2021-08-31-Gitlab.Pdf

GitLab at DESY
Git Services User Meeting
Elena Gapon, DESY IT
31st August 2021

Topics
Overview
◦ about GitLab Inc.
◦ DESY service GitLab
◦ project structure in GitLab
◦ Issues and Wiki
◦ container and package registry
◦ GitLab CI/CD service
◦ integration with other tools
◦ migrating repositories from Stash to GitLab
◦ last notes and outlook

Questions and comments: https://codimd.desy.de/jt-azS0gQ9q5NAN1xfkpaw#

GitLab at DESY | 31 August 2021 page 2/17

About GitLab Inc.

Releases and Development
◦ all-remote company, across 67 countries
◦ monthly releases on the 22nd
◦ public release kick-offs
◦ "run" by the GitLab Handbook, 8k+ pages
◦ an open source development process
◦ comprehensive documentation

Community
◦ > 3,000 contributors, ~200 contributions/month
◦ multiple communication channels (YouTube, Gitter, ..., meetups, feedback links)

Business model and Versions
◦ community edition and enterprise paid tiers
◦ self-managed and SaaS

Timeline (slide figure; the year/milestone pairs are reconstructed from the slide layout): 2011 first commit · 2012 GitLab CI, GitLab.com · 2014 GitLab Inc. · 2015 9 employees · 2016 140 employees · 2018 352 employees · IPO: ? · currently 1,429 employees, ~30 m registered users, ~100,000 organisations

GitLab at DESY
◦ October 2020: started as pilot
◦ since June 2021: in production
◦ https://gitlab.desy.de
◦ login with DESY account or via Helmholtz AAI
◦ ~ two updates / month, with short downtime
◦ Community Edition

Project in GitLab
◦ A project is created in a namespace.
◦ A namespace is a group, a subgroup or a user name.
◦ Each repository is created in its own project. This is different from Bitbucket/Stash, where each project can contain multiple repositories.

Configuration options
◦ Project visibility: public (readable by anyone, also without login), internal (readable by any signed-in user of the instance), private (members only)
◦ Member roles: guests, reporters, developers, maintainers, owners
◦ Repository: default and protected branches, push restrictions, merge options
◦ Integration: chats, notifications, 3rd-party wiki, issue tracker, web hooks

Issues
◦ labels
◦ cross-linking of merge requests, commits and other issues
◦ multiple participants
◦ multiple views on an issue list
◦ add a Zoom meeting
◦ CSV export and import

Issue Boards (screenshot on the slide)

Wiki
◦ Markdown, incl. math with KaTeX, diagrams and workflows
◦ WYSIWYG content editor
◦ RDoc, AsciiDoc and Org
◦ create locally or in the web interface
◦ cross-linking: merge requests, commits, issues
◦ sidebar navigation, TOC

Package Registry
◦ package types: npm, Maven, PyPI, Ruby gems, NuGet, Conan, Composer, Helm charts (Kubernetes applications), generic packages
◦ public or private, protected by access rules
◦ create and upload packages from the local machine, e.g. …
◦ … or use GitLab CI/CD to build packages

GitLab CI/CD

What is Continuous Integration/Delivery (CI/CD)?

"Continuous Integration is the practice of integrating code into a shared repository and building/testing each change automatically, as early as possible - usually several times a day."

"Continuous Delivery adds that the software can be released to production at any time, often by automatically pushing changes to a staging system."

GitLab CI/CD pipelines (slide figure: a pipeline with five jobs, and a job log)
◦ automate recurring tasks
◦ run scripts in a repeatable way
◦ version control for build scenarios
◦ overview of the build history
◦ publish and share build artifacts

Container Registry
◦ public or private registry for Docker images
◦ create and upload an image from the local machine, e.g. …
◦ … or use GitLab CI/CD to build container images [follow-up]

Migration from Stash to GitLab

UI
1) create a personal access token in Stash with read permission
2) optionally: create a group where the repositories will be imported to
3) new project > import project > Bitbucket server

API
◦ list repositories in Bitbucket: GET /rest/api/1.0/projects/{projectKey}/repos
◦ import into GitLab: POST api/v4/import/bitbucket_server
→ https://gitlab.desy.de/gitlab/migration-bitbucket

Integration with Other Tools
◦ Build: Jenkins, Buildkite, TeamCity, Drone, Bamboo
◦ Issue Tracking: Bugzilla, EWM, Redmine, YouTrack, Jira
◦ Notifications: Campfire, Discord, Google Chat, Mattermost, MS Teams, Slack, Unify Circuit, Webex Teams, Pushover (e.g. on smartphone), emails on push and pipeline status changes
◦ Wiki
◦ Web hooks on events: push, merge request, release, job, pipeline, deployment, issue, wiki page, comments
◦ REST API: resources give access to ~every entity in GitLab

Questions we received
◦ best practices: don't commit large or binary files → use LFS
◦ Git repository: for code, not for data
◦ GitLab Pages: pilot available
◦ Singularity registry: use build artifacts as workaround

Roadmap
◦ sync GitLab groups with DESY LDAP groups
◦ support CI/CD jobs on Windows
◦ make CVMFS available in CI/CD jobs
◦ on-going user documentation enhancement

Contact and Related Links

Contact
◦ [email protected]
◦ Mattermost: DESY / GitLab

Links
◦ User documentation: https://gitlab.desy.de/documentation/wiki/-/wikis/User
◦ Company: https://about.gitlab.com/company/
◦ GitLab DevOps Tools: https://about.gitlab.com/devops-tools/
◦ Project members' roles: https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions
◦ Packages: https://docs.gitlab.com/ee/user/packages/pypi_repository/ and https://docs.gitlab.com/ee/user/packages/workflows/project_registry.html
◦ Container visibility: https://docs.gitlab.com/ee/user/packages/container_registry/index.html#container-registry-visibility-permissions
◦ Job artifacts: https://docs.gitlab.com/ee/api/job_artifacts.html#get-job-artifacts
◦ Pipelines: https://docs.gitlab.com/ee/ci/pipelines/
◦ Learning Paths: https://about.gitlab.com/learn/
◦ CI/CD pipelines: https://www.youtube.com/watch?v=Jav4vbUrqII (the best introduction) and https://about.gitlab.com/blog/2020/12/10/basics-of-gitlab-ci-updated/
◦ Singularity with GitLab: https://vsoch.github.io/2018/gitlab-singularity-ci/

Thank you
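Worked example for the "Configuration options" on the Project in GitLab slide, added here and not taken from the deck or from DESY's documentation: the least-privilege setting a project owner usually wants is that nobody pushes to the default branch directly, Developers merge only through merge requests, and force-pushes are refused. The script sets that through the REST API and reads the protection back as a check. Assumed, because the slides do not state them: GITLAB_TOKEN holds a personal access token with the "api" scope, the project is given as its numeric ID or as a "group/project" path, and the default branch is named main.

```shell
#!/bin/sh
# Added example (not from the DESY deck): protect the default branch of a
# project on gitlab.desy.de so that only Maintainers push, Developers merge
# through merge requests, and force-push is rejected.
# Assumptions: GITLAB_TOKEN = personal access token with "api" scope;
# the project is a numeric ID or a "group/project" path.
set -eu

GITLAB_URL="${GITLAB_URL:-https://gitlab.desy.de}"

# GitLab's numeric access levels as used by push_access_level and
# merge_access_level: 0 = no one, 30 = Developer, 40 = Maintainer, 60 = Admin.
access_level() {
    case "$1" in
        none)       echo 0 ;;
        developer)  echo 30 ;;
        maintainer) echo 40 ;;
        admin)      echo 60 ;;
        *) echo "unknown access level: $1" >&2; return 1 ;;
    esac
}

# Form body for POST /projects/:id/protected_branches.
protect_branch_body() {   # BRANCH PUSH_LEVEL MERGE_LEVEL
    printf 'name=%s&push_access_level=%s&merge_access_level=%s&allow_force_push=false' \
        "$1" "$(access_level "$2")" "$(access_level "$3")"
}

# The API wants "group/project" URL-encoded ("group%2Fproject");
# numeric IDs pass through unchanged.
encode_project() {        # PROJECT
    printf '%s' "$1" | sed 's|/|%2F|g'
}

protect_branch() {        # PROJECT [BRANCH]
    project="$(encode_project "$1")"; branch="${2:-main}"
    curl --fail --silent --show-error --request POST \
        --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
        --data "$(protect_branch_body "$branch" maintainer developer)" \
        "${GITLAB_URL}/api/v4/projects/${project}/protected_branches"
    echo
    # Check: read the rule back; push_access_levels must show 40, merge 30.
    curl --fail --silent --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
        "${GITLAB_URL}/api/v4/projects/${project}/protected_branches/${branch}"
    echo
}

if [ "${1:-}" = "protect" ]; then
    protect_branch "$2" "${3:-main}"
fi
```

Run it as `GITLAB_TOKEN=... sh protect.sh protect it/my-project main`. A branch that is already protected answers 409; delete the old rule first with `DELETE /projects/:id/protected_branches/:name`, otherwise a weaker existing rule silently stays in force. On a group with many projects the same loop belongs in the group's onboarding checklist, because GitLab protects the default branch by default but does not set the push level to Maintainer-only for you.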
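Worked example for the two "create and upload from the local machine, e.g. …" bullets on the Package Registry and Container Registry slides, added here and not part of the deck: a Python package goes to the project's PyPI endpoint with twine, a container image to the registry with docker, and both are verified through the API afterwards. Assumed, because the slides do not say: GITLAB_USER and GITLAB_TOKEN are a GitLab user name and a personal access token with the "api" scope (a deploy token with write_package_registry / write_registry works the same way), PROJECT_ID is the numeric ID shown on the project page, and REGISTRY is the host name of the DESY container registry, which the deck does not state.

```shell
#!/bin/sh
# Added example (not from the DESY deck): upload a Python package and a
# container image from a workstation, authenticating with a token rather
# than a password. Assumptions: GITLAB_USER, GITLAB_TOKEN ("api" scope),
# REGISTRY (registry host name, unknown from the slides).
set -eu

GITLAB_URL="${GITLAB_URL:-https://gitlab.desy.de}"

# Packages are scoped to a project, so the project ID is part of the URL.
pypi_repo_url() {         # PROJECT_ID
    printf '%s/api/v4/projects/%s/packages/pypi' "$GITLAB_URL" "$1"
}

# pip reads the "simple" index below the same endpoint.
pypi_index_url() {        # PROJECT_ID
    printf '%s/simple' "$(pypi_repo_url "$1")"
}

# The registry only accepts image names equal to the project path in lower
# case (optionally with a sub-path); a mixed-case group or project name is
# the usual cause of "denied: requested access to the resource is denied".
image_ref() {             # REGISTRY PROJECT_PATH TAG
    printf '%s/%s:%s' "$1" "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" "$3"
}

upload_pypi() {           # PROJECT_ID (run in the package's source directory)
    python3 -m pip install --quiet build twine
    python3 -m build
    TWINE_USERNAME="$GITLAB_USER" TWINE_PASSWORD="$GITLAB_TOKEN" \
        python3 -m twine upload --repository-url "$(pypi_repo_url "$1")" dist/*
    # Check: the package is now listed for the project.
    curl --fail --silent --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
        "${GITLAB_URL}/api/v4/projects/$1/packages"
    echo
}

# The token is passed on stdin so it never appears in the process list
# or the shell history.
push_image() {            # PROJECT_ID PROJECT_PATH TAG
    ref="$(image_ref "$REGISTRY" "$2" "$3")"
    printf '%s' "$GITLAB_TOKEN" |
        docker login --username "$GITLAB_USER" --password-stdin "$REGISTRY"
    docker build --tag "$ref" .
    docker push "$ref"
    # Check: the tag is visible through the API.
    curl --fail --silent --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
        "${GITLAB_URL}/api/v4/projects/$1/registry/repositories?tags=true"
    echo
}

case "${1:-}" in
    pypi)  upload_pypi "$2" ;;
    image) push_image "$2" "$3" "$4" ;;
esac
```

Usage: `sh registry.sh pypi 42` in the package directory, or `sh registry.sh image 42 it/my-project v1.2`. To install from the project registry, point pip at the index URL from pypi_index_url; put the credentials in the PIP_INDEX_URL environment variable or pip.conf rather than on the command line, where the token would land in the shell history. The registry visibility follows the project visibility (see the "Container visibility" link on the last slide), so a public project exposes its images to anyone.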
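Worked example for the GitLab CI/CD slides, added here and not taken from the deck: a .gitlab-ci.yml with five jobs in the spirit of the "pipeline with five jobs" figure (build, unit tests, a dependency audit, package upload on tags, image build on the default branch), together with two checks a practitioner wants before committing it: list the job names locally and validate the file against the instance's CI lint API. The package and image jobs authenticate with the job token and the registry variables GitLab predefines, so no personal token is stored in the project. Assumed, because the slides do not say: a Python project with tests/ and requirements.txt, runners that can run Docker-in-Docker for the image job (the deck marks CI-built images as a follow-up, so that job may not yet work on gitlab.desy.de), GITLAB_TOKEN with "api" scope and PROJECT_ID for the lint call, and jq on the workstation.

```shell
#!/bin/sh
# Added example (not from the DESY deck): a five-job .gitlab-ci.yml plus
# a local job listing and a lint call. Assumptions: Python project,
# Docker-in-Docker runners, GITLAB_TOKEN ("api" scope), jq installed.
set -eu

GITLAB_URL="${GITLAB_URL:-https://gitlab.desy.de}"

write_ci_config() {
cat <<'EOF'
stages: [build, test, package]

default:
  image: python:3.9

build:
  stage: build
  script:
    - python3 -m pip install build
    - python3 -m build
  artifacts:
    paths: [dist/]
    expire_in: 1 week

unit-test:
  stage: test
  script:
    - python3 -m pip install pytest dist/*.whl
    - python3 -m pytest tests/

dependency-audit:
  stage: test
  script:
    - python3 -m pip install pip-audit
    - python3 -m pip_audit --requirement requirements.txt

publish-package:
  stage: package
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - python3 -m pip install twine
    - TWINE_USERNAME=gitlab-ci-token TWINE_PASSWORD="$CI_JOB_TOKEN" python3 -m twine upload --repository-url "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi" dist/*

build-image:
  stage: package
  image: docker:20.10
  services: [docker:20.10-dind]
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build --tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
EOF
}

# Job names of a .gitlab-ci.yml read from stdin: every top-level key that is
# neither a reserved global keyword nor a hidden ".template".
ci_jobs() {
    awk '/^[A-Za-z_][A-Za-z0-9_-]*:/ {
            key = $1; sub(/:.*/, "", key)
            if (key !~ /^(stages|variables|default|include|workflow|image|services|cache|before_script|after_script)$/) print key
        }'
}

# POST /projects/:id/ci/lint answers {"valid": true|false, "errors": [...]}.
lint_ci_config() {        # PROJECT_ID FILE
    jq --raw-input --slurp '{content: .}' "$2" |
        curl --fail --silent --show-error --request POST \
            --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
            --header "Content-Type: application/json" \
            --data @- \
            "${GITLAB_URL}/api/v4/projects/$1/ci/lint"
    echo
}

case "${1:-}" in
    write) write_ci_config > .gitlab-ci.yml ;;
    jobs)  write_ci_config | ci_jobs ;;
    lint)  lint_ci_config "$2" "${3:-.gitlab-ci.yml}" ;;
esac
```

Usage: `sh ci.sh write`, then `sh ci.sh jobs` to see the five names, then `GITLAB_TOKEN=... sh ci.sh lint 42` and check that the reply says "valid": true. The `rules:` on the two package-stage jobs are what keeps uploads out of merge-request pipelines: without them every branch push would publish a package and an image.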
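Worked example for the API part of the Migration from Stash to GitLab slide, added here; it is not the deck's code and not the content of the gitlab/migration-bitbucket project linked there. The script walks the paged repository list of one Bitbucket Server project with the GET call from the slide and hands each repository to GitLab with the POST call from the slide; GitLab then clones from Bitbucket itself, so the Bitbucket token is sent to GitLab in the request body. The JSON parsing is done with sed on a constructed sample page so the parsing part runs offline. Assumed, because the slides do not say: STASH_URL, STASH_USER and STASH_TOKEN (the Bitbucket personal access token with read permission from step 1 of the UI procedure), GITLAB_TOKEN (GitLab personal access token with "api" scope) and GITLAB_NAMESPACE (the target group path from step 2) are set in the environment.

```shell
#!/bin/sh
# Added example (not from the DESY deck or the migration-bitbucket project):
# migrate all repositories of one Bitbucket Server project into a GitLab group.
# Assumptions: STASH_URL, STASH_USER, STASH_TOKEN (read permission),
# GITLAB_TOKEN ("api" scope), GITLAB_NAMESPACE (target group path).
set -eu

STASH_URL="${STASH_URL:-https://stash.example.org}"   # assumed host name
STASH_USER="${STASH_USER:-}"
GITLAB_URL="${GITLAB_URL:-https://gitlab.desy.de}"

# Constructed sample of one page of GET /rest/api/1.0/projects/{projectKey}/repos
# (two repositories, with a further page to follow).
SAMPLE_PAGE='{"size":2,"limit":100,"isLastPage":false,"values":[{"slug":"detector-daq","id":7,"name":"Detector DAQ","project":{"key":"IT"}},{"slug":"beamline-tools","id":9,"name":"beamline-tools","project":{"key":"IT"}}],"start":0,"nextPageStart":2}'

bitbucket_repos_url() {   # PROJECT_KEY START
    printf '%s/rest/api/1.0/projects/%s/repos?limit=100&start=%s' "$STASH_URL" "$1" "$2"
}

# Repository slugs of one page (JSON on stdin). Every repository object holds
# exactly one "slug" key, so splitting at '{' and picking that key per
# fragment is sufficient for this response shape; use jq beyond it.
repo_slugs() {
    tr '{' '\n' | sed -n 's/.*"slug" *: *"\([^"]*\)".*/\1/p'
}

# Bitbucket pages its lists: print the next offset, or nothing on the last page.
next_page_start() {       # PAGE_JSON
    printf '%s' "$1" | grep -q '"isLastPage" *: *true' && return 0
    printf '%s' "$1" | sed -n 's/.*"nextPageStart" *: *\([0-9][0-9]*\).*/\1/p'
}

# POST /import/bitbucket_server; the Bitbucket token goes in the body,
# never in the URL, so it does not end up in proxy or access logs.
import_repo() {           # PROJECT_KEY SLUG
    curl --fail --silent --show-error --request POST \
        --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
        --data-urlencode "bitbucket_server_url=${STASH_URL}" \
        --data-urlencode "bitbucket_server_username=${STASH_USER}" \
        --data-urlencode "personal_access_token=${STASH_TOKEN}" \
        --data-urlencode "bitbucket_server_project=$1" \
        --data-urlencode "bitbucket_server_repo=$2" \
        --data-urlencode "new_namespace=${GITLAB_NAMESPACE}" \
        "${GITLAB_URL}/api/v4/import/bitbucket_server"
    echo
}

migrate_project() {       # PROJECT_KEY
    start=0
    while :; do
        page="$(curl --fail --silent --header "Authorization: Bearer ${STASH_TOKEN}" \
            "$(bitbucket_repos_url "$1" "$start")")"
        for slug in $(printf '%s' "$page" | repo_slugs); do
            import_repo "$1" "$slug"
        done
        start="$(next_page_start "$page")"
        [ -n "$start" ] || break
    done
}

case "${1:-}" in
    demo)    printf '%s' "$SAMPLE_PAGE" | repo_slugs ;;
    migrate) migrate_project "$2" ;;
esac
```

`sh migrate.sh demo` prints the two slugs from the sample page; `sh migrate.sh migrate IT` does the real run. Each POST only schedules the import: check `GET /projects/<namespace>%2F<slug>` afterwards and wait for "import_status": "finished" before switching the team over, and revoke the Bitbucket token once the last import has finished, since GitLab has stored it for the duration of the job.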