Add latest changes from gitlab-org/gitlab@master

changelogs/unreleased/fix-x509-signed-commit.yml

----
-title: Fix crl_url parsing and certificate visualization
-merge_request: 25876
-author: Roger Meier
-type: fixed

changelogs/unreleased/unlink-cache-deletions.yml

+---
+title: Swap to UNLINK for Redis set cache
+merge_request: 27116
+author:
+type: performance

db/migrate/20200310123229_add_index_on_enabled_and_provider_type_and_id_to_clusters.rb

+# frozen_string_literal: true
+
+class AddIndexOnEnabledAndProviderTypeAndIdToClusters < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :clusters, [:enabled, :provider_type, :id]
+    remove_concurrent_index :clusters, :enabled
+  end
+
+  def down
+    add_concurrent_index :clusters, :enabled
+    remove_concurrent_index :clusters, [:enabled, :provider_type, :id]
+  end
+end

db/schema.rb

@@ -1125,7 +1125,7 @@ ActiveRecord::Schema.define(version: 2020_03_12_163407) do
     t.integer "management_project_id"
     t.integer "cleanup_status", limit: 2, default: 1, null: false
     t.text "cleanup_status_reason"
-    t.index ["enabled"], name: "index_clusters_on_enabled"
+    t.index ["enabled", "provider_type", "id"], name: "index_clusters_on_enabled_and_provider_type_and_id"
     t.index ["management_project_id"], name: "index_clusters_on_management_project_id", where: "(management_project_id IS NOT NULL)"
     t.index ["user_id"], name: "index_clusters_on_user_id"
   end

doc/administration/lfs/manage_large_binaries_with_git_lfs.md

@@ -252,7 +252,7 @@ on [Git Credential Storage documentation](https://git-scm.com/book/en/v2/Git-Too
 GitLab checks files to detect LFS pointers on push. If LFS pointers are detected, GitLab tries to verify that those files already exist in LFS on GitLab.
-Verify that LFS in installed locally and consider a manual push with `git lfs push --all`.
+Verify that LFS is installed locally and consider a manual push with `git lfs push --all`.
 If you are storing LFS files outside of GitLab you can disable LFS on the project by setting `lfs_enabled: false` with the [projects API](../../api/projects.md#edit-project).

doc/api/graphql/reference/gitlab_schema.graphql

@@ -3934,6 +3934,11 @@ enum IssueState {
   opened
 }
+"""
+Represents untyped JSON
+"""
+scalar JSON
+
 type Label {
   """
   Background color of the label
@@ -6060,6 +6065,31 @@ type Project {
   """
   visibility: String
+  """
+  Vulnerabilities reported on the project. Available only when feature flag `first_class_vulnerabilities` is enabled.
+  """
+  vulnerabilities(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+  ): VulnerabilityConnection
+
   """
   Web URL of the project
   """
@@ -8421,4 +8451,117 @@ enum VisibilityScopesEnum {
   internal
   private
   public
+}
+
+"""
+Represents a vulnerability.
+"""
+type Vulnerability {
+  """
+  Description of the vulnerability
+  """
+  description: String
+
+  """
+  GraphQL ID of the vulnerability
+  """
+  id: ID!
+
+  """
+  The JSON location metadata for the vulnerability. Its format depends on the
+  type of the security scan that found the vulnerability
+  """
+  location: JSON
+
+  """
+  Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST)
+  """
+  reportType: VulnerabilityReportType
+
+  """
+  Severity of the vulnerability (INFO, UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL)
+  """
+  severity: VulnerabilitySeverity
+
+  """
+  State of the vulnerability (DETECTED, DISMISSED, RESOLVED, CONFIRMED)
+  """
+  state: VulnerabilityState
+
+  """
+  Title of the vulnerability
+  """
+  title: String
+
+  """
+  URL to the vulnerability's details page
+  """
+  vulnerabilityPath: String
+}
+
+"""
+The connection type for Vulnerability.
+"""
+type VulnerabilityConnection {
+  """
+  A list of edges.
+  """
+  edges: [VulnerabilityEdge]
+
+  """
+  A list of nodes.
+  """
+  nodes: [Vulnerability]
+
+  """
+  Information to aid in pagination.
+  """
+  pageInfo: PageInfo!
+}
+
+"""
+An edge in a connection.
+"""
+type VulnerabilityEdge {
+  """
+  A cursor for use in pagination.
+  """
+  cursor: String!
+
+  """
+  The item at the end of the edge.
+  """
+  node: Vulnerability
+}
+
+"""
+The type of the security scan that found the vulnerability.
+"""
+enum VulnerabilityReportType {
+  CONTAINER_SCANNING
+  DAST
+  DEPENDENCY_SCANNING
+  SAST
+}
+
+"""
+The severity of the vulnerability.
+"""
+enum VulnerabilitySeverity {
+  CRITICAL
+  HIGH
+  INFO
+  LOW
+  MEDIUM
+  UNKNOWN
+}
+
+"""
+The state of the vulnerability.
+"""
+enum VulnerabilityState {
+  CONFIRMED
+  DETECTED
+  DISMISSED
+  RESOLVED
 }
\ No newline at end of file

doc/api/graphql/reference/gitlab_schema.json

@@ -11224,6 +11224,16 @@
           ],
           "possibleTypes": null
         },
+        {
+          "kind": "SCALAR",
+          "name": "JSON",
+          "description": "Represents untyped JSON",
+          "fields": null,
+          "inputFields": null,
+          "interfaces": null,
+          "enumValues": null,
+          "possibleTypes": null
+        },
         {
           "kind": "OBJECT",
           "name": "Label",
@@ -18163,6 +18173,59 @@
               "isDeprecated": false,
               "deprecationReason": null
             },
+            {
+              "name": "vulnerabilities",
+              "description": "Vulnerabilities reported on the project. Available only when feature flag `first_class_vulnerabilities` is enabled.",
+              "args": [
+                {
+                  "name": "after",
+                  "description": "Returns the elements in the list that come after the specified cursor.",
+                  "type": {
+                    "kind": "SCALAR",
+                    "name": "String",
+                    "ofType": null
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "before",
+                  "description": "Returns the elements in the list that come before the specified cursor.",
+                  "type": {
+                    "kind": "SCALAR",
+                    "name": "String",
+                    "ofType": null
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "first",
+                  "description": "Returns the first _n_ elements from the list.",
+                  "type": {
+                    "kind": "SCALAR",
+                    "name": "Int",
+                    "ofType": null
+                  },
+                  "defaultValue": null
+                },
+                {
+                  "name": "last",
+                  "description": "Returns the last _n_ elements from the list.",
+                  "type": {
+                    "kind": "SCALAR",
+                    "name": "Int",
+                    "ofType": null
+                  },
+                  "defaultValue": null
+                }
+              ],
+              "type": {
+                "kind": "OBJECT",
+                "name": "VulnerabilityConnection",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
             {
               "name": "webUrl",
               "description": "Web URL of the project",
@@ -25498,6 +25561,364 @@
           ],
           "possibleTypes": null
         },
+        {
+          "kind": "OBJECT",
+          "name": "Vulnerability",
+          "description": "Represents a vulnerability.",
+          "fields": [
+            {
+              "name": "description",
+              "description": "Description of the vulnerability",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "id",
+              "description": "GraphQL ID of the vulnerability",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "NON_NULL",
+                "name": null,
+                "ofType": {
+                  "kind": "SCALAR",
+                  "name": "ID",
+                  "ofType": null
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "location",
+              "description": "The JSON location metadata for the vulnerability. Its format depends on the type of the security scan that found the vulnerability",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "JSON",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "reportType",
+              "description": "Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST)",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "ENUM",
+                "name": "VulnerabilityReportType",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "severity",
+              "description": "Severity of the vulnerability (INFO, UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL)",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "ENUM",
+                "name": "VulnerabilitySeverity",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "state",
+              "description": "State of the vulnerability (DETECTED, DISMISSED, RESOLVED, CONFIRMED)",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "ENUM",
+                "name": "VulnerabilityState",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "title",
+              "description": "Title of the vulnerability",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "vulnerabilityPath",
+              "description": "URL to the vulnerability's details page",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "inputFields": null,
+          "interfaces": [
+
+          ],
+          "enumValues": null,
+          "possibleTypes": null
+        },
+        {
+          "kind": "OBJECT",
+          "name": "VulnerabilityConnection",
+          "description": "The connection type for Vulnerability.",
+          "fields": [
+            {
+              "name": "edges",
+              "description": "A list of edges.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "LIST",
+                "name": null,
+                "ofType": {
+                  "kind": "OBJECT",
+                  "name": "VulnerabilityEdge",
+                  "ofType": null
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "nodes",
+              "description": "A list of nodes.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "LIST",
+                "name": null,
+                "ofType": {
+                  "kind": "OBJECT",
+                  "name": "Vulnerability",
+                  "ofType": null
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "pageInfo",
+              "description": "Information to aid in pagination.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "NON_NULL",
+                "name": null,
+                "ofType": {
+                  "kind": "OBJECT",
+                  "name": "PageInfo",
+                  "ofType": null
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "inputFields": null,
+          "interfaces": [
+
+          ],
+          "enumValues": null,
+          "possibleTypes": null
+        },
+        {
+          "kind": "OBJECT",
+          "name": "VulnerabilityEdge",
+          "description": "An edge in a connection.",
+          "fields": [
+            {
+              "name": "cursor",
+              "description": "A cursor for use in pagination.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "NON_NULL",
+                "name": null,
+                "ofType": {
+                  "kind": "SCALAR",
+                  "name": "String",
+                  "ofType": null
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "node",
+              "description": "The item at the end of the edge.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "OBJECT",
+                "name": "Vulnerability",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "inputFields": null,
+          "interfaces": [
+
+          ],
+          "enumValues": null,
+          "possibleTypes": null
+        },
+        {
+          "kind": "ENUM",
+          "name": "VulnerabilityReportType",
+          "description": "The type of the security scan that found the vulnerability.",
+          "fields": null,
+          "inputFields": null,
+          "interfaces": null,
+          "enumValues": [
+            {
+              "name": "SAST",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "DEPENDENCY_SCANNING",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "CONTAINER_SCANNING",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "DAST",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "possibleTypes": null
+        },
+        {
+          "kind": "ENUM",
+          "name": "VulnerabilitySeverity",
+          "description": "The severity of the vulnerability.",
+          "fields": null,
+          "inputFields": null,
+          "interfaces": null,
+          "enumValues": [
+            {
+              "name": "INFO",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "UNKNOWN",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "LOW",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "MEDIUM",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "HIGH",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "CRITICAL",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "possibleTypes": null
+        },
+        {
+          "kind": "ENUM",
+          "name": "VulnerabilityState",
+          "description": "The state of the vulnerability.",
+          "fields": null,
+          "inputFields": null,
+          "interfaces": null,
+          "enumValues": [
+            {
+              "name": "DETECTED",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "DISMISSED",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "RESOLVED",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "CONFIRMED",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "possibleTypes": null
+        },
         {
           "kind": "OBJECT",
           "name": "__Directive",

doc/api/graphql/reference/index.md

@@ -1354,3 +1354,18 @@ Autogenerated return type of UpdateSnippet
 | Name  | Type  | Description |
 | ---   |  ---- | ----------  |
 | `createSnippet` | Boolean! | Indicates the user can perform `create_snippet` on this resource |
+
+## Vulnerability
+
+Represents a vulnerability.
+
+| Name  | Type  | Description |
+| ---   |  ---- | ----------  |
+| `description` | String | Description of the vulnerability |
+| `id` | ID! | GraphQL ID of the vulnerability |
+| `location` | JSON | The JSON location metadata for the vulnerability. Its format depends on the type of the security scan that found the vulnerability |
+| `reportType` | VulnerabilityReportType | Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST) |
+| `severity` | VulnerabilitySeverity | Severity of the vulnerability (INFO, UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL) |
+| `state` | VulnerabilityState | State of the vulnerability (DETECTED, DISMISSED, RESOLVED, CONFIRMED) |
+| `title` | String | Title of the vulnerability |
+| `vulnerabilityPath` | String | URL to the vulnerability's details page |

doc/development/contributing/style_guides.md

 # Style guides
+## Editor/IDE styling standardization
+
+We use [EditorConfig](https://editorconfig.org/) to automatically apply certain styling
+standards before files are saved locally. Most editors/IDEs will honor the `.editorconfig`
+settings automatically by default. If your editor/IDE does not automatically support `.editorconfig`,
+we suggest investigating to see if a plugin exists. For instance here is the
+[plugin for vim](https://github.com/editorconfig/editorconfig-vim).
+
 ## Pre-commit static analysis
 You're strongly advised to install

doc/development/database_review.md

@@ -124,6 +124,8 @@ the following preparations into account.
 - Follow the [guidelines on dropping columns](what_requires_downtime.md#dropping-columns).
 - Generally it's best practice (but not a hard rule) to remove indexes and foreign keys in a post-deployment migration.
   - Exceptions include removing indexes and foreign keys for small tables.
+- If you're adding a composite index, another index might become redundant, so remove that in the same migration.
+  For example adding `index(column_A, column_B, column_C)` makes the indexes `index(column_A, column_B)` and `index(column_A)` redundant.
 ### How to review for database

doc/development/testing_guide/end_to_end/index.md

@@ -166,6 +166,10 @@ environment, you can use the [GitLab Development Kit (GDK)](https://gitlab.com/g
 Please refer to the instructions in the [QA README](https://gitlab.com/gitlab-org/gitlab/tree/master/qa/README.md#how-can-i-use-it)
 and the section below.
+### Running tests that require special setup
+
+Learn how to perform [tests that require special setup or consideration to run on your local environment](running_tests_that_require_special_setup.md).
+
 ## How do I write tests?
 In order to write new tests, you first need to learn more about GitLab QA

doc/development/testing_guide/end_to_end/running_tests_that_require_special_setup.md

+# Running tests that require special setup
+
+## Jenkins spec
+
+The [`jenkins_build_status_spec`](https://gitlab.com/gitlab-org/gitlab/blob/163c8a8c814db26d11e104d1cb2dcf02eb567dbe/qa/qa/specs/features/ee/browser_ui/3_create/jenkins/jenkins_build_status_spec.rb) spins up a Jenkins instance in a docker container based on an image stored in the [GitLab-QA container registry](https://gitlab.com/gitlab-org/gitlab-qa/container_registry).
+The docker image it uses is preconfigured with some base data and plugins.
+The test then configures the GitLab plugin in Jenkins with a URL of the GitLab instance that will be used
+to run the tests. Unfortunately, the GitLab Jenkins plugin does not accept ports so `http://localhost:3000` would
+not be accepted. Therefore, this requires us to run GitLab on port 80 or inside a docker container.
+
+To start a docker container for GitLab based on the nightly image:
+
+```shell
+docker run \
+  --publish 80:80 \
+  --name gitlab \
+  --hostname localhost \
+  gitlab/gitlab-ee:nightly
+```
+
+To run the tests from the `/qa` directory:
+
+```shell
+CHROME_HEADLESS=false bin/qa Test::Instance::All http://localhost -- qa/specs/features/ee/browser_ui/3_create/jenkins/jenkins_build_status_spec.rb
+```
+
+The test will automatically spinup a docker container for Jenkins and tear down once the test completes.
+
+However, if you need to run Jenkins manually outside of the tests, use this command:
+
+```shell
+docker run \
+  --hostname localhost \
+  --name jenkins-server \
+  --env JENKINS_HOME=jenkins_home \
+  --publish 8080:8080 \
+  registry.gitlab.com/gitlab-org/gitlab-qa/jenkins-gitlab:version1
+```
+
+Jenkins will be available on `http://localhost:8080`.
+
+Admin username is `admin` and password is `password`.
+
+It is worth noting that this is not an orchestrated test. It is [tagged with the `:orchestrated` meta](https://gitlab.com/gitlab-org/gitlab/blob/163c8a8c814db26d11e104d1cb2dcf02eb567dbe/qa/qa/specs/features/ee/browser_ui/3_create/jenkins/jenkins_build_status_spec.rb#L5)
+only to prevent it from running in the pipelines for live environments such as Staging.
+
+### Troubleshooting
+
+If Jenkins docker container exits without providing any information in the logs, try increasing the memory used by
+the Docker Engine.

doc/user/application_security/index.md

@@ -62,7 +62,7 @@ The scanning tools and vulnerabilities database are updated regularly.
 | Secure scanning tool                                         | Vulnerabilities database updates          |
 |:-------------------------------------------------------------|-------------------------------------------|
 | [Container Scanning](container_scanning/index.md)            | Uses `clair`. The latest `clair-db` version is used for each job by running the [`latest` docker image tag](https://gitlab.com/gitlab-org/gitlab/blob/438a0a56dc0882f22bdd82e700554525f552d91b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L37). The `clair-db` database [is updated daily according to the author](https://github.com/arminc/clair-local-scan#clair-server-or-local). |
-| [Dependency Scanning](dependency_scanning/index.md)          | Relies on `bundler-audit` (for Rubygems), `retire.js` (for NPM packages), and `gemnasium` (GitLab's own tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated at least once a week. |
+| [Dependency Scanning](dependency_scanning/index.md)          | Relies on `bundler-audit` (for Rubygems), `retire.js` (for NPM packages), and `gemnasium` (GitLab's own tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated at least once a week. See our [current measurement of time from CVE being issued to our product being updated](https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update). |
 | [Dynamic Application Security Testing (DAST)](dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/master/Dockerfile#L1). The scanning rules are downloaded at scan runtime. |
 | [Static Application Security Testing (SAST)](sast/index.md)  | Relies exclusively on [the tools GitLab wraps](sast/index.md#supported-languages-and-frameworks). The underlying analyzers are updated at least once per month if a relevant update is available. The vulnerabilities database is updated by the upstream tools. |
@@ -240,6 +240,15 @@ An approval is optional when a license report:
 - Contains no software license violations.
 - Contains only new licenses that are `approved` or unknown.
+## Working in an offline environment
+
+It is possible to run most of the GitLab security scanners when not
+connected to the internet, in what is sometimes known as an offline,
+limited connectivity, Local Area Network (LAN), Intranet, or "air-gap"
+environment.
+
+Read how to [operate the Secure scanners in an offline environment](offline_deployments/index.md).
+
 ## Outdated security reports
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/4913) in GitLab 12.7.

doc/user/application_security/offline_deployments/index.md

+---
+type: reference, howto
+---
+
+# Offline deployments
+
+This document describes how to operate Secure scanners offline.
+
+## Overview
+
+It is possible to run most of the GitLab security scanners when not
+connected to the internet, in what is sometimes known as an offline,
+limited connectivity, Local Area Network (LAN), Intranet, or "air-gap"
+environment.
+
+In this situation, the GitLab instance can be one, or more, servers and services running in a network that can talk to one another, but have zero, or perhaps very restricted access to the internet. Assume anything within the GitLab instance and supporting infrastrusture (private maven repository for example) can be accessed via local network connection. Assume any files from the internet must come in via physical media (USB drive, hard drive).
+
+GitLab scanners generally will connect to the internet to download the
+latest sets of signatures, rules, and patches. A few extra steps are necessary
+to configure the tools to not do this and to still function properly.
+
+### Container registries and package repositories
+
+At a high-level, each of the security analyzers are delivered as Docker
+containers and reference various package repositories. When you run a job on
+an internet-connected GitLab installation, GitLab checks the GitLab.com-hosted
+container registry and package repositories to ensure that you have
+the latest versions.
+
+In an air-gapped environment, this must be disabled so that GitLab.com is not
+queried. Because the GitLab.com registry and repositories are not available,
+you must update each of the scanners to either reference a different,
+internally-hosted registry or provide access to the individual scanner images.
+
+You must also ensure that your app has access to common package repos
+that are not hosted on GitLab.com, such as npm, yarn, or rubygems. Packages
+from these repos can be obtained by temporarily connecting to a network or by
+mirroring the packages inside your own offline network.
+
+### Scanner signature and rule updates
+
+When connected to the internet, some scanners will reference public databases
+for the latest sets of signatures and rules to check against. Without connectivity,
+this is not possible. Depending on the scanner, you must therefore disable
+these automatic update checks and either use the databases that they came
+with or manually update those databases.
+
+## Specific scanner instructions
+
+Each individual scanner may be slightly different than the steps described
+above. You can find more info at each of the pages below:
+
+- [Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-air-gapped-installation)
+- [SAST offline directions](../sast/index.md#gitlab-sast-in-an-offline-air-gapped-installation)
+- [DAST offline directions](../dast/index.md#running-dast-in-an-offline-air-gapped-installation)

doc/user/clusters/applications.md

@@ -297,6 +297,25 @@ Ingress with the recent changes.
 ![Disabling WAF](../../topics/web_application_firewall/img/guide_waf_ingress_save_changes_v12_9.png)
+##### Viewing Web Application Firewall traffic
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
+
+You can view Web Application Firewall traffic by navigating to your project's
+**Security & Compliance > Threat Monitoring** page.
+
+From there, you can see tracked over time:
+
+- The total amount of traffic to your application.
+- The proportion of traffic that is considered anomalous by the Web Application
+  Firewall's default [OWASP ruleset](https://www.modsecurity.org/CRS/Documentation/).
+
+If a significant percentage of traffic is anomalous, it should be investigated
+for potential threats, which can be done by
+[examining the application logs](#web-application-firewall-modsecurity).
+
+![Threat Monitoring](img/threat_monitoring_v12_9.png)
+
 ### JupyterHub
 > - Introduced in GitLab 11.0 for project-level clusters.

doc/user/gitlab_com/index.md

@@ -88,11 +88,14 @@ or over the size limit, you can [reduce your repository size with Git](../projec
 ## IP range
-GitLab.com, CI/CD, and related services are deployed into Google Cloud Platform (GCP). Any
-IP based firewall can be configured by looking up all
-[IP address ranges or CIDR blocks for GCP](https://cloud.google.com/compute/docs/faq#where_can_i_find_product_name_short_ip_ranges).
-[Static endpoints](https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/97) are being considered.
+GitLab.com is using the IP range `34.74.90.64/28` for traffic from its Web/API
+fleet. You can expect connections from webhooks or repository mirroring to come
+from those IPs and whitelist them.
+For connections from CI/CD runners we are not providing static IP addresses.
+All our runners are deployed into Google Cloud Platform (GCP) - any IP based
+firewall can be configured by looking up all
+[IP address ranges or CIDR blocks for GCP](https://cloud.google.com/compute/docs/faq#where_can_i_find_product_name_short_ip_ranges).
 ## Maximum number of webhooks

doc/user/profile/notifications.md

@@ -159,6 +159,9 @@ In most of the below cases, the notification will be sent to:
 - Subscribers: anyone who manually subscribed to the issue, merge request, or epic **(ULTIMATE)**
 - Custom: Users with notification level "custom" who turned on notifications for any of the events present in the table below
+NOTE: **Note:**
+To minimize the number of notifications that do not require any action, from [GitLab 12.9 onwards](https://gitlab.com/gitlab-org/gitlab/issues/616), eligible approvers are no longer notified for all the activities in their projects. To receive them they have to change their user notification settings to **Watch** instead.
+
 | Event                  | Sent to |
 |------------------------|---------|
 | New issue              |         |

doc/user/project/merge_requests/cherry_pick_changes.md

@@ -21,6 +21,20 @@ where you can choose to either:
 - Cherry-pick the changes directly into the selected branch.
 - Create a new merge request with the cherry-picked changes.
+### Cherry-pick tracking
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2675) in GitLab 12.9.
+
+When you cherry-pick a merge commit, GitLab will output a system note to the related merge
+request thread crosslinking the new commit and the existing merge request.
+
+![Cherry-pick tracking in Merge Request timeline](img/cherry_pick_mr_timeline_v12_9.png)
+
+Each deployment's [list of associated merge requests](../../../api/deployments.md#list-of-merge-requests-associated-with-a-deployment) will include cherry-picked merge commits.
+
+NOTE: **Note:**
+We only track cherry-pick executed from GitLab (both UI and API). Support for [tracking cherry-picked commits through the command line](https://gitlab.com/gitlab-org/gitlab/issues/202215) is planned for a future release.
+
 ## Cherry-picking a commit
 You can cherry-pick a commit from the commit details page: