From f25ba4b4194d4279ed66ad55fafd60d5286608e2 Mon Sep 17 00:00:00 2001
From: Victor Zagorodny
Date: Wed, 16 Oct 2019 22:59:23 +0300
Subject: [PATCH 01/62] Add doc stubs for Vulnerabilities-related APIs

Add stubs for:
- Project Vulnerability Findings API (former Project Vulnerabilities API)
- Project Vulnerabilities API
- Standalone Vulnerabilities API
- Permissions table with new permissions for Vulnerabilities
---
 ...ources_stub_first_class_vulnerabilities.md | 147 ++++
 doc/api/project_vulnerabilities_stub.md | 202 ++++++++
 .../project_vulnerability_findings_stub.md | 120 +++++
 doc/api/vulnerabilities_stub.md | 111 +++++
 ...ssions_stub_first_class_vulnerabilities.md | 430 ++++++++++++++++++
 5 files changed, 1010 insertions(+)
 create mode 100644 doc/api/api_resources_stub_first_class_vulnerabilities.md
 create mode 100644 doc/api/project_vulnerabilities_stub.md
 create mode 100644 doc/api/project_vulnerability_findings_stub.md
 create mode 100644 doc/api/vulnerabilities_stub.md
 create mode 100644 doc/user/permissions_stub_first_class_vulnerabilities.md

diff --git a/doc/api/api_resources_stub_first_class_vulnerabilities.md b/doc/api/api_resources_stub_first_class_vulnerabilities.md
new file mode 100644
index 00000000000000..0882986b852f99
--- /dev/null
+++ b/doc/api/api_resources_stub_first_class_vulnerabilities.md
@@ -0,0 +1,147 @@
+# API resources
+
+Available resources for the [GitLab API](README.md) can be grouped in the following contexts:
+
+- [Projects](#project-resources).
+- [Groups](#group-resources).
+- [Standalone](#standalone-resources).
+
+See also:
+
+- [V3 to V4](v3_to_v4.md).
+- Adding [deploy keys for multiple projects](deploy_key_multiple_projects.md).
+- [API Resources for various templates](#templates-api-resources).
+
+## Project resources
+
+The following API resources are available in the project context:
+
+| Resource | Available endpoints |
+|:---------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Access requests](access_requests.md) | `/projects/:id/access_requests` (also available for groups) |
+| [Award emoji](award_emoji.md) | `/projects/:id/issues/.../award_emoji`, `/projects/:id/merge_requests/.../award_emoji`, `/projects/:id/snippets/.../award_emoji` |
+| [Branches](branches.md) | `/projects/:id/repository/branches/`, `/projects/:id/repository/merged_branches` |
+| [Commits](commits.md) | `/projects/:id/repository/commits`, `/projects/:id/statuses` |
+| [Container Registry](container_registry.md) | `/projects/:id/registry/repositories` |
+| [Custom attributes](custom_attributes.md) | `/projects/:id/custom_attributes` (also available for groups and users) |
+| [Dependencies](dependencies.md) **(ULTIMATE)** | `/projects/:id/dependencies` |
+| [Deploy keys](deploy_keys.md) | `/projects/:id/deploy_keys` (also available standalone) |
+| [Deployments](deployments.md) | `/projects/:id/deployments` |
+| [Discussions](discussions.md) (threaded comments) | `/projects/:id/issues/.../discussions`, `/projects/:id/snippets/.../discussions`, `/projects/:id/merge_requests/.../discussions`, `/projects/:id/commits/.../discussions` (also available for groups) |
+| [Environments](environments.md) | `/projects/:id/environments` |
+| [Events](events.md) | `/projects/:id/events` (also available for users and standalone) |
+| [Issues](issues.md) | `/projects/:id/issues` (also available for groups and standalone) |
+| [Issues Statistics](issues_statistics.md) | `/projects/:id/issues_statistics` (also available for groups and standalone) |
+| [Issue boards](boards.md) | `/projects/:id/boards` |
+| [Issue links](issue_links.md) **(STARTER)** | `/projects/:id/issues/.../links` |
+| [Jobs](jobs.md) | `/projects/:id/jobs`, `/projects/:id/pipelines/.../jobs` |
+| [Labels](labels.md) | `/projects/:id/labels` |
+| [Managed licenses](managed_licenses.md) **(ULTIMATE)** | `/projects/:id/managed_licenses` |
+| [Members](members.md) | `/projects/:id/members` (also available for groups) |
+| [Merge request approvals](merge_request_approvals.md) **(STARTER)** | `/projects/:id/approvals`, `/projects/:id/merge_requests/.../approvals` |
+| [Merge requests](merge_requests.md) | `/projects/:id/merge_requests` (also available for groups and standalone) |
+| [Notes](notes.md) (comments) | `/projects/:id/issues/.../notes`, `/projects/:id/snippets/.../notes`, `/projects/:id/merge_requests/.../notes` (also available for groups) |
+| [Notification settings](notification_settings.md) | `/projects/:id/notification_settings` (also available for groups and standalone) |
+| [Packages](packages.md) **(PREMIUM)** | `/projects/:id/packages` |
+| [Pages domains](pages_domains.md) | `/projects/:id/pages` (also available standalone) |
+| [Pipelines](pipelines.md) | `/projects/:id/pipelines` |
+| [Pipeline schedules](pipeline_schedules.md) | `/projects/:id/pipeline_schedules` |
+| [Pipeline triggers](pipeline_triggers.md) | `/projects/:id/triggers` |
+| [Projects](projects.md) including setting Webhooks | `/projects`, `/projects/:id/hooks` (also available for users) |
+| [Project badges](project_badges.md) | `/projects/:id/badges` |
+| [Project clusters](project_clusters.md) | `/projects/:id/clusters` |
+| [Project-level variables](project_level_variables.md) | `/projects/:id/variables` |
+| [Project import/export](project_import_export.md) | `/projects/:id/export`, `/projects/import`, `/projects/:id/import` |
+| [Project milestones](milestones.md) | `/projects/:id/milestones` |
+| [Project snippets](project_snippets.md) | `/projects/:id/snippets` |
+| [Project templates](project_templates.md) | `/projects/:id/templates` |
+| [Protected branches](protected_branches.md) | `/projects/:id/protected_branches` |
+| [Protected tags](protected_tags.md) | `/projects/:id/protected_tags` |
+| [Releases](releases/index.md) | `/projects/:id/releases` |
+| [Release links](releases/links.md) | `/projects/:id/releases/.../assets/links` |
+| [Repositories](repositories.md) | `/projects/:id/repository` |
+| [Repository files](repository_files.md) | `/projects/:id/repository/files` |
+| [Repository submodules](repository_submodules.md) | `/projects/:id/repository/submodules` |
+| [Resource label events](resource_label_events.md) | `/projects/:id/issues/.../resource_label_events`, `/projects/:id/merge_requests/.../resource_label_events` (also available for groups) |
+| [Runners](runners.md) | `/projects/:id/runners` (also available standalone) |
+| [Search](search.md) | `/projects/:id/search` (also available for groups and standalone) |
+| [Services](services.md) | `/projects/:id/services` |
+| [Tags](tags.md) | `/projects/:id/repository/tags` |
+| [Vulnerability Findings](project_vulnerability_findings_stub.md) **(ULTIMATE)** | `/projects/:id/vulnerability_findings` |
+| [Vulnerabilities](project_vulnerabilities_stub.md) **(ULTIMATE)** | `/projects/:id/vulnerabilities` |
+| [Wikis](wikis.md) | `/projects/:id/wikis` |
+
+## Group resources
+
+The following API resources are available in the group context:
+
+| Resource | Available endpoints |
+|:-----------------------------------------------------------------|:---------------------------------------------------------------------------------|
+| [Access requests](access_requests.md) | `/groups/:id/access_requests/` (also available for projects) |
+| [Custom attributes](custom_attributes.md) | `/groups/:id/custom_attributes` (also available for projects and users) |
+| [Discussions](discussions.md) (threaded comments) **(ULTIMATE)** | `/groups/:id/epics/.../discussions` (also available for projects) |
+| [Epic issues](epic_issues.md) **(ULTIMATE)** | `/groups/:id/epics/.../issues` |
+| [Epic links](epic_links.md) **(ULTIMATE)** | `/groups/:id/epics/.../epics` |
+| [Epics](epics.md) **(ULTIMATE)** | `/groups/:id/epics` |
+| [Groups](groups.md) | `/groups`, `/groups/.../subgroups` |
+| [Group badges](group_badges.md) | `/groups/:id/badges` |
+| [Group issue boards](group_boards.md) | `/groups/:id/boards` |
+| [Group labels](group_labels.md) | `/groups/:id/labels` |
+| [Group-level variables](group_level_variables.md) | `/groups/:id/variables` |
+| [Group milestones](group_milestones.md) | `/groups/:id/milestones` |
+| [Issues](issues.md) | `/groups/:id/issues` (also available for projects and standalone) |
+| [Issues Statistics](issues_statistics.md) | `/groups/:id/issues_statistics` (also available for projects and standalone) |
+| [Members](members.md) | `/groups/:id/members` (also available for projects) |
+| [Merge requests](merge_requests.md) | `/groups/:id/merge_requests` (also available for projects and standalone) |
+| [Notes](notes.md) (comments) | `/groups/:id/epics/.../notes` (also available for projects) |
+| [Notification settings](notification_settings.md) | `/groups/:id/notification_settings` (also available for projects and standalone) |
+| [Resource label events](resource_label_events.md) | `/groups/:id/epics/.../resource_label_events` (also available for projects) |
+| [Search](search.md) | `/groups/:id/search` (also available for projects and standalone) |
+
+## Standalone resources
+
+The following API resources are available outside of project and group contexts (including `/users`):
+
+| Resource | Available endpoints |
+|:-----------------------------------------------------------|:------------------------------------------------------------------------|
+| [Applications](applications.md) | `/applications` |
+| [Avatar](avatar.md) | `/avatar` |
+| [Broadcast messages](broadcast_messages.md) | `/broadcast_messages` |
+| [Code snippets](snippets.md) | `/snippets` |
+| [Custom attributes](custom_attributes.md) | `/users/:id/custom_attributes` (also available for groups and projects) |
+| [Deploy keys](deploy_keys.md) | `/deploy_keys` (also available for projects) |
+| [Events](events.md) | `/events`, `/users/:id/events` (also available for projects) |
+| [Feature flags](features.md) | `/features` |
+| [Geo Nodes](geo_nodes.md) **(PREMIUM ONLY)** | `/geo_nodes` |
+| [Import repository from GitHub](import.md) | `/import/github` |
+| [Issues](issues.md) | `/issues` (also available for groups and projects) |
+| [Issues Statistics](issues_statistics.md) | `/issues_statistics` (also available for groups and projects) |
+| [Keys](keys.md) | `/keys` |
+| [License](license.md) **(CORE ONLY)** | `/license` |
+| [Markdown](markdown.md) | `/markdown` |
+| [Merge requests](merge_requests.md) | `/merge_requests` (also available for groups and projects) |
+| [Namespaces](namespaces.md) | `/namespaces` |
+| [Notification settings](notification_settings.md) | `/notification_settings` (also available for groups and projects) |
+| [Pages domains](pages_domains.md) | `/pages/domains` (also available for projects) |
+| [Projects](projects.md) | `/users/:id/projects` (also available for projects) |
+| [Runners](runners.md) | `/runners` (also available for projects) |
+| [Search](search.md) | `/search` (also available for groups and projects) |
+| [Settings](settings.md) | `/application/settings` |
+| [Statistics](statistics.md) | `/application/statistics` |
+| [Sidekiq metrics](sidekiq_metrics.md) | `/sidekiq` |
+| [Suggestions](suggestions.md) | `/suggestions` |
+| [System hooks](system_hooks.md) | `/hooks` |
+| [Todos](todos.md) | `/todos` |
+| [Users](users.md) | `/users` |
+| [Validate `.gitlab-ci.yml` file](lint.md) | `/lint` |
+| [Version](version.md) | `/version` |
+| [Vulnerabilities](vulnerabilities_stub.md) **(ULTIMATE)** | `/vulnerabilities` (also available for projects) |
+
+## Templates API resources
+
+Endpoints are available for:
+
+- [Dockerfile templates](templates/dockerfiles.md).
+- [`.gitignore` templates](templates/gitignores.md).
+- [GitLab CI YAML templates](templates/gitlab_ci_ymls.md).
+- [Open source license templates](templates/licenses.md).
diff --git a/doc/api/project_vulnerabilities_stub.md b/doc/api/project_vulnerabilities_stub.md
new file mode 100644
index 00000000000000..6e0300b740aea1
--- /dev/null
+++ b/doc/api/project_vulnerabilities_stub.md
@@ -0,0 +1,202 @@
+# Vulnerabilities API **(ULTIMATE)**
+
+Every API call to vulnerabilities must be authenticated.
+
+Vulnerabilities are project-bound entities. If a user is not
+a member of a project to which the vulnerability belongs
+and the project is private, a request on that project
+will result in a `404` status code.
+
+CAUTION: **Caution:**
+This API is in an alpha stage and considered unstable.
+The response payload may be subject to change or breakage
+across GitLab releases.
+
+## Vulnerabilities pagination
+
+By default, `GET` requests return 20 results at a time because the API results
+are paginated.
+
+Read more on [pagination](README.md#pagination).
+
+## List project vulnerabilities
+
+List all of a project's vulnerabilities.
+
+If an authenticated user does not have permission to
+[use the Project Security Dashboard](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+`GET` requests for vulnerabilities of this project will result in a `403` status code.
+
+```
+GET /projects/:id/vulnerabilities
+```
+
+| Attribute | Type | Required | Description |
+| ------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user. |
+
+```bash
+curl --header "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/projects/4/vulnerabilities
+```
+
+Example response:
+
+```json
+[
+ {
+ "id": 2,
+ "title": "Predictable pseudorandom number generator",
+ "description": null,
+ "state": "closed",
+ "severity": "medium",
+ "confidence": "medium",
+ "project": {
+ "id": 32,
+ "name": "security-reports",
+ "full_path": "/gitlab-examples/security/security-reports",
+ "full_name": "gitlab-examples / security / security-reports"
+ },
+ "author_id": 1,
+ "updated_by_id": null,
+ "last_edited_by_id": null,
+ "closed_by_id": null,
+ "start_date": null,
+ "due_date": null,
+ "created_at": "2019-10-13T15:08:40.219Z",
+ "updated_at": "2019-10-13T15:09:40.382Z",
+ "last_edited_at": null,
+ "closed_at": null
+ },
+ {
+ "id": 3,
+ "title": "ECB mode is insecure",
+ "description": null,
+ "state": "opened",
+ "severity": "medium",
+ "confidence": "high",
+ "project": {
+ "id": 32,
+ "name": "security-reports",
+ "full_path": "/gitlab-examples/security/security-reports",
+ "full_name": "gitlab-examples / security / security-reports"
+ },
+ "author_id": 1,
+ "updated_by_id": null,
+ "last_edited_by_id": null,
+ "closed_by_id": null,
+ "start_date": null,
+ "due_date": null,
+ "created_at": "2019-10-16T11:19:21.691Z",
+ "updated_at": "2019-10-16T11:19:21.691Z",
+ "last_edited_at": null,
+ "closed_at": null
+ }
+]
+```
+
+## New vulnerability
+
+Creates a new vulnerability.
+
+If an authenticated user does not have a permission to
+[create vulnerability](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+this request will result in a `403` status code.
+
+```
+POST /projects/:id/vulnerabilities
+```
+
+| Attribute | Type | Required | Description |
+| ------------------- | ---------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
+| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) which the authenticated user is a member of |
+| `finding_id` | integer/string | yes | The ID of a Vulnerability Finding from which the new Vulnerability will be created |
+
+The rest of the attributes of a newly created Vulnerability are populated from
+its source Vulnerability Finding or with their default values:
+
+| Attribute | Value |
+|--------------|-------------------------------------------------------|
+| `author` | The authenticated user |
+| `title` | The `name` attribute of a Vulnerability Finding |
+| `state` | `opened` |
+| `severity` | The `severity` attribute of a Vulnerability Finding |
+| `confidence` | The `confidence` attribute of a Vulnerability Finding |
+
+```bash
+curl --header POST "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/projects/1/vulnerabilities?finding_id=1
+```
+
+Example response:
+
+```json
+{
+ "id": 2,
+ "title": "Predictable pseudorandom number generator",
+ "description": null,
+ "state": "opened",
+ "severity": "medium",
+ "confidence": "medium",
+ "project": {
+ "id": 32,
+ "name": "security-reports",
+ "full_path": "/gitlab-examples/security/security-reports",
+ "full_name": "gitlab-examples / security / security-reports"
+ },
+ "author_id": 1,
+ "updated_by_id": null,
+ "last_edited_by_id": null,
+ "closed_by_id": null,
+ "start_date": null,
+ "due_date": null,
+ "created_at": "2019-10-13T15:08:40.219Z",
+ "updated_at": "2019-10-13T15:09:40.382Z",
+ "last_edited_at": null,
+ "closed_at": null
+}
+```
+
+Errors:
+
+_A Vulnerability Finding is already attached to a different Vulnerability_
+
+Occurs when a Finding chosen to create a Vulnerability from is already associated with a different Vulnerability.
+
+Example response:
+
+```json
+{
+ "message": {
+ "base": [
+ "already exists for specified finding(s)"
+ ]
+ }
+}
+```
+
+_Vulnerability Finding not found_
+
+Occurs when the specified `finding_id` is unknown.
+
+```json
+{
+ "message": {
+ "base": [
+ "finding to promote from is not found"
+ ]
+ }
+}
+```
+
+_Conflict: a Finding is being promoted by another user_
+
+Occurs when specified `finding_id` was locked by another user while promoting to a Vulnerability.
+
+```json
+{
+ "message": {
+ "base": [
+ "finding is being promoted to vulnerability by another user"
+ ]
+ }
+}
+```
diff --git a/doc/api/project_vulnerability_findings_stub.md b/doc/api/project_vulnerability_findings_stub.md
new file mode 100644
index 00000000000000..85e9edeb8fd3ff
--- /dev/null
+++ b/doc/api/project_vulnerability_findings_stub.md
@@ -0,0 +1,120 @@
+# Vulnerability Findings API **(ULTIMATE)**
+
+Every API call to vulnerability findings must be authenticated.
+
+Vulnerability findings are project-bound entities. If a user is not
+a member of a project and the project is private, a request on
+that project will result in a `404` status code.
+
+If a user is able to access the project but does not have permission to
+[use the Project Security Dashboard](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+any request for vulnerability findings of this project will result in a `403` status code.
+
+CAUTION: **Caution:**
+This API is in an alpha stage and considered unstable.
+The response payload may be subject to change or breakage
+across GitLab releases.
+
+## Vulnerability findings pagination
+
+By default, `GET` requests return 20 results at a time because the API results
+are paginated.
+
+Read more on [pagination](README.md#pagination).
+
+## List project vulnerability findings
+
+List all of a project's vulnerability findings.
+
+```
+GET /projects/:id/vulnerability_findings
+GET /projects/:id/vulnerability_findings?report_type=sast
+GET /projects/:id/vulnerability_findings?report_type=container_scanning
+GET /projects/:id/vulnerability_findings?report_type=sast,dast
+GET /projects/:id/vulnerability_findings?scope=all
+GET /projects/:id/vulnerability_findings?scope=dismissed
+GET /projects/:id/vulnerability_findings?severity=high
+GET /projects/:id/vulnerability_findings?confidence=unknown,experimental
+GET /projects/:id/vulnerability_findings?pipeline_id=42
+```
+
+| Attribute | Type | Required | Description |
+| ------------- | -------------- | -------- | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) which the authenticated user is a member of. |
+| `report_type` | string array | no | Returns vulnerability findings belonging to specified report type. Valid values: `sast`, `dast`, `dependency_scanning`, or `container_scanning`. |
+| `scope` | string | no | Returns vulnerability findings for the given scope: `all` or `dismissed`. Defaults to `dismissed`. |
+| `severity` | string array | no | Returns vulnerability findings belonging to specified severity level: `undefined`, `info`, `unknown`, `low`, `medium`, `high`, or `critical`. Defaults to all. |
+| `confidence` | string array | no | Returns vulnerability findings belonging to specified confidence level: `undefined`, `ignore`, `unknown`, `experimental`, `low`, `medium`, `high`, or `confirmed`. Defaults to all. |
+| `pipeline_id` | integer/string | no | Returns vulnerability findings belonging to specified pipeline. |
+
+```bash
+curl --header "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/projects/4/vulnerability_findings
+```
+
+Example response:
+
+```json
+[
+ {
+ "id": null,
+ "report_type": "dependency_scanning",
+ "name": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js",
+ "severity": "unknown",
+ "confidence": "undefined",
+ "scanner": {
+ "external_id": "gemnasium",
+ "name": "Gemnasium"
+ },
+ "identifiers": [
+ {
+ "external_type": "gemnasium",
+ "external_id": "9952e574-7b5b-46fa-a270-aeb694198a98",
+ "name": "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98",
+ "url": "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.5.0/advisories"
+ },
+ {
+ "external_type": "cve",
+ "external_id": "CVE-2017-11429",
+ "name": "CVE-2017-11429",
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429"
+ }
+ ],
+ "project_fingerprint": "fa6f5b6c5d240b834ac5e901dc69f9484cef89ec",
+ "create_vulnerability_feedback_issue_path": "/tests/yarn-remediation-test/vulnerability_feedback",
+ "create_vulnerability_feedback_merge_request_path": "/tests/yarn-remediation-test/vulnerability_feedback",
+ "create_vulnerability_feedback_dismissal_path": "/tests/yarn-remediation-test/vulnerability_feedback",
+ "project": {
+ "id": 31,
+ "name": "yarn-remediation-test",
+ "full_path": "/tests/yarn-remediation-test",
+ "full_name": "tests / yarn-remediation-test"
+ },
+ "dismissal_feedback": null,
+ "issue_feedback": null,
+ "merge_request_feedback": null,
+ "description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.",
+ "links": [
+ {
+ "url": "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279"
+ },
+ {
+ "url": "https://www.kb.cert.org/vuls/id/475445"
+ },
+ {
+ "url": "https://github.com/Clever/saml2/issues/127"
+ }
+ ],
+ "location": {
+ "file": "yarn.lock",
+ "dependency": {
+ "package": {
+ "name": "saml2-js"
+ },
+ "version": "1.5.0"
+ }
+ },
+ "solution": "Upgrade to fixed version.\r\n",
+ "blob_path": "/tests/yarn-remediation-test/blob/cc6c4a0778460455ae5d16ca7025ca9ca1ca75ac/yarn.lock"
+ }
+]
+```
diff --git a/doc/api/vulnerabilities_stub.md b/doc/api/vulnerabilities_stub.md
new file mode 100644
index 00000000000000..bda463e62003e1
--- /dev/null
+++ b/doc/api/vulnerabilities_stub.md
@@ -0,0 +1,111 @@
+# Vulnerabilities API **(ULTIMATE)**
+
+Every API call to vulnerabilities must be authenticated.
+
+Vulnerabilities are project-bound entities. If a user is not
+a member of a project to which vulnerability belongs
+and the project is private, a request on that project
+will result in a `404` status code.
+
+CAUTION: **Caution:**
+This API is in an alpha stage and considered unstable.
+The response payload may be subject to change or breakage
+across GitLab releases.
+
+## Resolve vulnerability
+
+Resolves a given vulnerability. Returns status code `304` if the vulnerability is already resolved.
+
+If an authenticated user does not have permission to
+[resolve vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+this request will result in a `403` status code.
+
+```
+POST /vulnerabilities/:id/resolve
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id` | integer/string | yes | The ID of a Vulnerability to resolve |
+
+```bash
+curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve"
+```
+
+Example response:
+
+```json
+{
+ "id": 2,
+ "title": "Predictable pseudorandom number generator",
+ "description": null,
+ "state": "closed",
+ "severity": "medium",
+ "confidence": "medium",
+ "project": {
+ "id": 32,
+ "name": "security-reports",
+ "full_path": "/gitlab-examples/security/security-reports",
+ "full_name": "gitlab-examples / security / security-reports"
+ },
+ "author_id": 1,
+ "updated_by_id": null,
+ "last_edited_by_id": null,
+ "closed_by_id": null,
+ "start_date": null,
+ "due_date": null,
+ "created_at": "2019-10-13T15:08:40.219Z",
+ "updated_at": "2019-10-13T15:09:40.382Z",
+ "last_edited_at": null,
+ "closed_at": null
+}
+```
+
+## Dismiss vulnerability
+
+Dismisses a given vulnerability. Returns status code `304` if the vulnerability is already dismissed.
+
+If an authenticated user does not have a permission to
+[dismiss vulnerability](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+this request will result in a `403` status code.
+
+```
+POST /vulnerabilities/:id/dismiss
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id` | integer/string | yes | The ID of a Vulnerability to dismiss |
+
+```bash
+curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss"
+```
+
+Example response:
+
+```json
+{
+ "id": 2,
+ "title": "Predictable pseudorandom number generator",
+ "description": null,
+ "state": "closed",
+ "severity": "medium",
+ "confidence": "medium",
+ "project": {
+ "id": 32,
+ "name": "security-reports",
+ "full_path": "/gitlab-examples/security/security-reports",
+ "full_name": "gitlab-examples / security / security-reports"
+ },
+ "author_id": 1,
+ "updated_by_id": null,
+ "last_edited_by_id": null,
+ "closed_by_id": null,
+ "start_date": null,
+ "due_date": null,
+ "created_at": "2019-10-13T15:08:40.219Z",
+ "updated_at": "2019-10-13T15:09:40.382Z",
+ "last_edited_at": null,
+ "closed_at": null
+}
+```
diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md
new file mode 100644
index 00000000000000..10055b8561654b
--- /dev/null
+++ b/doc/user/permissions_stub_first_class_vulnerabilities.md
@@ -0,0 +1,430 @@
+---
+description: 'Understand and explore the user permission levels in GitLab, and what features each of them grants you access to.'
+---
+
+# Permissions
+
+Users have different abilities depending on the access level they have in a
+particular group or project. If a user is both in a group's project and the
+project itself, the highest permission level is used.
+
+On public and internal projects the Guest role is not enforced. All users will
+be able to create issues, leave comments, and clone or download the project code.
+
+When a member leaves a team's project, all the assigned [Issues](project/issues/index.md) and [Merge Requests](project/merge_requests/index.md)
+will be unassigned automatically.
+
+GitLab [administrators](../administration/index.md) receive all permissions.
+
+To add or import a user, you can follow the
+[project members documentation](project/members/index.md).
+
+For information on eligible approvers for Merge Requests, see
+[Eligible approvers](project/merge_requests/merge_request_approvals.md#eligible-approvers).
+
+## Principles behind permissions
+
+See our [product handbook on permissions](https://about.gitlab.com/handbook/product/#permissions-in-gitlab)
+
+## Instance-wide user permissions
+
+By default, users can create top-level groups and change their
+usernames. A GitLab administrator can configure the GitLab instance to
+[modify this behavior](../administration/user_settings.md).
+
+## Project members permissions
+
+NOTE: **Note:**
+In GitLab 11.0, the Master role was renamed to Maintainer.
+
+While Maintainer is the highest project-level role, some actions can only be performed by a personal namespace or group owner.
+
+The following table depicts the various user permission levels in a project.
+
+| Action | Guest | Reporter | Developer |Maintainer| Owner |
+|---------------------------------------------------|---------|------------|-------------|----------|--------|
+| Download project | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| Leave comments | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| View Insights charts **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ |
+| View approved/blacklisted licenses **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ |
+| View License Compliance reports **(ULTIMATE)** | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| View Security reports **(ULTIMATE)** | ✓ (*3*) | ✓ | ✓ | ✓ | ✓ |
+| View Dependency list **(ULTIMATE)** | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| View licenses in Dependency list **(ULTIMATE)** | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| View [Design Management](project/issues/design_management.md) pages **(PREMIUM)** | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| View project code | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| Pull project code | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| View GitLab Pages protected by [access control](project/pages/introduction.md#gitlab-pages-access-control-core) | ✓ | ✓ | ✓ | ✓ | ✓ |
+| View wiki pages | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| See a list of jobs | ✓ (*3*) | ✓ | ✓ | ✓ | ✓ |
+| See a job log | ✓ (*3*) | ✓ | ✓ | ✓ | ✓ |
+| Download and browse job artifacts | ✓ (*3*) | ✓ | ✓ | ✓ | ✓ |
+| Create new issue | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| See related issues | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Create confidential issue | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ |
+| View confidential issues | (*2*) | ✓ | ✓ | ✓ | ✓ |
+| Assign issues | | ✓ | ✓ | ✓ | ✓ |
+| Label issues | | ✓ | ✓ | ✓ | ✓ |
+| Lock issue threads | | ✓ | ✓ | ✓ | ✓ |
+| Manage issue tracker | | ✓ | ✓ | ✓ | ✓ |
+| Manage related issues **(STARTER)** | | ✓ | ✓ | ✓ | ✓ |
+| Manage labels | | ✓ | ✓ | ✓ | ✓ |
+| Create code snippets | | ✓ | ✓ | ✓ | ✓ |
+| See a commit status | | ✓ | ✓ | ✓ | ✓ |
+| See a container registry | | ✓ | ✓ | ✓ | ✓ |
+| See environments | | ✓ | ✓ | ✓ | ✓ |
+| See a list of merge requests | | ✓ | ✓ | ✓ | ✓ |
+| View project statistics | | ✓ | ✓ | ✓ | ✓ |
+| View Error Tracking list | | ✓ | ✓ | ✓ | ✓ |
+| Pull from [Conan repository](packages/conan_repository/index.md), [Maven repository](packages/maven_repository/index.md), or [NPM registry](packages/npm_registry/index.md) **(PREMIUM)** | | ✓ | ✓ | ✓ | ✓ |
+| Publish to [Conan repository](packages/conan_repository/index.md), [Maven repository](packages/maven_repository/index.md), or [NPM registry](packages/npm_registry/index.md) **(PREMIUM)** | | | ✓ | ✓ | ✓ |
+| Upload [Design Management](project/issues/design_management.md) files **(PREMIUM)** | | | ✓ | ✓ | ✓ |
+| Create new branches | | | ✓ | ✓ | ✓ |
+| Push to non-protected branches | | | ✓ | ✓ | ✓ |
+| Force push to non-protected branches | | | ✓ | ✓ | ✓ |
+| Remove non-protected branches | | | ✓ | ✓ | ✓ |
+| Create new merge request | | | ✓ | ✓ | ✓ |
+| Assign merge requests | | | ✓ | ✓ | ✓ |
+| Label merge requests | | | ✓ | ✓ | ✓ |
+| Lock merge request threads | | | ✓ | ✓ | ✓ |
+| Manage/Accept merge requests | | | ✓ | ✓ | ✓ |
+| Create new environments | | | ✓ | ✓ | ✓ |
+| Stop environments | | | ✓ | ✓ | ✓ |
+| Add tags | | | ✓ | ✓ | ✓ |
+| Cancel and retry jobs | | | ✓ | ✓ | ✓ |
+| Create or update commit status | | | ✓ | ✓ | ✓ |
+| Update a container registry | | | ✓ | ✓ | ✓ |
+| Remove a container registry image | | | ✓ | ✓ | ✓ |
+| Create/edit/delete project milestones | | | ✓ | ✓ | ✓ |
+| Use security dashboard **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| View vulnerability findings in Dependency list **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Create issue from vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Dismiss vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Create vulnerability from vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Resolve vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Dismiss vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Apply code change suggestions | | | ✓ | ✓ | ✓ |
+| Create and edit wiki pages | | | ✓ | ✓ | ✓ |
+| Rewrite/remove Git tags | | | ✓ | ✓ | ✓ |
+| Use environment terminals | | | | ✓ | ✓ |
+| Run Web IDE's Interactive Web Terminals **(ULTIMATE ONLY)** | | | | ✓ | ✓ |
+| Add new team members | | | | ✓ | ✓ |
+| Enable/disable branch protection | | | | ✓ | ✓ |
+| Push to protected branches | | | | ✓ | ✓ |
+| Turn on/off protected branch push for devs | | | | ✓ | ✓ |
+| Enable/disable tag protections | | | | ✓ | ✓ |
+| Edit project | | | | ✓ | ✓ |
+| Add deploy keys to project | | | | ✓ | ✓ |
+| Configure project hooks | | | | ✓ | ✓ |
+| Manage Runners | | | | ✓ | ✓ |
+| Manage job triggers | | | | ✓ | ✓ |
+| Manage variables | | | | ✓ | ✓ |
+| Manage GitLab Pages | | | | ✓ | ✓ |
+| Manage GitLab Pages domains and certificates | | | | ✓ | ✓ |
+| Remove GitLab Pages | | | | ✓ | ✓ |
+| Manage clusters | | | | ✓ | ✓ |
+| Manage license policy **(ULTIMATE)** | | | | ✓ | ✓ |
+| Edit comments (posted by any user) | | | | ✓ | ✓ |
+| Manage Error Tracking | | | | ✓ | ✓ |
+| Delete wiki pages | | | | ✓ | ✓ |
+| View project Audit Events | | | | ✓ | ✓ |
+| Manage [push rules](../push_rules/push_rules.md) | | | | ✓ | ✓ |
+| Switch visibility level | | | | | ✓ |
+| Transfer project to another namespace | | | | | ✓ |
+| Remove project | | | | | ✓ |
+| Delete issues | | | | | ✓ |
+| Disable notification emails | | | | | ✓ |
+| Force push to protected branches (*4*) | | | | | |
+| Remove protected branches (*4*) | | | | | |
+
+- (*1*): Guest users are able to perform this action on public and internal projects, but not private projects.
+- (*2*): Guest users can only view the confidential issues they created themselves
+- (*3*): If **Public pipelines** is enabled in **Project Settings > CI/CD**
+- (*4*): Not allowed for Guest, Reporter, Developer, Maintainer, or Owner. See [Protected Branches](./project/protected_branches.md).
+
+## Project features permissions
+
+### Wiki and issues
+
+Project features like wiki and issues can be hidden from users depending on
+which visibility level you select on project settings.
+
+- Disabled: disabled for everyone
+- Only team members: only team members will see even if your project is public or internal
+- Everyone with access: everyone can see depending on your project visibility level
+- Everyone: enabled for everyone (only available for GitLab Pages)
+
+### Protected branches
+
+Additional restrictions can be applied on a per-branch basis with [protected branches](project/protected_branches.md).
+Additionally, you can customize permissions to allow or prevent project
+Maintainers and Developers from pushing to a protected branch. Read through the documentation on
+[Allowed to Merge and Allowed to Push settings](project/protected_branches.md#using-the-allowed-to-merge-and-allowed-to-push-settings)
+to learn more.
+
+### Cycle Analytics permissions
+
+Find the current permissions on the Cycle Analytics dashboard on
+the [documentation on Cycle Analytics permissions](analytics/cycle_analytics.md#permissions).
+
+### Issue Board permissions
+
+Developers and users with higher permission level can use all
+the functionality of the Issue Board, that is create/delete lists
+and drag issues around. Read though the
+[documentation on Issue Boards permissions](project/issue_board.md#permissions)
+to learn more.
+
+### File Locking permissions **(PREMIUM)**
+
+The user that locks a file or directory is the only one that can edit and push their changes back to the repository where the locked objects are located.
+
+Read through the documentation on [permissions for File Locking](project/file_lock.md#permissions-on-file-locking) to learn more.
+
+### Confidential Issues permissions
+
+Confidential issues can be accessed by reporters and higher permission levels,
+as well as by guest users that create a confidential issue. To learn more,
+read through the documentation on [permissions and access to confidential issues](project/issues/confidential_issues.md#permissions-and-access-to-confidential-issues).
+
+### Releases permissions
+
+[Project Releases](project/releases/index.md) can be read by project
+members with Reporter, Developer, Maintainer, and Owner permissions.
+Guest users can access Release pages for downloading assets but
+are not allowed to download the source code nor see repository
+information such as tags and commits.
+
+Releases can be created, updated, or deleted via [Releases APIs](../api/releases/index.md)
+by project Developers, Maintainers, and Owners.
+
+## Group members permissions
+
+NOTE: **Note:**
+In GitLab 11.0, the Master role was renamed to Maintainer.
+
+Any user can remove themselves from a group, unless they are the last Owner of
+the group. The following table depicts the various user permission levels in a
+group.
+
+| Action | Guest | Reporter | Developer | Maintainer | Owner |
+|--------------------------------------------------------|-------|----------|-----------|------------|-------|
+| Browse group | ✓ | ✓ | ✓ | ✓ | ✓ |
+| View Insights charts **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ |
+| View group epic **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Create/edit group epic **(ULTIMATE)** | | ✓ | ✓ | ✓ | ✓ |
+| Manage group labels | | ✓ | ✓ | ✓ | ✓ |
+| Create project in group | | | ✓ (3) | ✓ (3) | ✓ (3) |
+| Create/edit/delete group milestones | | | ✓ | ✓ | ✓ |
+| Enable/disable a dependency proxy **(PREMIUM)** | | | ✓ | ✓ | ✓ |
+| Use security dashboard **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Create subgroup | | | | ✓ (1) | ✓ |
+| Edit group | | | | | ✓ |
+| Manage group members | | | | | ✓ |
+| Remove group | | | | | ✓ |
+| Delete group epic **(ULTIMATE)** | | | | | ✓ |
+| Edit epic comments (posted by any user) **(ULTIMATE)** | | | | ✓ (2) | ✓ (2) |
+| View group Audit Events | | | | | ✓ |
+| Disable notification emails | | | | | ✓ |
+| View/manage group-level Kubernetes cluster | | | | ✓ | ✓ |
+
+- (1): Groups can be set to [allow either Owners or Owners and
+ Maintainers to create subgroups](group/subgroups/index.md#creating-a-subgroup)
+- (2): Introduced in GitLab 12.2.
+- (3): Default project creation role can be changed at:
+ - The [instance level](admin_area/settings/visibility_and_access_controls.md#default-project-creation-protection).
+ - The [group level](group/index.html#default-project-creation-level).
+
+### Subgroup permissions
+
+When you add a member to a subgroup, they inherit the membership and
+permission level from the parent group. This model allows access to
+nested groups if you have membership in one of its parents.
+
+To learn more, read through the documentation on
+[subgroups memberships](group/subgroups/index.md#membership).
+
+## External users **(CORE ONLY)**
+
+In cases where it is desired that a user has access only to some internal or
+private projects, there is the option of creating **External Users**. This
+feature may be useful when for example a contractor is working on a given
+project and should only have access to that project.
+
+External users:
+
+- Cannot create groups or projects.
+- Can only access projects to which they are explicitly granted access,
+ thus hiding all other internal or private ones from them (like being
+ logged out).
+
+Access can be granted by adding the user as member to the project or group.
+They will, like usual users, receive a role in the project or group with all
+the abilities that are mentioned in the [permissions table above](#project-members-permissions).
+For example, if an external user is added as Guest, and your project is
+private, they will not have access to the code; you would need to grant the external
+user access at the Reporter level or above if you want them to have access to the code. You should
+always take into account the
+[project's visibility and permissions settings](project/settings/index.md#sharing-and-permissions)
+as well as the permission level of the user.
+
+NOTE: **Note:**
+External users still count towards a license seat.
+
+An administrator can flag a user as external by either of the following methods:
+
+- Either [through the API](../api/users.md#user-modification).
+- Or by navigating to the **Admin area > Overview > Users** to create a new user
+ or edit an existing one. There, you will find the option to flag the user as
+ external.
+
+### Setting new users to external
+
+By default, new users are not set as external users. This behavior can be changed
+by an administrator under the **Admin Area > Settings > General > Account and limit** page.
+
+If you change the default behavior of creating new users as external, you will
+have the option to narrow it down by defining a set of internal users.
+The **Internal users** field allows specifying an email address regex pattern to
+identify default internal users. New users whose email address matches the regex
+pattern will be set to internal by default rather than an external collaborator.
+
+The regex pattern format is Ruby, but it needs to be convertible to JavaScript,
+and the ignore case flag will be set (`/regex pattern/i`). Here are some examples:
+
+- Use `\.internal@domain\.com$` to mark email addresses ending with
+ `.internal@domain.com` as internal.
+- Use `^(?:(?!\.ext@domain\.com).)*$\r?` to mark users with email addresses
+ NOT including `.ext@domain.com` as internal.
+
+CAUTION: **Warning:**
+Be aware that this regex could lead to a
+[regular expression denial of service (ReDoS) attack](https://en.wikipedia.org/wiki/ReDoS).
+
+## Free Guest users **(ULTIMATE)**
+
+When a user is given Guest permissions on a project, group, or both, and holds no
+higher permission level on any other project or group on the GitLab instance,
+the user is considered a guest user by GitLab and will not consume a license seat.
+There is no other specific "guest" designation for newly created users.
+
+If the user is assigned a higher role on any projects or groups, the user will
+take a license seat. If a user creates a project, the user becomes a Maintainer
+on the project, resulting in the use of a license seat. Also, note that if your
+project is internal or private, Guest users will have all the abilities that are
+mentioned in the [permissions table above](#project-members-permissions) (they
+will not be able to browse the project's repository for example).
+
+TIP: **Tip:**
+To prevent a guest user from creating projects, as an admin, you can edit the
+user's profile to mark the user as [external](#external-users-core-only).
+Beware though that even if a user is external, if they already have Reporter or
+higher permissions in any project or group, they will **not** be counted as a
+free guest user.
+
+## Auditor users **(PREMIUM ONLY)**
+
+>[Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/998) in [GitLab Premium](https://about.gitlab.com/pricing/) 8.17.
+
+Auditor users are given read-only access to all projects, groups, and other
+resources on the GitLab instance.
+
+An Auditor user should be able to access all projects and groups of a GitLab instance
+with the permissions described on the documentation on [auditor users permissions](../administration/auditor_users.md#permissions-and-restrictions-of-an-auditor-user).
+
+[Read more about Auditor users.](../administration/auditor_users.md)
+
+## Project features
+
+Project features like wiki and issues can be hidden from users depending on
+which visibility level you select on project settings.
+
+- Disabled: disabled for everyone
+- Only team members: only team members will see even if your project is public or internal
+- Everyone with access: everyone can see depending on your project visibility level
+- Everyone: enabled for everyone (only available for GitLab Pages)
+
+## GitLab CI/CD permissions
+
+NOTE: **Note:**
+In GitLab 11.0, the Master role was renamed to Maintainer.
+
+GitLab CI/CD permissions rely on the role the user has in GitLab. There are four
+permission levels in total:
+
+- admin
+- maintainer
+- developer
+- guest/reporter
+
+The admin user can perform any action on GitLab CI/CD in scope of the GitLab
+instance and project. In addition, all admins can use the admin interface under
+`/admin/runners`.
+
+| Action | Guest, Reporter | Developer |Maintainer| Admin |
+|---------------------------------------|-----------------|-------------|----------|--------|
+| See commits and jobs | ✓ | ✓ | ✓ | ✓ |
+| Retry or cancel job | | ✓ | ✓ | ✓ |
+| Erase job artifacts and trace | | ✓ (*1*) | ✓ | ✓ |
+| Remove project | | | ✓ | ✓ |
+| Create project | | | ✓ | ✓ |
+| Change project configuration | | | ✓ | ✓ |
+| Add specific runners | | | ✓ | ✓ |
+| Add shared runners | | | | ✓ |
+| See events in the system | | | | ✓ |
+| Admin interface | | | | ✓ |
+
+- *1*: Only if the job was triggered by the user
+
+### Job permissions
+
+NOTE: **Note:**
+In GitLab 11.0, the Master role was renamed to Maintainer.
+
+>**Note:**
+GitLab 8.12 has a completely redesigned job permissions system.
+Read all about the [new model and its implications](project/new_ci_build_permissions_model.md).
+
+This table shows granted privileges for jobs triggered by specific types of
+users:
+
+| Action | Guest, Reporter | Developer |Maintainer| Admin |
+|---------------------------------------------|-----------------|-------------|----------|---------|
+| Run CI job | | ✓ | ✓ | ✓ |
+| Clone source and LFS from current project | | ✓ | ✓ | ✓ |
+| Clone source and LFS from public projects | | ✓ | ✓ | ✓ |
+| Clone source and LFS from internal projects | | ✓ (*1*) | ✓ (*1*) | ✓ |
+| Clone source and LFS from private projects | | ✓ (*2*) | ✓ (*2*) | ✓ (*2*) |
+| Pull container images from current project | | ✓ | ✓ | ✓ |
+| Pull container images from public projects | | ✓ | ✓ | ✓ |
+| Pull container images from internal projects| | ✓ (*1*) | ✓ (*1*) | ✓ |
+| Pull container images from private projects | | ✓ (*2*) | ✓ (*2*) | ✓ (*2*) |
+| Push container images to current project | | ✓ | ✓ | ✓ |
+| Push container images to other projects | | | | |
+| Push source and LFS | | | | |
+
+- *1*: Only if the user is not an external one
+- *2*: Only if the user is a member of the project
+
+### New CI job permissions model
+
+GitLab 8.12 has a completely redesigned job permissions system. To learn more,
+read through the documentation on the [new CI/CD permissions model](project/new_ci_build_permissions_model.md#new-ci-job-permissions-model).
+
+## Running pipelines on protected branches
+
+The permission to merge or push to protected branches is used to define if a user can
+run CI/CD pipelines and execute actions on jobs that are related to those branches.
+
+See [Security on protected branches](../ci/pipelines.md#security-on-protected-branches)
+for details about the pipelines security model.
+
+## LDAP users permissions
+
+Since GitLab 8.15, LDAP user permissions can now be manually overridden by an admin user.
+Read through the documentation on [LDAP users permissions](../administration/auth/how_to_configure_ldap_gitlab_ee/index.html) to learn more.
+
+## Project aliases
+
+Project aliases can only be read, created and deleted by a GitLab administrator.
+Read through the documentation on [Project aliases](../user/project/index.md#project-aliases-premium-only) to learn more.
-- GitLab
From 5fea69bdb28d112575d915538bb56e19b10cd4b8 Mon Sep 17 00:00:00 2001
From: Victor Zagorodny
Date: Thu, 24 Oct 2019 15:37:48 +0300
Subject: [PATCH 02/62] Add docs on Get single Vulnerability API call
---
 doc/api/vulnerabilities_stub.md | 45 +++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/doc/api/vulnerabilities_stub.md b/doc/api/vulnerabilities_stub.md
index bda463e62003e1..3f12668216baa9 100644
--- a/doc/api/vulnerabilities_stub.md
+++ b/doc/api/vulnerabilities_stub.md
@@ -12,6 +12,51 @@ This API is in an alpha stage and considered unstable. The response payload may be subject to change or breakage across GitLab releases. +## Single vulnerability + +Gets a single vulnerability + +``` +GET /vulnerabilities/:id +``` + +| Attribute | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `id` | integer/string | yes | The ID of a Vulnerability to get | + +```bash +curl --header "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/vulnerabilities/1 +``` + +Example response: + +```json +{ + "id": 1, + "title": "Predictable pseudorandom number generator", + "description": null, + "state": "opened", + "severity": "medium", + "confidence": "medium", + "project": { + "id": 32, + "name": "security-reports", + "full_path": "/gitlab-examples/security/security-reports", + "full_name": "gitlab-examples / security / security-reports" + }, + "author_id": 1, + "updated_by_id": null, + "last_edited_by_id": null, + "closed_by_id": null, + "start_date": null, + "due_date": null, + "created_at": "2019-10-13T15:08:40.219Z", + "updated_at": "2019-10-13T15:09:40.382Z", + "last_edited_at": null, + "closed_at": null +} +``` + ## Resolve vulnerability Resolves a given vulnerability. Returns status code `304` if the vulnerability is already resolved. -- GitLab From acb1c7d3a1ba2094cade490ad4cebaf7e21ee4f0 Mon Sep 17 00:00:00 2001 From: Victor Zagorodny Date: Thu, 24 Oct 2019 15:51:31 +0300 Subject: [PATCH 03/62] Address code review comments --- doc/api/project_vulnerabilities_stub.md | 39 ++++--------------- .../project_vulnerability_findings_stub.md | 14 +++---- doc/api/vulnerabilities_stub.md | 8 ++-- 3 files changed, 18 insertions(+), 43 deletions(-) diff --git a/doc/api/project_vulnerabilities_stub.md b/doc/api/project_vulnerabilities_stub.md index 6e0300b740aea1..0da344520537e8 100644 --- a/doc/api/project_vulnerabilities_stub.md +++ b/doc/api/project_vulnerabilities_stub.md 
@@ -1,6 +1,6 @@ # Vulnerabilities API **(ULTIMATE)** -Every API call to vulnerabilities must be authenticated. +Every API call to vulnerabilities must be [authenticated](README.md#authentication). Vulnerabilities are project-bound entities. If a user is not a member of a project to which the vulnerability belongs @@ -157,45 +157,20 @@ Example response: Errors: -_A Vulnerability Finding is already attached to a different Vulnerability_ +_A Vulnerability Finding is not found or already attached to a different Vulnerability_ -Occurs when a Finding chosen to create a Vulnerability from is already associated with a different Vulnerability. +Occurs when a Finding chosen to create a Vulnerability from is not found or +is already associated with a different Vulnerability. -Example response: - -```json -{ - "message": { - "base": [ - "already exists for specified finding(s)" - ] - } -} -``` - -_Vulnerability Finding not found_ - -Occurs when the specified `finding_id` is unknown. +Status code: `400` -```json -{ - "message": { - "base": [ - "finding to promote from is not found" - ] - } -} -``` - -_Conflict: a Finding is being promoted by another user_ - -Occurs when specified `finding_id` was locked by another user while promoting to a Vulnerability. +Example response: ```json { "message": { "base": [ - "finding is being promoted to vulnerability by another user" + "finding is not found or is already attached to a vulnerability" ] } } diff --git a/doc/api/project_vulnerability_findings_stub.md b/doc/api/project_vulnerability_findings_stub.md index 85e9edeb8fd3ff..814040da9dbae8 100644 --- a/doc/api/project_vulnerability_findings_stub.md +++ b/doc/api/project_vulnerability_findings_stub.md 
@@ -1,6 +1,6 @@ # Vulnerability Findings API **(ULTIMATE)** -Every API call to vulnerability findings must be authenticated. +Every API call to vulnerability findings must be [authenticated](README.md#authentication). Vulnerability findings are project-bound entities. If a user is not a member of a project and the project is private, a request on 
@@ -38,14 +38,14 @@ GET /projects/:id/vulnerability_findings?confidence=unknown,experimental GET /projects/:id/vulnerability_findings?pipeline_id=42 ``` -| Attribute | Type | Required | Description | -| ------------- | -------------- | -------- | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) which the authenticated user is a member of. | -| `report_type` | string array | no | Returns vulnerability findings belonging to specified report type. Valid values: `sast`, `dast`, `dependency_scanning`, or `container_scanning`. | +| Attribute | Type | Required | Description | +| ------------- | -------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) which the authenticated user is a member of. | +| `report_type` | string array | no | Returns vulnerability findings belonging to specified report type. Valid values: `sast`, `dast`, `dependency_scanning`, or `container_scanning`. Defaults to all. | | `scope` | string | no | Returns vulnerability findings for the given scope: `all` or `dismissed`. Defaults to `dismissed`. | -| `severity` | string array | no | Returns vulnerability findings belonging to specified severity level: `undefined`, `info`, `unknown`, `low`, `medium`, `high`, or `critical`. Defaults to all. | +| `severity` | string array | no | Returns vulnerability findings belonging to specified severity level: `undefined`, `info`, `unknown`, `low`, `medium`, `high`, or `critical`. Defaults to all. 
| | `confidence` | string array | no | Returns vulnerability findings belonging to specified confidence level: `undefined`, `ignore`, `unknown`, `experimental`, `low`, `medium`, `high`, or `confirmed`. Defaults to all. | -| `pipeline_id` | integer/string | no | Returns vulnerability findings belonging to specified pipeline. | +| `pipeline_id` | integer/string | no | Returns vulnerability findings belonging to specified pipeline. | ```bash curl --header "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/projects/4/vulnerability_findings diff --git a/doc/api/vulnerabilities_stub.md b/doc/api/vulnerabilities_stub.md index 3f12668216baa9..43eec1dfafc768 100644 --- a/doc/api/vulnerabilities_stub.md +++ b/doc/api/vulnerabilities_stub.md @@ -1,6 +1,6 @@ # Vulnerabilities API **(ULTIMATE)** -Every API call to vulnerabilities must be authenticated. +Every API call to vulnerabilities must be [authenticated](README.md#authentication). Vulnerabilities are project-bound entities. If a user is not a member of a project to which vulnerability belongs @@ -110,8 +110,8 @@ Example response: Dismisses a given vulnerability. Returns status code `304` if the vulnerability is already dismissed. -If an authenticated user does not have a permission to -[dismiss vulnerability](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions), +If an authenticated user does not have permission to +[dismiss vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions), this request will result in a `403` status code. ``` @@ -120,7 +120,7 @@ POST /vulnerabilities/:id/dismiss | Attribute | Type | Required | Description | | --------- | ---- | -------- | ----------- | -| `id` | integer/string | yes | The ID of a Vulnerability to dismiss | +| `id` | integer/string | yes | The ID of a vulnerability to dismiss | ```bash curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss" -- GitLab 
From 0ed6fb45d1b5788221ced48b747d297947533332 Mon Sep 17 00:00:00 2001 From: Victor Zagorodny Date: Wed, 30 Oct 2019 11:33:35 +0200 Subject: [PATCH 04/62] Add state attribute to the example JSON response --- doc/api/project_vulnerability_findings_stub.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/api/project_vulnerability_findings_stub.md b/doc/api/project_vulnerability_findings_stub.md index 814040da9dbae8..cb14ea54cac9b0 100644 --- a/doc/api/project_vulnerability_findings_stub.md +++ b/doc/api/project_vulnerability_findings_stub.md @@ -114,6 +114,7 @@ Example response: } }, "solution": "Upgrade to fixed version.\r\n", + "state": "unresolved", "blob_path": "/tests/yarn-remediation-test/blob/cc6c4a0778460455ae5d16ca7025ca9ca1ca75ac/yarn.lock" } ] -- GitLab From ff8176a34964d82c43aad6aef0fd89894e8cf605 Mon Sep 17 00:00:00 2001 From: Victor Zagorodny Date: Sat, 2 Nov 2019 13:46:20 +0200 Subject: [PATCH 05/62] Remove mistakenly added link to Vulnerabilities --- doc/api/api_resources.md | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/api/api_resources.md b/doc/api/api_resources.md index c2713f54c47a12..5ef681130dbbbf 100644 --- a/doc/api/api_resources.md +++ b/doc/api/api_resources.md @@ -68,7 +68,6 @@ The following API resources are available in the project context: | [Services](services.md) | `/projects/:id/services` | | [Tags](tags.md) | `/projects/:id/repository/tags` | | [Visual Review discussions](visual_review_discussions.md) **(STARTER**) | `/projects/:id/merge_requests/:merge_request_id/visual_review_discussions` | -| [Vulnerabilities](vulnerabilities.md) **(ULTIMATE)** | `/projects/:id/vulnerabilities` | | [Vulnerability Findings](vulnerability_findings.md) **(ULTIMATE)** | `/projects/:id/vulnerability_findings` | | [Wikis](wikis.md) | `/projects/:id/wikis` | -- GitLab From d197d5d3d943e04fc668dffb41d2a51a769b678c Mon Sep 17 00:00:00 2001 
From: Victor Zagorodny Date: Sat, 2 Nov 2019 13:47:43 +0200 Subject: [PATCH 06/62] Remove Project Vulns stub became unnecessary --- ...ources_stub_first_class_vulnerabilities.md | 2 +- .../project_vulnerability_findings_stub.md | 121 ------------------ 2 files changed, 1 insertion(+), 122 deletions(-) delete mode 100644 doc/api/project_vulnerability_findings_stub.md diff --git a/doc/api/api_resources_stub_first_class_vulnerabilities.md b/doc/api/api_resources_stub_first_class_vulnerabilities.md index 0882986b852f99..d6acb869f4aa5a 100644 --- a/doc/api/api_resources_stub_first_class_vulnerabilities.md +++ b/doc/api/api_resources_stub_first_class_vulnerabilities.md @@ -67,7 +67,7 @@ The following API resources are available in the project context: | [Search](search.md) | `/projects/:id/search` (also available for groups and standalone) | | [Services](services.md) | `/projects/:id/services` | | [Tags](tags.md) | `/projects/:id/repository/tags` | -| [Vulnerability Findings](project_vulnerability_findings_stub.md) **(ULTIMATE)** | `/projects/:id/vulnerability_findings` | +| [Vulnerability Findings](vulnerability_findings.md) **(ULTIMATE)** | `/projects/:id/vulnerability_findings` | | [Vulnerabilities](project_vulnerabilities_stub.md) **(ULTIMATE)** | `/projects/:id/vulnerabilities` | | [Wikis](wikis.md) | `/projects/:id/wikis` | diff --git a/doc/api/project_vulnerability_findings_stub.md b/doc/api/project_vulnerability_findings_stub.md deleted file mode 100644 index cb14ea54cac9b0..00000000000000 --- a/doc/api/project_vulnerability_findings_stub.md +++ /dev/null 
@@ -1,121 +0,0 @@
-# Vulnerability Findings API **(ULTIMATE)**
-
-Every API call to vulnerability findings must be [authenticated](README.md#authentication).
-
-Vulnerability findings are project-bound entities. If a user is not
-a member of a project and the project is private, a request on
-that project will result in a `404` status code.
-
-If a user is able to access the project but does not have permission to
-[use the Project Security Dashboard](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
-any request for vulnerability findings of this project will result in a `403` status code.
-
-CAUTION: **Caution:**
-This API is in an alpha stage and considered unstable.
-The response payload may be subject to change or breakage
-across GitLab releases.
-
-## Vulnerability findings pagination
-
-By default, `GET` requests return 20 results at a time because the API results
-are paginated.
-
-Read more on [pagination](README.md#pagination).
-
-## List project vulnerability findings
-
-List all of a project's vulnerability findings.
-
-```
-GET /projects/:id/vulnerability_findings
-GET /projects/:id/vulnerability_findings?report_type=sast
-GET /projects/:id/vulnerability_findings?report_type=container_scanning
-GET /projects/:id/vulnerability_findings?report_type=sast,dast
-GET /projects/:id/vulnerability_findings?scope=all
-GET /projects/:id/vulnerability_findings?scope=dismissed
-GET /projects/:id/vulnerability_findings?severity=high
-GET /projects/:id/vulnerability_findings?confidence=unknown,experimental
-GET /projects/:id/vulnerability_findings?pipeline_id=42
-```
-
-| Attribute | Type | Required | Description |
-| ------------- | -------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) which the authenticated user is a member of. |
-| `report_type` | string array | no | Returns vulnerability findings belonging to specified report type. Valid values: `sast`, `dast`, `dependency_scanning`, or `container_scanning`. Defaults to all. |
-| `scope` | string | no | Returns vulnerability findings for the given scope: `all` or `dismissed`. Defaults to `dismissed`. |
-| `severity` | string array | no | Returns vulnerability findings belonging to specified severity level: `undefined`, `info`, `unknown`, `low`, `medium`, `high`, or `critical`. Defaults to all. |
-| `confidence` | string array | no | Returns vulnerability findings belonging to specified confidence level: `undefined`, `ignore`, `unknown`, `experimental`, `low`, `medium`, `high`, or `confirmed`. Defaults to all. |
-| `pipeline_id` | integer/string | no | Returns vulnerability findings belonging to specified pipeline. 
|
-
-```bash
-curl --header "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/projects/4/vulnerability_findings
-```
-
-Example response:
-
-```json
-[
- {
- "id": null,
- "report_type": "dependency_scanning",
- "name": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js",
- "severity": "unknown",
- "confidence": "undefined",
- "scanner": {
- "external_id": "gemnasium",
- "name": "Gemnasium"
- },
- "identifiers": [
- {
- "external_type": "gemnasium",
- "external_id": "9952e574-7b5b-46fa-a270-aeb694198a98",
- "name": "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98",
- "url": "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.5.0/advisories"
- },
- {
- "external_type": "cve",
- "external_id": "CVE-2017-11429",
- "name": "CVE-2017-11429",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429"
- }
- ],
- "project_fingerprint": "fa6f5b6c5d240b834ac5e901dc69f9484cef89ec",
- "create_vulnerability_feedback_issue_path": "/tests/yarn-remediation-test/vulnerability_feedback",
- "create_vulnerability_feedback_merge_request_path": "/tests/yarn-remediation-test/vulnerability_feedback",
- "create_vulnerability_feedback_dismissal_path": "/tests/yarn-remediation-test/vulnerability_feedback",
- "project": {
- "id": 31,
- "name": "yarn-remediation-test",
- "full_path": "/tests/yarn-remediation-test",
- "full_name": "tests / yarn-remediation-test"
- },
- "dismissal_feedback": null,
- "issue_feedback": null,
- "merge_request_feedback": null,
- "description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. 
Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.",
- "links": [
- {
- "url": "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279"
- },
- {
- "url": "https://www.kb.cert.org/vuls/id/475445"
- },
- {
- "url": "https://github.com/Clever/saml2/issues/127"
- }
- ],
- "location": {
- "file": "yarn.lock",
- "dependency": {
- "package": {
- "name": "saml2-js"
- },
- "version": "1.5.0"
- }
- },
- "solution": "Upgrade to fixed version.\r\n",
- "state": "unresolved",
- "blob_path": "/tests/yarn-remediation-test/blob/cc6c4a0778460455ae5d16ca7025ca9ca1ca75ac/yarn.lock"
- }
-]
-```
--
GitLab
From f284fe153e32a47e7a28cdf93e191273c05f1a91 Mon Sep 17 00:00:00 2001
From: Victor Zagorodny
Date: Sat, 2 Nov 2019 13:49:21 +0200
Subject: [PATCH 07/62] Add report_type attributes to example responses

---
 doc/api/project_vulnerabilities_stub.md | 3 +++
 doc/api/vulnerabilities_stub.md | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/doc/api/project_vulnerabilities_stub.md b/doc/api/project_vulnerabilities_stub.md
index 0da344520537e8..c88b9d80188a31 100644
--- a/doc/api/project_vulnerabilities_stub.md
+++ b/doc/api/project_vulnerabilities_stub.md
@@ -50,6 +50,7 @@ Example response:
 "state": "closed",
 "severity": "medium",
 "confidence": "medium",
+ "report_type": "sast",
 "project": {
 "id": 32,
 "name": "security-reports",
@@ -74,6 +75,7 @@ Example response:
 "state": "opened",
 "severity": "medium",
 "confidence": "high",
+ "report_type": "sast",
 "project": {
 "id": 32,
 "name": "security-reports",
@@ -136,6 +138,7 @@ Example response:
 "state": "opened",
 "severity": "medium",
 "confidence": "medium",
+ "report_type": "sast",
 "project": {
 "id": 32,
 "name": "security-reports",
diff --git a/doc/api/vulnerabilities_stub.md b/doc/api/vulnerabilities_stub.md
index 43eec1dfafc768..3ec4dd80ea3bf7 100644
--- a/doc/api/vulnerabilities_stub.md
+++ b/doc/api/vulnerabilities_stub.md
@@ -38,6 +38,7 @@ Example response:
 "state": "opened",
 "severity": "medium",
 "confidence": "medium",
+ "report_type": "sast",
 "project": {
 "id": 32,
 "name": "security-reports",
@@ -87,6 +88,7 @@ Example response:
 "state": "closed",
 "severity": "medium",
 "confidence": "medium",
+ "report_type": "sast",
 "project": {
 "id": 32,
 "name": "security-reports",
@@ -136,6 +138,7 @@ Example response:
 "state": "closed",
 "severity": "medium",
 "confidence": "medium",
+ "report_type": "sast",
 "project": {
 "id": 32,
 "name": "security-reports",
--
GitLab
From d19a8967c97bb21e08712eb879c9400bd7d96697 Mon Sep 17 00:00:00 2001
From: Victor Zagorodny
Date: Sat, 2 Nov 2019 13:51:27 +0200
Subject: [PATCH 08/62] Add finding_id to POST request definition

---
 doc/api/project_vulnerabilities_stub.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/project_vulnerabilities_stub.md b/doc/api/project_vulnerabilities_stub.md
index c88b9d80188a31..3c1c17c29f0e58 100644
--- a/doc/api/project_vulnerabilities_stub.md
+++ b/doc/api/project_vulnerabilities_stub.md
@@ -105,7 +105,7 @@ If an authenticated user does not have a permission to
 this request will result in a `403` status code.
 
 ```
-POST /projects/:id/vulnerabilities
+POST /projects/:id/vulnerabilities?finding_id=
 ```
 
 | Attribute | Type | Required | Description |
--
GitLab
From 1837d0f3146980b57680644da2d3e21417ffdb40 Mon Sep 17 00:00:00 2001
From: Victor Zagorodny
Date: Sat, 2 Nov 2019 13:54:10 +0200
Subject: [PATCH 09/62] Set the response status "resolved" upon API call

---
 doc/api/vulnerabilities_stub.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/vulnerabilities_stub.md b/doc/api/vulnerabilities_stub.md
index 3ec4dd80ea3bf7..376117ab36d68f 100644
--- a/doc/api/vulnerabilities_stub.md
+++ b/doc/api/vulnerabilities_stub.md
@@ -85,7 +85,7 @@ Example response:
 "id": 2,
 "title": "Predictable pseudorandom number generator",
 "description": null,
- "state": "closed",
+ "state": "resolved",
 "severity": "medium",
 "confidence": "medium",
 "report_type": "sast",
--
GitLab
From 99d1890231840be90369385ea2c47f1fa37c304f Mon Sep 17 00:00:00 2001
From: Victor Zagorodny
Date: Sat, 2 Nov 2019 17:39:20 +0200
Subject: [PATCH 10/62] Add "view vulnerability" to permissions table

---
 doc/user/permissions_stub_first_class_vulnerabilities.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md
index 10055b8561654b..659a92f4512140 100644
--- a/doc/user/permissions_stub_first_class_vulnerabilities.md
+++ b/doc/user/permissions_stub_first_class_vulnerabilities.md
@@ -100,6 +100,7 @@ The following table depicts the various user permission levels in a project.
 | View vulnerability findings in Dependency list **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
 | Create issue from vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
 | Dismiss vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| View vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
 | Create vulnerability from vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
 | Resolve vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
 | Dismiss vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
--
GitLab
From d007ccc948ae178bd464d4f7c5f386d8fd9cd815 Mon Sep 17 00:00:00 2001
From: Victor Zagorodny
Date: Fri, 22 Nov 2019 16:42:30 +0200
Subject: [PATCH 11/62] Move stubs content to actual API doc files

Move Vulnerabilities API stubs content to actual API docs files and the list of API resources. Add and reorganize caution messages related to this API in alpha stage and is protected by a feature flag.
---
 doc/api/api_resources.md | 2 +
 ...ources_stub_first_class_vulnerabilities.md | 147 ---------------
 ...ies_stub.md => project_vulnerabilities.md} | 22 ++-
 doc/api/vulnerabilities.md | 174 +++++++++++++++++-
 doc/api/vulnerabilities_stub.md | 159 ----------------
 5 files changed, 191 insertions(+), 313 deletions(-)
 delete mode 100644 doc/api/api_resources_stub_first_class_vulnerabilities.md
 rename doc/api/{project_vulnerabilities_stub.md => project_vulnerabilities.md} (89%)
 delete mode 100644 doc/api/vulnerabilities_stub.md

diff --git a/doc/api/api_resources.md b/doc/api/api_resources.md
index 5ef681130dbbbf..6ce9950e3a5415 100644
--- a/doc/api/api_resources.md
+++ b/doc/api/api_resources.md
@@ -68,6 +68,7 @@ The following API resources are available in the project context:
 | [Services](services.md) | `/projects/:id/services` |
 | [Tags](tags.md) | `/projects/:id/repository/tags` |
 | [Visual Review discussions](visual_review_discussions.md) **(STARTER**) | `/projects/:id/merge_requests/:merge_request_id/visual_review_discussions` |
+| [Vulnerabilities](project_vulnerabilities.md) **(ULTIMATE)** | `/projects/:id/vulnerabilities` |
 | [Vulnerability Findings](vulnerability_findings.md) **(ULTIMATE)** | `/projects/:id/vulnerability_findings` |
 | [Wikis](wikis.md) | `/projects/:id/wikis` |
 
@@ -136,6 +137,7 @@ The following API resources are available outside of project and group contexts
 | [Users](users.md) | `/users` |
 | [Validate `.gitlab-ci.yml` file](lint.md) | `/lint` |
 | [Version](version.md) | `/version` |
+| [Vulnerabilities](vulnerabilities.md) **(ULTIMATE)** | `/vulnerabilities` (also available for projects) |
 
 ## Templates API resources
 
diff --git a/doc/api/api_resources_stub_first_class_vulnerabilities.md b/doc/api/api_resources_stub_first_class_vulnerabilities.md
deleted file mode 100644
index d6acb869f4aa5a..00000000000000
--- a/doc/api/api_resources_stub_first_class_vulnerabilities.md
+++ /dev/null
@@ -1,147 +0,0 @@
-# API resources
-
-Available resources for the [GitLab API](README.md) can be grouped in the following contexts:
-
-- [Projects](#project-resources).
-- [Groups](#group-resources).
-- [Standalone](#standalone-resources).
-
-See also:
-
-- [V3 to V4](v3_to_v4.md).
-- Adding [deploy keys for multiple projects](deploy_key_multiple_projects.md).
-- [API Resources for various templates](#templates-api-resources).
-
-## Project resources
-
-The following API resources are available in the project context:
-
-| Resource | Available endpoints |
-|:---------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [Access requests](access_requests.md) | `/projects/:id/access_requests` (also available for groups) |
-| [Award emoji](award_emoji.md) | `/projects/:id/issues/.../award_emoji`, `/projects/:id/merge_requests/.../award_emoji`, `/projects/:id/snippets/.../award_emoji` |
-| [Branches](branches.md) | `/projects/:id/repository/branches/`, `/projects/:id/repository/merged_branches` |
-| [Commits](commits.md) | `/projects/:id/repository/commits`, `/projects/:id/statuses` |
-| [Container Registry](container_registry.md) | `/projects/:id/registry/repositories` |
-| [Custom attributes](custom_attributes.md) | `/projects/:id/custom_attributes` (also available for groups and users) |
-| [Dependencies](dependencies.md) **(ULTIMATE)** | `/projects/:id/dependencies` |
-| [Deploy keys](deploy_keys.md) | `/projects/:id/deploy_keys` (also available standalone) |
-| [Deployments](deployments.md) | `/projects/:id/deployments` |
-| [Discussions](discussions.md) (threaded comments) | `/projects/:id/issues/.../discussions`, `/projects/:id/snippets/.../discussions`, `/projects/:id/merge_requests/.../discussions`, `/projects/:id/commits/.../discussions` 
(also available for groups) |
-| [Environments](environments.md) | `/projects/:id/environments` |
-| [Events](events.md) | `/projects/:id/events` (also available for users and standalone) |
-| [Issues](issues.md) | `/projects/:id/issues` (also available for groups and standalone) |
-| [Issues Statistics](issues_statistics.md) | `/projects/:id/issues_statistics` (also available for groups and standalone) |
-| [Issue boards](boards.md) | `/projects/:id/boards` |
-| [Issue links](issue_links.md) **(STARTER)** | `/projects/:id/issues/.../links` |
-| [Jobs](jobs.md) | `/projects/:id/jobs`, `/projects/:id/pipelines/.../jobs` |
-| [Labels](labels.md) | `/projects/:id/labels` |
-| [Managed licenses](managed_licenses.md) **(ULTIMATE)** | `/projects/:id/managed_licenses` |
-| [Members](members.md) | `/projects/:id/members` (also available for groups) |
-| [Merge request approvals](merge_request_approvals.md) **(STARTER)** | `/projects/:id/approvals`, `/projects/:id/merge_requests/.../approvals` |
-| [Merge requests](merge_requests.md) | `/projects/:id/merge_requests` (also available for groups and standalone) |
-| [Notes](notes.md) (comments) | `/projects/:id/issues/.../notes`, `/projects/:id/snippets/.../notes`, `/projects/:id/merge_requests/.../notes` (also available for groups) |
-| [Notification settings](notification_settings.md) | `/projects/:id/notification_settings` (also available for groups and standalone) |
-| [Packages](packages.md) **(PREMIUM)** | `/projects/:id/packages` |
-| [Pages domains](pages_domains.md) | `/projects/:id/pages` (also available standalone) |
-| [Pipelines](pipelines.md) | `/projects/:id/pipelines` |
-| [Pipeline schedules](pipeline_schedules.md) | `/projects/:id/pipeline_schedules` |
-| [Pipeline triggers](pipeline_triggers.md) | `/projects/:id/triggers` |
-| [Projects](projects.md) including setting Webhooks | `/projects`, `/projects/:id/hooks` (also available for users) |
-| [Project badges](project_badges.md) | `/projects/:id/badges` |
-| [Project clusters](project_clusters.md) | `/projects/:id/clusters` |
-| [Project-level variables](project_level_variables.md) | `/projects/:id/variables` |
-| [Project import/export](project_import_export.md) | `/projects/:id/export`, `/projects/import`, `/projects/:id/import` |
-| [Project milestones](milestones.md) | `/projects/:id/milestones` |
-| [Project snippets](project_snippets.md) | `/projects/:id/snippets` |
-| [Project templates](project_templates.md) | `/projects/:id/templates` |
-| [Protected branches](protected_branches.md) | `/projects/:id/protected_branches` |
-| [Protected tags](protected_tags.md) | `/projects/:id/protected_tags` |
-| [Releases](releases/index.md) | `/projects/:id/releases` |
-| [Release links](releases/links.md) | `/projects/:id/releases/.../assets/links` |
-| [Repositories](repositories.md) | `/projects/:id/repository` |
-| [Repository files](repository_files.md) | `/projects/:id/repository/files` |
-| [Repository submodules](repository_submodules.md) | `/projects/:id/repository/submodules` |
-| [Resource label events](resource_label_events.md) | `/projects/:id/issues/.../resource_label_events`, `/projects/:id/merge_requests/.../resource_label_events` (also available for groups) |
-| [Runners](runners.md) | `/projects/:id/runners` (also available standalone) |
-| [Search](search.md) | `/projects/:id/search` (also available for groups and standalone) |
-| [Services](services.md) | `/projects/:id/services` |
-| [Tags](tags.md) | `/projects/:id/repository/tags` |
-| [Vulnerability Findings](vulnerability_findings.md) **(ULTIMATE)** | `/projects/:id/vulnerability_findings` |
-| [Vulnerabilities](project_vulnerabilities_stub.md) **(ULTIMATE)** | `/projects/:id/vulnerabilities` |
-| [Wikis](wikis.md) | `/projects/:id/wikis` |
-
-## Group resources
-
-The following API resources are available in the group context:
-
-| Resource | Available endpoints |
-|:-----------------------------------------------------------------|:---------------------------------------------------------------------------------|
-| [Access requests](access_requests.md) | `/groups/:id/access_requests/` (also available for projects) |
-| [Custom attributes](custom_attributes.md) | `/groups/:id/custom_attributes` (also available for projects and users) |
-| [Discussions](discussions.md) (threaded comments) **(ULTIMATE)** | `/groups/:id/epics/.../discussions` (also available for projects) |
-| [Epic issues](epic_issues.md) **(ULTIMATE)** | `/groups/:id/epics/.../issues` |
-| [Epic links](epic_links.md) **(ULTIMATE)** | `/groups/:id/epics/.../epics` |
-| [Epics](epics.md) **(ULTIMATE)** | `/groups/:id/epics` |
-| [Groups](groups.md) | `/groups`, `/groups/.../subgroups` |
-| [Group badges](group_badges.md) | `/groups/:id/badges` |
-| [Group issue boards](group_boards.md) | `/groups/:id/boards` |
-| [Group labels](group_labels.md) | `/groups/:id/labels` |
-| [Group-level variables](group_level_variables.md) | `/groups/:id/variables` |
-| [Group milestones](group_milestones.md) | `/groups/:id/milestones` |
-| [Issues](issues.md) | `/groups/:id/issues` (also available for projects and standalone) |
-| [Issues Statistics](issues_statistics.md) | `/groups/:id/issues_statistics` (also available for projects and standalone) |
-| [Members](members.md) | `/groups/:id/members` (also available for projects) |
-| [Merge requests](merge_requests.md) | `/groups/:id/merge_requests` (also available for projects and standalone) |
-| [Notes](notes.md) (comments) | `/groups/:id/epics/.../notes` (also available for projects) |
-| [Notification settings](notification_settings.md) | `/groups/:id/notification_settings` (also available for projects and standalone) |
-| [Resource label events](resource_label_events.md) | `/groups/:id/epics/.../resource_label_events` (also available for projects) |
-| [Search](search.md) | `/groups/:id/search` (also available for 
projects and standalone) |
-
-## Standalone resources
-
-The following API resources are available outside of project and group contexts (including `/users`):
-
-| Resource | Available endpoints |
-|:-----------------------------------------------------------|:------------------------------------------------------------------------|
-| [Applications](applications.md) | `/applications` |
-| [Avatar](avatar.md) | `/avatar` |
-| [Broadcast messages](broadcast_messages.md) | `/broadcast_messages` |
-| [Code snippets](snippets.md) | `/snippets` |
-| [Custom attributes](custom_attributes.md) | `/users/:id/custom_attributes` (also available for groups and projects) |
-| [Deploy keys](deploy_keys.md) | `/deploy_keys` (also available for projects) |
-| [Events](events.md) | `/events`, `/users/:id/events` (also available for projects) |
-| [Feature flags](features.md) | `/features` |
-| [Geo Nodes](geo_nodes.md) **(PREMIUM ONLY)** | `/geo_nodes` |
-| [Import repository from GitHub](import.md) | `/import/github` |
-| [Issues](issues.md) | `/issues` (also available for groups and projects) |
-| [Issues Statistics](issues_statistics.md) | `/issues_statistics` (also available for groups and projects) |
-| [Keys](keys.md) | `/keys` |
-| [License](license.md) **(CORE ONLY)** | `/license` |
-| [Markdown](markdown.md) | `/markdown` |
-| [Merge requests](merge_requests.md) | `/merge_requests` (also available for groups and projects) |
-| [Namespaces](namespaces.md) | `/namespaces` |
-| [Notification settings](notification_settings.md) | `/notification_settings` (also available for groups and projects) |
-| [Pages domains](pages_domains.md) | `/pages/domains` (also available for projects) |
-| [Projects](projects.md) | `/users/:id/projects` (also available for projects) |
-| [Runners](runners.md) | `/runners` (also available for projects) |
-| [Search](search.md) | `/search` (also available for groups and projects) |
-| [Settings](settings.md) | `/application/settings` |
-| 
[Statistics](statistics.md) | `/application/statistics` |
-| [Sidekiq metrics](sidekiq_metrics.md) | `/sidekiq` |
-| [Suggestions](suggestions.md) | `/suggestions` |
-| [System hooks](system_hooks.md) | `/hooks` |
-| [Todos](todos.md) | `/todos` |
-| [Users](users.md) | `/users` |
-| [Validate `.gitlab-ci.yml` file](lint.md) | `/lint` |
-| [Version](version.md) | `/version` |
-| [Vulnerabilities](vulnerabilities_stub.md) **(ULTIMATE)** | `/vulnerabilities` (also available for projects) |
-
-## Templates API resources
-
-Endpoints are available for:
-
-- [Dockerfile templates](templates/dockerfiles.md).
-- [`.gitignore` templates](templates/gitignores.md).
-- [GitLab CI YAML templates](templates/gitlab_ci_ymls.md).
-- [Open source license templates](templates/licenses.md).
diff --git a/doc/api/project_vulnerabilities_stub.md b/doc/api/project_vulnerabilities.md
similarity index 89%
rename from doc/api/project_vulnerabilities_stub.md
rename to doc/api/project_vulnerabilities.md
index 3c1c17c29f0e58..0c9d0a7b12dfb3 100644
--- a/doc/api/project_vulnerabilities_stub.md
+++ b/doc/api/project_vulnerabilities.md
@@ -1,17 +1,27 @@
-# Vulnerabilities API **(ULTIMATE)**
+# Project Vulnerabilities API **(ULTIMATE)**
 
-Every API call to vulnerabilities must be [authenticated](README.md#authentication).
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/10242) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
 
-Vulnerabilities are project-bound entities. If a user is not
-a member of a project to which the vulnerability belongs
-and the project is private, a request on that project
-will result in a `404` status code.
+CAUTION: **Caution:**
+This API is currently in development and is protected by a **disabled**
+[feature flag](https://docs.gitlab.com/ee/development/feature_flags/).
+On a self-managed GitLab instance, an administrator can enable it by starting the Rails console
+(`sudo gitlab-rails console`) and then running the following command: `Feature.enable(:first_class_vulnerabilities)`.
+To test if the Vulnerabilities API was successfully enabled, run the following command:
+`Feature.enabled?(:first_class_vulnerabilities)`.
 
 CAUTION: **Caution:**
 This API is in an alpha stage and considered unstable.
 The response payload may be subject to change or breakage
 across GitLab releases.
 
+Every API call to vulnerabilities must be [authenticated](README.md#authentication).
+
+Vulnerabilities are project-bound entities. If a user is not
+a member of a project to which the vulnerability belongs
+and the project is private, a request on that project
+will result in a `404` status code.
+
 ## Vulnerabilities pagination
 
 By default, `GET` requests return 20 results at a time because the API results
diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md
index 21b3a6f4c96532..a936a3ca61ef13 100644
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -1,3 +1,175 @@
 # Vulnerabilities API **(ULTIMATE)**
 
-This document was moved to [another location](vulnerability_findings.md).
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/10242) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
+
+NOTE: **Note:**
+Former Vulnerabilities API was renamed to Vulnerability Findings API
+and its documentation was moved to [a different location](vulnerability_findings.md).
+This document describes the new Vulnerabilities API that provides access to
+[Standalone Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/634).
+
+CAUTION: **Caution:**
+This API is currently in development and is protected by a **disabled**
+[feature flag](https://docs.gitlab.com/ee/development/feature_flags/).
+On a self-managed GitLab instance, an administrator can enable it by starting the Rails console
+(`sudo gitlab-rails console`) and then running the following command: `Feature.enable(:first_class_vulnerabilities)`.
+To test if the Vulnerabilities API was successfully enabled, run the following command:
+`Feature.enabled?(:first_class_vulnerabilities)`.
+
+CAUTION: **Caution:**
+This API is in an alpha stage and considered unstable.
+The response payload may be subject to change or breakage
+across GitLab releases.
+
+Every API call to vulnerabilities must be [authenticated](README.md#authentication).
+
+Vulnerabilities are project-bound entities. If a user is not
+a member of a project to which vulnerability belongs
+and the project is private, a request on that project
+will result in a `404` status code.
+
+## Single vulnerability
+
+Gets a single vulnerability
+
+```
+GET /vulnerabilities/:id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id` | integer/string | yes | The ID of a Vulnerability to get |
+
+```bash
+curl --header "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/vulnerabilities/1
+```
+
+Example response:
+
+```json
+{
+ "id": 1,
+ "title": "Predictable pseudorandom number generator",
+ "description": null,
+ "state": "opened",
+ "severity": "medium",
+ "confidence": "medium",
+ "report_type": "sast",
+ "project": {
+ "id": 32,
+ "name": "security-reports",
+ "full_path": "/gitlab-examples/security/security-reports",
+ "full_name": "gitlab-examples / security / security-reports"
+ },
+ "author_id": 1,
+ "updated_by_id": null,
+ "last_edited_by_id": null,
+ "closed_by_id": null,
+ "start_date": null,
+ "due_date": null,
+ "created_at": "2019-10-13T15:08:40.219Z",
+ "updated_at": "2019-10-13T15:09:40.382Z",
+ "last_edited_at": null,
+ "closed_at": null
+}
+```
+
+## Resolve vulnerability
+
+Resolves a given vulnerability. Returns status code `304` if the vulnerability is already resolved.
+
+If an authenticated user does not have permission to
+[resolve vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+this request will result in a `403` status code.
+
+```
+POST /vulnerabilities/:id/resolve
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id` | integer/string | yes | The ID of a Vulnerability to resolve |
+
+```bash
+curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve"
+```
+
+Example response:
+
+```json
+{
+ "id": 2,
+ "title": "Predictable pseudorandom number generator",
+ "description": null,
+ "state": "resolved",
+ "severity": "medium",
+ "confidence": "medium",
+ "report_type": "sast",
+ "project": {
+ "id": 32,
+ "name": "security-reports",
+ "full_path": "/gitlab-examples/security/security-reports",
+ "full_name": "gitlab-examples / security / security-reports"
+ },
+ "author_id": 1,
+ "updated_by_id": null,
+ "last_edited_by_id": null,
+ "closed_by_id": null,
+ "start_date": null,
+ "due_date": null,
+ "created_at": "2019-10-13T15:08:40.219Z",
+ "updated_at": "2019-10-13T15:09:40.382Z",
+ "last_edited_at": null,
+ "closed_at": null
+}
+```
+
+## Dismiss vulnerability
+
+Dismisses a given vulnerability. Returns status code `304` if the vulnerability is already dismissed.
+
+If an authenticated user does not have permission to
+[dismiss vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+this request will result in a `403` status code.
+
+```
+POST /vulnerabilities/:id/dismiss
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id` | integer/string | yes | The ID of a vulnerability to dismiss |
+
+```bash
+curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss"
+```
+
+Example response:
+
+```json
+{
+ "id": 2,
+ "title": "Predictable pseudorandom number generator",
+ "description": null,
+ "state": "closed",
+ "severity": "medium",
+ "confidence": "medium",
+ "report_type": "sast",
+ "project": {
+ "id": 32,
+ "name": "security-reports",
+ "full_path": "/gitlab-examples/security/security-reports",
+ "full_name": "gitlab-examples / security / security-reports"
+ },
+ "author_id": 1,
+ "updated_by_id": null,
+ "last_edited_by_id": null,
+ "closed_by_id": null,
+ "start_date": null,
+ "due_date": null,
+ "created_at": "2019-10-13T15:08:40.219Z",
+ "updated_at": "2019-10-13T15:09:40.382Z",
+ "last_edited_at": null,
+ "closed_at": null
+}
+```
diff --git a/doc/api/vulnerabilities_stub.md b/doc/api/vulnerabilities_stub.md
deleted file mode 100644
index 376117ab36d68f..00000000000000
--- a/doc/api/vulnerabilities_stub.md
+++ /dev/null
@@ -1,159 +0,0 @@ -# Vulnerabilities API **(ULTIMATE)** - -Every API call to vulnerabilities must be [authenticated](README.md#authentication). - -Vulnerabilities are project-bound entities. If a user is not -a member of a project to which vulnerability belongs -and the project is private, a request on that project -will result in a `404` status code. - -CAUTION: **Caution:** -This API is in an alpha stage and considered unstable. -The response payload may be subject to change or breakage -across GitLab releases. - -## Single vulnerability - -Gets a single vulnerability - -``` -GET /vulnerabilities/:id -``` - -| Attribute | Type | Required | Description | -| --------- | ---- | -------- | ----------- | -| `id` | integer/string | yes | The ID of a Vulnerability to get | - -```bash -curl --header "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/vulnerabilities/1 -``` - -Example response: - -```json -{ - "id": 1, - "title": "Predictable pseudorandom number generator", - "description": null, - "state": "opened", - "severity": "medium", - "confidence": "medium", - "report_type": "sast", - "project": { - "id": 32, - "name": "security-reports", - "full_path": "/gitlab-examples/security/security-reports", - "full_name": "gitlab-examples / security / security-reports" - }, - "author_id": 1, - "updated_by_id": null, - "last_edited_by_id": null, - "closed_by_id": null, - "start_date": null, - "due_date": null, - "created_at": "2019-10-13T15:08:40.219Z", - "updated_at": "2019-10-13T15:09:40.382Z", - "last_edited_at": null, - "closed_at": null -} -``` - -## Resolve vulnerability - -Resolves a given vulnerability. Returns status code `304` if the vulnerability is already resolved. - -If an authenticated user does not have permission to -[resolve vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions), -this request will result in a `403` status code. 
- -``` -POST /vulnerabilities/:id/resolve -``` - -| Attribute | Type | Required | Description | -| --------- | ---- | -------- | ----------- | -| `id` | integer/string | yes | The ID of a Vulnerability to resolve | - -```bash -curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve" -``` - -Example response: - -```json -{ - "id": 2, - "title": "Predictable pseudorandom number generator", - "description": null, - "state": "resolved", - "severity": "medium", - "confidence": "medium", - "report_type": "sast", - "project": { - "id": 32, - "name": "security-reports", - "full_path": "/gitlab-examples/security/security-reports", - "full_name": "gitlab-examples / security / security-reports" - }, - "author_id": 1, - "updated_by_id": null, - "last_edited_by_id": null, - "closed_by_id": null, - "start_date": null, - "due_date": null, - "created_at": "2019-10-13T15:08:40.219Z", - "updated_at": "2019-10-13T15:09:40.382Z", - "last_edited_at": null, - "closed_at": null -} -``` - -## Dismiss vulnerability - -Dismisses a given vulnerability. Returns status code `304` if the vulnerability is already dismissed. - -If an authenticated user does not have permission to -[dismiss vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions), -this request will result in a `403` status code. 
- -``` -POST /vulnerabilities/:id/dismiss -``` - -| Attribute | Type | Required | Description | -| --------- | ---- | -------- | ----------- | -| `id` | integer/string | yes | The ID of a vulnerability to dismiss | - -```bash -curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss" -``` - -Example response: - -```json -{ - "id": 2, - "title": "Predictable pseudorandom number generator", - "description": null, - "state": "closed", - "severity": "medium", - "confidence": "medium", - "report_type": "sast", - "project": { - "id": 32, - "name": "security-reports", - "full_path": "/gitlab-examples/security/security-reports", - "full_name": "gitlab-examples / security / security-reports" - }, - "author_id": 1, - "updated_by_id": null, - "last_edited_by_id": null, - "closed_by_id": null, - "start_date": null, - "due_date": null, - "created_at": "2019-10-13T15:08:40.219Z", - "updated_at": "2019-10-13T15:09:40.382Z", - "last_edited_at": null, - "closed_at": null -} -``` -- GitLab From 8ab5a9d363c5eb18f2750d0bc77d1a727c8031d8 Mon Sep 17 00:00:00 2001 From: Victor Zagorodny Date: Fri, 22 Nov 2019 17:19:32 +0200 Subject: [PATCH 12/62] WIP Vulnerability Issue links --- doc/api/api_resources.md | 1 + doc/api/vulnerability_issue_links.md | 217 +++++++++++++++++++++++++++ 2 files changed, 218 insertions(+) create mode 100644 doc/api/vulnerability_issue_links.md diff --git a/doc/api/api_resources.md b/doc/api/api_resources.md index 6ce9950e3a5415..cecd2646b22679 100644 --- a/doc/api/api_resources.md +++ b/doc/api/api_resources.md 
@@ -138,6 +138,7 @@ The following API resources are available outside of project and group contexts
 | [Validate `.gitlab-ci.yml` file](lint.md) | `/lint` |
 | [Version](version.md) | `/version` |
 | [Vulnerabilities](vulnerabilities.md) **(ULTIMATE)** | `/vulnerabilities` (also available for projects) |
+| [Vulnerability Issue links](vulnerability_issue_links.md) **(ULTIMATE)** | `/vulnerabilities/:id/issue_links` |
 
 ## Templates API resources
 
diff --git a/doc/api/vulnerability_issue_links.md b/doc/api/vulnerability_issue_links.md
new file mode 100644
index 00000000000000..ac82436f619efd
--- /dev/null
+++ b/doc/api/vulnerability_issue_links.md
@@ -0,0 +1,217 @@ +# Vulnerability Issue links API **(ULTIMATE)** + +CAUTION: **Caution:** +This API is in an alpha stage and considered unstable. +The response payload may be subject to change or breakage +across GitLab releases. + +## List related issues + +Get a list of related issues of a given issue, sorted by the relationship creation datetime (ascending). +Issues will be filtered according to the user authorizations. + +``` +GET /projects/:id/issues/:issue_iid/links +``` + +Parameters: + +| Attribute | Type | Required | Description | +|-------------|---------|----------|--------------------------------------| +| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | +| `issue_iid` | integer | yes | The internal ID of a project's issue | + +```json +[ + { + "id" : 84, + "iid" : 14, + "issue_link_id": 1 + "project_id" : 4, + "created_at" : "2016-01-07T12:44:33.959Z", + "title" : "Issues with auth", + "state" : "opened", + "assignees" : [], + "assignee" : null, + "labels" : [ + "bug" + ], + "author" : { + "name" : "Alexandra Bashirian", + "avatar_url" : null, + "state" : "active", + "web_url" : "https://gitlab.example.com/eileen.lowe", + "id" : 18, + "username" : "eileen.lowe" + }, + "description" : null, + "updated_at" : "2016-01-07T12:44:33.959Z", + "milestone" : null, + "subscribed" : true, + "user_notes_count": 0, + "due_date": null, + "web_url": "http://example.com/example/example/issues/14", + "confidential": false, + "weight": null, + } +] +``` + +## Create an issue link + +Creates a two-way relation between two issues. User must be allowed to update both issues in order to succeed. 
+ +``` +POST /projects/:id/issues/:issue_iid/links +``` + +| Attribute | Type | Required | Description | +|-------------|---------|----------|--------------------------------------| +| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | +| `issue_iid` | integer | yes | The internal ID of a project's issue | +| `target_project_id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) of a target project | +| `target_issue_iid` | integer/string | yes | The internal ID of a target project's issue | + +```json +{ + "source_issue" : { + "id" : 83, + "iid" : 11, + "project_id" : 4, + "created_at" : "2016-01-07T12:44:33.959Z", + "title" : "Issues with auth", + "state" : "opened", + "assignees" : [], + "assignee" : null, + "labels" : [ + "bug" + ], + "author" : { + "name" : "Alexandra Bashirian", + "avatar_url" : null, + "state" : "active", + "web_url" : "https://gitlab.example.com/eileen.lowe", + "id" : 18, + "username" : "eileen.lowe" + }, + "description" : null, + "updated_at" : "2016-01-07T12:44:33.959Z", + "milestone" : null, + "subscribed" : true, + "user_notes_count": 0, + "due_date": null, + "web_url": "http://example.com/example/example/issues/11", + "confidential": false, + "weight": null, + }, + "target_issue" : { + "id" : 84, + "iid" : 14, + "project_id" : 4, + "created_at" : "2016-01-07T12:44:33.959Z", + "title" : "Issues with auth", + "state" : "opened", + "assignees" : [], + "assignee" : null, + "labels" : [ + "bug" + ], + "author" : { + "name" : "Alexandra Bashirian", + "avatar_url" : null, + "state" : "active", + "web_url" : "https://gitlab.example.com/eileen.lowe", + "id" : 18, + "username" : "eileen.lowe" + }, + "description" : null, + "updated_at" : "2016-01-07T12:44:33.959Z", + "milestone" : null, + "subscribed" : true, + "user_notes_count": 0, + "due_date": null, + "web_url": 
"http://example.com/example/example/issues/14", + "confidential": false, + "weight": null, + } +} +``` + +## Delete an issue link + +Deletes an issue link, thus removes the two-way relationship. + +``` +DELETE /projects/:id/issues/:issue_iid/links/:issue_link_id +``` + +| Attribute | Type | Required | Description | +|-------------|---------|----------|--------------------------------------| +| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | +| `issue_iid` | integer | yes | The internal ID of a project's issue | +| `issue_link_id` | integer/string | yes | The ID of an issue relationship | + +```json +{ + "source_issue" : { + "id" : 83, + "iid" : 11, + "project_id" : 4, + "created_at" : "2016-01-07T12:44:33.959Z", + "title" : "Issues with auth", + "state" : "opened", + "assignees" : [], + "assignee" : null, + "labels" : [ + "bug" + ], + "author" : { + "name" : "Alexandra Bashirian", + "avatar_url" : null, + "state" : "active", + "web_url" : "https://gitlab.example.com/eileen.lowe", + "id" : 18, + "username" : "eileen.lowe" + }, + "description" : null, + "updated_at" : "2016-01-07T12:44:33.959Z", + "milestone" : null, + "subscribed" : true, + "user_notes_count": 0, + "due_date": null, + "web_url": "http://example.com/example/example/issues/11", + "confidential": false, + "weight": null, + }, + "target_issue" : { + "id" : 84, + "iid" : 14, + "project_id" : 4, + "created_at" : "2016-01-07T12:44:33.959Z", + "title" : "Issues with auth", + "state" : "opened", + "assignees" : [], + "assignee" : null, + "labels" : [ + "bug" + ], + "author" : { + "name" : "Alexandra Bashirian", + "avatar_url" : null, + "state" : "active", + "web_url" : "https://gitlab.example.com/eileen.lowe", + "id" : 18, + "username" : "eileen.lowe" + }, + "description" : null, + "updated_at" : "2016-01-07T12:44:33.959Z", + "milestone" : null, + "subscribed" : true, + "user_notes_count": 0, + "due_date": null, + 
"web_url": "http://example.com/example/example/issues/14", + "confidential": false, + "weight": null, + } +} +``` -- GitLab From 95146136361edb2c682c3b8791da7c8b31b1839d Mon Sep 17 00:00:00 2001 From: Jonathan Schafer Date: Thu, 30 Jan 2020 12:27:33 -0600 Subject: [PATCH 13/62] Add documentation for confirming a vulnerability --- doc/api/vulnerabilities.md | 50 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md index a936a3ca61ef13..a6195eab514e19 100644 --- a/doc/api/vulnerabilities.md +++ b/doc/api/vulnerabilities.md 
@@ -74,6 +74,56 @@ Example response: } ``` +## Confirm vulnerability + +Confirms a given vulnerability. Returns status code `304` if the vulnerability is already confirmed. + +If an authenticated user does not have permission to +[confirm vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions), +this request will result in a `403` status code. + +``` +POST /vulnerabilities/:id/confirm +``` + +| Attribute | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `id` | integer/string | yes | The ID of a vulnerability to confirm | + +```bash +curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/confirm" +``` + +Example response: + +```json +{ + "id": 2, + "title": "Predictable pseudorandom number generator", + "description": null, + "state": "confirmed", + "severity": "medium", + "confidence": "medium", + "report_type": "sast", + "project": { + "id": 32, + "name": "security-reports", + "full_path": "/gitlab-examples/security/security-reports", + "full_name": "gitlab-examples / security / security-reports" + }, + "author_id": 1, + "updated_by_id": null, + "last_edited_by_id": null, + "closed_by_id": null, + "start_date": null, + "due_date": null, + "created_at": "2019-10-13T15:08:40.219Z", + "updated_at": "2019-10-13T15:09:40.382Z", + "last_edited_at": null, + "closed_at": null +} +``` + ## Resolve vulnerability Resolves a given vulnerability. Returns status code `304` if the vulnerability is already resolved. -- GitLab From 5f2aacba54b07eb64bc3447235ee184bbaf2360e Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:19:22 +0000 Subject: [PATCH 14/62] Apply suggestion to doc/api/project_vulnerabilities.md --- doc/api/project_vulnerabilities.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md index 0c9d0a7b12dfb3..ace5180e438f88 100644 
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -17,10 +17,9 @@ across GitLab releases.
 
 Every API call to vulnerabilities must be [authenticated](README.md#authentication).
 
-Vulnerabilities are project-bound entities. If a user is not
-a member of a project to which the vulnerability belongs
-and the project is private, a request on that project
-will result in a `404` status code.
+Vulnerability permissions inherit permissions from their project. If a project is
+private, and a user isn't a member of the project to which the vulnerability
+belongs, requests to that project will return a `404 Not Found` status code.
 
 ## Vulnerabilities pagination
 
-- 
GitLab

From c69f1b6259b91107e5836725d72f376cb18fa146 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:19:35 +0000
Subject: [PATCH 15/62] Apply suggestion to doc/api/project_vulnerabilities.md

---
 doc/api/project_vulnerabilities.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
index ace5180e438f88..142dd9cf41d526 100644
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -23,8 +23,7 @@ belongs, requests to that project will return a `404 Not Found` status code.
 
 ## Vulnerabilities pagination
 
-By default, `GET` requests return 20 results at a time because the API results
-are paginated.
+API results are paginated, and `GET` requests return 20 results at a time by default.
 
 Read more on [pagination](README.md#pagination).
 
-- 
GitLab

From f7cc4b365dab9b65f6098d44c86a126c29e143c1 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:19:46 +0000
Subject: [PATCH 16/62] Apply suggestion to doc/api/project_vulnerabilities.md

---
 doc/api/project_vulnerabilities.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
index 142dd9cf41d526..5bff5a6c84e437 100644
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -35,7 +35,7 @@ If an authenticated user does not have permission to
 [use the Project Security Dashboard](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
 `GET` requests for vulnerabilities of this project will result in a `403` status code.
 
-```
+```plaintext
 GET /projects/:id/vulnerabilities
 ```
 
-- 
GitLab

From 4de4e1f9a1097a76742c44e39289933336049786 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:19:56 +0000
Subject: [PATCH 17/62] Apply suggestion to doc/api/project_vulnerabilities.md

---
 doc/api/project_vulnerabilities.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
index 5bff5a6c84e437..d0da5cae4e10a7 100644
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -41,7 +41,7 @@ GET /projects/:id/vulnerabilities
 
 | Attribute | Type | Required | Description |
 | ------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user. |
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user. |
 
 ```bash
 curl --header "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/projects/4/vulnerabilities
-- 
GitLab

From 42e427f37c9e1abec191db8972f0e36967921cd3 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:20:10 +0000
Subject: [PATCH 18/62] Apply suggestion to doc/api/project_vulnerabilities.md

---
 doc/api/project_vulnerabilities.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
index d0da5cae4e10a7..84464e7ca9d12b 100644
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -109,7 +109,7 @@ Example response:
 Creates a new vulnerability.
 
 If an authenticated user does not have a permission to
-[create vulnerability](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+[create a new vulnerability](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
 this request will result in a `403` status code.
 
 ```
-- 
GitLab

From 85ef950676307c95cda64781a9d8768818c28061 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:20:22 +0000
Subject: [PATCH 19/62] Apply suggestion to doc/api/project_vulnerabilities.md

---
 doc/api/project_vulnerabilities.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
index 84464e7ca9d12b..212698ba353f49 100644
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -112,14 +112,15 @@ If an authenticated user does not have a permission to
 [create a new vulnerability](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
 this request will result in a `403` status code.
 
-```
+```plaintext
 POST /projects/:id/vulnerabilities?finding_id=
 ```
 
-| Attribute | Type | Required | Description |
-| ------------------- | ---------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
-| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) which the authenticated user is a member of |
-| `finding_id` | integer/string | yes | The ID of a Vulnerability Finding from which the new Vulnerability will be created |
+| Attribute | Type | Required | Description |
+| ------------------- | ----------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) which the authenticated user is a member of |
+| `finding_id` | integer or string | yes | The ID of a Vulnerability Finding from which the new Vulnerability will be created
+ |
 
 The rest of the attributes of a newly created Vulnerability are populated from
 its source Vulnerability Finding or with their default values:
-- 
GitLab

From 60b01be475ee5397f43b3a96d8bd2f7d1bbc68bb Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:20:38 +0000
Subject: [PATCH 20/62] Apply suggestion to doc/api/project_vulnerabilities.md

---
 doc/api/project_vulnerabilities.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
index 212698ba353f49..5bbc4bbfae08a3 100644
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -122,8 +122,8 @@ POST /projects/:id/vulnerabilities?finding_id=
 | `finding_id` | integer or string | yes | The ID of a Vulnerability Finding from which the new Vulnerability will be created
  |
 
-The rest of the attributes of a newly created Vulnerability are populated from
-its source Vulnerability Finding or with their default values:
+The other attributes of a newly created Vulnerability are populated from
+its source Vulnerability Finding, or with these default values:
 
 | Attribute | Value |
 |--------------|-------------------------------------------------------|
@@ -133,7 +133,7 @@ its source Vulnerability Finding or with their default values:
 | `severity` | The `severity` attribute of a Vulnerability Finding |
 | `confidence` | The `confidence` attribute of a Vulnerability Finding |
 
-```bash
+```shell
 curl --header POST "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/projects/1/vulnerabilities?finding_id=1
 ```
 
-- 
GitLab

From c3d0afb1f65ac4671a81173c997e7af6f916cceb Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:20:52 +0000
Subject: [PATCH 21/62] Apply suggestion to doc/api/project_vulnerabilities.md

---
 doc/api/project_vulnerabilities.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
index 5bbc4bbfae08a3..96a5ce81f6d3e9 100644
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -167,12 +167,14 @@ Example response:
 }
 ```
 
-Errors:
+### Errors
 
-_A Vulnerability Finding is not found or already attached to a different Vulnerability_
+This error occurs when a Finding chosen to create a Vulnerability from is not found, or
+is already associated with a different Vulnerability:
 
-Occurs when a Finding chosen to create a Vulnerability from is not found or
-is already associated with a different Vulnerability.
+```plaintext
+A Vulnerability Finding is not found or already attached to a different Vulnerability
+```
 
 Status code: `400`
 
-- 
GitLab

From f42672f97663f1cd76b0570c0f2c2cad067ca7dc Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:21:03 +0000
Subject: [PATCH 22/62] Apply suggestion to doc/api/vulnerabilities.md

---
 doc/api/vulnerabilities.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md
index a6195eab514e19..75e856fa49ded5 100644
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -3,9 +3,9 @@
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/10242) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
 
 NOTE: **Note:**
-Former Vulnerabilities API was renamed to Vulnerability Findings API
+The former Vulnerabilities API was renamed to Vulnerability Findings API
 and its documentation was moved to [a different location](vulnerability_findings.md).
-This document describes the new Vulnerabilities API that provides access to
+This document now describes the new Vulnerabilities API that provides access to
 [Standalone Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/634).
 
 CAUTION: **Caution:**
-- 
GitLab

From 97664f4eeee2bf46eff20739b4272d8c92becfc8 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:23:03 +0000
Subject: [PATCH 23/62] Apply suggestion to doc/api/project_vulnerabilities.md

---
 doc/api/project_vulnerabilities.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md index 96a5ce81f6d3e9..15f84e0fc077f2 100644 --- a/doc/api/project_vulnerabilities.md +++ b/doc/api/project_vulnerabilities.md @@ -4,7 +4,7 @@ CAUTION: **Caution:** This API is currently in development and is protected by a **disabled** -[feature flag](https://docs.gitlab.com/ee/development/feature_flags/). +[feature flag](../development/feature_flags/index.md). On a self-managed GitLab instance, an administrator can enable it by starting the Rails console (`sudo gitlab-rails console`) and then running the following command: `Feature.enable(:first_class_vulnerabilities)`. To test if the Vulnerabilities API was successfully enabled, run the following command: -- GitLab From b20486245197ed81506b79245b74fbd5e8be008a Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:24:22 +0000 Subject: [PATCH 24/62] Apply suggestion to doc/api/vulnerabilities.md --- doc/api/vulnerabilities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md index 75e856fa49ded5..acd0f883caa005 100644 --- a/doc/api/vulnerabilities.md +++ b/doc/api/vulnerabilities.md @@ -10,7 +10,7 @@ This document now describes the new Vulnerabilities API that provides access to CAUTION: **Caution:** This API is currently in development and is protected by a **disabled** -[feature flag](https://docs.gitlab.com/ee/development/feature_flags/). +[feature flag](../development/feature_flags/index.md). On a self-managed GitLab instance, an administrator can enable it by starting the Rails console (`sudo gitlab-rails console`) and then running the following command: `Feature.enable(:first_class_vulnerabilities)`. To test if the Vulnerabilities API was successfully enabled, run the following command: -- GitLab From 1475f61f5fd29aab19ffc57ff326ed622f9d62b0 Mon Sep 17 00:00:00 2001 
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:24:40 +0000
Subject: [PATCH 25/62] Apply suggestion to doc/api/vulnerabilities.md

---
 doc/api/vulnerabilities.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md
index acd0f883caa005..91543e0a169736 100644
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -23,10 +23,9 @@ across GitLab releases.
 
 Every API call to vulnerabilities must be [authenticated](README.md#authentication).
 
-Vulnerabilities are project-bound entities. If a user is not
-a member of a project to which vulnerability belongs
-and the project is private, a request on that project
-will result in a `404` status code.
+Vulnerability permissions inherit permissions from their project. If a project is
+private, and a user isn't a member of the project to which the vulnerability
+belongs, requests to that project will return a `404 Not Found` status code.
 
 ## Single vulnerability
 
-- 
GitLab

From fbcf301dfd80aa4cb81a65cad55e22e232a4b0aa Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:24:51 +0000
Subject: [PATCH 26/62] Apply suggestion to doc/api/vulnerabilities.md

---
 doc/api/vulnerabilities.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md
index 91543e0a169736..4a78a5c7b2faa3 100644
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -31,15 +31,15 @@ belongs, requests to that project will return a `404 Not Found` status code.
 
 Gets a single vulnerability
 
-```
+```plaintext
 GET /vulnerabilities/:id
 ```
 
 | Attribute | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
-| `id` | integer/string | yes | The ID of a Vulnerability to get |
+| `id` | integer or string | yes | The ID of a Vulnerability to get |
 
-```bash
+```shell
 curl --header "PRIVATE-TOKEN: " https://gitlab.example.com/api/v4/vulnerabilities/1
 ```
 
-- 
GitLab
From 3612b8ed99b0a4463f4e658280bfb5720eb21717 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:26:15 +0000
Subject: [PATCH 27/62] Apply suggestion to doc/api/vulnerabilities.md

---
 doc/api/vulnerabilities.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md
index 4a78a5c7b2faa3..660894af8d2c90 100644
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -81,15 +81,15 @@ If an authenticated user does not have permission to
 [confirm vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
 this request will result in a `403` status code.
 
-```
+```plaintext
 POST /vulnerabilities/:id/confirm
 ```
 
 | Attribute | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
-| `id` | integer/string | yes | The ID of a vulnerability to confirm |
+| `id` | integer or string | yes | The ID of a vulnerability to confirm |
 
-```bash
+```shell
 curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/confirm"
 ```
 
-- 
GitLab

From 09215f59d7fb2ffee106e9dea5750c2a20a4ce46 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:30:42 +0000
Subject: [PATCH 28/62] Apply suggestion to doc/api/vulnerabilities.md

---
 doc/api/vulnerabilities.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md
index 660894af8d2c90..3256bf84b6168f 100644
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -131,15 +131,15 @@ If an authenticated user does not have permission to
 [resolve vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
 this request will result in a `403` status code.
 
-```
+```plaintext
 POST /vulnerabilities/:id/resolve
 ```
 
 | Attribute | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
-| `id` | integer/string | yes | The ID of a Vulnerability to resolve |
+| `id` | integer or string | yes | The ID of a Vulnerability to resolve |
 
-```bash
+```shell
 curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve"
 ```
 
-- 
GitLab

From b7f31a9ec7f3b898f813492ffef3461587016bd2 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:31:15 +0000
Subject: [PATCH 29/62] Apply suggestion to doc/api/vulnerabilities.md

---
 doc/api/vulnerabilities.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md
index 3256bf84b6168f..b06cc4282b6941 100644
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -181,15 +181,15 @@ If an authenticated user does not have permission to
 [dismiss vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
 this request will result in a `403` status code.
 
-```
+```plaintext
 POST /vulnerabilities/:id/dismiss
 ```
 
 | Attribute | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
-| `id` | integer/string | yes | The ID of a vulnerability to dismiss |
+| `id` | integer or string | yes | The ID of a vulnerability to dismiss |
 
-```bash
+```shell
 curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss"
 ```
 
-- 
GitLab

From 687d8febb56b47a7c9ea08f8e8a2fc77e27eb9d0 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:31:25 +0000
Subject: [PATCH 30/62] Apply suggestion to doc/api/vulnerability_issue_links.md

---
 doc/api/vulnerability_issue_links.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/api/vulnerability_issue_links.md b/doc/api/vulnerability_issue_links.md
index ac82436f619efd..5b3cbfc3590b22 100644
--- a/doc/api/vulnerability_issue_links.md
+++ b/doc/api/vulnerability_issue_links.md
@@ -10,7 +10,7 @@ across GitLab releases.
 Get a list of related issues of a given issue, sorted by the relationship creation datetime (ascending).
 Issues will be filtered according to the user authorizations.
 
-```
+```plaintext
 GET /projects/:id/issues/:issue_iid/links
 ```
 
@@ -18,7 +18,7 @@ Parameters:
 
 | Attribute | Type | Required | Description |
 |-------------|---------|----------|--------------------------------------|
-| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
 | `issue_iid` | integer | yes | The internal ID of a project's issue |
 
 ```json
-- 
GitLab

From 1e2473cc91c6a1cfca7bbce1e6eb82b16db87b5a Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Sat, 28 Mar 2020 16:31:33 +0000
Subject: [PATCH 31/62] Apply suggestion to doc/api/vulnerability_issue_links.md

---
 doc/api/vulnerability_issue_links.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/vulnerability_issue_links.md b/doc/api/vulnerability_issue_links.md
index 5b3cbfc3590b22..c0ff7048fc0e00 100644
--- a/doc/api/vulnerability_issue_links.md
+++ b/doc/api/vulnerability_issue_links.md
@@ -61,7 +61,7 @@ Parameters: Creates a two-way relation between two issues. User must be allowed to update both issues in order to succeed. -``` +```plaintext POST /projects/:id/issues/:issue_iid/links ``` -- GitLab From 4e9cc44f5f3fc715e1a0a1e20543c36c5de4449b Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:31:43 +0000 Subject: [PATCH 32/62] Apply suggestion to doc/api/vulnerability_issue_links.md --- doc/api/vulnerability_issue_links.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/api/vulnerability_issue_links.md b/doc/api/vulnerability_issue_links.md index c0ff7048fc0e00..a60333c569ee8c 100644 --- a/doc/api/vulnerability_issue_links.md +++ b/doc/api/vulnerability_issue_links.md @@ -67,10 +67,10 @@ POST /projects/:id/issues/:issue_iid/links | Attribute | Type | Required | Description | |-------------|---------|----------|--------------------------------------| -| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | +| `id` | integer or string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | | `issue_iid` | integer | yes | The internal ID of a project's issue | -| `target_project_id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) of a target project | -| `target_issue_iid` | integer/string | yes | The internal ID of a target project's issue | +| `target_project_id` | integer or string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) of a target project | +| `target_issue_iid` | integer or string | yes | The internal ID of a target project's issue | ```json { -- GitLab From 844632df0f1106ff3e56c9419e7d43aab9adde32 Mon Sep 17 00:00:00 2001 
From: Wayne Haber Date: Sat, 28 Mar 2020 16:31:57 +0000 Subject: [PATCH 33/62] Apply suggestion to doc/api/vulnerability_issue_links.md --- doc/api/vulnerability_issue_links.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/api/vulnerability_issue_links.md b/doc/api/vulnerability_issue_links.md index a60333c569ee8c..c7364d88ccf775 100644 --- a/doc/api/vulnerability_issue_links.md +++ b/doc/api/vulnerability_issue_links.md @@ -141,15 +141,15 @@ POST /projects/:id/issues/:issue_iid/links Deletes an issue link, thus removes the two-way relationship. -``` +```plaintext DELETE /projects/:id/issues/:issue_iid/links/:issue_link_id ``` | Attribute | Type | Required | Description | |-------------|---------|----------|--------------------------------------| -| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | +| `id` | integer or string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | | `issue_iid` | integer | yes | The internal ID of a project's issue | -| `issue_link_id` | integer/string | yes | The ID of an issue relationship | +| `issue_link_id` | integer or string | yes | The ID of an issue relationship | ```json { -- GitLab From c6459fb76dce75c897356596245fe1212c0cd2e6 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:32:32 +0000 Subject: [PATCH 34/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- ...ssions_stub_first_class_vulnerabilities.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 659a92f4512140..a6c38016342ebe 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -5,16 +5,17 @@ description: 'Understand and explore the user permission levels in GitLab, and w # Permissions Users have different abilities depending on the access level they have in a -particular group or project. If a user is both in a group's project and the -project itself, the highest permission level is used. - -On public and internal projects the Guest role is not enforced. All users will -be able to create issues, leave comments, and clone or download the project code. - -When a member leaves a team's project, all the assigned [Issues](project/issues/index.md) and [Merge Requests](project/merge_requests/index.md) -will be unassigned automatically. - -GitLab [administrators](../administration/index.md) receive all permissions. +particular group or project: + +- GitLab [administrators](../administration/index.md) receive all permissions. +- If a user is both in a group's project and the project itself, the highest + permission level is used. For more information, see + [Project member permissions](#project-members-permissions). +- The Guest role is not enforced on public and internal projects. All users can + create issues, leave comments, and clone or download the project code. +- When a member leaves a team's project, all the assigned + [Issues](project/issues/index.md) and [Merge Requests](project/merge_requests/index.md) + will be unassigned automatically. To add or import a user, you can follow the [project members documentation](project/members/index.md). 
@@ -22,9 +23,8 @@ To add or import a user, you can follow the For information on eligible approvers for Merge Requests, see [Eligible approvers](project/merge_requests/merge_request_approvals.md#eligible-approvers). -## Principles behind permissions - -See our [product handbook on permissions](https://about.gitlab.com/handbook/product/#permissions-in-gitlab) +To learn more about the principles behind permissions, see the +[GitLab product handbook on permissions](https://about.gitlab.com/handbook/product/#permissions-in-gitlab). ## Instance-wide user permissions -- GitLab From e852d91c8630f64014a4e015d4811c37cd924e9c Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:32:42 +0000 Subject: [PATCH 35/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index a6c38016342ebe..f29430918c9131 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md @@ -37,9 +37,7 @@ usernames. A GitLab administrator can configure the GitLab instance to NOTE: **Note:** In GitLab 11.0, the Master role was renamed to Maintainer. -While Maintainer is the highest project-level role, some actions can only be performed by a personal namespace or group owner. - -The following table depicts the various user permission levels in a project. +While Maintainer is the highest project-level role, some actions can only be performed by a personal namespace or group owner. The following table depicts the various user permission levels in a project: | Action | Guest | Reporter | Developer |Maintainer| Owner | |---------------------------------------------------|---------|------------|-------------|----------|--------| -- GitLab 
From de9a9fc6210c97d9abb925845f46fef00cee691e Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:33:02 +0000 Subject: [PATCH 36/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index f29430918c9131..a9ab5256f8029c 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md @@ -136,10 +136,10 @@ While Maintainer is the highest project-level role, some actions can only be per | Force push to protected branches (*4*) | | | | | | | Remove protected branches (*4*) | | | | | | -- (*1*): Guest users are able to perform this action on public and internal projects, but not private projects. -- (*2*): Guest users can only view the confidential issues they created themselves -- (*3*): If **Public pipelines** is enabled in **Project Settings > CI/CD** -- (*4*): Not allowed for Guest, Reporter, Developer, Maintainer, or Owner. See [Protected Branches](./project/protected_branches.md). +- (*1*): Guest users can perform this action on public and internal projects, but not private projects. +- (*2*): Guest users can only view the confidential issues they created +- (*3*): If **Public pipelines** is enabled in **{settings}** **Project Settings > CI/CD** +- (*4*): Not allowed for Guest, Reporter, Developer, Maintainer, or Owner. See [Protected Branches](project/protected_branches.md). ## Project features permissions -- GitLab From c12fdb5b67429486dd6e2050e8b9ef3f69108b26 Mon Sep 17 00:00:00 2001 
From: Wayne Haber Date: Sat, 28 Mar 2020 16:33:14 +0000 Subject: [PATCH 37/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- ...permissions_stub_first_class_vulnerabilities.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index a9ab5256f8029c..9675af9cefb0e0 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md @@ -143,15 +143,15 @@ While Maintainer is the highest project-level role, some actions can only be per ## Project features permissions -### Wiki and issues +### Wikis and issues -Project features like wiki and issues can be hidden from users depending on -which visibility level you select on project settings. +Project features like wikis and issues can be hidden from users depending on +the visibility level you select in project settings: -- Disabled: disabled for everyone -- Only team members: only team members will see even if your project is public or internal -- Everyone with access: everyone can see depending on your project visibility level -- Everyone: enabled for everyone (only available for GitLab Pages) +- **Disabled**: disabled for everyone. +- **Only team members**: only team members can view, even if your project is public or internal. +- **Everyone with access**: everyone can view, depending on your project visibility level. +- **Everyone**: enabled for everyone (only available for [GitLab Pages](project/pages.md)). ### Protected branches -- GitLab From 811e9f5fa87c7cda0cd196fc6240eebf65f3da76 Mon Sep 17 00:00:00 2001 
From: Wayne Haber Date: Sat, 28 Mar 2020 16:33:22 +0000 Subject: [PATCH 38/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- .../permissions_stub_first_class_vulnerabilities.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 9675af9cefb0e0..e5b3dfa892f853 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md @@ -155,11 +155,11 @@ the visibility level you select in project settings: ### Protected branches -Additional restrictions can be applied on a per-branch basis with [protected branches](project/protected_branches.md). -Additionally, you can customize permissions to allow or prevent project -Maintainers and Developers from pushing to a protected branch. Read through the documentation on -[Allowed to Merge and Allowed to Push settings](project/protected_branches.md#using-the-allowed-to-merge-and-allowed-to-push-settings) -to learn more. +You can apply additional restrictions on a per-branch basis using [protected branches](project/protected_branches.md), and customize permissions to allow or prevent +Maintainers or Developers from pushing to a protected branch. + +For more information, see +[Allowed to Merge and Allowed to Push settings](project/protected_branches.md#using-the-allowed-to-merge-and-allowed-to-push-settings). ### Cycle Analytics permissions -- GitLab From 7078450476be697546555e36778a819e018ac400 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:33:35 +0000 Subject: [PATCH 39/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index e5b3dfa892f853..b7cd4c8be0bed8 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md @@ -168,10 +168,9 @@ the [documentation on Cycle Analytics permissions](analytics/cycle_analytics.md# ### Issue Board permissions -Developers and users with higher permission level can use all -the functionality of the Issue Board, that is create/delete lists -and drag issues around. Read though the -[documentation on Issue Boards permissions](project/issue_board.md#permissions) +Developers and users with higher permission levels can use all features of the +Issue Board, including creating lists, deleting lists, and dragging-and-dropping +issues. See the [Issue Boards permissions documentation](project/issue_board.md#permissions) to learn more. ### File Locking permissions **(PREMIUM)** -- GitLab From ca9fdbb6c09d9077d077a76e13784a556e932f40 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:33:44 +0000 Subject: [PATCH 40/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index b7cd4c8be0bed8..149aa5c85a5b9a 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -175,9 +175,10 @@ to learn more. ### File Locking permissions **(PREMIUM)** -The user that locks a file or directory is the only one that can edit and push their changes back to the repository where the locked objects are located. +Only the user that locks a file or directory can edit and push their changes back to the repository where the locked objects are located. -Read through the documentation on [permissions for File Locking](project/file_lock.md#permissions-on-file-locking) to learn more. +For more information, see the +[permissions for File Locking](project/file_lock.md#permissions-on-file-locking) documentation. ### Confidential Issues permissions -- GitLab From 73d813b0e34bbdca0ed0ce21e6d3819fa23d730f Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:34:03 +0000 Subject: [PATCH 41/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 149aa5c85a5b9a..6cde6aa94bd4a7 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -182,9 +182,10 @@ For more information, see the ### Confidential Issues permissions -Confidential issues can be accessed by reporters and higher permission levels, -as well as by guest users that create a confidential issue. To learn more, -read through the documentation on [permissions and access to confidential issues](project/issues/confidential_issues.md#permissions-and-access-to-confidential-issues). +Confidential issues can be accessed by users with +[Reporter and higher](permissions.md#project-members-permissions) permission levels. +Guest users that create a confidential issue can view their own issues. To learn more, +see the documentation on [permissions and access to confidential issues](project/issues/confidential_issues.md#permissions-and-access-to-confidential-issues). ### Releases permissions -- GitLab From d251deb115e08ea42a3f3934a3934cfc08d74978 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:34:17 +0000 Subject: [PATCH 42/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 6cde6aa94bd4a7..9335429c744aa5 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -237,9 +237,9 @@ group. ### Subgroup permissions -When you add a member to a subgroup, they inherit the membership and -permission level from the parent group. This model allows access to -nested groups if you have membership in one of its parents. +When you add a member to a subgroup, the user inherits the membership and +permission level from the parent group. This model allows users access to +nested groups if they have membership in one of its parents. To learn more, read through the documentation on [subgroups memberships](group/subgroups/index.md#membership). -- GitLab From 55851e0f4fcd9ca3ed39df3d5639bcf790a32382 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:34:39 +0000 Subject: [PATCH 43/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- ...ssions_stub_first_class_vulnerabilities.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 9335429c744aa5..035cbe4adbf3d5 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -246,26 +246,26 @@ To learn more, read through the documentation on ## External users **(CORE ONLY)** -In cases where it is desired that a user has access only to some internal or -private projects, there is the option of creating **External Users**. This -feature may be useful when for example a contractor is working on a given -project and should only have access to that project. - -External users: - -- Cannot create groups or projects. -- Can only access projects to which they are explicitly granted access, - thus hiding all other internal or private ones from them (like being - logged out). - -Access can be granted by adding the user as member to the project or group. -They will, like usual users, receive a role in the project or group with all -the abilities that are mentioned in the [permissions table above](#project-members-permissions). -For example, if an external user is added as Guest, and your project is -private, they will not have access to the code; you would need to grant the external -user access at the Reporter level or above if you want them to have access to the code. You should -always take into account the -[project's visibility and permissions settings](project/settings/index.md#sharing-and-permissions) +To grant a user has access only to some, but not all, internal or private +projects, you can create **External Users**. This feature can be useful +for limiting which private projects a user can access, such as an external +contractor who should only have access to a specific project. + +External users have the following permissions: + +- They cannot create groups or projects. +- They can only access projects to which they are explicitly granted access. + All other internal or private projects are hidden from them. + +To grant access to an external user, add the user as a member to a project +or group. 
The external user receives a role in the project or group, with +all the abilities described in the [permissions table](#project-members-permissions). +For example, an external user added to a private project will not have access +to the code; the external user would need access at the Reporter level or above +to have code access. + +You should always consider the +[project's visibility and permissions settings](project/settings/index.md#sharing-and-permissions), as well as the permission level of the user. NOTE: **Note:** -- GitLab From 37b5bb4113b7a1a9f176767fd82e7b438e41d0d2 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:34:50 +0000 Subject: [PATCH 44/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 035cbe4adbf3d5..846045139dabd6 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -271,11 +271,11 @@ as well as the permission level of the user. NOTE: **Note:** External users still count towards a license seat. -An administrator can flag a user as external by either of the following methods: +To mark a user as an external user, an administrator must perform one of the following actions: -- Either [through the API](../api/users.md#user-modification). -- Or by navigating to the **Admin area > Overview > Users** to create a new user - or edit an existing one. There, you will find the option to flag the user as +- Mark the user as external [through the API](../api/users.md#user-modification). +- Navigate to the **Admin area > Overview > Users** to create a new user + or edit an existing user. There, you will find the option to flag the user as external. ### Setting new users to external -- GitLab From 976469f297bda4a6c0b1ebd31041cd258ebd71a2 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:34:58 +0000 Subject: [PATCH 45/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- ...ermissions_stub_first_class_vulnerabilities.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 846045139dabd6..eb085d48ebac89 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -280,14 +280,13 @@ To mark a user as an external user, an administrator must perform one of the fol ### Setting new users to external -By default, new users are not set as external users. This behavior can be changed -by an administrator under the **Admin Area > Settings > General > Account and limit** page. - -If you change the default behavior of creating new users as external, you will -have the option to narrow it down by defining a set of internal users. -The **Internal users** field allows specifying an email address regex pattern to -identify default internal users. New users whose email address matches the regex -pattern will be set to internal by default rather than an external collaborator. +New users are not set as external users by default. An administrator can change +this behavior at the **Admin Area > Settings > General > Account and limit** page. + +After changing the default behavior of creating new users as external, you can +optionally define a set of internal users in the **Internal users** field, by +providing a regex pattern based on email address. New users with an email address +matching the regex pattern will be marked as internal by default. The regex pattern format is Ruby, but it needs to be convertible to JavaScript, and the ignore case flag will be set (`/regex pattern/i`). Here are some examples: -- GitLab From 4d29424977469e8b3401f7472482a59c9e7c5ca2 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:35:14 +0000 Subject: [PATCH 46/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index eb085d48ebac89..68b65a97680255 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md 
+++ b/doc/user/permissions_stub_first_class_vulnerabilities.md @@ -317,9 +317,8 @@ will not be able to browse the project's repository for example). TIP: **Tip:** To prevent a guest user from creating projects, as an admin, you can edit the user's profile to mark the user as [external](#external-users-core-only). -Beware though that even if a user is external, if they already have Reporter or -higher permissions in any project or group, they will **not** be counted as a -free guest user. +Be aware that even if an external user already has Reporter or higher permissions +in any project or group, they will **not** be counted as a free guest user. ## Auditor users **(PREMIUM ONLY)** -- GitLab From 502840660cf9eea043f1913db4998ee2ecc9543e Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:35:26 +0000 Subject: [PATCH 47/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 68b65a97680255..4a10ccf2c17f17 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -327,8 +327,9 @@ in any project or group, they will **not** be counted as a free guest user. Auditor users are given read-only access to all projects, groups, and other resources on the GitLab instance. -An Auditor user should be able to access all projects and groups of a GitLab instance -with the permissions described on the documentation on [auditor users permissions](../administration/auditor_users.md#permissions-and-restrictions-of-an-auditor-user). +An Auditor user can access all projects and groups of a GitLab instance +with the permissions described on the [auditor users permissions](../administration/auditor_users.md#permissions-and-restrictions-of-an-auditor-user) +documentation page. [Read more about Auditor users.](../administration/auditor_users.md) -- GitLab From 40fbee81b8826c7de5626d44506d145b686087d9 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:35:38 +0000 Subject: [PATCH 48/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- .../permissions_stub_first_class_vulnerabilities.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 4a10ccf2c17f17..768377a5eee185 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -335,13 +335,13 @@ documentation page. ## Project features -Project features like wiki and issues can be hidden from users depending on -which visibility level you select on project settings. +Project features like wikis and issues can be hidden from users depending on +the visibility level you select in project settings: -- Disabled: disabled for everyone -- Only team members: only team members will see even if your project is public or internal -- Everyone with access: everyone can see depending on your project visibility level -- Everyone: enabled for everyone (only available for GitLab Pages) + - **Disabled**: disabled for everyone. + - **Only team members**: only team members can view, even if your project is public or internal. + - **Everyone with access**: everyone can view, depending on your project visibility level. + - **Everyone**: enabled for everyone (only available for [GitLab Pages](project/pages.md)). ## GitLab CI/CD permissions -- GitLab From 113a496b969dd4c6949631b8b33887b5100777e4 Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:35:49 +0000 Subject: [PATCH 49/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- .../permissions_stub_first_class_vulnerabilities.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 768377a5eee185..e9c6d1ee8efb44 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -348,13 +348,13 @@ the visibility level you select in project settings: NOTE: **Note:** In GitLab 11.0, the Master role was renamed to Maintainer. -GitLab CI/CD permissions rely on the role the user has in GitLab. There are four -permission levels in total: +GitLab CI/CD permissions rely on the role the user has in GitLab. The following +permission levels are available: -- admin -- maintainer -- developer -- guest/reporter +- Admin +- Maintainer +- Developer +- Guest (Reporter) The admin user can perform any action on GitLab CI/CD in scope of the GitLab instance and project. In addition, all admins can use the admin interface under -- GitLab From d906f58ca19b0b827edb2f639478cf2944f3d5fe Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:35:58 +0000 Subject: [PATCH 50/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index e9c6d1ee8efb44..6680e1e366671f 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md @@ -412,7 +412,7 @@ read through the documentation on the [new CI/CD permissions model](project/new_ ## Running pipelines on protected branches -The permission to merge or push to protected branches is used to define if a user can +The permission to merge or push to protected branches defines whether a user can run CI/CD pipelines and execute actions on jobs that are related to those branches. See [Security on protected branches](../ci/pipelines.md#security-on-protected-branches) -- GitLab From aa5c25d7fb9a83a8540ec46d0bba8409e43f21cf Mon Sep 17 00:00:00 2001 
From: Wayne Haber Date: Sat, 28 Mar 2020 16:36:10 +0000 Subject: [PATCH 51/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 6680e1e366671f..826ca7e181f973 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md @@ -420,7 +420,7 @@ for details about the pipelines security model. ## LDAP users permissions -Since GitLab 8.15, LDAP user permissions can now be manually overridden by an admin user. +Since GitLab 8.15, admin users can manually override LDAP user permissions. Read through the documentation on [LDAP users permissions](../administration/auth/how_to_configure_ldap_gitlab_ee/index.html) to learn more. ## Project aliases -- GitLab From 397981e2b9d63a010461f31313d97a90fe452d8d Mon Sep 17 00:00:00 2001 From: Wayne Haber Date: Sat, 28 Mar 2020 16:40:06 +0000 Subject: [PATCH 52/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md --- doc/user/permissions_stub_first_class_vulnerabilities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md index 826ca7e181f973..c6e357305eca52 100644 --- a/doc/user/permissions_stub_first_class_vulnerabilities.md +++ b/doc/user/permissions_stub_first_class_vulnerabilities.md 
@@ -315,7 +315,7 @@ mentioned in the [permissions table above](#project-members-permissions) (they
 will not be able to browse the project's repository for example).
 TIP: **Tip:**
-To prevent a guest user from creating projects, as an admin, you can edit the
+Administrators can prevent a guest user from creating projects by editing the
 user's profile to mark the user as [external](#external-users-core-only).
 Be aware that even if an external user already has Reporter or higher permissions
 in any project or group, they will **not** be counted as a free guest user.
-- GitLab
From 9662694811a53a54c6aaed5f30a408c74cb11103 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Mon, 30 Mar 2020 18:22:51 +0000
Subject: [PATCH 53/62] Apply suggestion to doc/api/vulnerability_issue_links.md
---
 doc/api/vulnerability_issue_links.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/api/vulnerability_issue_links.md b/doc/api/vulnerability_issue_links.md
index c7364d88ccf775..05213e788c4843 100644
--- a/doc/api/vulnerability_issue_links.md
+++ b/doc/api/vulnerability_issue_links.md
@@ -139,7 +139,7 @@ POST /projects/:id/issues/:issue_iid/links
 ## Delete an issue link
-Deletes an issue link, thus removes the two-way relationship.
+Deletes an issue link, removing the two-way relationship.
 ```plaintext
 DELETE /projects/:id/issues/:issue_iid/links/:issue_link_id
-- GitLab
From 31b66a2e106c9ffb57ee3b6159d2bdbf3b550315 Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Mon, 30 Mar 2020 18:23:17 +0000
Subject: [PATCH 54/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md
---
 doc/user/permissions_stub_first_class_vulnerabilities.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md
index c6e357305eca52..94ecda71fbc806 100644
--- a/doc/user/permissions_stub_first_class_vulnerabilities.md
+++ b/doc/user/permissions_stub_first_class_vulnerabilities.md
@@ -233,7 +233,7 @@ group.
 - (2): Introduced in GitLab 12.2.
 - (3): Default project creation role can be changed at:
   - The [instance level](admin_area/settings/visibility_and_access_controls.md#default-project-creation-protection).
-  - The [group level](group/index.html#default-project-creation-level).
+  - The [group level](group/index.md#default-project-creation-level).
 ### Subgroup permissions
-- GitLab
From fa66fad2cf6361cef248af3239fa80aec5c05dab Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Mon, 30 Mar 2020 18:24:05 +0000
Subject: [PATCH 55/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md
---
 doc/user/permissions_stub_first_class_vulnerabilities.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md
index 94ecda71fbc806..690b5bcfb76bc0 100644
--- a/doc/user/permissions_stub_first_class_vulnerabilities.md
+++ b/doc/user/permissions_stub_first_class_vulnerabilities.md
@@ -137,8 +137,8 @@ While Maintainer is the highest project-level role, some actions can only be per
 | Remove protected branches (*4*) | | | | | |
 - (*1*): Guest users can perform this action on public and internal projects, but not private projects.
-- (*2*): Guest users can only view the confidential issues they created
-- (*3*): If **Public pipelines** is enabled in **{settings}** **Project Settings > CI/CD**
+- (*2*): Guest users can only view the confidential issues they created.
+- (*3*): If **Public pipelines** is enabled in **{settings}** **Project Settings > CI/CD**.
 - (*4*): Not allowed for Guest, Reporter, Developer, Maintainer, or Owner. See [Protected Branches](project/protected_branches.md).
 ## Project features permissions
-- GitLab
From 2e973c2e09d8e6c3ea2b1a55216daa82bd21b26b Mon Sep 17 00:00:00 2001
From: Wayne Haber
Date: Mon, 30 Mar 2020 18:25:28 +0000
Subject: [PATCH 56/62] Apply suggestion to doc/user/permissions_stub_first_class_vulnerabilities.md
---
 doc/user/permissions_stub_first_class_vulnerabilities.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md
index 690b5bcfb76bc0..01983fe1321d2e 100644
--- a/doc/user/permissions_stub_first_class_vulnerabilities.md
+++ b/doc/user/permissions_stub_first_class_vulnerabilities.md
@@ -421,7 +421,7 @@ for details about the pipelines security model.
 ## LDAP users permissions
 Since GitLab 8.15, admin users can manually override LDAP user permissions.
-Read through the documentation on [LDAP users permissions](../administration/auth/how_to_configure_ldap_gitlab_ee/index.html) to learn more.
+Read through the documentation on [LDAP users permissions](../administration/auth/how_to_configure_ldap_gitlab_ee/index.md) to learn more.
 ## Project aliases
-- GitLab
From a3f21f800c507bc22c029290167d6972ac40be3d Mon Sep 17 00:00:00 2001
From: Achilleas Pipinellis
Date: Wed, 1 Apr 2020 11:33:09 +0000
Subject: [PATCH 57/62] Apply suggestion to doc/api/project_vulnerabilities.md
---
 doc/api/project_vulnerabilities.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
index 15f84e0fc077f2..33f015442b6b17 100644
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -119,8 +119,7 @@ POST /projects/:id/vulnerabilities?finding_id=
 | Attribute | Type | Required | Description |
 | ------------------- | ----------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
 | `id` | integer or string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) which the authenticated user is a member of |
-| `finding_id` | integer or string | yes | The ID of a Vulnerability Finding from which the new Vulnerability will be created
- |
+| `finding_id` | integer or string | yes | The ID of a Vulnerability Finding from which the new Vulnerability will be created |
 The other attributes of a newly created Vulnerability are populated from its source Vulnerability Finding, or with these default values:
-- GitLab
From 7e97c245ec353f9670f92690cc4042919202e065 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Zaj=C4=85c?=
Date: Mon, 6 Apr 2020 14:40:13 +0200
Subject: [PATCH 58/62] Remove duplicated permissions file
Update the main Permissions entry
---
 doc/user/permissions.md | 8 +-
 ...ssions_stub_first_class_vulnerabilities.md | 429 ------------------
 2 files changed, 6 insertions(+), 431 deletions(-)
 delete mode 100644 doc/user/permissions_stub_first_class_vulnerabilities.md
diff --git a/doc/user/permissions.md b/doc/user/permissions.md
index 4f7284fb05b949..e884118d497c6b 100644
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -107,8 +107,12 @@ The following table depicts the various user permission levels in a project.
 | Remove a container registry image | | | ✓ | ✓ | ✓ |
 | Create/edit/delete project milestones | | | ✓ | ✓ | ✓ |
 | Use security dashboard **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
-| View vulnerabilities in Dependency list **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
-| Create issue from vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| View vulnerability findings in Dependency list **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Create issue from vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Dismiss vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| View vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Create vulnerability from vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
+| Resolve vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
 | Dismiss vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ |
 | Apply code change suggestions | | | ✓ | ✓ | ✓ |
 | Create and edit wiki pages | | | ✓ | ✓ | ✓ |
diff --git a/doc/user/permissions_stub_first_class_vulnerabilities.md b/doc/user/permissions_stub_first_class_vulnerabilities.md
deleted file mode 100644
index 01983fe1321d2e..00000000000000
--- a/doc/user/permissions_stub_first_class_vulnerabilities.md
+++ /dev/null
@@ -1,429 +0,0 @@ ---- -description: 'Understand and explore the user permission levels in GitLab, and what features each of them grants you access to.' ---- - -# Permissions - -Users have different abilities depending on the access level they have in a -particular group or project: - -- GitLab [administrators](../administration/index.md) receive all permissions. -- If a user is both in a group's project and the project itself, the highest - permission level is used. For more information, see - [Project member permissions](#project-members-permissions). -- The Guest role is not enforced on public and internal projects. All users can - create issues, leave comments, and clone or download the project code. -- When a member leaves a team's project, all the assigned - [Issues](project/issues/index.md) and [Merge Requests](project/merge_requests/index.md) - will be unassigned automatically. - -To add or import a user, you can follow the -[project members documentation](project/members/index.md). - -For information on eligible approvers for Merge Requests, see -[Eligible approvers](project/merge_requests/merge_request_approvals.md#eligible-approvers). - -To learn more about the principles behind permissions, see the -[GitLab product handbook on permissions](https://about.gitlab.com/handbook/product/#permissions-in-gitlab). - -## Instance-wide user permissions - -By default, users can create top-level groups and change their -usernames. A GitLab administrator can configure the GitLab instance to -[modify this behavior](../administration/user_settings.md). - -## Project members permissions - -NOTE: **Note:** -In GitLab 11.0, the Master role was renamed to Maintainer. - -While Maintainer is the highest project-level role, some actions can only be performed by a personal namespace or group owner. 
The following table depicts the various user permission levels in a project: - -| Action | Guest | Reporter | Developer |Maintainer| Owner | -|---------------------------------------------------|---------|------------|-------------|----------|--------| -| Download project | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| Leave comments | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| View Insights charts **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ | -| View approved/blacklisted licenses **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ | -| View License Compliance reports **(ULTIMATE)** | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| View Security reports **(ULTIMATE)** | ✓ (*3*) | ✓ | ✓ | ✓ | ✓ | -| View Dependency list **(ULTIMATE)** | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| View licenses in Dependency list **(ULTIMATE)** | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| View [Design Management](project/issues/design_management.md) pages **(PREMIUM)** | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| View project code | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| Pull project code | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| View GitLab Pages protected by [access control](project/pages/introduction.md#gitlab-pages-access-control-core) | ✓ | ✓ | ✓ | ✓ | ✓ | -| View wiki pages | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| See a list of jobs | ✓ (*3*) | ✓ | ✓ | ✓ | ✓ | -| See a job log | ✓ (*3*) | ✓ | ✓ | ✓ | ✓ | -| Download and browse job artifacts | ✓ (*3*) | ✓ | ✓ | ✓ | ✓ | -| Create new issue | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| See related issues | ✓ | ✓ | ✓ | ✓ | ✓ | -| Create confidential issue | ✓ (*1*) | ✓ | ✓ | ✓ | ✓ | -| View confidential issues | (*2*) | ✓ | ✓ | ✓ | ✓ | -| Assign issues | | ✓ | ✓ | ✓ | ✓ | -| Label issues | | ✓ | ✓ | ✓ | ✓ | -| Lock issue threads | | ✓ | ✓ | ✓ | ✓ | -| Manage issue tracker | | ✓ | ✓ | ✓ | ✓ | -| Manage related issues **(STARTER)** | | ✓ | ✓ | ✓ | ✓ | -| Manage labels | | ✓ | ✓ | ✓ | ✓ | -| Create code snippets | | ✓ | ✓ | ✓ | ✓ | -| See a commit status | | ✓ | ✓ | ✓ | ✓ | -| See a container registry | | ✓ | ✓ | ✓ | ✓ | -| See environments | | ✓ | ✓ | ✓ | ✓ | -| See a list of merge requests | | 
✓ | ✓ | ✓ | ✓ | -| View project statistics | | ✓ | ✓ | ✓ | ✓ | -| View Error Tracking list | | ✓ | ✓ | ✓ | ✓ | -| Pull from [Conan repository](packages/conan_repository/index.md), [Maven repository](packages/maven_repository/index.md), or [NPM registry](packages/npm_registry/index.md) **(PREMIUM)** | | ✓ | ✓ | ✓ | ✓ | -| Publish to [Conan repository](packages/conan_repository/index.md), [Maven repository](packages/maven_repository/index.md), or [NPM registry](packages/npm_registry/index.md) **(PREMIUM)** | | | ✓ | ✓ | ✓ | -| Upload [Design Management](project/issues/design_management.md) files **(PREMIUM)** | | | ✓ | ✓ | ✓ | -| Create new branches | | | ✓ | ✓ | ✓ | -| Push to non-protected branches | | | ✓ | ✓ | ✓ | -| Force push to non-protected branches | | | ✓ | ✓ | ✓ | -| Remove non-protected branches | | | ✓ | ✓ | ✓ | -| Create new merge request | | | ✓ | ✓ | ✓ | -| Assign merge requests | | | ✓ | ✓ | ✓ | -| Label merge requests | | | ✓ | ✓ | ✓ | -| Lock merge request threads | | | ✓ | ✓ | ✓ | -| Manage/Accept merge requests | | | ✓ | ✓ | ✓ | -| Create new environments | | | ✓ | ✓ | ✓ | -| Stop environments | | | ✓ | ✓ | ✓ | -| Add tags | | | ✓ | ✓ | ✓ | -| Cancel and retry jobs | | | ✓ | ✓ | ✓ | -| Create or update commit status | | | ✓ | ✓ | ✓ | -| Update a container registry | | | ✓ | ✓ | ✓ | -| Remove a container registry image | | | ✓ | ✓ | ✓ | -| Create/edit/delete project milestones | | | ✓ | ✓ | ✓ | -| Use security dashboard **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| View vulnerability findings in Dependency list **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| Create issue from vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| Dismiss vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| View vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| Create vulnerability from vulnerability finding **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| Resolve vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| Dismiss vulnerability **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| Apply code change 
suggestions | | | ✓ | ✓ | ✓ | -| Create and edit wiki pages | | | ✓ | ✓ | ✓ | -| Rewrite/remove Git tags | | | ✓ | ✓ | ✓ | -| Use environment terminals | | | | ✓ | ✓ | -| Run Web IDE's Interactive Web Terminals **(ULTIMATE ONLY)** | | | | ✓ | ✓ | -| Add new team members | | | | ✓ | ✓ | -| Enable/disable branch protection | | | | ✓ | ✓ | -| Push to protected branches | | | | ✓ | ✓ | -| Turn on/off protected branch push for devs | | | | ✓ | ✓ | -| Enable/disable tag protections | | | | ✓ | ✓ | -| Edit project | | | | ✓ | ✓ | -| Add deploy keys to project | | | | ✓ | ✓ | -| Configure project hooks | | | | ✓ | ✓ | -| Manage Runners | | | | ✓ | ✓ | -| Manage job triggers | | | | ✓ | ✓ | -| Manage variables | | | | ✓ | ✓ | -| Manage GitLab Pages | | | | ✓ | ✓ | -| Manage GitLab Pages domains and certificates | | | | ✓ | ✓ | -| Remove GitLab Pages | | | | ✓ | ✓ | -| Manage clusters | | | | ✓ | ✓ | -| Manage license policy **(ULTIMATE)** | | | | ✓ | ✓ | -| Edit comments (posted by any user) | | | | ✓ | ✓ | -| Manage Error Tracking | | | | ✓ | ✓ | -| Delete wiki pages | | | | ✓ | ✓ | -| View project Audit Events | | | | ✓ | ✓ | -| Manage [push rules](../push_rules/push_rules.md) | | | | ✓ | ✓ | -| Switch visibility level | | | | | ✓ | -| Transfer project to another namespace | | | | | ✓ | -| Remove project | | | | | ✓ | -| Delete issues | | | | | ✓ | -| Disable notification emails | | | | | ✓ | -| Force push to protected branches (*4*) | | | | | | -| Remove protected branches (*4*) | | | | | | - -- (*1*): Guest users can perform this action on public and internal projects, but not private projects. -- (*2*): Guest users can only view the confidential issues they created. -- (*3*): If **Public pipelines** is enabled in **{settings}** **Project Settings > CI/CD**. -- (*4*): Not allowed for Guest, Reporter, Developer, Maintainer, or Owner. See [Protected Branches](project/protected_branches.md). 
- -## Project features permissions - -### Wikis and issues - -Project features like wikis and issues can be hidden from users depending on -the visibility level you select in project settings: - -- **Disabled**: disabled for everyone. -- **Only team members**: only team members can view, even if your project is public or internal. -- **Everyone with access**: everyone can view, depending on your project visibility level. -- **Everyone**: enabled for everyone (only available for [GitLab Pages](project/pages.md)). - -### Protected branches - -You can apply additional restrictions on a per-branch basis using [protected branches](project/protected_branches.md), and customize permissions to allow or prevent -Maintainers or Developers from pushing to a protected branch. - -For more information, see -[Allowed to Merge and Allowed to Push settings](project/protected_branches.md#using-the-allowed-to-merge-and-allowed-to-push-settings). - -### Cycle Analytics permissions - -Find the current permissions on the Cycle Analytics dashboard on -the [documentation on Cycle Analytics permissions](analytics/cycle_analytics.md#permissions). - -### Issue Board permissions - -Developers and users with higher permission levels can use all features of the -Issue Board, including creating lists, deleting lists, and dragging-and-dropping -issues. See the [Issue Boards permissions documentation](project/issue_board.md#permissions) -to learn more. - -### File Locking permissions **(PREMIUM)** - -Only the user that locks a file or directory can edit and push their changes back to the repository where the locked objects are located. - -For more information, see the -[permissions for File Locking](project/file_lock.md#permissions-on-file-locking) documentation. - -### Confidential Issues permissions - -Confidential issues can be accessed by users with -[Reporter and higher](permissions.md#project-members-permissions) permission levels. 
-Guest users that create a confidential issue can view their own issues. To learn more, -see the documentation on [permissions and access to confidential issues](project/issues/confidential_issues.md#permissions-and-access-to-confidential-issues). - -### Releases permissions - -[Project Releases](project/releases/index.md) can be read by project -members with Reporter, Developer, Maintainer, and Owner permissions. -Guest users can access Release pages for downloading assets but -are not allowed to download the source code nor see repository -information such as tags and commits. - -Releases can be created, updated, or deleted via [Releases APIs](../api/releases/index.md) -by project Developers, Maintainers, and Owners. - -## Group members permissions - -NOTE: **Note:** -In GitLab 11.0, the Master role was renamed to Maintainer. - -Any user can remove themselves from a group, unless they are the last Owner of -the group. The following table depicts the various user permission levels in a -group. 
- -| Action | Guest | Reporter | Developer | Maintainer | Owner | -|--------------------------------------------------------|-------|----------|-----------|------------|-------| -| Browse group | ✓ | ✓ | ✓ | ✓ | ✓ | -| View Insights charts **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ | -| View group epic **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ | -| Create/edit group epic **(ULTIMATE)** | | ✓ | ✓ | ✓ | ✓ | -| Manage group labels | | ✓ | ✓ | ✓ | ✓ | -| Create project in group | | | ✓ (3) | ✓ (3) | ✓ (3) | -| Create/edit/delete group milestones | | | ✓ | ✓ | ✓ | -| Enable/disable a dependency proxy **(PREMIUM)** | | | ✓ | ✓ | ✓ | -| Use security dashboard **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| Create subgroup | | | | ✓ (1) | ✓ | -| Edit group | | | | | ✓ | -| Manage group members | | | | | ✓ | -| Remove group | | | | | ✓ | -| Delete group epic **(ULTIMATE)** | | | | | ✓ | -| Edit epic comments (posted by any user) **(ULTIMATE)** | | | | ✓ (2) | ✓ (2) | -| View group Audit Events | | | | | ✓ | -| Disable notification emails | | | | | ✓ | -| View/manage group-level Kubernetes cluster | | | | ✓ | ✓ | - -- (1): Groups can be set to [allow either Owners or Owners and - Maintainers to create subgroups](group/subgroups/index.md#creating-a-subgroup) -- (2): Introduced in GitLab 12.2. -- (3): Default project creation role can be changed at: - - The [instance level](admin_area/settings/visibility_and_access_controls.md#default-project-creation-protection). - - The [group level](group/index.md#default-project-creation-level). - -### Subgroup permissions - -When you add a member to a subgroup, the user inherits the membership and -permission level from the parent group. This model allows users access to -nested groups if they have membership in one of its parents. - -To learn more, read through the documentation on -[subgroups memberships](group/subgroups/index.md#membership). 
- -## External users **(CORE ONLY)** - -To grant a user has access only to some, but not all, internal or private -projects, you can create **External Users**. This feature can be useful -for limiting which private projects a user can access, such as an external -contractor who should only have access to a specific project. - -External users have the following permissions: - -- They cannot create groups or projects. -- They can only access projects to which they are explicitly granted access. - All other internal or private projects are hidden from them. - -To grant access to an external user, add the user as a member to a project -or group. The external user receives a role in the project or group, with -all the abilities described in the [permissions table](#project-members-permissions). -For example, an external user added to a private project will not have access -to the code; the external user would need access at the Reporter level or above -to have code access. - -You should always consider the -[project's visibility and permissions settings](project/settings/index.md#sharing-and-permissions), -as well as the permission level of the user. - -NOTE: **Note:** -External users still count towards a license seat. - -To mark a user as an external user, an administrator must perform one of the following actions: - -- Mark the user as external [through the API](../api/users.md#user-modification). -- Navigate to the **Admin area > Overview > Users** to create a new user - or edit an existing user. There, you will find the option to flag the user as - external. - -### Setting new users to external - -New users are not set as external users by default. An administrator can change -this behavior at the **Admin Area > Settings > General > Account and limit** page. 
- -After changing the default behavior of creating new users as external, you can -optionally define a set of internal users in the **Internal users** field, by -providing a regex pattern based on email address. New users with an email address -matching the regex pattern will be marked as internal by default. - -The regex pattern format is Ruby, but it needs to be convertible to JavaScript, -and the ignore case flag will be set (`/regex pattern/i`). Here are some examples: - -- Use `\.internal@domain\.com$` to mark email addresses ending with - `.internal@domain.com` as internal. -- Use `^(?:(?!\.ext@domain\.com).)*$\r?` to mark users with email addresses - NOT including `.ext@domain.com` as internal. - -CAUTION: **Warning:** -Be aware that this regex could lead to a -[regular expression denial of service (ReDoS) attack](https://en.wikipedia.org/wiki/ReDoS). - -## Free Guest users **(ULTIMATE)** - -When a user is given Guest permissions on a project, group, or both, and holds no -higher permission level on any other project or group on the GitLab instance, -the user is considered a guest user by GitLab and will not consume a license seat. -There is no other specific "guest" designation for newly created users. - -If the user is assigned a higher role on any projects or groups, the user will -take a license seat. If a user creates a project, the user becomes a Maintainer -on the project, resulting in the use of a license seat. Also, note that if your -project is internal or private, Guest users will have all the abilities that are -mentioned in the [permissions table above](#project-members-permissions) (they -will not be able to browse the project's repository for example). - -TIP: **Tip:** -Administrators can prevent a guest user from creating projects by editing the -user's profile to mark the user as [external](#external-users-core-only). 
-Be aware that even if an external user already has Reporter or higher permissions -in any project or group, they will **not** be counted as a free guest user. - -## Auditor users **(PREMIUM ONLY)** - ->[Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/998) in [GitLab Premium](https://about.gitlab.com/pricing/) 8.17. - -Auditor users are given read-only access to all projects, groups, and other -resources on the GitLab instance. - -An Auditor user can access all projects and groups of a GitLab instance -with the permissions described on the [auditor users permissions](../administration/auditor_users.md#permissions-and-restrictions-of-an-auditor-user) -documentation page. - -[Read more about Auditor users.](../administration/auditor_users.md) - -## Project features - -Project features like wikis and issues can be hidden from users depending on -the visibility level you select in project settings: - - - **Disabled**: disabled for everyone. - - **Only team members**: only team members can view, even if your project is public or internal. - - **Everyone with access**: everyone can view, depending on your project visibility level. - - **Everyone**: enabled for everyone (only available for [GitLab Pages](project/pages.md)). - -## GitLab CI/CD permissions - -NOTE: **Note:** -In GitLab 11.0, the Master role was renamed to Maintainer. - -GitLab CI/CD permissions rely on the role the user has in GitLab. The following -permission levels are available: - -- Admin -- Maintainer -- Developer -- Guest (Reporter) - -The admin user can perform any action on GitLab CI/CD in scope of the GitLab -instance and project. In addition, all admins can use the admin interface under -`/admin/runners`. 
- -| Action | Guest, Reporter | Developer |Maintainer| Admin | -|---------------------------------------|-----------------|-------------|----------|--------| -| See commits and jobs | ✓ | ✓ | ✓ | ✓ | -| Retry or cancel job | | ✓ | ✓ | ✓ | -| Erase job artifacts and trace | | ✓ (*1*) | ✓ | ✓ | -| Remove project | | | ✓ | ✓ | -| Create project | | | ✓ | ✓ | -| Change project configuration | | | ✓ | ✓ | -| Add specific runners | | | ✓ | ✓ | -| Add shared runners | | | | ✓ | -| See events in the system | | | | ✓ | -| Admin interface | | | | ✓ | - -- *1*: Only if the job was triggered by the user - -### Job permissions - -NOTE: **Note:** -In GitLab 11.0, the Master role was renamed to Maintainer. - ->**Note:** -GitLab 8.12 has a completely redesigned job permissions system. -Read all about the [new model and its implications](project/new_ci_build_permissions_model.md). - -This table shows granted privileges for jobs triggered by specific types of -users: - -| Action | Guest, Reporter | Developer |Maintainer| Admin | -|---------------------------------------------|-----------------|-------------|----------|---------| -| Run CI job | | ✓ | ✓ | ✓ | -| Clone source and LFS from current project | | ✓ | ✓ | ✓ | -| Clone source and LFS from public projects | | ✓ | ✓ | ✓ | -| Clone source and LFS from internal projects | | ✓ (*1*) | ✓ (*1*) | ✓ | -| Clone source and LFS from private projects | | ✓ (*2*) | ✓ (*2*) | ✓ (*2*) | -| Pull container images from current project | | ✓ | ✓ | ✓ | -| Pull container images from public projects | | ✓ | ✓ | ✓ | -| Pull container images from internal projects| | ✓ (*1*) | ✓ (*1*) | ✓ | -| Pull container images from private projects | | ✓ (*2*) | ✓ (*2*) | ✓ (*2*) | -| Push container images to current project | | ✓ | ✓ | ✓ | -| Push container images to other projects | | | | | -| Push source and LFS | | | | | - -- *1*: Only if the user is not an external one -- *2*: Only if the user is a member of the project - -### New CI job permissions model 
- -GitLab 8.12 has a completely redesigned job permissions system. To learn more, -read through the documentation on the [new CI/CD permissions model](project/new_ci_build_permissions_model.md#new-ci-job-permissions-model). - -## Running pipelines on protected branches - -The permission to merge or push to protected branches defines whether a user can -run CI/CD pipelines and execute actions on jobs that are related to those branches. - -See [Security on protected branches](../ci/pipelines.md#security-on-protected-branches) -for details about the pipelines security model. - -## LDAP users permissions - -Since GitLab 8.15, admin users can manually override LDAP user permissions. -Read through the documentation on [LDAP users permissions](../administration/auth/how_to_configure_ldap_gitlab_ee/index.md) to learn more. - -## Project aliases - -Project aliases can only be read, created and deleted by a GitLab administrator. -Read through the documentation on [Project aliases](../user/project/index.md#project-aliases-premium-only) to learn more. -- GitLab From 35bd6f191b7a058f5d5bb1d3a9e5f7246bfabc95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Zaj=C4=85c?= Date: Mon, 6 Apr 2020 14:56:48 +0200 Subject: [PATCH 59/62] Fix broken links --- doc/api/project_vulnerabilities.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md index 33f015442b6b17..91e8d0c6385da8 100644 --- a/doc/api/project_vulnerabilities.md +++ b/doc/api/project_vulnerabilities.md 
@@ -32,7 +32,7 @@ Read more on [pagination](README.md#pagination).
 List all of a project's vulnerabilities.
 If an authenticated user does not have permission to
-[use the Project Security Dashboard](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+[use the Project Security Dashboard](../user/permissions.md#project-members-permissions),
 `GET` requests for vulnerabilities of this project will result in a `403` status code.
 ```plaintext
@@ -109,7 +109,7 @@ Example response:
 Creates a new vulnerability.
 If an authenticated user does not have a permission to
-[create a new vulnerability](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+[create a new vulnerability](../user/permissions.md#project-members-permissions),
 this request will result in a `403` status code.
 ```plaintext
-- GitLab
From 3a6ed211e225d7c022c1334ae161efb67dfa1708 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Zaj=C4=85c?=
Date: Mon, 6 Apr 2020 16:11:10 +0200
Subject: [PATCH 60/62] Fix more broken links
---
 doc/api/vulnerabilities.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md
index b06cc4282b6941..f91e442751689b 100644
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -78,7 +78,7 @@ Example response:
 Confirms a given vulnerability. Returns status code `304` if the vulnerability is already confirmed.
 If an authenticated user does not have permission to
-[confirm vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+[confirm vulnerabilities](../user/permissions.md#project-members-permissions),
 this request will result in a `403` status code.
 ```plaintext
-- GitLab
From 4c3e65ad672df929f6ecac33147f4a00a6ab4af4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Zaj=C4=85c?=
Date: Mon, 6 Apr 2020 16:19:29 +0200
Subject: [PATCH 61/62] Fix last broken link
---
 doc/api/vulnerabilities.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/api/vulnerabilities.md b/doc/api/vulnerabilities.md
index f91e442751689b..ff1a6a7ebcd06f 100644
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -128,7 +128,7 @@ Example response:
 Resolves a given vulnerability. Returns status code `304` if the vulnerability is already resolved.
 If an authenticated user does not have permission to
-[resolve vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+[resolve vulnerabilities](../user/permissions.md#project-members-permissions),
 this request will result in a `403` status code.
 ```plaintext
@@ -178,7 +178,7 @@ Example response:
 Dismisses a given vulnerability. Returns status code `304` if the vulnerability is already dismissed.
 If an authenticated user does not have permission to
-[dismiss vulnerabilities](../user/permissions_stub_first_class_vulnerabilities.md#project-members-permissions),
+[dismiss vulnerabilities](../user/permissions.md#project-members-permissions),
 this request will result in a `403` status code.
 ```plaintext
-- GitLab
From 4fa2d4ed032aad69683971a1ff62be4f3f18f2eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Zaj=C4=85c?=
Date: Wed, 8 Apr 2020 20:17:32 +0200
Subject: [PATCH 62/62] Update Vulnerability JSON response
---
 doc/api/project_vulnerabilities.md | 171 +++++++++++++++++------
 1 file changed, 98 insertions(+), 73 deletions(-)
diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
index 91e8d0c6385da8..84bbc789b0cd57 100644
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -51,56 +51,56 @@ Example response:
 ```json
 [
- {
- "id": 2,
- "title": "Predictable pseudorandom number generator",
- "description": null,
- "state": "closed",
- "severity": "medium",
- "confidence": "medium",
- "report_type": "sast",
- "project": {
- "id": 32,
- "name": "security-reports",
- "full_path": "/gitlab-examples/security/security-reports",
- "full_name": "gitlab-examples / security / security-reports"
- },
- "author_id": 1,
- "updated_by_id": null,
- "last_edited_by_id": null,
- "closed_by_id": null,
- "start_date": null,
- "due_date": null,
- "created_at": "2019-10-13T15:08:40.219Z",
- "updated_at": "2019-10-13T15:09:40.382Z",
- "last_edited_at": null,
- "closed_at": null
- },
- {
- "id": 3,
- "title": "ECB mode is insecure",
- "description": null,
- "state": "opened",
- "severity": "medium",
- "confidence": "high",
- "report_type": "sast",
- "project": {
- "id": 32,
- "name": "security-reports",
- "full_path": "/gitlab-examples/security/security-reports",
- "full_name": "gitlab-examples / security / security-reports"
- },
- "author_id": 1,
- "updated_by_id": null,
- "last_edited_by_id": null,
- "closed_by_id": null,
- "start_date": null,
- "due_date": null,
- "created_at": "2019-10-16T11:19:21.691Z",
- "updated_at": "2019-10-16T11:19:21.691Z",
- "last_edited_at": null,
- "closed_at": null
- }
+ {
+ "author_id": 1,
+ "confidence": "medium",
+ "created_at": "2020-04-07T14:01:04.655Z",
+ "description": null,
+ "dismissed_at": null,
+ "dismissed_by_id": null,
+ "due_date": null,
+ "finding": {
+ "confidence": "medium",
+ "created_at": "2020-04-07T14:01:04.630Z",
+ "id": 103,
+ "location_fingerprint": "228998b5db51d86d3b091939e2f5873ada0a14a1",
+ "metadata_version": "2.0",
+ "name": "Regular Expression Denial of Service in debug",
+ "primary_identifier_id": 135,
+ "project_fingerprint": "05e7cc9978ca495cf739a9f707ed34811e41c615",
+ "project_id": 24,
+ "raw_metadata": "{\"category\":\"dependency_scanning\",\"name\":\"Regular Expression Denial of 
Service\",\"message\":\"Regular Expression Denial of Service in debug\",\"description\":\"The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.\",\"cve\":\"yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a\",\"severity\":\"Unknown\",\"solution\":\"Upgrade to latest versions.\",\"scanner\":{\"id\":\"gemnasium\",\"name\":\"Gemnasium\"},\"location\":{\"file\":\"yarn.lock\",\"dependency\":{\"package\":{\"name\":\"debug\"},\"version\":\"1.0.5\"}},\"identifiers\":[{\"type\":\"gemnasium\",\"name\":\"Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a\",\"value\":\"37283ed4-0380-40d7-ada7-2d994afcc62a\",\"url\":\"https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories\"}],\"links\":[{\"url\":\"https://nodesecurity.io/advisories/534\"},{\"url\":\"https://github.com/visionmedia/debug/issues/501\"},{\"url\":\"https://github.com/visionmedia/debug/pull/504\"}],\"remediations\":[null]}",
+ "report_type": "dependency_scanning",
+ "scanner_id": 63,
+ "severity": "low",
+ "updated_at": "2020-04-07T14:01:04.664Z",
+ "uuid": "f1d528ae-d0cc-47f6-a72f-936cec846ae7",
+ "vulnerability_id": 103
+ },
+ "id": 103,
+ "last_edited_at": null,
+ "last_edited_by_id": null,
+ "project": {
+ "created_at": "2020-04-07T13:54:25.634Z",
+ "description": "",
+ "id": 24,
+ "name": "security-reports",
+ "name_with_namespace": "gitlab-org / security-reports",
+ "path": "security-reports",
+ "path_with_namespace": "gitlab-org/security-reports"
+ },
+ "project_default_branch": "master",
+ "report_type": "dependency_scanning",
+ "resolved_at": null,
+ "resolved_by_id": null,
+ "resolved_on_default_branch": false,
+ "severity": "low",
+ "start_date": null,
+ "state": "detected",
+ "title": "Regular Expression Denial of Service in debug",
+ "updated_at": "2020-04-07T14:01:04.655Z",
+ "updated_by_id": null
+ }
 ]
 ```
@@ -140,29 +140,54 @@ Example response:
 ```json
 {
- "id": 2,
- "title": "Predictable pseudorandom number generator",
- "description": null,
- "state": "opened",
- "severity": "medium",
- "confidence": "medium",
- "report_type": "sast",
- "project": {
- "id": 32,
- "name": "security-reports",
- "full_path": "/gitlab-examples/security/security-reports",
- "full_name": "gitlab-examples / security / security-reports"
- },
- "author_id": 1,
- "updated_by_id": null,
- "last_edited_by_id": null,
- "closed_by_id": null,
- "start_date": null,
- "due_date": null,
- "created_at": "2019-10-13T15:08:40.219Z",
- "updated_at": "2019-10-13T15:09:40.382Z",
- "last_edited_at": null,
- "closed_at": null
+ "author_id": 1,
+ "confidence": "medium",
+ "created_at": "2020-04-07T14:01:04.655Z",
+ "description": null,
+ "dismissed_at": null,
+ "dismissed_by_id": null,
+ "due_date": null,
+ "finding": {
+ "confidence": "medium",
+ "created_at": "2020-04-07T14:01:04.630Z",
+ "id": 103,
+ "location_fingerprint": "228998b5db51d86d3b091939e2f5873ada0a14a1",
+ "metadata_version": "2.0",
+ "name": "Regular Expression Denial of Service in debug",
+ "primary_identifier_id": 135,
+ "project_fingerprint": "05e7cc9978ca495cf739a9f707ed34811e41c615",
+ "project_id": 24,
+ "raw_metadata": "{\"category\":\"dependency_scanning\",\"name\":\"Regular Expression Denial of Service\",\"message\":\"Regular Expression Denial of Service in debug\",\"description\":\"The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. 
It takes around 50k characters to block for 2 seconds making this a low severity issue.\",\"cve\":\"yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a\",\"severity\":\"Unknown\",\"solution\":\"Upgrade to latest versions.\",\"scanner\":{\"id\":\"gemnasium\",\"name\":\"Gemnasium\"},\"location\":{\"file\":\"yarn.lock\",\"dependency\":{\"package\":{\"name\":\"debug\"},\"version\":\"1.0.5\"}},\"identifiers\":[{\"type\":\"gemnasium\",\"name\":\"Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a\",\"value\":\"37283ed4-0380-40d7-ada7-2d994afcc62a\",\"url\":\"https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories\"}],\"links\":[{\"url\":\"https://nodesecurity.io/advisories/534\"},{\"url\":\"https://github.com/visionmedia/debug/issues/501\"},{\"url\":\"https://github.com/visionmedia/debug/pull/504\"}],\"remediations\":[null]}",
+ "report_type": "dependency_scanning",
+ "scanner_id": 63,
+ "severity": "low",
+ "updated_at": "2020-04-07T14:01:04.664Z",
+ "uuid": "f1d528ae-d0cc-47f6-a72f-936cec846ae7",
+ "vulnerability_id": 103
+ },
+ "id": 103,
+ "last_edited_at": null,
+ "last_edited_by_id": null,
+ "project": {
+ "created_at": "2020-04-07T13:54:25.634Z",
+ "description": "",
+ "id": 24,
+ "name": "security-reports",
+ "name_with_namespace": "gitlab-org / security-reports",
+ "path": "security-reports",
+ "path_with_namespace": "gitlab-org/security-reports"
+ },
+ "project_default_branch": "master",
+ "report_type": "dependency_scanning",
+ "resolved_at": null,
+ "resolved_by_id": null,
+ "resolved_on_default_branch": false,
+ "severity": "low",
+ "start_date": null,
+ "state": "detected",
+ "title": "Regular Expression Denial of Service in debug",
+ "updated_at": "2020-04-07T14:01:04.655Z",
+ "updated_by_id": null
 }
 ```
-- GitLab