diff options
Diffstat (limited to 'data/deprecations/15-9-sast-analyzer-consolidation.yml')
-rw-r--r-- | data/deprecations/15-9-sast-analyzer-consolidation.yml | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/data/deprecations/15-9-sast-analyzer-consolidation.yml b/data/deprecations/15-9-sast-analyzer-consolidation.yml new file mode 100644 index 00000000000..9bbeb36b597 --- /dev/null +++ b/data/deprecations/15-9-sast-analyzer-consolidation.yml @@ -0,0 +1,36 @@ +- title: "SAST analyzer coverage changing in GitLab 16.0" # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters." + announcement_milestone: "15.9" # (required) The milestone when this feature was first announced as deprecated. + removal_milestone: "16.0" # (required) The milestone when this feature is planned to be removed + breaking_change: true # (required) Change to false if this is not a breaking change. + reporter: connorgilbert # (required) GitLab username of the person reporting the change + stage: secure # (required) String value of the stage that the feature was created in. e.g., Growth + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/390416 # (required) Link to the deprecation issue in GitLab + body: | # (required) Do not modify this line, instead modify the lines below. + GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities. + + We're reducing the number of supported analyzers used by default in GitLab SAST. + This is part of our long-term strategy to deliver a faster, more consistent user experience across different programming languages. + + Starting in GitLab 16.0, the GitLab SAST CI/CD template will no longer use the following analyzers, and they will enter End of Support status: + + - [Security Code Scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) (.NET) + - [PHPCS Security Audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP) + + We'll remove these analyzers from the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replace them with GitLab-supported detection rules and the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep). + Effective immediately, these analyzers will receive only security updates; other routine improvements or updates are not guaranteed. + After these analyzers reach End of Support, no further updates will be provided. + However, we won't delete container images previously published for these analyzers or remove the ability to run them by using a custom CI/CD pipeline job. + + We will also remove Scala from the scope of the [SpotBugs-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep). + This change will make it simpler to scan Scala code; compilation will no longer be required. + This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml). + Note that the SpotBugs-based analyzer will continue to cover Groovy and Kotlin. + + If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on: + + - whether you've excluded the Semgrep-based analyzer from running in the past. + - which analyzer first discovered the vulnerabilities shown in the project's Vulnerability Report. + + See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details. + + If you applied customizations to any of the affected analyzers or if you currently disable the Semgrep analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/390416#breaking-change). |