diff --git a/doc/administration/gitlab_duo_self_hosted/_index.md b/doc/administration/gitlab_duo_self_hosted/_index.md index e0691b66d6e25b050ed4ead2e55d7e45b8faace6..47c4d7230adcad7bcdae0fd8f5d78945c112b9ae 100644 --- a/doc/administration/gitlab_duo_self_hosted/_index.md +++ b/doc/administration/gitlab_duo_self_hosted/_index.md @@ -86,7 +86,7 @@ when GitLab hosts and connects to those models through the cloud-based [AI gatew | [Refactor Code](../../user/gitlab_duo_chat/examples.md#refactor-code-in-the-ide) | {{< icon name="check-circle-filled" >}} Yes | GitLab 17.9 and later | Generally available | | [Fix Code](../../user/gitlab_duo_chat/examples.md#fix-code-in-the-ide) | {{< icon name="check-circle-filled" >}} Yes | GitLab 17.9 and later | Generally available | | [Root Cause Analysis](../../user/gitlab_duo_chat/examples.md#troubleshoot-failed-cicd-jobs-with-root-cause-analysis) | {{< icon name="check-circle-filled" >}} Yes | GitLab 17.10 and later | Beta | -| [Vulnerability Explanation](../../user/application_security/vulnerabilities/_index.md#vulnerability-explanation) | {{< icon name="check-circle-filled" >}} Yes | GitLab 18.1.2 and later | Beta | +| [Vulnerability Explanation](../../user/application_security/analyze/duo.md) | {{< icon name="check-circle-filled" >}} Yes | GitLab 18.1.2 and later | Beta | For more examples of a question you can ask, see [Ask about GitLab](../../user/gitlab_duo_chat/examples.md). 
@@ -113,7 +113,7 @@ For more examples of a question you can ask, see | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | ---------------------- | --- | | [GitLab Duo for the CLI](../../editor_extensions/gitlab_cli/_index.md#gitlab-duo-for-the-cli) | {{< icon name="check-circle-filled" >}} Yes | GitLab 18.1.2 and later | Beta | | [GitLab Duo Agent Platform](../../user/duo_agent_platform/_index.md) | {{< icon name="check-circle-filled" >}} Yes | GitLab 18.4 and later | Experiment | -| [Vulnerability Resolution](../../user/application_security/vulnerabilities/_index.md#vulnerability-resolution) | {{< icon name="check-circle-filled" >}} Yes | GitLab 18.1.2 and later | Beta | +| [Vulnerability Resolution](../../user/application_security/remediate/duo.md) | {{< icon name="check-circle-filled" >}} Yes | GitLab 18.1.2 and later | Beta | | [GitLab Duo and SDLC trends Dashboard](../../user/analytics/duo_and_sdlc_trends.md) | {{< icon name="check-circle-filled" >}} Yes | GitLab 17.9 and later | Beta | ## Configuration types diff --git a/doc/policy/early_access_program/_index.md b/doc/policy/early_access_program/_index.md index d59078fbc6f4f992a34782c58e7bf141bc77e5fd..8c75e8dc070122a9f484ef3409c637720c7f519f 100644 --- a/doc/policy/early_access_program/_index.md +++ b/doc/policy/early_access_program/_index.md 
@@ -17,7 +17,7 @@ These features may not be ready for production use and follow the [Experimental | Name | Status | Included date | Provide feedback | |---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|---------------|------------------| -| [GitLab Duo Vulnerability Resolution](../../user/application_security/vulnerabilities/_index.md#vulnerability-resolution) | [Beta](../development_stages_support.md#beta) | 2024-10-02 | [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/476553) | +| [GitLab Duo Vulnerability Resolution](../../user/application_security/remediate/duo.md) | [Beta](../development_stages_support.md#beta) | 2024-10-02 | [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/476553) | | [GitLab Duo Issue Description Generation](../../user/project/issues/managing_issues.md#populate-an-issue-with-issue-description-generation) | [Experiment](../development_stages_support.md#experiment) | 2024-10-02 | [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/409844) | | [Gitaly on K8s](../../administration/gitaly/kubernetes.md) | [Beta](../development_stages_support.md#beta) | 2025-02-25 | [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/520544) | diff --git a/doc/user/application_security/analyze/_index.md b/doc/user/application_security/analyze/_index.md index bebaa3e6bce2b83a35c330f67450f087aaea1158..d39a57ec0b4ccd3453120c013e17a1813293fe5d 100644 --- a/doc/user/application_security/analyze/_index.md +++ b/doc/user/application_security/analyze/_index.md 
@@ -89,7 +89,7 @@ this information to help analyze a vulnerability. The following tips may also help you analyze a vulnerability: -- Use [GitLab Duo Vulnerability Explanation](../vulnerabilities/_index.md#vulnerability-explanation) +- Use [GitLab Duo Vulnerability Explanation](duo.md) to help explain the vulnerability and suggest a remediation. Available only for vulnerabilities detected by SAST. - Use [security training](../vulnerabilities/_index.md#view-security-training-for-a-vulnerability) diff --git a/doc/user/application_security/analyze/duo.md b/doc/user/application_security/analyze/duo.md new file mode 100644 index 0000000000000000000000000000000000000000..167063a2ba0757d7c6a887ef9b1588cba7d2fd7e --- /dev/null +++ b/doc/user/application_security/analyze/duo.md 
@@ -0,0 +1,79 @@ +--- +stage: Security Risk Management +group: Security Insights +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments +title: Explain vulnerabilities with AI +description: TODO +--- + +{{< details >}} + +- Tier: Ultimate +- Add-on: GitLab Duo Enterprise, GitLab Duo with Amazon Q +- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated + +{{< /details >}} + +{{< collapsible title="Model information" >}} + +- LLM: Anthropic [Claude 3.7 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-7-sonnet) +- LLM for Amazon Q: Amazon Q Developer +- Available on [GitLab Duo with self-hosted models](../../../administration/gitlab_duo_self_hosted/_index.md): Yes + +{{< /collapsible >}} + +{{< history >}} + +- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/10368) in GitLab 16.0 as an [experiment](../../../policy/development_stages_support.md#experiment) on GitLab.com. +- Promoted to [beta](../../../policy/development_stages_support.md#beta) status in GitLab 16.2. +- [Generally available](https://gitlab.com/groups/gitlab-org/-/epics/10642) in GitLab 17.2. +- Changed to require GitLab Duo add-on in GitLab 17.6 and later. + +{{< /history >}} + +GitLab Duo Vulnerability Explanation can help you with a vulnerability by using a large language model to: + +- Summarize the vulnerability. +- Help developers and security analysts to understand the vulnerability, how it could be exploited, and how to fix it. +- Provide a suggested mitigation. + +Other features can help you [resolve vulnerabilities with suggested fixes](../remediate/duo.md). + + [Watch an overview](https://www.youtube.com/watch?v=MMVFvGrmMzw&list=PLFGfElNsQthZGazU1ZdfDpegu0HflunXW) + +Prerequisites: + +- You must have the GitLab Ultimate subscription tier. +- Have a paid GitLab Duo Enterprise seat. 
+- [GitLab Duo](../../gitlab_duo/turn_on_off.md) must be enabled for the group or instance. +- You must be a member of the project. +- The vulnerability must be from a SAST scanner. + +To explain the vulnerability: + +1. On the left sidebar, select **Search or go to** and find your project. +1. Select **Secure** > **Vulnerability report**. +1. Optional. To remove the default filters, select **Clear** ({{< icon name="clear" >}}). +1. Above the list of vulnerabilities, select the filter bar. +1. In the dropdown list that appears, select **Tool**, then select all the values in the **SAST** category. +1. Select outside the filter field. The vulnerability severity totals and list of matching vulnerabilities are updated. +1. Select the SAST vulnerability you want explained. +1. Do one of the following: + + - Select the text below the vulnerability description that reads _You can also use AI by asking GitLab Duo Chat to explain this vulnerability and a suggested fix._ + - In the upper right, from the **Resolve with merge request** dropdown list, select **Explain vulnerability**, then select **Explain vulnerability**. + - Open GitLab Duo Chat and use the [explain a vulnerability](../../gitlab_duo_chat/examples.md#explain-a-vulnerability) command by typing `/vulnerability_explain`. + +The response is shown on the right side of the page. + +On GitLab.com this feature is available. By default, it is powered by the Anthropic [`claude-3-haiku`](https://docs.anthropic.com/en/docs/about-claude/models#claude-3-a-new-generation-of-ai) +model. We cannot guarantee that the large language model produces results that are correct. Use the +explanation with caution. + +### Data shared with third-party AI APIs for Vulnerability Explanation + +The following data is shared with third-party AI APIs: + +- Vulnerability title (which might contain the filename, depending on which scanner is used). +- Vulnerability identifiers. +- Filename. 
diff --git a/doc/user/application_security/remediate/_index.md b/doc/user/application_security/remediate/_index.md index 8a62e639ba96699d2126a25f08f11fccf6d9e6cd..4514dae7102bbf06b99c6eef65e2147a7cde162a 100644 --- a/doc/user/application_security/remediate/_index.md +++ b/doc/user/application_security/remediate/_index.md @@ -47,10 +47,8 @@ effective. For some vulnerabilities detected by SAST, GitLab can: -- [Explain the vulnerability](../vulnerabilities/_index.md#vulnerability-explanation), using GitLab - Duo Chat. -- [Resolve the vulnerability](../vulnerabilities/_index.md#vulnerability-resolution), using GitLab - Duo Chat. +- [Explain the vulnerability](../analyze/duo.md) using GitLab Duo. +- [Resolve the vulnerability](duo.md) using GitLab Duo. - Provide the complete data path from input to the vulnerable line of code, if you're using GitLab Advanced SAST. diff --git a/doc/user/application_security/remediate/duo.md b/doc/user/application_security/remediate/duo.md new file mode 100644 index 0000000000000000000000000000000000000000..8939a0bdc7997675d189bbbc8ecc3895550350ab --- /dev/null +++ b/doc/user/application_security/remediate/duo.md 
@@ -0,0 +1,218 @@ +--- +stage: Security Risk Management +group: Security Insights +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments +title: Resolve vulnerabilities with AI +description: TODO +--- + +{{< details >}} + +- Tier: Ultimate +- Add-on: GitLab Duo Enterprise, GitLab Duo with Amazon Q +- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated + +{{< /details >}} + +{{< collapsible title="Model information" >}} + +- LLM for GitLab Self-Managed, GitLab Dedicated: Anthropic [Claude 3.5 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-sonnet) +- LLM for GitLab.com: Anthropic [Claude 3.7 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-7-sonnet) +- LLM for Amazon Q: Amazon Q Developer +- Available on [GitLab Duo with self-hosted models](../../../administration/gitlab_duo_self_hosted/_index.md): Yes + +{{< /collapsible >}} + +GitLab Duo Vulnerability Resolution helps you automatically resolve security vulnerabilities. + + [Watch an overview](https://www.youtube.com/watch?v=VJmsw_C125E&list=PLFGfElNsQthZGazU1ZdfDpegu0HflunXW) + +## Use AI assistance responsibly + +As with all AI-based systems, we can't guarantee that the large language model produces correct results every time. +You should always review the proposed change before merging it. When reviewing, check that: + +- Your application's existing functionality is preserved. +- The vulnerability is resolved in accordance with your organization's standards. + +## Prerequisites + +- You must have the GitLab Ultimate subscription tier and GitLab Duo Enterprise. +- You must be a member of the project. +- The vulnerability must be a SAST finding from a supported analyzer: + - Any [GitLab-supported analyzer](../sast/analyzers.md). 
+ - A properly integrated third-party SAST scanner that reports the vulnerability location and a CWE Identifier for each vulnerability. +- The vulnerability must be of a [supported type](#supported-vulnerabilities-for-vulnerability-resolution). + +Learn more about [how to enable all GitLab Duo features](../../gitlab_duo/turn_on_off.md). + +## Supported vulnerabilities for Vulnerability Resolution + +To ensure that suggested resolutions are high-quality, Vulnerability Resolution is available for a specific set of vulnerabilities. +The system decides whether to offer Vulnerability Resolution based on the vulnerability's Common Weakness Enumeration (CWE) identifier. + +We selected the current set of vulnerabilities based on testing by automated systems and security experts. +We are actively working to expand coverage to more types of vulnerabilities. + +
View the complete list of supported CWEs for Vulnerability Resolution + + +
+ +## Data shared with third-party AI APIs for Vulnerability Resolution + +The following data is shared with third-party AI APIs: + +- Vulnerability name +- Vulnerability description +- Identifiers (CWE, OWASP) +- Entire file that contains the vulnerable lines of code +- Vulnerable lines of code (line numbers) + +## Workflows + +Vulnerablilty Resolution is available in different workflows. You can: + +- Resolve existing vulnerabilities from the Vulnerability Report. +- Resolve vulnerabilities in the context of a merge request. + +### Resolve an existing vulnerability from the Vulnerability Report + +{{< history >}} + +- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/10779) in GitLab 16.7 as an [experiment](../../../policy/development_stages_support.md#experiment) on GitLab.com. +- Changed to beta in GitLab 17.3. +- Changed to require GitLab Duo add-on in GitLab 17.6 and later. + +{{< /history >}} + +#### Find vulnerabilities that support Vulnerability Resolution + +{{< history >}} + +- Vulnerability Resolution activity icon [introduced](https://gitlab.com/groups/gitlab-org/-/epics/15036) in GitLab 17.5 with a flag named [`vulnerability_report_vr_badge`](https://gitlab.com/gitlab-org/gitlab/-/issues/486549). Disabled by default. +- [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171718) in GitLab 17.6. +- [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/503568) in GitLab 18.0. Feature flag `vulnerability_report_vr_badge` removed. + +{{< /history >}} + +{{< alert type="flag" >}} + +The availability of Vulnerability Resolution activity icon is controlled by a feature flag. +For more information, see the history. + +{{< /alert >}} + +To resolve a vulnerability: + +1. On the left sidebar, select **Search or go to** and find your project. +1. Select **Secure** > **Vulnerability report**. +1. Optional. To remove the default filters, select **Clear** ({{< icon name="clear" >}}). +1. 
Above the list of vulnerabilities, select the filter bar. +1. In the dropdown list that appears, select **Activity**, then select **Vulnerability Resolution available** in the **GitLab Duo (AI)** category. +1. Select outside the filter field. The vulnerability severity totals and list of matching vulnerabilities are updated. +1. Select the SAST vulnerability you want resolved. + - A blue icon is shown next to vulnerabilities that support Vulnerability Resolution. + +#### Resolve the selected vulnerability + +After you've selected a vulnerability that supports resolution: + +1. In the upper-right corner, select **Resolve with AI**. If this project is a public project be aware that creating an MR will publicly expose the vulnerability and offered resolution. To create the MR privately, [create a private fork](../../project/merge_requests/confidential.md), and repeat this process. +1. Add an additional commit to the MR. This forces a new pipeline to run. +1. After the pipeline is complete, on the [pipeline security tab](../detect/security_scanning_results.md), confirm that the vulnerability no longer appears. +1. On the vulnerability report, [manually update the vulnerability](../vulnerability_report/_index.md#change-status-of-vulnerabilities). + +A merge request containing the AI remediation suggestions is opened. Review the suggested changes, +then process the merge request according to your standard workflow. + +Provide feedback on this feature in [issue 476553](https://gitlab.com/gitlab-org/gitlab/-/issues/476553). + +### Resolve a vulnerability in a merge request + +{{< history >}} + +- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/14862) in GitLab 17.6. +- [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175150) in GitLab 17.7. +- [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/185452) in GitLab 17.11. Feature flag `resolve_vulnerability_in_mr` removed. 
+ +{{< /history >}} + +You can use GitLab Duo Vulnerability Resolution in a merge request to fix vulnerabilities before they're merged. +Vulnerability Resolution automatically creates a merge request suggestion comment that resolves the vulnerability finding. + +To resolve a vulnerability finding: + +1. On the left sidebar, select **Search or go to** and find your project. +1. Select **Merge requests**. +1. Select a merge request. + - Vulnerability findings supported by Vulnerability Resolution are indicated by the tanuki AI icon ({{< icon name="tanuki-ai" >}}). +1. Select the supported findings to open the security finding dialog. +1. In the lower-right corner, select **Resolve with AI**. + +A comment containing the AI remediation suggestions is opened in the merge request. Review the suggested changes, then apply the merge request suggestion according to your standard workflow. + +Provide feedback on this feature in [issue 476553](https://gitlab.com/gitlab-org/gitlab/-/issues/476553). + +## Troubleshooting + +Vulnerability Resolution sometimes cannot generate a suggested fix. Common causes include: + +- False positive detected: + - Before proposing a fix, the AI model assesses whether the vulnerability is valid. It may judge that the vulnerability is not a true vulnerability, or isn't worth fixing. + - This can happen if the vulnerability occurs in test code. Your organization might still choose to fix vulnerabilities even if they happen in test code, but models sometimes assess these to be false positives. + - If you agree that the vulnerability is a false-positive or is not worth fixing, you should [dismiss the vulnerability](../vulnerabilities/_index.md#vulnerability-status-values) and [select a matching reason](../vulnerabilities/_index.md#vulnerability-dismissal-reasons). + - To customize your SAST configuration or report a problem with a GitLab SAST rule, see [SAST rules](../sast/rules.md). 
+- Temporary or unexpected error: + - The error message may state that `an unexpected error has occurred`, `the upstream AI provider request timed out`, `something went wrong`, or a similar cause. + - These errors may be caused by temporary problems with the AI provider or with GitLab Duo. + - A new request may succeed, so you can try to resolve the vulnerability again. + - If you continue to see these errors, contact GitLab for assistance. +- `Resolution target could not be found in the merge request, unable to create suggestion` error: + - This error may occur when the target branch has not run a full security scan pipeline. See the [merge request documentation](../detect/security_scanning_results.md). diff --git a/doc/user/application_security/sast/evaluation_guide.md b/doc/user/application_security/sast/evaluation_guide.md index 45e0bc5aa2a0efbc78cd4404f42e09313ce200f8..c07e84ae132e42a4717aafcca77e2236ca7d83e5 100644 --- a/doc/user/application_security/sast/evaluation_guide.md +++ b/doc/user/application_security/sast/evaluation_guide.md @@ -43,7 +43,7 @@ If you're comparing GitLab SAST to another product, you may find that some of it - [Secret detection](../secret_detection/_index.md) finds leaked secrets in your code. - [Security policies](../policies/_index.md) allow you to force scans to run or require that vulnerabilities are fixed. - [Vulnerability management and reporting](../vulnerability_report/_index.md) manages the vulnerabilities that exist in the codebase and integrates with issue trackers. -- GitLab Duo [vulnerability explanation](../vulnerabilities/_index.md#vulnerability-explanation) and [vulnerability resolution](../vulnerabilities/_index.md#vulnerability-resolution) help you remediate vulnerabilities quickly by using AI. +- GitLab Duo [vulnerability explanation](../analyze/duo.md) and [vulnerability resolution](../remediate/duo.md) help you remediate vulnerabilities quickly by using AI. ## Choose a test codebase 
@@ -99,5 +99,5 @@ After you choose a codebase to test with, you're ready to conduct the test. You - If you're using GitLab Advanced SAST, you can use the [Scanner filter](../vulnerability_report/_index.md#scanner-filter) to show results only from that scanner. 1. Review vulnerability results. - Check the [code flow view](../vulnerabilities/_index.md#vulnerability-code-flow) for GitLab Advanced SAST vulnerabilities that involve tainted user input, like SQL injection or path traversal. - - If you have GitLab Duo Enterprise, [explain](../vulnerabilities/_index.md#vulnerability-explanation) or [resolve](../vulnerabilities/_index.md#vulnerability-resolution) a vulnerability. + - If you have GitLab Duo Enterprise, [explain](../analyze/duo.md) or [resolve](../remediate/duo.md) a vulnerability. 1. To see how scanning works as new code is developed, create a new merge request that changes application code and adds a new vulnerability or weakness. diff --git a/doc/user/application_security/vulnerabilities/_index.md b/doc/user/application_security/vulnerabilities/_index.md index 03efceec36666dbf1d686948dcee08c7cad938f6..4d48ed8949156254f346aedf265a8a0a9ea74550 100644 --- a/doc/user/application_security/vulnerabilities/_index.md +++ b/doc/user/application_security/vulnerabilities/_index.md 
@@ -38,282 +38,6 @@ For further details on this additional data, see [vulnerability risk assessment If the scanner determined the vulnerability to be a false positive, an alert message is included at the top of the vulnerability's page. -## Vulnerability Explanation - -{{< details >}} - -- Tier: Ultimate -- Add-on: GitLab Duo Enterprise, GitLab Duo with Amazon Q -- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated - -{{< /details >}} - -{{< collapsible title="Model information" >}} - -- LLM: Anthropic [Claude 3.7 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-7-sonnet) -- LLM for Amazon Q: Amazon Q Developer -- Available on [GitLab Duo with self-hosted models](../../../administration/gitlab_duo_self_hosted/_index.md): Yes - -{{< /collapsible >}} - -{{< history >}} - -- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/10368) in GitLab 16.0 as an [experiment](../../../policy/development_stages_support.md#experiment) on GitLab.com. -- Promoted to [beta](../../../policy/development_stages_support.md#beta) status in GitLab 16.2. -- [Generally available](https://gitlab.com/groups/gitlab-org/-/epics/10642) in GitLab 17.2. -- Changed to require GitLab Duo add-on in GitLab 17.6 and later. - -{{< /history >}} - -GitLab Duo Vulnerability Explanation can help you with a vulnerability by using a large language model to: - -- Summarize the vulnerability. -- Help developers and security analysts to understand the vulnerability, how it could be exploited, and how to fix it. -- Provide a suggested mitigation. - - [Watch an overview](https://www.youtube.com/watch?v=MMVFvGrmMzw&list=PLFGfElNsQthZGazU1ZdfDpegu0HflunXW) - -Prerequisites: - -- You must have the GitLab Ultimate subscription tier. -- Have a paid GitLab Duo Enterprise seat. -- [GitLab Duo](../../gitlab_duo/turn_on_off.md) must be enabled for the group or instance. -- You must be a member of the project. -- The vulnerability must be from a SAST scanner. 
- -To explain the vulnerability: - -1. On the left sidebar, select **Search or go to** and find your project. -1. Select **Secure** > **Vulnerability report**. -1. Optional. To remove the default filters, select **Clear** ({{< icon name="clear" >}}). -1. Above the list of vulnerabilities, select the filter bar. -1. In the dropdown list that appears, select **Tool**, then select all the values in the **SAST** category. -1. Select outside the filter field. The vulnerability severity totals and list of matching vulnerabilities are updated. -1. Select the SAST vulnerability you want explained. -1. Do one of the following: - - - Select the text below the vulnerability description that reads _You can also use AI by asking GitLab Duo Chat to explain this vulnerability and a suggested fix._ - - In the upper right, from the **Resolve with merge request** dropdown list, select **Explain vulnerability**, then select **Explain vulnerability**. - - Open GitLab Duo Chat and use the [explain a vulnerability](../../gitlab_duo_chat/examples.md#explain-a-vulnerability) command by typing `/vulnerability_explain`. - -The response is shown on the right side of the page. - -On GitLab.com this feature is available. By default, it is powered by the Anthropic [`claude-3-haiku`](https://docs.anthropic.com/en/docs/about-claude/models#claude-3-a-new-generation-of-ai) -model. We cannot guarantee that the large language model produces results that are correct. Use the -explanation with caution. - -### Data shared with third-party AI APIs for Vulnerability Explanation - -The following data is shared with third-party AI APIs: - -- Vulnerability title (which might contain the filename, depending on which scanner is used). -- Vulnerability identifiers. -- Filename. 
- -## Vulnerability Resolution - -{{< details >}} - -- Tier: Ultimate -- Add-on: GitLab Duo Enterprise, GitLab Duo with Amazon Q -- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated - -{{< /details >}} - -{{< collapsible title="Model information" >}} - -- LLM for GitLab Self-Managed, GitLab Dedicated: Anthropic [Claude 3.5 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-sonnet) -- LLM for GitLab.com: Anthropic [Claude 3.7 Sonnet](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-7-sonnet) -- LLM for Amazon Q: Amazon Q Developer -- Available on [GitLab Duo with self-hosted models](../../../administration/gitlab_duo_self_hosted/_index.md): Yes - -{{< /collapsible >}} - -{{< history >}} - -- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/10779) in GitLab 16.7 as an [experiment](../../../policy/development_stages_support.md#experiment) on GitLab.com. -- Changed to beta in GitLab 17.3. -- Changed to require GitLab Duo add-on in GitLab 17.6 and later. - -{{< /history >}} - -Use GitLab Duo Vulnerability resolution to automatically create a merge request that -resolves the vulnerability. By default, it is powered by the Anthropic [`claude-3.5-sonnet`](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-sonnet) model. - -We can't guarantee that the large language model produces correct results. -You should always review the proposed change before merging it. When reviewing, check that: - -- Your application's existing functionality is preserved. -- The vulnerability is resolved in accordance with your organization's standards. - - [Watch an overview](https://www.youtube.com/watch?v=VJmsw_C125E&list=PLFGfElNsQthZGazU1ZdfDpegu0HflunXW) - -Prerequisites: - -- You must have the GitLab Ultimate subscription tier and GitLab Duo Enterprise. -- You must be a member of the project. 
-- The vulnerability must be a SAST finding from a supported analyzer: - - Any [GitLab-supported analyzer](../sast/analyzers.md). - - A properly integrated third-party SAST scanner that reports the vulnerability location and a CWE Identifier for each vulnerability. -- The vulnerability must be of a [supported type](#supported-vulnerabilities-for-vulnerability-resolution). - -Learn more about [how to enable all GitLab Duo features](../../gitlab_duo/turn_on_off.md). - -To resolve the vulnerability: - -1. On the left sidebar, select **Search or go to** and find your project. -1. Select **Secure** > **Vulnerability report**. -1. Optional. To remove the default filters, select **Clear** ({{< icon name="clear" >}}). -1. Above the list of vulnerabilities, select the filter bar. -1. In the dropdown list that appears, select **Activity**, then select **Vulnerability Resolution available** in the **GitLab Duo (AI)** category. -1. Select outside the filter field. The vulnerability severity totals and list of matching vulnerabilities are updated. -1. Select the SAST vulnerability you want resolved. - - A blue icon is shown next to vulnerabilities that support Vulnerability Resolution. -1. In the upper-right corner, select **Resolve with AI**. If this project is a public project be aware that creating an MR will publicly expose the vulnerability and offered resolution. To create the MR privately, [create a private fork](../../project/merge_requests/confidential.md), and repeat this process. -1. Add an additional commit to the MR. This forces a new pipeline to run. -1. After the pipeline is complete, on the [pipeline security tab](../detect/security_scanning_results.md), confirm that the vulnerability no longer appears. -1. On the vulnerability report, [manually update the vulnerability](../vulnerability_report/_index.md#change-status-of-vulnerabilities). - -A merge request containing the AI remediation suggestions is opened. 
Review the suggested changes, -then process the merge request according to your standard workflow. - -Provide feedback on this feature in [issue 476553](https://gitlab.com/gitlab-org/gitlab/-/issues/476553). - -### Supported vulnerabilities for Vulnerability Resolution - -To ensure that suggested resolutions are high-quality, Vulnerability Resolution is available for a specific set of vulnerabilities. -The system decides whether to offer Vulnerability Resolution based on the vulnerability's Common Weakness Enumeration (CWE) identifier. - -We selected the current set of vulnerabilities based on testing by automated systems and security experts. -We are actively working to expand coverage to more types of vulnerabilities. - -
View the complete list of supported CWEs for Vulnerability Resolution - - -
- -### Troubleshooting - -Vulnerability Resolution sometimes cannot generate a suggested fix. Common causes include: - -- False positive detected: - - Before proposing a fix, the AI model assesses whether the vulnerability is valid. It may judge that the vulnerability is not a true vulnerability, or isn't worth fixing. - - This can happen if the vulnerability occurs in test code. Your organization might still choose to fix vulnerabilities even if they happen in test code, but models sometimes assess these to be false positives. - - If you agree that the vulnerability is a false-positive or is not worth fixing, you should [dismiss the vulnerability](#vulnerability-status-values) and [select a matching reason](#vulnerability-dismissal-reasons). - - To customize your SAST configuration or report a problem with a GitLab SAST rule, see [SAST rules](../sast/rules.md). -- Temporary or unexpected error: - - The error message may state that `an unexpected error has occurred`, `the upstream AI provider request timed out`, `something went wrong`, or a similar cause. - - These errors may be caused by temporary problems with the AI provider or with GitLab Duo. - - A new request may succeed, so you can try to resolve the vulnerability again. - - If you continue to see these errors, contact GitLab for assistance. - -### Data shared with third-party AI APIs for Vulnerability Resolution - -The following data is shared with third-party AI APIs: - -- Vulnerability name -- Vulnerability description -- Identifiers (CWE, OWASP) -- Entire file that contains the vulnerable lines of code -- Vulnerable lines of code (line numbers) - -## Vulnerability Resolution in a merge request - -{{< details >}} - -- Tier: Ultimate -- Add-on: GitLab Duo Enterprise -- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated - -{{< /details >}} - -{{< history >}} - -- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/14862) in GitLab 17.6. 
-- [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175150) in GitLab 17.7. -- [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/185452) in GitLab 17.11. Feature flag `resolve_vulnerability_in_mr` removed. - -{{< /history >}} - -Use GitLab Duo Vulnerability resolution to automatically create a merge request suggestion comment that -resolves the vulnerability finding. By default, it is powered by the Anthropic [`claude-3.5-sonnet`](https://console.cloud.google.com/vertex-ai/publishers/anthropic/model-garden/claude-3-5-sonnet) model. - -To resolve the vulnerability finding: - -1. On the left sidebar, select **Search or go to** and find your project. -1. Select **Merge requests**. -1. Select a merge request. - - Vulnerability findings supported by Vulnerability Resolution are indicated by the tanuki AI icon ({{< icon name="tanuki-ai" >}}). -1. Select the supported findings to open the security finding dialog. -1. In the lower-right corner, select **Resolve with AI**. - -A comment containing the AI remediation suggestions is opened in the merge request. Review the suggested changes, then apply the merge request suggestion according to your standard workflow. - -Provide feedback on this feature in [issue 476553](https://gitlab.com/gitlab-org/gitlab/-/issues/476553). - -### Troubleshooting - -Vulnerability Resolution in a merge request sometimes cannot generate a suggested fix. Common causes include: - -- False positive detected: - - Before proposing a fix, the AI model assesses whether the vulnerability is valid. It may judge that the vulnerability is not a true vulnerability, or isn't worth fixing. - - This can happen if the vulnerability occurs in test code. Your organization might still choose to fix vulnerabilities even if they happen in test code, but models sometimes assess these to be false positives. 
- - If you agree that the vulnerability is a false-positive or is not worth fixing, you should [dismiss the vulnerability](#vulnerability-status-values) and [select a matching reason](#vulnerability-dismissal-reasons). - - To customize your SAST configuration or report a problem with a GitLab SAST rule, see [SAST rules](../sast/rules.md). -- Temporary or unexpected error: - - The error message may state that `an unexpected error has occurred`, `the upstream AI provider request timed out`, `something went wrong`, or a similar cause. - - These errors may be caused by temporary problems with the AI provider or with GitLab Duo. - - A new request may succeed, so you can try to resolve the vulnerability again. - - If you continue to see these errors, contact GitLab for assistance. -- `Resolution target could not be found in the merge request, unable to create suggestion` error: - - This error may occur when the target branch has not run a full security scan pipeline. See the [merge request documentation](../detect/security_scanning_results.md). - ## Vulnerability code flow {{< details >}} diff --git a/doc/user/application_security/vulnerability_report/_index.md b/doc/user/application_security/vulnerability_report/_index.md index d1c8c3cf6cebdf0309d6924d06ee7938033f073a..11ae7bfd7ac42c776e66b20a26f11d179030bdb6 100644 --- a/doc/user/application_security/vulnerability_report/_index.md +++ b/doc/user/application_security/vulnerability_report/_index.md 
@@ -13,21 +13,6 @@ description: Filtering, grouping, exporting, and manual addition. {{< /details >}} -{{< history >}} - -- Vulnerability Resolution activity icon [introduced](https://gitlab.com/groups/gitlab-org/-/epics/15036) in GitLab 17.5 with a flag named [`vulnerability_report_vr_badge`](https://gitlab.com/gitlab-org/gitlab/-/issues/486549). Disabled by default. -- [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171718) in GitLab 17.6. -- [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/503568) in GitLab 18.0. Feature flag `vulnerability_report_vr_badge` removed. - -{{< /history >}} - -{{< alert type="flag" >}} - -The availability of Vulnerability Resolution activity icon is controlled by a feature flag. -For more information, see the history. - -{{< /alert >}} - The vulnerability report provides a consolidated view of security vulnerabilities found in your codebase. Sort vulnerabilities by severity, report type, scanner (for projects only), and other attributes to determine which issues need attention first. Track vulnerabilities through their diff --git a/doc/user/gitlab_duo/choose_path.md b/doc/user/gitlab_duo/choose_path.md index ad4d135e09ea9c419574ea1443c8d410463acc39..80f4e32b573fe12a7d8a63bf624c68def3747a44 100644 --- a/doc/user/gitlab_duo/choose_path.md +++ b/doc/user/gitlab_duo/choose_path.md @@ -64,7 +64,7 @@ Follow this path to learn how to: - Automatically generate fix suggestions - Create merge requests to address security issues -[Start here: Vulnerability explanation and resolution →](../application_security/vulnerabilities/_index.md#vulnerability-explanation) +[Start here: Vulnerability explanation and resolution →](../application_security/analyze/duo.md) {{< /tab >}} 
@@ -129,7 +129,7 @@ When you're ready to maximize your productivity with GitLab Duo: - **[GitLab Duo Self-Hosted](../../administration/gitlab_duo_self_hosted/_index.md)** - Host LLMs on your own infrastructure - **[GitLab Duo Agent Platform](../duo_agent_platform/_index.md)** - Automate tasks in your development workflow -- **[Vulnerability Resolution](../application_security/vulnerabilities/_index.md#vulnerability-resolution)** - Automatically generate merge requests to fix security issues +- **[Vulnerability Resolution](../application_security/remediate/duo.md)** - Automatically generate merge requests to fix security issues ## Best practices diff --git a/doc/user/gitlab_duo/feature_summary.md b/doc/user/gitlab_duo/feature_summary.md index bbf020478a08c04ff019d45e7c77aa0e6e8412da..4045a72a263e6c959fc194adf0730693ab07fd6a 100644 --- a/doc/user/gitlab_duo/feature_summary.md +++ b/doc/user/gitlab_duo/feature_summary.md 
@@ -32,8 +32,8 @@ are available on GitLab Self-Managed only. | [Discussion Summary](../discussions/_index.md#summarize-issue-discussions-with-duo-chat) | {{< icon name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled" >}} Yes | | [Code Review](../project/merge_requests/duo_in_merge_requests.md#have-gitlab-duo-review-your-code) | {{< icon name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled" >}} Yes 1 | | [Root Cause Analysis](../gitlab_duo_chat/examples.md#troubleshoot-failed-cicd-jobs-with-root-cause-analysis) | {{< icon name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled" >}} Yes | -| [Vulnerability Explanation](../application_security/vulnerabilities/_index.md#vulnerability-explanation) 3 | {{< icon name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled" >}} Yes | -| [Vulnerability Resolution](../application_security/vulnerabilities/_index.md#vulnerability-resolution) 3 | {{< icon name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled" >}} Yes | +| [Vulnerability Explanation](../application_security/analyze/duo.md) 3 | {{< icon name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled" >}} Yes | +| [Vulnerability Resolution](../application_security/remediate/duo.md) 3 | {{< icon name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled" >}} Yes | | [GitLab Duo and SDLC trends](../analytics/duo_and_sdlc_trends.md) 3 | {{< icon 
name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled">}} Yes | | [Merge Commit Message Generation](../project/merge_requests/duo_in_merge_requests.md#generate-a-merge-commit-message) | {{< icon name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled" >}} Yes | | [GitLab Duo for the CLI](../../editor_extensions/gitlab_cli/_index.md#gitlab-duo-for-the-cli) | {{< icon name="dash-circle" >}} No | {{< icon name="dash-circle" >}} No | {{< icon name="check-circle-filled" >}} Yes | {{< icon name="check-circle-filled" >}} Yes 2 | diff --git a/doc/user/gitlab_duo/use_cases.md b/doc/user/gitlab_duo/use_cases.md index 286c3a52df8ec58936a2a9123be5002d1485ff82..81f4167ea2008bfd22f2b9cd1efe305be9cde026 100644 --- a/doc/user/gitlab_duo/use_cases.md +++ b/doc/user/gitlab_duo/use_cases.md @@ -555,7 +555,7 @@ introduces a security vulnerability with a [buffer overflow](https://en.wikipedi printf("Contents of region: %s\n", region); ``` -[SAST security scanners](../application_security/sast/analyzers.md) can detect and report the problem. Use [Vulnerability Explanation](../application_security/vulnerabilities/_index.md#vulnerability-explanation) to understand the problem. +[SAST security scanners](../application_security/sast/_index.md) can detect and report the problem. Use [Vulnerability Explanation](../application_security/analyze/duo.md) to understand the problem. Vulnerability Resolution helps to generate an MR. If the suggested changes do not fit requirements, or might lead to problems, you can use Code Suggestions and Chat to refine. For example: diff --git a/doc/user/gitlab_duo_chat/examples.md b/doc/user/gitlab_duo_chat/examples.md index 8360383cbac86e8b502079518464f4403cba9c50..442f5b02fe368b22506a71f9f7778df53f283089 100644 --- a/doc/user/gitlab_duo_chat/examples.md 
+++ b/doc/user/gitlab_duo_chat/examples.md @@ -754,7 +754,7 @@ To troubleshoot a failed CI/CD job from the job log: You can ask GitLab Duo Chat to explain a vulnerability when you are viewing a SAST vulnerability report. -For more information, see [Explaining a vulnerability](../application_security/vulnerabilities/_index.md#vulnerability-explanation). +For more information, see [Explaining a vulnerability](../application_security/analyze/duo.md). ## Create a new conversation @@ -844,7 +844,7 @@ These commands are dynamic and are available only in the GitLab UI when using Du | ---------------------- | ------------------------------------------------------------------------------------------------------------------ | ---- | | /summarize_comments | Generate a summary of all comments on the current issue | Issues | | /troubleshoot | [Troubleshoot failed CI/CD jobs with Root Cause Analysis](#troubleshoot-failed-cicd-jobs-with-root-cause-analysis) | Jobs | -| /vulnerability_explain | [Explain current vulnerability](../application_security/vulnerabilities/_index.md#vulnerability-explanation) | Vulnerabilities | +| /vulnerability_explain | [Explain current vulnerability](../application_security/analyze/duo.md) | Vulnerabilities | ### IDE
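Review bot: The block removed from `doc/user/application_security/vulnerabilities/_index.md` (both Troubleshooting lists) links to same-page anchors `#vulnerability-status-values` and `#vulnerability-dismissal-reasons`; if this text was moved to `remediate/duo.md`, as the other hunks imply, those links need to become `../vulnerabilities/_index.md#vulnerability-status-values` and `../vulnerabilities/_index.md#vulnerability-dismissal-reasons`, otherwise they resolve to nothing on the new page. Check the same move for the "Data shared with third-party AI APIs for Vulnerability Resolution" list (vulnerability name and description, CWE/OWASP identifiers, the entire file containing the vulnerable lines, and the line numbers) and for the `Resolution target could not be found in the merge request, unable to create suggestion` troubleshooting entry: the destination page is not in this diff, and that data-sharing disclosure must not be dropped in transit.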
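Review bot: Removing the `{{< history >}}` block in `doc/user/application_security/vulnerability_report/_index.md` drops the only record that the Vulnerability Resolution activity icon was introduced in GitLab 17.5 behind `vulnerability_report_vr_badge`, enabled by default in 17.6, and became generally available in 18.0 with the flag removed. Deleting the `{{< alert type="flag" >}}` below it is right, since it still claimed the icon was flag-controlled after the flag was removed, but confirm the history entries were meant to go (or now live with the feature on `remediate/duo.md`) rather than being collateral to the link cleanup.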
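Review bot: In `doc/user/gitlab_duo/choose_path.md` at line 67, the link text "Vulnerability explanation and resolution" now points only at `../application_security/analyze/duo.md`, the explanation page, while resolution lives at `../application_security/remediate/duo.md`, as the hunk at line 132 of the same file shows. Either split it into two links, one per page, or narrow the text to "Vulnerability explanation".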
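Review bot: In `doc/user/gitlab_duo/use_cases.md` at line 558, the SAST link change from `../application_security/sast/analyzers.md` to `../application_security/sast/_index.md` is unrelated to the Duo link retargeting that every other hunk performs; if `analyzers.md` has been removed or renamed, say so in the commit message, otherwise keep the more specific target. In the same hunk, the following sentence mentions Vulnerability Resolution without a link; pointing it at `../application_security/remediate/duo.md` would match the explanation link just above it.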