GitLab issues feed: https://gitlab.com/gitlab-org/gitlab/-/issues (updated 2023-10-16T20:41:30Z)

## Group SAML - Check SSO status on API activity and direct user to SSO
https://gitlab.com/gitlab-org/gitlab/-/issues/297389 (Melissa Ushakov, updated 2023-10-16T20:41:30Z)
### Problem to solve
While we're [enforcing SSO](https://gitlab.com/gitlab-org/gitlab-ee/issues/5291), we should similarly enforce SSO outside of the GitLab UI. For the purposes of security, this gives enterprises a greater degree of control over protected resources.
### Proposal
We should perform the same check on API activity that we do in the [UI](https://gitlab.com/gitlab-org/gitlab-ee/issues/5291):
* When a user attempts an API action in a group that's enforcing SSO:
  * If the represented user does not meet the [SSO login threshold](https://gitlab.com/gitlab-org/gitlab-ee/issues/5291), present them with an error: `"Cannot find valid SSO session. Please login via your group's SSO at #{group_saml_url}"`
* This change should be a configuration option at the group level.
* Credentials that are not tied to human users should not have an SSO check enforced (project access tokens, deploy keys, etc.).
### Iteration plan
1. Introduce a new configuration option at the group level. This option should be disabled by default for existing and new SAML setups:
![image](/uploads/00d75cb5658b1d297ee1fc3d5eabcb53/image.png)
2. If a user attempts an API action in a group that's enforcing SSO, and the represented user does not meet the SSO login threshold, present them with an error: `"Cannot find valid SSO session. Please login via your group's SSO at #{group_saml_url}"`
3. Credentials that are not tied to human users should not have an SSO check enforced (project access tokens, deploy keys, etc.).
### Availability & Testing
**What risks does this change pose to our availability?**
A potential risk to account access: users/bots may lose access in case we enable "enforce SSO for API activity" by default for all existing accounts that use PATs for automated access.
**What additional test coverage or changes to tests will be needed?**
* Ensure the feature is off by default
* Ensure Project access tokens (for bot users) are exempt from this enforcement.
* Ensure Personal access tokens are NOT exempt from this enforcement.
Also, we should be adding end-to-end test coverage for this feature.
Milestone: Backlog

## gemnasium-python fails to install psycopg2 (Dependency Scanning)
https://gitlab.com/gitlab-org/gitlab/-/issues/206952 (Peter Bittner, django@bittner.it, updated 2024-03-22T20:33:36Z)
While trying to integrate [dependency scanning](https://gitlab.com/help/user/application_security/dependency_scanning/index.md#configuration) in [our (publicly visible) pipeline](https://gitlab.com/appuio/example-django/pipelines) I get a failing build when `gemnasium-python` tries to install our [project requirements](https://gitlab.com/appuio/example-django/-/blob/master/requirements/production.txt):
```
Error: pg_config executable not found.
```
The reason for this is that you need [development prerequisites installed](https://github.com/painless-software/docker-tox/blob/master/Dockerfile#L10) for the Postgres integration package [psycopg2](https://pypi.org/project/psycopg2/), which provides the `pg_config` executable (likewise for MySQL/MariaDB, by the way).
```
...
2020/02/17 14:58:38 [gemnasium-python] Starting analyzer...
Found project in /tmp/app
From https://gitlab.com/gitlab-org/security-products/gemnasium-db
* branch master -> FETCH_HEAD
b66ab3ea..99138979 master -> origin/master
HEAD is now at 99138979 Merge branch 'adbcurate/CVE-2020-2124.yml' into 'master'
Collecting django-environ==0.4.5
Downloading https://files.pythonhosted.org/packages/9f/32/76295a1a5d00bf556c495216581c6997e7fa5f533b2229e0a9d6cbaa95ae/django_environ-0.4.5-py2.py3-none-any.whl
Saved ./dist/django_environ-0.4.5-py2.py3-none-any.whl
Collecting django-probes==1.2.0
Downloading https://files.pythonhosted.org/packages/fa/c2/f41118c770f66dda3c388ecf63db28cf4e5b144197c4d79c4df3a90df958/django_probes-1.2.0.tar.gz
Saved ./dist/django_probes-1.2.0.tar.gz
Collecting django==2.2.9
Downloading https://files.pythonhosted.org/packages/cb/c9/ef1e25bdd092749dae74c95c2707dff892fde36e4053c4a2354b2303be10/Django-2.2.9-py3-none-any.whl (7.5MB)
Saved ./dist/Django-2.2.9-py3-none-any.whl
Collecting pytz==2019.3
Downloading https://files.pythonhosted.org/packages/e7/f9/f0b53f88060247251bf481fa6ea62cd0d25bf1b11a87888e53ce5b7c8ad2/pytz-2019.3-py2.py3-none-any.whl (509kB)
Saved ./dist/pytz-2019.3-py2.py3-none-any.whl
Collecting sqlparse==0.3.0
Downloading https://files.pythonhosted.org/packages/ef/53/900f7d2a54557c6a37886585a91336520e5539e3ae2423ff1102daf4f3a7/sqlparse-0.3.0-py2.py3-none-any.whl
Saved ./dist/sqlparse-0.3.0-py2.py3-none-any.whl
Collecting uwsgi==2.0.18
Downloading https://files.pythonhosted.org/packages/e7/1e/3dcca007f974fe4eb369bf1b8629d5e342bb3055e2001b2e5340aaefae7a/uwsgi-2.0.18.tar.gz (801kB)
Saved ./dist/uwsgi-2.0.18.tar.gz
Collecting psycopg2==2.8.4
Downloading https://files.pythonhosted.org/packages/84/d7/6a93c99b5ba4d4d22daa3928b983cec66df4536ca50b22ce5dcac65e4e71/psycopg2-2.8.4.tar.gz (377kB)
Saved ./dist/psycopg2-2.8.4.tar.gz
ERROR: Command errored out with exit status 1:
command: /usr/local/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-download-d3azdy5y/psycopg2/setup.py'"'"'; __file__='"'"'/tmp/pip-download-d3azdy5y/psycopg2/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-download-d3azdy5y/psycopg2/pip-egg-info
cwd: /tmp/pip-download-d3azdy5y/psycopg2/
Complete output (23 lines):
running egg_info
creating /tmp/pip-download-d3azdy5y/psycopg2/pip-egg-info/psycopg2.egg-info
writing /tmp/pip-download-d3azdy5y/psycopg2/pip-egg-info/psycopg2.egg-info/PKG-INFO
writing dependency_links to /tmp/pip-download-d3azdy5y/psycopg2/pip-egg-info/psycopg2.egg-info/dependency_links.txt
writing top-level names to /tmp/pip-download-d3azdy5y/psycopg2/pip-egg-info/psycopg2.egg-info/top_level.txt
writing manifest file '/tmp/pip-download-d3azdy5y/psycopg2/pip-egg-info/psycopg2.egg-info/SOURCES.txt'
Error: pg_config executable not found.
pg_config is required to build psycopg2 from source. Please add the directory
containing pg_config to the $PATH or specify the full executable path with the
option:
python setup.py build_ext --pg-config /path/to/pg_config build ...
or with the pg_config option in 'setup.cfg'.
If you prefer to avoid building psycopg2 from source, please install the PyPI
'psycopg2-binary' package instead.
For further information please check the 'doc/src/install.rst' file (also at
<http://initd.org/psycopg/docs/install.html>).
----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
exit status 1
2020/02/17 14:58:47 Container exited with non zero status code
```
In other words, with the [current setup](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml) of Dependency Scanning on GitLab, projects that require the `psycopg2` Python package will be unable to run a successful dependency scan.
Is there a way to make this work that I didn't see?
Milestone: Backlog

## Introduce NPM Audit to the GitLab NPM Registry
https://gitlab.com/gitlab-org/gitlab/-/issues/13754 (Tim Rizzi, trizzi@gitlab.com, updated 2023-08-14T17:09:37Z)
### Problem to solve
The GitLab NPM Registry allows node.js developers to build and publish images to GitLab. However, we do not take full advantage of NPM's capabilities with regards to security and vulnerability scanning.
`npm audit` is a command that performs a security review of the dependency tree. Audit reports contain information about security vulnerabilities in dependencies and can help fix a vulnerability by providing simple-to-run npm commands and recommendations for further troubleshooting.
### Intended users
- [Software Developer](https://design.gitlab.com/getting-started/personas#persona-sasha)
- [DevOps Engineer](https://design.gitlab.com/getting-started/personas#persona-devon)
- [Systems Administrator](https://design.gitlab.com/getting-started/personas#persona-sidney)
- [Security Analyst](https://design.gitlab.com/getting-started/personas#persona-sam)
### Proposal
Add `npm audit` to the list of supported commands for the NPM Registry and UI so that users can view and remediate any security vulnerabilities as part of their registry.
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
Milestone: Backlog

## Index Microsoft Word files in ElasticSearch
https://gitlab.com/gitlab-org/gitlab/-/issues/13681 (Francis Potter (personal), updated 2022-06-16T15:11:54Z)
An [enterprise customer](https://gitlab.my.salesforce.com/00161000003RIHP) is interested in using GitLab as a sort of document management system, which requires them to store Microsoft Word files in repos. They understand and accept that they won't be able to see the Word files in the GitLab UI, but would like to be able to search within them. This issue is to add Microsoft Word to the ElasticSearch indexer.
/cc @phikai @dsatcher @nick.thomas @ebrinkman @bdowney

## Create SAML Group Lock for SaaS
https://gitlab.com/gitlab-org/gitlab/-/issues/417989 (Segolene Bouly, updated 2023-12-11T15:22:05Z)
### Proposal
[Available for self-managed](https://docs.gitlab.com/ee/user/group/saml_sso/group_sync.html#global-saml-group-memberships-lock) since GitLab 15.10, create a "SAML Group Lock" for SaaS at the top-level group.
A top-level group owner should be able to set a SAML group memberships lock to prevent group members from inviting new members to subgroups that have their membership synchronized with [SAML Group Links](https://docs.gitlab.com/ee/user/group/saml_sso/group_sync.html#configure-saml-group-links).
Milestone: Backlog

## Expand "Scan Execution Policies" to run on MR pipelines
https://gitlab.com/gitlab-org/gitlab/-/issues/415427 (Ben King, updated 2024-03-19T12:18:21Z)
### Release notes
[Scan execution policies](https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html) have now been expanded to allow a requirement for security scans to run on merge request pipelines. Previously this was limited to branch pipelines or a specified schedule.
### Problem to solve
The [execution policy editor](https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html#scan-execution-policy-editor) is currently limited in that:
- You cannot define a condition to run on a merge request pipeline
- In `.yaml` mode, you cannot define the `.latest` versions of the security templates, which [now allow for use in MR pipelines](https://docs.gitlab.com/ee/user/application_security/#use-security-scanning-tools-with-merge-request-pipelines).
### Proposal
Some customers ([example: A Large SaaS customer](https://gitlab.my.salesforce.com/00161000006g0a3AAA)) have [expressed interest](https://gitlab.zendesk.com/agent/tickets/418291) (these links are internal only) in adding the ability to define execution policies for merge request pipelines.
An MVC solution would be to allow for `.yaml` modification to specify the "latest" version of the security templates.
### Current alternatives
Customers can use [compliance pipelines](https://docs.gitlab.com/ee/user/group/compliance_frameworks.html#compliance-pipelines) to enforce the running of security jobs. Because compliance pipelines allow you to specify the template file, users can specify the latest version of the templates.
Additionally, users can override/specify rules locally in projects to trigger the jobs running on MR pipelines.
### Intended users
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/product/personas/#alex-security-operations-engineer)
Milestone: Backlog

## Enable two_factor_enabled API field for group owners
https://gitlab.com/gitlab-org/gitlab/-/issues/385177 (Katrin Leinweber (GTLB), updated 2024-01-16T03:16:04Z)
### Problem to solve
Group owners on GitLab.com want to confirm 2FA usage of group members.
The current situation is confusing, possibly a result of https://gitlab.com/gitlab-org/gitlab/-/issues/352210:
- [Our permissions say that group owners can do so](https://gitlab.com/gitlab-org/gitlab/-/blame/v15.6.1-ee/doc/user/permissions.md#L429-433), but [only admins can get the info through the API](https://gitlab.com/gitlab-org/gitlab/-/blame/v15.6.1-ee/doc/api/users.md#L107-160). Owners can _view_ the `2FA` badge on `https://gitlab.com/groups/…path…/-/group_members` pages.
- For [_provisioned_ users OTOH, the API field `two_factor_enabled` is available to owners](https://gitlab.com/gitlab-org/gitlab/-/blame/v15.6.1-ee/doc/api/groups.md?no_pagination=true#L1198-1260).
Alternatively, the `https://gitlab.com/groups/…path…/-/edit` pages have a `Two-factor authentication` option that can be enforced for all, which may make checking the status unnecessary.
### Proposal
Include `two_factor_enabled` in `GET /groups/:id/members` responses for owners of that group, like `GET /users/:id` already does for instance admins.
### Intended users
* [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#cameron-compliance-manager)
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Ingrid (Infrastructure Operator)](https://about.gitlab.com/handbook/product/personas/#ingrid-infrastructure-operator)
Milestone: Backlog

## Display CWEs on the Vulnerability Details dialog page for Dependency Scanning
https://gitlab.com/gitlab-org/gitlab/-/issues/384014 (John Feeney, updated 2024-02-21T20:57:48Z)
### Overview
Many organizations rely on the CWE classification system and use it as a guide with which they can triage and prioritize remediation of vulnerabilities, e.g., the annual CWE Top 25.
For Dependency Scanning, Gemnasium captures the CWEs associated with a vulnerability but this metadata is not displayed within the Vulnerability Details dialog.
### Context
Unlike SAST, the Vulnerability Details page for Dependency Scanning does not list associated CWEs. You can find them however with the link to the Gemnasium identifier (highlighted):
![2022-11-29_10-27-49](/uploads/aa89ec63e625ef85ad10c4409e9ce08b/2022-11-29_10-27-49.png)
Following this link brings us to the YAML where the CWEs are listed:
![2022-11-29_10-28-50](/uploads/210f4ac2a623c18715b5c8c34cd728dc/2022-11-29_10-28-50.png)
### Proposal
Surface this CWE metadata from the YAML to the Vulnerability Details page.
Milestone: Next 1-3 releases

## Allow resending failed webhook requests with the API
https://gitlab.com/gitlab-org/gitlab/-/issues/372826 (Kenneth Chu, updated 2024-02-07T12:08:21Z)
### Problem to solve
GitLab provides the ability to resend webhook requests in the UI. [Documentation here](https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#troubleshoot-webhooks)
A customer would like to be able to resend any failed requests using the API, so they can resend them programmatically when they have many failures (a hundred or more).
### Proposal
Add an API endpoint that would allow users to resend failed webhook requests.
### Workaround
Use the UI to resend requests, but this can be cumbersome when there are hundreds of failures.
Milestone: Backlog

## Commit and run CI from last stop
https://gitlab.com/gitlab-org/gitlab/-/issues/361726 (Dov Hershkovitch, dhershkovitch@gitlab.com, updated 2023-03-13T19:13:03Z)
### Problem to solve
Sometimes it's not necessary to run a pipeline from the very beginning. When you have a sizeable pipeline that is failing, you may want to commit and run the pipeline from the last job or stage that failed, using the previous job output (artifacts, reports, variables, etc.).
### Proposal
Provide users the ability to commit and run a pipeline from the last successful job.
### Intended users
<!-- Who will use this feature? If known, include any of the following: types of users (e.g. Developer), personas, or specific company roles (e.g. Release Manager). It's okay to write "Unknown" and fill this field in later.
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
* [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#cameron-compliance-manager)
* [Parker (Product Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#parker-product-manager)
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Presley (Product Designer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#presley-product-designer)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Priyanka (Platform Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#priyanka-platform-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer)
* [Simone (Software Engineer in Test)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#simone-software-engineer-in-test)
* [Allison (Application Ops)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#allison-application-ops)
* [Ingrid (Infrastructure Operator)](https://about.gitlab.com/handbook/product/personas/#ingrid-infrastructure-operator)
* [Dakota (Application Development Director)](https://about.gitlab.com/handbook/product/personas/#dakota-application-development-director)
* [Dana (Data Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#dana-data-analyst)
* [Eddie (Content Editor)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#eddie-content-editor)
-->
### Feature Usage Metrics
<!-- How are you going to track usage of this feature? Think about user behavior and their interaction with the product. What indicates someone is getting value from it?
Create tracking issue using the Snowplow event tracking template. See https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Snowplow%20event%20tracking.md
-->
<!-- Label reminders
Use the following resources to find the appropriate labels:
- https://gitlab.com/gitlab-org/gitlab/-/labels
- https://about.gitlab.com/handbook/product/categories/features/
-->
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->Backloghttps://gitlab.com/gitlab-org/gitlab/-/issues/355575Custom domain support for SaaS2024-02-13T22:00:34ZFabian ZimmerCustom domain support for SaaS<!-- The first section "Release notes" is required if you want to have your release post blog MR auto generated. Currently in BETA, details on the **release post item generator** can be found in the handbook: https://about.gitlab.com/ha...<!-- The first section "Release notes" is required if you want to have your release post blog MR auto generated. Currently in BETA, details on the **release post item generator** can be found in the handbook: https://about.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-generator and this video: https://www.youtube.com/watch?v=rfn9ebgTwKg. The next four sections: "Problem to solve", "Intended users", "User experience goal", and "Proposal", are strongly recommended in your first draft, while the rest of the sections can be filled out during the problem validation or breakdown phase. However, keep in mind that providing complete and relevant information early helps our product team validate the problem and start working on a solution. -->
### Release notes
Customers using GitLab's SaaS service can now bring their own domains.
### Problem to solve
Customers using gitlab.com rely on the base URL and can create top-level namespaces relative to this domain. For example: `gitlab.com/customer`. For many customers it may be beneficial to bring their own namespace URL, for example via a CNAME record in DNS.
### Intended users
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
### User experience goal
Customers can define their own custom domain when using our multi-tenant SaaS platform.
### Proposal
Allow customers to define their own custom domain.
### Further details
For example, custom domains are already supported for GitLab Pages: https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/
### Documentation
TBD
### Availability & Testing
TBD
### Available Tier
Likely a Silver/Gold feature.
### What is the type of buyer?
SMB and smaller enterprise customers
### Is this a cross-stage feature?
Yes
Backlog

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/352967
Title: Dependency Scanner Support for Conda
Date: 2024-03-27T14:56:09Z
Author: Jefferson Jones

### Note to wider-community, sales, support and customer success
As always [we welcome contributions](https://about.gitlab.com/community/contribute/), so feel free to ask questions of [the PM of Composition Analysis](https://about.gitlab.com/handbook/product/categories/#composition-analysis-group) if you are unsure about what needs to be done here and want to contribute the fix yourself!
NOTE: if you are a user who would also like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (so it's raised as part of our [sensing mechanisms](https://about.gitlab.com/handbook/product/product-management/process/#sensing-mechanism)). Comments ideally should include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.
If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information (what they are trying to solve for, their setup) as possible, in addition to a Salesforce or Zendesk link.
### Proposal
Teams are currently using Conda as a package manager and would like to see it supported within Dependency Scanning.
Backlog

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/350398
Title: Backend: Rollout limits for directed acyclic graph on gitlab.com
Date: 2023-12-18T19:41:11Z
Author: Jason Yavorska

The new directed acyclic graph feature carries some risk of performance issues until https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31768 is implemented:
> Note that on day one of the launch, we are temporarily limiting the
> maximum number of jobs that a single job can need in the `needs:` array. Track
> our [infrastructure issue](https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/7541)
> for details on the current limit.
This limits the following types of situations, where the number of jobs that a single job wants to depend on is over the limit:
```yaml
my_job:
  needs: [dependency1, dependency2, ...]
  ...
```
As such, we plan to roll it out as follows:
- On the 22nd the feature will be shipped with a small limit (`5`). If someone goes over the limit, they will receive a pipeline creation error (`rspec: one job can only need 5 others, but you have listed 6. See needs keyword documentation for more details`)
- @ayufan will monitor over a few days to determine the performance characteristics.
- If the feature is performant, we will set the feature to a large limit (`50`). It will remain there for the next monitoring period.
- If we see serious performance issues, we will disable the feature entirely. Users' pipelines that use the DAG will still run, but will follow stage sequencing.
The feature flag for toggling between `50` and `5` is `ci_dag_limit_needs`; it will limit to 5 when enabled. The feature flag for turning the feature on or off completely is `ci_dag_support`. We will need infrastructure support for the monitoring and toggling of necessary feature flags per the above plan.
Once the limit has been removed, we should update the `needs:` section in the YAML docs to remove the reference to this issue.
Backlog

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/347291
Title: Dependency Scanning for .NET projects without packages.lock.json (aka Direct support for .csproj)
Date: 2023-12-18T15:33:49Z
Author: Sujeevan Vijayakumaran

### Note to wider-community, sales, support and customer success
As always [we welcome contributions](https://about.gitlab.com/community/contribute/), so feel free to ask questions of [the PM of Composition Analysis](https://about.gitlab.com/handbook/product/categories/#composition-analysis-group) if you are unsure about what needs to be done here and want to contribute the fix yourself!
NOTE: if you are a user who would also like to see this feature, please UPVOTE :thumbsup: it and comment to help it get prioritized (so it's raised as part of our [sensing mechanisms](https://about.gitlab.com/handbook/product/product-management/process/#sensing-mechanism)). Comments ideally should include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.
If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information (what they are trying to solve for, their setup) as possible, in addition to a Salesforce or Zendesk link.
### Problem to solve
Dependency Scanning support for NuGet/.NET projects is limited to git repositories having `packages.lock.json`, a lock file generated by NuGet. However, the lock file is optional, and users might not want to add it to their repositories.
Currently the [Dependency Scanning docs](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#supported-languages-and-package-managers) link to the [NuGet docs](https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files), which explain how to generate a lock file.
**Warning!** Not using a lock file might result in a gap between the packages detected during the scan and the ones deployed to production; the versions might not be the same.
### Proposal
Add support for NuGet/.NET projects that don't have a lock file, so that they can be scanned right away without any additional setup.
Technically, Gemnasium could be changed to run the `dotnet` command to generate `packages.lock.json` prior to scanning it; this would be implemented using a `builder`. Support might be limited to specific versions of .NET, unless we publish multiple images to support multiple versions. See https://gitlab.com/gitlab-org/gitlab/-/issues/347291#note_1136889431
Alternatively, support for .NET projects without `packages.lock.json` might be implemented in the SBOM generators, which adds complexity but reduces maintenance cost. See https://gitlab.com/gitlab-org/gitlab/-/issues/347291#note_1137378141 and https://gitlab.com/groups/gitlab-org/-/epics/8206+.
### Workaround (And Possible Solution Code)
Here is a recent working example of making packages.lock.json dynamic. It is compatible with scanner changes since the original above. This command is for .NET Framework 4.x. This job documents the dotnet.exe command line needed for modern .NET: https://gitlab.com/guided-explorations/microsoft/azure-aks/aks-windows/-/blob/master/gitlab-ci-libs/nuget-dependency-scanning.ci.yml
Backlog

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/342158
Title: Support for Shallow Forks
Date: 2022-10-24T17:35:48Z
Author: Lee Faus

## Proposal
### Background
Git has been around for 10+ years. Companies, teams, and OSS projects that have been using Git for a long period of time are hitting the upper bounds of the recommended Git limits for storage. There are also projects that want to leverage a _monorepo_ model to simplify their CI/CD process, which also pushes the limits of a Git repository. We are seeing projects 10G, 20G, even 500G in size. Forking these repositories for the sole purpose of proposing a change causes undue IO/CPU load on the machines performing the _fork_ operation. When implementing capabilities like Gitaly clusters, the size of this fork chain could easily reach many TB that need to be replicated n times, causing unusually high network traffic and making it harder for global replication to reach eventual consistency.
### Example
A quick look at a project like Chromium: the overall size of the repository is ~19G. If there are 100 people working on this project who are not core committers, we would need 1,900G or 2Tb of storage for the user forks. We know that users don't delete their forks once their commit(s) have been approved, leaving orphaned forks that continue to be backed up and replicated. These forks also become stale over time, so the easy path is for users to _re-fork_ without understanding the consequences.
### Suggestion
When a user clicks the fork button, provide a modal dialog box that asks the user to choose either a Full Fork or a Shallow Fork. The Full Fork would work the way it does today, whereas the Shallow Fork is basically a `git clone --filter=blob:none --no-checkout ...`. This would reduce the overall size of the clone above from ~19G to ~1.9G. The repository would show no files, so there should be a page similar to the one shown when you create a new empty project, explaining to the user how to leverage commands like `sparse-checkout` to limit the amount of data that needs to be transferred from the GitLab instance to the user's workstation. A normal branching workflow would then take place, allowing the user to open an MR back to the parent repository. There are a number of benefits here, like leveraging CI for smaller commits and allowing clones to use commands like `filter=oid:<branch>` for quick clones and faster feedback cycles.
### Other options
- Allow the user to choose a branch for the fork and then use a `filter=combine` to group the clone and limit the blobs/oids that are replicated
- Allow a user to do this manually on their own machine, giving them full control of the options they want to use, and then give them the ability to add a _remote_ to the project, allowing them to manually attach a fork
- Allow a user to provide a new branch and do a sparse checkout on the backend for them, showing the files, and then let them leverage tools like the Web IDE for changes
/cc @andrewn @sean_carroll
Backlog
Assignee: Lee Faus

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/327264
Title: Microsoft Teams Bot Integration
Date: 2023-04-26T00:52:30Z
Author: Jefferson Jones

### Proposal
Curious if GitLab was planning to create a MS Teams bot similar to the GitHub bot for MS Teams.
https://techcommunity.microsoft.com/t5/microsoft-teams-blog/github-code-better-together-with-github-and-microsoft-teams/ba-p/659444
The GitHub bot gives real-time feedback in MS Teams and a very dynamic experience with our open source projects on GitHub. Webhooks are great, but they are a bit static and clutter up a channel with new posts every time something happens.
I understand that Microsoft owns both ends of that integration now but it’s a compelling integration and we’d love to see GitLab implement something similar.
### Links / references
Customer: https://gitlab.my.salesforce.com/0014M00001lbBxr?srPos=0&srKp=001
cc: @deuley
Backlog

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/299490
Title: Allow CI Reports to be Namespaced to support monorepos
Date: 2024-02-08T01:52:36Z
Author: Tim Poffenbarger

### Problem to solve
In a monorepo, there is a need to segment scans and test reports by parts of the repository (whether that is a specific file or an application) rather than always covering the entire contents of the repository. In GitLab, reports are currently tied to artifacts, artifacts are tied to the `.gitlab-ci.yml` file, and that file is tied to the project, so reports are viewed for the entire project or source code repo.
As GitLab is leveraged for more diverse source code and CI needs, we are missing the ability to scope CI Report Artifacts to specific areas of a repository.
Currently all results for a given "report type" (e.g. `sast`, `junit`, or [many others](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreports)) get merged into the same dataset. This is convenient when I want MANY jobs to funnel into a single report, but when I want to have different reports for different areas within a given codebase, I am unable to do so.
For DAST, oftentimes the "Default Branch" will be used to deploy to multiple environments, and if multiple environments run DAST scans, the results will be a combination of all environments, which is not helpful.
### Intended users
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* [Simone (Software Engineer in Test)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#simone-software-engineer-in-test)
### User experience goal
We ought to support namespaces for Artifact Reports.
### Proposal
Add a `namespace` designation so that reports when defined can be namespaced.
```yaml
sast:app1:
  variables:
    CI_PROJECT_DIR: app1/
  artifacts:
    reports:
      sast: gl-sast-report.json
      namespace: app1
sast:app2:
  variables:
    CI_PROJECT_DIR: app2/
  artifacts:
    reports:
      sast: gl-sast-report.json
      namespace: app2
```
**OR** like how [environment namespaces](https://docs.gitlab.com/ee/ci/environments/#grouping-similar-environments) work:
```yaml
sast:app1:
  variables:
    CI_PROJECT_DIR: app1/
  artifacts:
    reports:
      sast/app1: gl-sast-report.json
sast:app2:
  variables:
    CI_PROJECT_DIR: app2/
  artifacts:
    reports:
      sast/app2: gl-sast-report.json
```
### Further details
This is vital to enable support for monorepo architectures.
Backlog

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/229817
Title: Report vulnerable dependency paths for Maven, Gradle (Java)
Date: 2024-01-29T22:00:39Z
Author: Fabien Catteau (fcatteau@gitlab.com)

### Problem to solve
Dependency Scanning should report the dependency paths for vulnerable dependencies found in Java projects using Maven or Gradle. These dependency paths can then be shown in the UI, including in the dependency list. See https://gitlab.com/gitlab-org/gitlab/-/issues/227620
### Proposal
Update the lock file parser used to parse the JSON output of the Gemnasium plugins for Maven and Gradle (same output), and make it able to build the dependency graph.
### Implementation plan
- [ ] update the specific lock file [parser](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/tree/v2.18.0/scanner/parser) so that it lists dependency links, and release a new version of [gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)
- [ ] update the `gemnasium` dependency in [gemnasium-maven](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven), and release a new version (unless https://gitlab.com/gitlab-org/gitlab/-/issues/198361 is done)
- [ ] update expected Dependency Scanning reports in [test projects](https://gitlab.com/gitlab-org/security-products/tests) using this package manager
- [ ] update [Dependency Scanning documentation](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html) to state that dependency paths are supported for this particular package manager
### Permissions and Security
N/A
### Documentation
Dependency Path support for this particular package manager should be documented in [Dependency Scanning documentation](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html).
### Availability & Testing
To be tested automatically when doing QA for the analyzer project and checking the generated report.
### What does success look like, and how can we measure that?
The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.
### What is the type of buyer?
~"GitLab Ultimate"
Backlog

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/215470
Title: Container Scanning - Enable scan of multiple images
Date: 2024-01-24T20:43:28Z
Author: Olivier Gonzalez

### Problem to solve
Allow scanning multiple container images in the same pipeline as some changes might impact and introduce security issues in multiple images.
As the maintainer of a large monolithic project, I need to scan several images. This set of images may change on a semi-frequent basis, and I would like to be able to dynamically feed the list of images to Container Scanning so that I do not need to make changes to my `.gitlab-ci.yml` for each image.
The GitLab AppSec team also mentioned that they need to scan upwards of 40 images, and it's tedious to create separate CI jobs for each.
### Proposal
- validate all pre-requisite work is achieved (see blocking issues)
- update documentation
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
Backlog

https://gitlab.com/gitlab-org/gitlab/-/issues/8375
Automatically notify and update dependencies
2024-01-24T10:21:08Z
Joshua Lambert

We are working to automatically remediate dependencies with a security vulnerability, but there is also value in notifying users and potentially automatically updating dependencies which are out of date.
This is helpful for a few reasons:
* If you let a dependency get very far out of date, upgrading can be time intensive and risky.
* For some libraries, there could be security updates that are not generating CVEs or appearing in the usual feeds.
It would be great to have a service which performed this function, and not just for dependency versions with a published vulnerability.
Backlog