debian-mirror-gitlab/data/removals/15_4/15-4-sast-analyzer-consolidation.yml

- name: "SAST analyzer consolidation and CI/CD template changes"
  announcement_milestone: "14.8"
  announcement_date: "2022-02-22"
  removal_milestone: "15.4"
  removal_date: "2022-09-22"
  breaking_change: true
  reporter: connorgilbert
  stage: Secure
  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352554
  body: |  # (required) Do not modify this line, instead modify the lines below.
    We have replaced the GitLab SAST [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) for certain languages in GitLab 15.4 as part of our long-term strategy to deliver a more consistent user experience, faster scan times, and reduced CI minute usage.

    Starting from GitLab 15.4, the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) uses [Semgrep-based scanning](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#transition-to-semgrep-based-scanning) instead of the following analyzers:

    - [ESLint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) for JavaScript, TypeScript, React
    - [Gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) for Go
    - [Bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) for Python
    - [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) for Java

    We will no longer make any updates to the ESLint-, Gosec-, and Bandit-based analyzers.
    The SpotBugs-based analyzer will continue to be used for Groovy, Kotlin, and Scala scanning.

    We won't delete container images previously published for these analyzers, so older versions of the CI/CD template will continue to work.

    If you changed the default GitLab SAST configuration, you may need to update your configuration as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352554#actions-required).
# The following items are not published on the docs page, but may be used in the future.
  tiers: [Free, Silver, Gold, Core, Premium, Ultimate]
  documentation_url: https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#transition-to-semgrep-based-scanning  # (optional) This is a link to the current documentation page
  image_url:  # (optional) This is a link to a thumbnail image depicting the feature
  video_url:  # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
New upstream version 15.4.2+ds1 2022-10-11 01:57:18 +05:30			`- name: "SAST analyzer consolidation and CI/CD template changes"`
			`announcement_milestone: "14.8"`
			`announcement_date: "2022-02-22"`
			`removal_milestone: "15.4"`
			`removal_date: "2022-09-22"`
			`breaking_change: true`
			`reporter: connorgilbert`
			`stage: Secure`
			`issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352554`
			`body: \| # (required) Do not modify this line, instead modify the lines below.`
			`We have replaced the GitLab SAST [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) for certain languages in GitLab 15.4 as part of our long-term strategy to deliver a more consistent user experience, faster scan times, and reduced CI minute usage.`

			`Starting from GitLab 15.4, the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) uses [Semgrep-based scanning](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#transition-to-semgrep-based-scanning) instead of the following analyzers:`

			`- [ESLint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) for JavaScript, TypeScript, React`
			`- [Gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) for Go`
			`- [Bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) for Python`
			`- [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) for Java`

			`We will no longer make any updates to the ESLint-, Gosec-, and Bandit-based analyzers.`
			`The SpotBugs-based analyzer will continue to be used for Groovy, Kotlin, and Scala scanning.`

			`We won't delete container images previously published for these analyzers, so older versions of the CI/CD template will continue to work.`

			`If you changed the default GitLab SAST configuration, you may need to update your configuration as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352554#actions-required).`
			`# The following items are not published on the docs page, but may be used in the future.`
			`tiers: [Free, Silver, Gold, Core, Premium, Ultimate]`
			`documentation_url: https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#transition-to-semgrep-based-scanning # (optional) This is a link to the current documentation page`
			`image_url: # (optional) This is a link to a thumbnail image depicting the feature`
			`video_url: # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg`