Diffstat (limited to 'data/deprecations/15-9-sast-analyzer-consolidation.yml')
-rw-r--r--  data/deprecations/15-9-sast-analyzer-consolidation.yml  36
1 files changed, 36 insertions, 0 deletions
diff --git a/data/deprecations/15-9-sast-analyzer-consolidation.yml b/data/deprecations/15-9-sast-analyzer-consolidation.yml
new file mode 100644
index 00000000000..9bbeb36b597
--- /dev/null
+++ b/data/deprecations/15-9-sast-analyzer-consolidation.yml
@@ -0,0 +1,36 @@
+- title: "SAST analyzer coverage changing in GitLab 16.0" # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
+ announcement_milestone: "15.9" # (required) The milestone when this feature was first announced as deprecated.
+ removal_milestone: "16.0" # (required) The milestone when this feature is planned to be removed
+ breaking_change: true # (required) Change to false if this is not a breaking change.
+ reporter: connorgilbert # (required) GitLab username of the person reporting the change
+ stage: secure # (required) String value of the stage that the feature was created in. e.g., Growth
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/390416 # (required) Link to the deprecation issue in GitLab
+ body: | # (required) Do not modify this line, instead modify the lines below.
+ GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities.
+
+ We're reducing the number of supported analyzers used by default in GitLab SAST.
+ This is part of our long-term strategy to deliver a faster, more consistent user experience across different programming languages.
+
+ Starting in GitLab 16.0, the GitLab SAST CI/CD template will no longer use the following analyzers, and they will enter End of Support status:
+
+ - [Security Code Scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) (.NET)
+ - [PHPCS Security Audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP)
+
+ We'll remove these analyzers from the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replace them with GitLab-supported detection rules and the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
+ Effective immediately, these analyzers will receive only security updates; other routine improvements or updates are not guaranteed.
+ After these analyzers reach End of Support, no further updates will be provided.
+ However, we won't delete container images previously published for these analyzers or remove the ability to run them by using a custom CI/CD pipeline job.
+
+ We will also remove Scala from the scope of the [SpotBugs-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
+ This change will make it simpler to scan Scala code; compilation will no longer be required.
+ This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml).
+ Note that the SpotBugs-based analyzer will continue to cover Groovy and Kotlin.
+
+ If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on:
+
+ - whether you've excluded the Semgrep-based analyzer from running in the past.
+ - which analyzer first discovered the vulnerabilities shown in the project's Vulnerability Report.
+
+ See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details.
+
+ If you applied customizations to any of the affected analyzers or if you currently disable the Semgrep analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/390416#breaking-change).
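Review bot: "Effective immediately" in the body is ambiguous inside a milestone-scoped deprecation entry, since the page is rendered long after 15.9 ships; anchor the reduced-maintenance window to the announcement milestone instead, e.g. "Starting in GitLab 15.9, these analyzers receive only security updates; other routine improvements or updates are not guaranteed." Two smaller points in the same hunk: the closing paragraph flags `breaking_change: true` but defers the entire required action to the `#breaking-change` anchor of the external issue, so readers of the rendered deprecations page get no summary of what to change (at minimum, name the two conditions, customized analyzer jobs and a disabled Semgrep analyzer, alongside what each must do); and the docs links are inconsistent, one written as `.../sast/analyzers/` and the other as `.../sast/analyzers.html#vulnerability-translation`, so pick one URL form for both.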