e793491b1c6ea0fd8b46cd9f32e592fc`
+    - Identifiers: CWE-259
+  - Other Finding
+    - Scan type: `sast`
+    - Location fingerprint: `adc83b19e793491b1c6ea0fd8b46cd9f32e592fc`
+    - Identifiers: CWE-798
+  - Deduplication result: duplicates because `CWE` identifiers are ignored.
+- Example 3: matching scan type, location and identifiers.
+  - Finding
+    - Scan type: `container_scanning`
+    - Location fingerprint: `adc83b19e793491b1c6ea0fd8b46cd9f32e592fc`
+    - Identifiers: CVE-2022-25510, CWE-259
+  - Other Finding
+    - Scan type: `container_scanning`
+    - Location fingerprint: `adc83b19e793491b1c6ea0fd8b46cd9f32e592fc`
+    - Identifiers: CVE-2022-25510, CWE-798
+  - Deduplication result: duplicates because all criteria match, and type identifiers are ignored.
+
+The examples above don't include the raw location values. Each scan type defines its own
+`fingerprint_data`, which is used to generate a `SHA1` hash that is used as the `location_fingerprint`.
+You can find definitions for each scan type [`gitlab/lib/gitlab/ci/reports/security/locations`](https://gitlab.com/gitlab-org/gitlab/-/tree/01c69e97340b7c1c7e30c0caec8506910b6503c8/lib/gitlab/ci/reports/security/locations)
+and [`gitlab/ee/lib/gitlab/ci/reports/security/locations`](https://gitlab.com/gitlab-org/gitlab/-/tree/01c69e97340b7c1c7e30c0caec8506910b6503c8/ee/lib/gitlab/ci/reports/security/locations).

doc/user/application_security/index.md

@@ -85,6 +85,12 @@ Inviting **Subgroup Y** to a parent group of **Project A**
 [is not supported](https://gitlab.com/gitlab-org/gitlab/-/issues/288851). To set **Subgroup Y** as
 Code Owners, add this group directly to the project itself.
 
+NOTE:
+For approval to be required, groups as Code Owners must have a direct membership
+(not inherited membership) in the project. Approval can only be optional for groups
+that inherit membership. Members in the Code Owners group also must be direct members,
+and not inherit membership from any parent groups.
+
 ### Add a group as a Code Owner
 
 To set a group as a Code Owner: