
GitLab Upgrade Alert - Security Upgrade Alert

Zack Cuddy requested to merge 379130-version-check-alert into master

What does this MR do and why?

Work towards #344682 (closed)
Closes #379130 (closed)

This change adds a Non-Dismissible Alert for instance admins to upgrade when their instance is behind a Security Release. We use the existing Version Check application to determine the severity of an upgrade and only render the alert when the severity is danger.

There is a lot of discussion and context about this initiative on this issue: #344682 (closed)

Additionally, some Snowplow tracking has been added to the rendering of this component and the links.

Screenshots or screen recordings

Description Screenshot
Up to date Up_to_date
Update available Update_available
Update ASAP Screen_Shot_2022-11-22_at_11.55.27_AM
Alert Screen_Shot_2022-11-22_at_11.55.33_AM

How to set up and validate locally

Important

  1. Ensure Gitlab::CurrentSettings.version_check_enabled is set to true (it defaults to true)
  2. Version Check uses ReactiveCache, so the first time you navigate to a place where the badge should be, it may not be in the cache and may require a single reload.

Patch to spoof Security Patch

diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 0bb92dfd118..e0b156a1700 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -13,7 +13,8 @@ def show_version_check?
   end
 
   def gitlab_version_check
-    VersionCheck.new.response
+    # VersionCheck.new.response
+    { 'severity' => SECURITY_ALERT_SEVERITY }
   end
   strong_memoize_attr :gitlab_version_check
 
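Review bot: In gitlab_version_check, the spoofed return value is a hash with only the 'severity' key, so any caller that reads other fields from the real VersionCheck.new.response gets nil while this patch is applied, and the Version Check Badge steps in the test plan may not exercise the same path as production. Consider merging the forced severity into the real response instead of replacing it, and drop the commented-out `# VersionCheck.new.response` line so the spoof cannot be mistaken for the intended implementation. Because the method is memoized through strong_memoize_attr, the forced value also persists for the life of the helper instance, so the patch should be reverted before testing the "DOES NOT show up" cases again.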

How to test

  1. Log in as NON-ADMIN
  2. Click ? dropdown
  3. Ensure the Version Check Badge DOES NOT show up
  4. Ensure the Security Patch Alert DOES NOT show up
  5. Apply patch above
  6. Ensure the Security Patch Alert DOES NOT show up

  1. Log in as ADMIN
  2. Click ? dropdown
  3. Ensure the Version Check Badge DOES show up
  4. Ensure the Security Patch Alert DOES NOT show up
  5. Apply patch above
  6. Ensure the Security Patch Alert DOES show up

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #379130 (closed)

Edited by Zack Cuddy
