authorGitLab Bot <gitlab-bot@gitlab.com>2020-09-12 00:08:44 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-09-12 00:08:44 +0000
commit0f5dcf55e543e2cb30697d4c8ea8ce509cf25375 (patch)
tree213f71f90ed2f6d356a90b0d09e8dbf5d14e816e /doc/user
parenta66475b6beb46d77b9ff3fe30453be2d52779048 (diff)
downloadgitlab-ce-0f5dcf55e543e2cb30697d4c8ea8ce509cf25375.tar.gz
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/user')
-rw-r--r--doc/user/application_security/cve_id_request.md69
-rw-r--r--doc/user/application_security/img/cve_id_request_button.pngbin0 -> 5220 bytes
-rw-r--r--doc/user/application_security/img/cve_request_communication.pngbin0 -> 45402 bytes
-rw-r--r--doc/user/application_security/img/cve_request_communication_publication.pngbin0 -> 66617 bytes
-rw-r--r--doc/user/application_security/img/new_cve_request_issue.pngbin0 -> 96795 bytes
-rw-r--r--doc/user/application_security/index.md4
-rw-r--r--doc/user/permissions.md1
-rw-r--r--doc/user/project/index.md2
-rw-r--r--doc/user/project/settings/img/cve_id_request_toggle.pngbin0 -> 5395 bytes
-rw-r--r--doc/user/project/settings/index.md10
-rw-r--r--doc/user/shortcuts.md7
11 files changed, 92 insertions, 1 deletions
diff --git a/doc/user/application_security/cve_id_request.md b/doc/user/application_security/cve_id_request.md
new file mode 100644
index 00000000000..94cacf2882f
--- /dev/null
+++ b/doc/user/application_security/cve_id_request.md
@@ -0,0 +1,69 @@
+---
+type: tutorial
+stage: Secure
+group: Vulnerability Research
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+---
+
+# CVE ID Requests
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41203) in GitLab 13.4, only for public projects on GitLab.com.
+
+As part of [GitLab's role as a CVE Numbering Authority](https://about.gitlab.com/security/cve)
+([CNA](https://cve.mitre.org/cve/cna.html)), you may request
+[CVE](https://cve.mitre.org/index.html) identifiers from GitLab to track
+vulnerabilities found within your project.
+
+## Overview
+
+CVE identifiers track specific vulnerabilities within projects. Having a CVE assigned to a
+vulnerability in your project helps your users stay secure and informed. For example,
+[dependency scanning tools](../application_security/dependency_scanning/index.md)
+can detect when vulnerable versions of your project are used as a dependency.
+
+## Conditions
+
+If the following conditions are met, a **Request CVE ID** button appears in your issue sidebar:
+
+- The project is hosted in GitLab.com.
+- The project is public.
+- You are a maintainer of the project.
+- The issue is confidential.
+
+## Submitting a CVE ID Request
+
+Clicking the **Request CVE ID** button in the issue sidebar takes you to the new issue page for
+[GitLab's CVE project](https://gitlab.com/gitlab-org/cves).
+
+![CVE ID request button](img/cve_id_request_button.png)
+
+Creating the confidential issue starts the CVE request process.
+
+![New CVE ID request issue](img/new_cve_request_issue.png)
+
+You are required to fill in the issue description, which includes:
+
+- A description of the vulnerability
+- The project's vendor and name
+- Impacted versions
+- Fixed versions
+- The vulnerability type (a [CWE](https://cwe.mitre.org/data/index.html) identifier)
+- A [CVSS v3 vector](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
+
+## CVE Assignment
+
+GitLab triages your submitted CVE ID request and communicates with you throughout the CVE validation
+and assignment process.
+
+![CVE ID request communication](img/cve_request_communication.png)
+
+Once a CVE identifier is assigned, you may use and reference it as you see fit.
+
+Details of the vulnerability submitted in the CVE ID request are published according to your
+schedule. It's common to request a CVE for an unpatched vulnerability, reference the assigned CVE
+identifier in release notes, and later publish the vulnerability's details after the fix is
+released.
+
+Separate communications notify you when different stages of the publication process are complete.
+
+![CVE ID request publication communication](img/cve_request_communication_publication.png)
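Review bot: The button is named "Request CVE ID" here (the Conditions section and the first line of "Submitting a CVE ID Request"), but the project settings page added in the same commit calls it the "Create CVE ID Request" button; pick one name and use it in both files so readers can find the control. Two smaller points in the Conditions list: "The project is hosted in GitLab.com" should read "hosted on GitLab.com", and "You are a maintainer of the project" would be clearer as "You have at least the Maintainer role", since the permissions table in this commit grants the action to both Maintainer and Owner.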
diff --git a/doc/user/application_security/img/cve_id_request_button.png b/doc/user/application_security/img/cve_id_request_button.png
new file mode 100644
index 00000000000..15707ba9eb2
--- /dev/null
+++ b/doc/user/application_security/img/cve_id_request_button.png
Binary files differ
diff --git a/doc/user/application_security/img/cve_request_communication.png b/doc/user/application_security/img/cve_request_communication.png
new file mode 100644
index 00000000000..0766b371c11
--- /dev/null
+++ b/doc/user/application_security/img/cve_request_communication.png
Binary files differ
diff --git a/doc/user/application_security/img/cve_request_communication_publication.png b/doc/user/application_security/img/cve_request_communication_publication.png
new file mode 100644
index 00000000000..9e34c217e13
--- /dev/null
+++ b/doc/user/application_security/img/cve_request_communication_publication.png
Binary files differ
diff --git a/doc/user/application_security/img/new_cve_request_issue.png b/doc/user/application_security/img/new_cve_request_issue.png
new file mode 100644
index 00000000000..a342c73992e
--- /dev/null
+++ b/doc/user/application_security/img/new_cve_request_issue.png
Binary files differ
diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index edc0310667c..d509176f2b2 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -247,7 +247,9 @@ You can create an issue for a vulnerability by visiting the vulnerability's page
This creates a [confidential issue](../project/issues/confidential_issues.md) in the project the
vulnerability came from, and pre-populates it with some useful information taken from the vulnerability
report. Once the issue is created, you are redirected to it so you can edit, assign, or comment on
-it.
+it. CVE identifiers can be requested from GitLab by clicking the
+[_CVE ID Request_ button](cve_id_request.md) that is enabled for maintainers of
+public projects on GitLab.com
Upon returning to the group security dashboard, the vulnerability now has an associated issue next
to the name.
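Review bot: The added sentence has no terminating period ("public projects on GitLab.com" ends the paragraph bare); it should read "... public projects on GitLab.com." Also, "CVE ID Request button" is italicized here while the rest of the docs bold UI element names (for example **Request CVE ID** in the new page), so `[**Request CVE ID** button](cve_id_request.md)` would match both the convention and the button's name as documented in the linked page.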
diff --git a/doc/user/permissions.md b/doc/user/permissions.md
index cddb2ab3188..8fc45425060 100644
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -122,6 +122,7 @@ The following table depicts the various user permission levels in a project.
| Manage Feature Flags **(PREMIUM)** | | | ✓ | ✓ | ✓ |
| Create/edit/delete metrics dashboard annotations | | | ✓ | ✓ | ✓ |
| Run CI/CD pipeline against a protected branch | | | ✓ (*5*) | ✓ | ✓ |
+| Request a CVE ID **(FREE ONLY)** | | | | ✓ | ✓ |
| Use environment terminals | | | | ✓ | ✓ |
| Run Web IDE's Interactive Web Terminals **(ULTIMATE ONLY)** | | | | ✓ | ✓ |
| Add new team members | | | | ✓ | ✓ |
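Review bot: The tier badge on the new row does not convey that the feature exists only for public projects on GitLab.com, which is the condition the new cve_id_request.md page states. The row directly above it uses a footnote marker `(*5*)` for a conditional permission; add a similar footnote (or link the row text to the CVE ID request page) so the table does not suggest every Maintainer or Owner on a Free project sees the button.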
diff --git a/doc/user/project/index.md b/doc/user/project/index.md
index da09b9d598e..c79f2be1d3f 100644
--- a/doc/user/project/index.md
+++ b/doc/user/project/index.md
@@ -37,6 +37,8 @@ When you create a project in GitLab, you'll have access to a large number of
- [Signing commits](gpg_signed_commits/index.md): use GPG to sign your commits
- [Deploy tokens](deploy_tokens/index.md): Manage project-based deploy tokens that allow permanent access to the repository and Container Registry.
- [Web IDE](web_ide/index.md)
+- [CVE ID Requests](../application_security/cve_id_request.md): Request a CVE identifier to track a
+ vulnerability in your project.
**Issues and merge requests:**
diff --git a/doc/user/project/settings/img/cve_id_request_toggle.png b/doc/user/project/settings/img/cve_id_request_toggle.png
new file mode 100644
index 00000000000..53ec804922c
--- /dev/null
+++ b/doc/user/project/settings/img/cve_id_request_toggle.png
Binary files differ
diff --git a/doc/user/project/settings/index.md b/doc/user/project/settings/index.md
index 3be54a5c940..395d4bf30c5 100644
--- a/doc/user/project/settings/index.md
+++ b/doc/user/project/settings/index.md
@@ -100,6 +100,16 @@ Some features depend on others:
- Metrics dashboard access requires reading both project environments and deployments.
Users with access to the metrics dashboard can also access environments and deployments.
+#### Disabling the CVE ID request button
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41203) in GitLab 13.4, only for public projects on GitLab.com.
+
+In applicable environments, a [**Create CVE ID Request** button](../../application_security/cve_id_request.md)
+is present in the issue sidebar. The button may be disabled on a per-project basis by toggling the
+setting **Enable CVE ID requests in the issue sidebar**.
+
+![CVE ID Request toggle](img/cve_id_request_toggle.png)
+
#### Disabling email notifications
Project owners can disable all [email notifications](../../profile/notifications.md#gitlab-notification-emails)
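Review bot: "In applicable environments" is vague, and the button name here ("Create CVE ID Request") differs from the "Request CVE ID" name used in the linked cve_id_request.md page. Suggest stating the condition directly, e.g. "For public projects on GitLab.com, a **Request CVE ID** button is present in the sidebar of confidential issues", and linking the word "conditions" to the Conditions section of that page so the two documents agree on when the button appears and what it is called.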
diff --git a/doc/user/shortcuts.md b/doc/user/shortcuts.md
index 4d65cc61bd5..c34d5be5899 100644
--- a/doc/user/shortcuts.md
+++ b/doc/user/shortcuts.md
@@ -40,6 +40,13 @@ for example comments, replies, issue descriptions, and merge request description
| ---------------------------------------------------------------------- | ----------- |
| <kbd>↑</kbd> | Edit your last comment. You must be in a blank text field below a thread, and you must already have at least one comment in the thread. |
| <kbd>⌘</kbd> (Mac) / <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>p</kbd> | Toggle Markdown preview, when editing text in a text field that has **Write** and **Preview** tabs at the top. |
+| <kbd>⌘</kbd> (Mac) / <kbd>Ctrl</kbd> + <kbd>b</kbd> | Bold the selected text (surround it with `**`). |
+| <kbd>⌘</kbd> (Mac) / <kbd>Ctrl</kbd> + <kbd>i</kbd> | Italicize the selected text (surround it with `_`). |
+| <kbd>⌘</kbd> (Mac) / <kbd>Ctrl</kbd> + <kbd>k</kbd> | Add a link (surround the selected text with `[]()`). |
+
+NOTE: **Note:**
+The shortcuts for editing in text fields are always enabled, even when
+other keyboard shortcuts are disabled as explained above.
## Project