Commit 835b633a authored by Nick Gaskill's avatar Nick Gaskill

Merge branch 'russell/move-vulnerability-docs' into 'master'

Moved some vulnerability docs

See merge request gitlab-org/gitlab!59122
parents 9f75979c 5dcf5d47
...@@ -548,7 +548,7 @@ of the available SAST Analyzers and what data is currently available. ...@@ -548,7 +548,7 @@ of the available SAST Analyzers and what data is currently available.
The `remediations` field of the report is an array of remediation objects. The `remediations` field of the report is an array of remediation objects.
Each remediation describes a patch that can be applied to Each remediation describes a patch that can be applied to
[automatically fix](../../user/application_security/#apply-an-automatic-remediation-for-a-vulnerability) [automatically fix](../../user/application_security/vulnerabilities/index.md#remediate-a-vulnerability-automatically)
a set of vulnerabilities. a set of vulnerabilities.
Here is an example of a report that contains remediations. Here is an example of a report that contains remediations.
......
...@@ -101,7 +101,7 @@ and complete an integration with the Secure stage. ...@@ -101,7 +101,7 @@ and complete an integration with the Secure stage.
- Users can interact with the findings from your artifact within their workflow. They can dismiss the findings or accept them and create a backlog issue. - Users can interact with the findings from your artifact within their workflow. They can dismiss the findings or accept them and create a backlog issue.
- To automatically create issues without user interaction, use the [issue API](../../api/issues.md). - To automatically create issues without user interaction, use the [issue API](../../api/issues.md).
1. Optional: Provide auto-remediation steps: 1. Optional: Provide auto-remediation steps:
- If you specified `remediations` in your artifact, it is proposed through our [automatic remediation](../../user/application_security/index.md#apply-an-automatic-remediation-for-a-vulnerability) - If you specified `remediations` in your artifact, it is proposed through our [automatic remediation](../../user/application_security/vulnerabilities/index.md#remediate-a-vulnerability-automatically)
interface. interface.
1. Demo the integration to GitLab: 1. Demo the integration to GitLab:
- After you have tested and are ready to demo your integration please - After you have tested and are ready to demo your integration please
......
...@@ -996,7 +996,7 @@ pipelines. For more information, see the [Security Dashboard documentation](../s ...@@ -996,7 +996,7 @@ pipelines. For more information, see the [Security Dashboard documentation](../s
Fuzzing faults show up as vulnerabilities with a severity of Unknown. Fuzzing faults show up as vulnerabilities with a severity of Unknown.
Once a fault is found, you can interact with it. Read more on how to Once a fault is found, you can interact with it. Read more on how to
[address the vulnerabilities](../index.md#addressing-vulnerabilities). [address the vulnerabilities](../vulnerabilities/index.md).
## Handling False Positives ## Handling False Positives
......
...@@ -694,7 +694,7 @@ If you're using Klar and want more information about the vulnerabilities databas ...@@ -694,7 +694,7 @@ If you're using Klar and want more information about the vulnerabilities databas
## Interacting with the vulnerabilities ## Interacting with the vulnerabilities
After a vulnerability is found, you can [address it](../index.md#addressing-vulnerabilities). After a vulnerability is found, you can [address it](../vulnerabilities/index.md).
## Solutions for vulnerabilities (auto-remediation) ## Solutions for vulnerabilities (auto-remediation)
...@@ -708,7 +708,7 @@ file, it's necessary to set [`GIT_STRATEGY: fetch`](../../../ci/runners/README.m ...@@ -708,7 +708,7 @@ file, it's necessary to set [`GIT_STRATEGY: fetch`](../../../ci/runners/README.m
your `.gitlab-ci.yml` file by following the instructions described in this document's your `.gitlab-ci.yml` file by following the instructions described in this document's
[overriding the container scanning template](#overriding-the-container-scanning-template) section. [overriding the container scanning template](#overriding-the-container-scanning-template) section.
Read more about the [solutions for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability). Read more about the [solutions for vulnerabilities](../vulnerabilities/index.md#remediate-a-vulnerability-automatically).
## Troubleshooting ## Troubleshooting
......
...@@ -237,7 +237,7 @@ The `covfuzz-ci.yml` is the same as that in the [original synchronous example](h ...@@ -237,7 +237,7 @@ The `covfuzz-ci.yml` is the same as that in the [original synchronous example](h
## Interacting with the vulnerabilities ## Interacting with the vulnerabilities
After a vulnerability is found, you can [address it](../index.md#addressing-vulnerabilities). After a vulnerability is found, you can [address it](../vulnerabilities/index.md).
The merge request widget lists the vulnerability and contains a button for downloading the fuzzing The merge request widget lists the vulnerability and contains a button for downloading the fuzzing
artifacts. By clicking one of the detected vulnerabilities, you can see its details. artifacts. By clicking one of the detected vulnerabilities, you can see its details.
......
...@@ -228,13 +228,13 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m ...@@ -228,13 +228,13 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m
## Interacting with the vulnerabilities ## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to Once a vulnerability is found, you can interact with it. Read more on how to
[address the vulnerabilities](../index.md#addressing-vulnerabilities). [address the vulnerabilities](../vulnerabilities/index.md).
## Solutions for vulnerabilities (auto-remediation) ## Solutions for vulnerabilities (auto-remediation)
Some vulnerabilities can be fixed by applying the solution that GitLab Some vulnerabilities can be fixed by applying the solution that GitLab
automatically generates. Read more about the automatically generates. Read more about the
[solutions for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability). [solutions for vulnerabilities](../vulnerabilities/index.md#remediate-a-vulnerability-automatically).
## Security Dashboard ## Security Dashboard
......
...@@ -119,99 +119,6 @@ reports are available to download. To download a report, click on the ...@@ -119,99 +119,6 @@ reports are available to download. To download a report, click on the
![Security widget](img/security_widget_v13_7.png) ![Security widget](img/security_widget_v13_7.png)
## Addressing vulnerabilities
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.8.
For each security vulnerability in a merge request or [Vulnerability Report](vulnerability_report/index.md),
you can:
- [Dismiss the vulnerability](#dismiss-a-vulnerability).
- Create a [confidential](../project/issues/confidential_issues.md)
[issue](vulnerabilities/index.md#create-a-gitlab-issue-for-a-vulnerability).
- Apply an [automatically remediation](#apply-an-automatic-remediation-for-a-vulnerability).
### Dismiss a vulnerability
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0, a dismissal reason.
You can dismiss a vulnerability for the entire project.
1. Select the vulnerability in the Security Dashboard.
1. In the top-right, from the **Status** selector menu, select **Dismissed**.
1. Optional. Add a reason for the dismissal and select **Save comment**.
To undo this action, select a different status from the same menu.
#### Dismiss multiple vulnerabilities
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
You can dismiss multiple vulnerabilities at once.
1. In the list of vulnerabilities, select the checkbox for each vulnerability you want to dismiss.
To select all, select the checkbox in the table header.
1. Above the table, select a dismissal reason.
1. Select **Dismiss Selected**.
### Create an issue for a vulnerability
You can create a GitLab or Jira issue for a vulnerability. For details, see [Vulnerability Pages](vulnerabilities/index.md).
#### Link to an existing issue
If you already have an open issue, you can link to it from the vulnerability.
- The vulnerability page shows related issues, but the issue page doesn't show the vulnerability it's related to.
- An issue can only be related to one vulnerability at a time.
- Issues can be linked across groups and projects.
To link to an existing issue:
1. Open the vulnerability.
1. [Add a linked issue](../project/issues/related_issues.md).
### Apply an automatic remediation for a vulnerability
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5656) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.7.
Some vulnerabilities can be fixed by applying the solution that GitLab automatically generates.
The following scanners are supported:
- [Dependency Scanning](dependency_scanning/index.md).
Automatic Patch creation is only available for Node.js projects managed with
`yarn`.
- [Container Scanning](container_scanning/index.md).
#### Manually apply the suggested patch
To manually apply the patch that GitLab generated for a vulnerability:
1. Select the **Resolve with merge request** dropdown, then select **Download patch to resolve**:
![Resolve with Merge Request button dropdown](img/vulnerability_page_merge_request_button_dropdown_v13_1.png)
1. Ensure your local project has the same commit checked out that was used to generate the patch.
1. Run `git apply remediation.patch`.
1. Verify and commit the changes to your branch.
#### Create a merge request with the suggested patch
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9224) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.9.
In some cases, you can create a merge request that automatically remediates the
vulnerability. Any vulnerability that has a
[solution](#apply-an-automatic-remediation-for-a-vulnerability) can have a merge
request created to automatically solve the issue.
If this action is available:
1. Select the **Resolve with merge request** dropdown, then select **Resolve with merge request**.
![Create merge request from vulnerability](img/create_mr_from_vulnerability_v13_4.png)
A merge request is created. It that applies the solution to the source branch.
## Security approvals in merge requests ## Security approvals in merge requests
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9928) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.2. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9928) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.2.
......
...@@ -59,14 +59,14 @@ mirroring the packages inside your own offline network. ...@@ -59,14 +59,14 @@ mirroring the packages inside your own offline network.
### Interacting with the vulnerabilities ### Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to Once a vulnerability is found, you can interact with it. Read more on how to
[address the vulnerabilities](../index.md#addressing-vulnerabilities). [address the vulnerabilities](../vulnerabilities/index.md).
Please note that in some cases the reported vulnerabilities provide metadata that can contain Please note that in some cases the reported vulnerabilities provide metadata that can contain
external links exposed in the UI. These links might not be accessible within an offline environment. external links exposed in the UI. These links might not be accessible within an offline environment.
### Automatic remediation for vulnerabilities ### Automatic remediation for vulnerabilities
The [automatic remediation for vulnerabilities](../index.md#apply-an-automatic-remediation-for-a-vulnerability) feature is available for offline Dependency Scanning and Container Scanning, but may not work The [automatic remediation for vulnerabilities](../vulnerabilities/index.md#remediate-a-vulnerability-automatically) feature is available for offline Dependency Scanning and Container Scanning, but may not work
depending on your instance's configuration. We can only suggest solutions, which are generally more depending on your instance's configuration. We can only suggest solutions, which are generally more
current versions that have been patched, when we are able to access up-to-date registry services current versions that have been patched, when we are able to access up-to-date registry services
hosting the latest versions of that dependency or image. hosting the latest versions of that dependency or image.
......
...@@ -135,12 +135,12 @@ Different features are available in different [GitLab tiers](https://about.gitla ...@@ -135,12 +135,12 @@ Different features are available in different [GitLab tiers](https://about.gitla
as shown in the following table: as shown in the following table:
| Capability | In Free | In Ultimate | | Capability | In Free | In Ultimate |
|:-------------------------------------------------------------------------------------------------------------|:--------------------|:-------------------| |:---------------------------------------------------------------------------------------|:--------------------|:-------------------|
| [Configure SAST Scanners](#configuration) | **{check-circle}** | **{check-circle}** | | [Configure SAST Scanners](#configuration) | **{check-circle}** | **{check-circle}** |
| [Customize SAST Settings](#customizing-the-sast-settings) | **{check-circle}** | **{check-circle}** | | [Customize SAST Settings](#customizing-the-sast-settings) | **{check-circle}** | **{check-circle}** |
| View [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** | | View [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
| Presentation of JSON Report in Merge Request | **{dotted-circle}** | **{check-circle}** | | Presentation of JSON Report in Merge Request | **{dotted-circle}** | **{check-circle}** |
| [Address vulnerabilities](../../application_security/index.md#addressing-vulnerabilities) | **{dotted-circle}** | **{check-circle}** | | [Address vulnerabilities](../../application_security/vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** | | [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** | | [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** |
| [Customize SAST Rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** | | [Customize SAST Rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** |
......
...@@ -211,4 +211,4 @@ Each scenario can be a third-level heading, e.g. `### Getting error message X`. ...@@ -211,4 +211,4 @@ Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. --> but commented out to help encourage others to add to it in the future. -->
Read more on how to [address the vulnerabilities](../index.md#addressing-vulnerabilities). Read more on how to [address the vulnerabilities](../vulnerabilities/index.md).
...@@ -12,7 +12,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -12,7 +12,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
Each security vulnerability in a project's [Vulnerability Report](../vulnerability_report/index.md) has an individual page which includes: Each security vulnerability in a project's [Vulnerability Report](../vulnerability_report/index.md) has an individual page which includes:
- Details of the vulnerability. - Details of the vulnerability.
- The status of the vulnerability within the project. - The status of the vulnerability in the project.
- Available actions for the vulnerability. - Available actions for the vulnerability.
- Any issues related to the vulnerability. - Any issues related to the vulnerability.
...@@ -21,8 +21,10 @@ On the vulnerability's page, you can: ...@@ -21,8 +21,10 @@ On the vulnerability's page, you can:
- [Change the vulnerability's status](#change-vulnerability-status). - [Change the vulnerability's status](#change-vulnerability-status).
- [Create an issue](#create-an-issue-for-a-vulnerability). - [Create an issue](#create-an-issue-for-a-vulnerability).
- [Link issues to the vulnerability](#link-gitlab-issues-to-the-vulnerability). - [Link issues to the vulnerability](#link-gitlab-issues-to-the-vulnerability).
- [Automatically remediate the vulnerability](#automatically-remediate-the-vulnerability), if an - [Remediate a vulnerability automatically](#remediate-a-vulnerability-automatically), if an
automatic solution is available. automatic solution is available.
- [Remediate a vulnerability manually](#remediate-a-vulnerability-manually), if a solution is
available.
## Change vulnerability status ## Change vulnerability status
...@@ -60,7 +62,7 @@ To create a GitLab issue for a vulnerability: ...@@ -60,7 +62,7 @@ To create a GitLab issue for a vulnerability:
1. In GitLab, go to the vulnerability's page. 1. In GitLab, go to the vulnerability's page.
1. Select **Create issue**. 1. Select **Create issue**.
An issue is created in the project, prepopulated with information from the vulnerability report. An issue is created in the project, pre-populated with information from the vulnerability report.
The issue is then opened so you can take further action. The issue is then opened so you can take further action.
### Create a Jira issue for a vulnerability ### Create a Jira issue for a vulnerability
...@@ -120,10 +122,59 @@ that the resolution of one issue would resolve multiple vulnerabilities. ...@@ -120,10 +122,59 @@ that the resolution of one issue would resolve multiple vulnerabilities.
Linked issues are shown in the Vulnerability Report and the vulnerability's page. Linked issues are shown in the Vulnerability Report and the vulnerability's page.
## Automatically remediate the vulnerability ## Link to an existing issue
You can fix some vulnerabilities by applying the solution that GitLab automatically If you already have an open issue, you can link to it from the vulnerability.
generates for you. [Read more about the automatic remediation for vulnerabilities feature](../index.md#apply-an-automatic-remediation-for-a-vulnerability).
- The vulnerability page shows related issues, but the issue page doesn't show the vulnerability it's related to.
- An issue can only be related to one vulnerability at a time.
- Issues can be linked across groups and projects.
To link to an existing issue:
1. Open the vulnerability.
1. [Add a linked issue](../../project/issues/related_issues.md).
## Remediate a vulnerability automatically
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5656) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.7.
Some vulnerabilities can be fixed by applying the solution that GitLab automatically generates.
The following scanners are supported:
- [Dependency Scanning](../dependency_scanning/index.md).
Automatic Patch creation is only available for Node.js projects managed with
`yarn`.
- [Container Scanning](../container_scanning/index.md).
### Remediate a vulnerability manually
To manually apply the patch that GitLab generated for a vulnerability:
1. Select the **Resolve with merge request** dropdown, then select **Download patch to resolve**:
![Resolve with Merge Request button dropdown](img/vulnerability_page_merge_request_button_dropdown_v13_1.png)
1. Ensure your local project has the same commit checked out that was used to generate the patch.
1. Run `git apply remediation.patch`.
1. Verify and commit the changes to your branch.
### Create a merge request with the suggested patch
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9224) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.9.
In some cases, you can create a merge request that automatically remediates the
vulnerability. Any vulnerability that has a
[solution](#remediate-a-vulnerability-automatically) can have a merge
request created to automatically solve the issue.
If this action is available:
1. Select the **Resolve with merge request** dropdown, then select **Resolve with merge request**.
![Create merge request from vulnerability](img/create_mr_from_vulnerability_v13_4.png)
A merge request is created. It applies the solution to the source branch.
## Vulnerability scanner maintenance ## Vulnerability scanner maintenance
......
...@@ -162,3 +162,26 @@ computer. ...@@ -162,3 +162,26 @@ computer.
NOTE: NOTE:
It may take several minutes for the download to start if your project contains It may take several minutes for the download to start if your project contains
thousands of vulnerabilities. Don't close the page until the download finishes. thousands of vulnerabilities. Don't close the page until the download finishes.
## Dismiss a vulnerability
> The option of adding a dismissal reason was introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0.
You can dismiss a vulnerability for the entire project:
1. Select the vulnerability in the Security Dashboard.
1. In the top-right, from the **Status** selector menu, select **Dismissed**.
1. Optional. Add a reason for the dismissal and select **Save comment**.
To undo this action, select a different status from the same menu.
### Dismiss multiple vulnerabilities
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
You can dismiss multiple vulnerabilities at once:
1. In the list of vulnerabilities, select the checkbox for each vulnerability you want to dismiss.
To select all, select the checkbox in the table header.
1. Above the table, select a dismissal reason.
1. Select **Dismiss Selected**.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment