
Version Check - Add support for critical severity

What does this MR do and why?

GitLab Frontend changes for #387719 (closed)
Implements GitLab support for: https://gitlab.com/gitlab-services/version-gitlab-com/-/issues/455
Removes Feature Flag: :critical_security_alert

This change adds support in GitLab for a new upgrade severity value, critical, provided by the version.gitlab.com API. When the API returns critical, the UI shows invasive elements to Admin users warning them that their instance is behind a critical security patch.

Initially this feature keyed off the danger severity value. However, danger is used for any security release, from low severity to critical, so the invasive UI elements appeared far more often than they should have.
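The following is an added example, not GitLab's own code, that models the decision described above: how a version-check response is mapped to an admin-facing alert level, contrasting the earlier danger-keyed behaviour with the critical-only behaviour this MR introduces. The response hashes follow the shape of the spoof patches further down; the method and constant names, the handling of an absent or unknown severity, and the way `latest_stable_versions` is reduced to recommended upgrade targets are assumptions made for illustration.

```ruby
# Added example (not GitLab's own code). Models how a version.gitlab.com
# response is turned into an admin alert level. Hash shapes follow the spoof
# patches in the MR; method/constant names below are assumptions.

ALERT_NONE     = :none
ALERT_UPDATE   = :update    # non-security update available
ALERT_SECURITY = :security  # security update, not critical
ALERT_CRITICAL = :critical  # invasive UI: critical security patch

# Behaviour before the change: any "danger" severity lit up the invasive UI,
# whether the underlying security release was low or critical.
def alert_level_keyed_on_danger(response)
  case response&.fetch('severity', nil)
  when 'danger'  then ALERT_CRITICAL
  when 'warning' then ALERT_UPDATE
  else ALERT_NONE
  end
end

# Behaviour after the change: only the explicit "critical" value is invasive;
# "danger" still surfaces as a non-invasive security alert.
def alert_level(response)
  case response&.fetch('severity', nil)
  when 'critical' then ALERT_CRITICAL
  when 'danger'   then ALERT_SECURITY
  when 'warning'  then ALERT_UPDATE
  when 'success'  then ALERT_NONE
  else
    # Absent or unknown severity (e.g. the check failed or the API added a
    # value this code does not know): show nothing rather than guess.
    ALERT_NONE
  end
end

# Assumed reduction of latest_stable_versions to upgrade targets: the highest
# patch release on the admin's current minor line, plus the newest stable
# version overall. Returns [] when the response carries no version list.
def recommended_versions(response, current_version)
  versions = Array(response['latest_stable_versions'])
             .map { |v| Gem::Version.new(v) }.sort
  return [] if versions.empty?

  current    = Gem::Version.new(current_version)
  same_minor = versions.select { |v| v.segments[0, 2] == current.segments[0, 2] }
  [same_minor.last, versions.last].compact.uniq.map(&:to_s)
end

# Constructed sample responses, shaped like the spoof hashes in the MR.
SAMPLES = {
  'success'  => { 'severity' => 'success' },
  'warning'  => { 'severity' => 'warning' },
  'danger'   => { 'severity' => 'danger' },
  'critical' => { 'severity' => 'critical',
                  'details' => 'constructed placeholder advisory text',
                  'latest_stable_versions' => ['15.9.2', '15.10.0', '16.0.0'] }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, resp|
    puts format('%-8s before=%-9s after=%s',
                name, alert_level_keyed_on_danger(resp), alert_level(resp))
  end
  p recommended_versions(SAMPLES['critical'], '15.9.1')
end
```

Running the file prints the before/after level for each sample; the `danger` row is the one that changes, which is the behaviour the description above motivates. Unknown severities fall through to `ALERT_NONE` so a new API value cannot accidentally trigger the invasive UI.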

Screenshots or screen recordings

UI
No updates available
Non-security update available
Non-critical security update available
Critical security update available ASAP

How to set up and validate locally

Important: You will need to apply a "spoof" patch to make your GDK think it is behind the latest version. The patches below produce each scenario.
Important: Reset any changes before applying a different patch.

No updates available
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 9f9cccf54a53..713cf2491315 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -13,7 +13,8 @@ def show_version_check?
   end
 
   def gitlab_version_check
-    VersionCheck.new.response
+    #VersionCheck.new.response
+    { "severity" => 'success' }
   end
   strong_memoize_attr :gitlab_version_check
 
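Review bot: all four spoof patches are cut against the same base blob (`index 9f9cccf54a53..`), so they apply only one at a time on a clean checkout; the reset instruction above is doing real work and could be made concrete here, e.g. `git checkout app/helpers/version_check_helper.rb` before applying the next patch. The stub itself is fine for the no-update case: `{ "severity" => 'success' }` carries only the key this scenario reads.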
Non-security update available
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 9f9cccf54a53..adc310b600d3 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -13,7 +13,8 @@ def show_version_check?
   end
 
   def gitlab_version_check
-    VersionCheck.new.response
+    #VersionCheck.new.response
+    { "severity" => 'warning' }
   end
   strong_memoize_attr :gitlab_version_check
 
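Review bot: `#VersionCheck.new.response` has no space after `#`, which RuboCop's Layout/LeadingCommentSpace flags, so running the project's linters on a working tree with this patch applied will report the line (the same applies to the other three patches). Harmless for a throwaway spoof, but worth knowing when the lint failure appears.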
Non-critical security update available
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 9f9cccf54a53..202101e5c900 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -13,7 +13,8 @@ def show_version_check?
   end
 
   def gitlab_version_check
-    VersionCheck.new.response
+    #VersionCheck.new.response
+    { "severity" => 'danger' }
   end
   strong_memoize_attr :gitlab_version_check
 
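Review bot: this `'danger'` spoof is the scenario that motivates the MR (the description notes that danger covers security releases from low severity to critical), so its validation step should include a negative check as well: the non-critical security alert is shown and the invasive critical elements are absent. As written, step 5 only asks that the UI match the screenshot.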
Critical security update available
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 9f9cccf54a53..8f2b1ec6bab6 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -13,7 +13,8 @@ def show_version_check?
   end
 
   def gitlab_version_check
-    VersionCheck.new.response
+    #VersionCheck.new.response
+    { "severity" => SECURITY_ALERT_SEVERITY, "details" => 'There is a runner token vulnerability on this version. Please upgrade to prevent an attacker executing code on your instance', "latest_stable_versions" => ['15.9.2', '15.10.0', '16.0.0'] }
   end
   strong_memoize_attr :gitlab_version_check
 
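Review bot: the `+` line references `SECURITY_ALERT_SEVERITY` bare, whereas the other three spoofs use string literals; it only resolves if that constant is defined in, or included into, `VersionCheckHelper` on the checkout being patched, otherwise the helper raises `NameError` on every page load. Using the literal `'critical'` (the value the description says the API returns) keeps the spoof self-contained and makes it obvious which severity is being simulated. The long `details` string on one line would also read better split across lines, though that is cosmetic in a local patch.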
  1. Log in as an Admin (root is admin by default)
  2. Apply your selected patch
  3. Refresh any page
  4. Click the Help dropdown in the top right of the nav (? icon)
  5. Ensure the UI matches the corresponding screenshot above

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #387719 (closed)

Edited by Zack Cuddy
