Merge branch 'remove_replace_klar_by_trivy_in_docs' into 'master'

Remove Klar and update documentation See merge request gitlab-org/gitlab!62326

Merge branch 'remove_replace_klar_by_trivy_in_docs' into 'master'
Remove Klar and update documentation See merge request gitlab-org/gitlab!62326
8a387181 · Nick Gaskill · 78775c94 · f4e4b812 · 8a387181 · 8a387181
Commit 8a387181 authored Jun 02, 2021 by Nick Gaskill
5 changed files
--- a/doc/.vale/gitlab/spelling-exceptions.txt
+++ b/doc/.vale/gitlab/spelling-exceptions.txt
@@ -295,7 +295,6 @@ keytab
 keytabs
 Kibana
 Kinesis
-Klar
 Knative
 Kramdown
 Kroki

--- a/doc/api/vulnerability_exports.md
+++ b/doc/api/vulnerability_exports.md
@@ -199,13 +199,13 @@ Example response:
 ```csv
 Group Name,Project Name,Scanner Type,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers
-Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2017-16997 in glibc,,CVE-2017-16997 in glibc,critical,CVE-2017-16997
+Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2017-16997 in glibc,,CVE-2017-16997 in glibc,critical,CVE-2017-16997
-Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2017-18269 in glibc,,CVE-2017-18269 in glibc,critical,CVE-2017-18269
+Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2017-18269 in glibc,,CVE-2017-18269 in glibc,critical,CVE-2017-18269
-Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2018-1000001 in glibc,,CVE-2018-1000001 in glibc,high,CVE-2018-1000001
+Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2018-1000001 in glibc,,CVE-2018-1000001 in glibc,high,CVE-2018-1000001
-Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2016-10228 in glibc,,CVE-2016-10228 in glibc,medium,CVE-2016-10228
+Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2016-10228 in glibc,,CVE-2016-10228 in glibc,medium,CVE-2016-10228
-Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2010-4052 in glibc,,CVE-2010-4052 in glibc,low,CVE-2010-4052
+Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2010-4052 in glibc,,CVE-2010-4052 in glibc,low,CVE-2010-4052
-Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2018-18520 in elfutils,,CVE-2018-18520 in elfutils,low,CVE-2018-18520
+Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2018-18520 in elfutils,,CVE-2018-18520 in elfutils,low,CVE-2018-18520
-Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2018-16869 in nettle,,CVE-2018-16869 in nettle,unknown,CVE-2018-16869,CWE-1
+Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2018-16869 in nettle,,CVE-2018-16869 in nettle,unknown,CVE-2018-16869,CWE-1
 Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Regular Expression Denial of Service in debug,,Regular Expression Denial of Service in debug,unknown,CVE-2021-1234,CWE-2,"""yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a"""
 Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js,,Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js,unknown,,,"""yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98"""
 Gitlab.org,Defend,sast,Find Security Bugs,detected,Predictable pseudorandom number generator,,Predictable pseudorandom number generator,medium,,,"""818bf5dacb291e15d9e6dc3c5ac32178:PREDICTABLE_RANDOM:src/main/java/com/gitlab/security_products/tests/App.java:47"""

--- a/doc/topics/autodevops/stages.md
+++ b/doc/topics/autodevops/stages.md
@@ -208,9 +208,9 @@ documentation.
 ## Auto Container Scanning **(ULTIMATE)**
-Vulnerability Static Analysis for containers uses either [Clair](https://github.com/quay/clair)
+Vulnerability static analysis for containers uses [Trivy](https://aquasecurity.github.io/trivy/latest/)
-or [Trivy](https://aquasecurity.github.io/trivy/latest/) to check for potential security issues in
+to check for potential security issues in Docker images. The Auto Container Scanning stage is
-Docker images. The Auto Container Scanning stage is skipped on licenses other than [Ultimate](https://about.gitlab.com/pricing/).
+skipped on licenses other than [Ultimate](https://about.gitlab.com/pricing/).
 After creating the report, it's uploaded as an artifact which you can later download and
 check out. The merge request displays any detected security issues.

--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -46,12 +46,7 @@ To enable container scanning in your pipeline, you need the following:
  or [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor.
 - Docker `18.09.03` or higher installed on the same computer as the runner. If you're using the
  shared runners on GitLab.com, then this is already the case.
- An image matching the following supported distributions (depending on the scanner being used):
+- An image matching the [supported distributions](https://aquasecurity.github.io/trivy/latest/vuln-detection/os/)).
-  | Scanning Engine | Supported distributions |
-  | --- | --- |
-  | [Trivy](https://github.com/aquasecurity/trivy) | Supported [operating systems](https://aquasecurity.github.io/trivy/latest/vuln-detection/os/) and [languages](https://aquasecurity.github.io/trivy/latest/vuln-detection/library/) |
 - [Build and push](../../packages/container_registry/index.md#build-and-push-by-using-gitlab-cicd)
  your Docker image to your project's container registry. The name of the Docker image should use
  the following [predefined CI/CD variables](../../../ci/variables/predefined_variables.md):
@@ -98,14 +93,16 @@ How you enable container scanning depends on your GitLab version:
  variable.
 - GitLab 13.9 [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/322656) integration with
  [Trivy](https://github.com/aquasecurity/trivy) by upgrading `CS_MAJOR_VERSION` from `3` to `4`.
- GitLab 14.0 makes Trivy the default scanner.
+- GitLab 14.0 [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/61850)
+  integration with [Trivy](https://github.com/aquasecurity/trivy)
+  as the default for container scanning.
 To include the `Container-Scanning.gitlab-ci.yml` template (GitLab 11.9 and later), add the
 following to your `.gitlab-ci.yml` file:
 ```yaml
 include:
-  - template: Container-Scanning.gitlab-ci.yml
+  - template: Security/Container-Scanning.gitlab-ci.yml
 ```
 The included template:
@@ -144,7 +141,7 @@ build:
    - docker push $IMAGE
 include:
-  - template: Container-Scanning.gitlab-ci.yml
+  - template: Security/Container-Scanning.gitlab-ci.yml
 ```
 ### Customizing the container scanning settings
@@ -161,7 +158,7 @@ enables verbose output for the analyzer:
 ```yaml
 include:
-  - template: Container-Scanning.gitlab-ci.yml
+  - template: Security/Container-Scanning.gitlab-ci.yml
 variables:
    SECURE_LOG_LEVEL: 'debug'
@@ -169,7 +166,7 @@ variables:
 #### Available CI/CD variables
-You can [configure](#customizing-the-container-scanning-settings) both analyzers by using the following CI/CD variables:
+You can [configure](#customizing-the-container-scanning-settings) analyzers by using the following CI/CD variables:
 | CI/CD Variable                 | Default       | Description | Scanner |
 | ------------------------------ | ------------- | ----------- | ------------ |
@@ -195,7 +192,7 @@ This example sets `GIT_STRATEGY` to `fetch`:
 ```yaml
 include:
-  - template: Container-Scanning.gitlab-ci.yml
+  - template: Security/Container-Scanning.gitlab-ci.yml
 container_scanning:
  variables:
@@ -224,7 +221,7 @@ your CI file:
   offline environment, see
   [Running container scanning in an offline environment](#running-container-scanning-in-an-offline-environment).
-1. If present, remove the `.cs_common` configuration section.
+1. If present, remove the `.cs_common` and `container_scanning_new` configuration sections.
 1. If the `container_scanning` section is present, it's safer to create one from scratch based on
   the new version of the [`Container-Scanning.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml).
@@ -408,7 +405,7 @@ For details on saving and transporting Docker images as a file, see Docker's doc
   ```yaml
   include:
-     - template: Container-Scanning.gitlab-ci.yml
+     - template: Security/Container-Scanning.gitlab-ci.yml
   container_scanning:
     image: $CI_REGISTRY/namespace/gitlab-container-scanning
@@ -432,7 +429,7 @@ variables:
 image: docker:stable
-update-vulnerabilities-db:
+update-scanner-image:
  services:
    - docker:19-dind
  script:
@@ -574,8 +571,8 @@ the security vulnerabilities in your groups, projects and pipelines.
 ## Vulnerabilities database update
-If you're using Klar and want more information about the vulnerabilities database update, see the
+If you use container scanning and want more information about the vulnerabilities database update,
-[maintenance table](../vulnerabilities/index.md#vulnerability-scanner-maintenance).
+see the [maintenance table](../vulnerabilities/index.md#vulnerability-scanner-maintenance).
 ## Interacting with the vulnerabilities

--- a/doc/user/application_security/terminology/index.md
+++ b/doc/user/application_security/terminology/index.md
@@ -101,7 +101,7 @@ of the finding's [first identifier](https://gitlab.com/gitlab-org/security-produ
 combine to create the value.
 Examples of primary identifiers include `PluginID` for OWASP Zed Attack Proxy (ZAP), or `CVE` for
-Klar. Note that the identifier must be stable. Subsequent scans must return the same value for the
+Trivy. Note that the identifier must be stable. Subsequent scans must return the same value for the
 same finding, even if the location has slightly changed.
 ### Report finding
@@ -122,7 +122,7 @@ The type of scan. This must be one of the following:
 ### Scanner
 Software that can scan for vulnerabilities. The resulting scan report is typically not in the
-[Secure report format](#secure-report-format). Examples include ESLint, Klar, and ZAP.
+[Secure report format](#secure-report-format). Examples include ESLint, Trivy, and ZAP.
 ### Secure product