
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'data/deprecations/14-8-sast-analyzer-removals.yml')
-rw-r--r--  data/deprecations/14-8-sast-analyzer-removals.yml | 32
1 files changed, 32 insertions, 0 deletions
diff --git a/data/deprecations/14-8-sast-analyzer-removals.yml b/data/deprecations/14-8-sast-analyzer-removals.yml
new file mode 100644
index 00000000000..6bbeee0cd6b
--- /dev/null
+++ b/data/deprecations/14-8-sast-analyzer-removals.yml
@@ -0,0 +1,32 @@
+- name: "SAST analyzer consolidation and CI/CD template changes"
+ announcement_milestone: "14.8"
+ announcement_date: "2022-02-22"
+ removal_milestone: "15.0"
+ removal_date: "2022-05-22"
+ breaking_change: true
+ reporter: connorgilbert
+ body: | # Do not modify this line, instead modify the lines below.
+ GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities.
+
+ We are reducing the number of analyzers used in GitLab SAST as part of our long-term strategy to deliver a better and more consistent user experience.
+ Streamlining the set of analyzers will also enable faster [iteration](https://about.gitlab.com/handbook/values/#iteration), better [results](https://about.gitlab.com/handbook/values/#results), and greater [efficiency](https://about.gitlab.com/handbook/values/#results) (including a reduction in CI runner usage in most cases).
+
+ In GitLab 15.0, GitLab SAST will no longer use the following analyzers:
+
+ - [ESLint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (JavaScript, TypeScript, React)
+ - [Gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Go)
+ - [Bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Python)
+
+ These analyzers will be removed from the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replaced with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
+ They will no longer receive routine updates, except for security issues.
+ We will not delete container images previously published for these analyzers; any such change would be announced as a [deprecation, removal, or breaking change announcement](https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-removals-and-breaking-changes).
+
+ We will also remove Java from the scope of the [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) analyzer and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
+ This change will make it simpler to scan Java code; compilation will no longer be required.
+ This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml).
+
+ If you applied customizations to any of the affected analyzers, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352554#breaking-change).
+# The following items are not published on the docs page, but may be used in the future.
+ stage: Secure
+ tiers: [Free, Silver, Gold, Core, Premium, Ultimate]
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352554
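Review bot: the "efficiency" link in the body paragraph on the `Streamlining the set of analyzers...` line points at the wrong handbook anchor: `greater [efficiency](https://about.gitlab.com/handbook/values/#results)` reuses the `#results` fragment already used by the preceding `[results]` link, so readers clicking "efficiency" land on the Results value instead of the Efficiency value. Change that fragment to the efficiency anchor of the values page (`https://about.gitlab.com/handbook/values/#efficiency`) before this is published, since the body is rendered verbatim on the deprecations docs page. Everything else in the entry is consistent: `removal_milestone: "15.0"` matches the "In GitLab 15.0" sentence, `breaking_change: true` matches the "you must take action" guidance, and the `issue_url` matches the deprecation issue linked in the body.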