debian-mirror-gitlab/data/deprecations/14-8-sast-analyzer-removals.yml


- name: "SAST analyzer consolidation and CI/CD template changes"
  announcement_milestone: "14.8"
  announcement_date: "2022-02-22"
  removal_milestone: "15.4"
  removal_date: "2022-09-22"
  breaking_change: true
  reporter: connorgilbert
  body: | # Do not modify this line, instead modify the lines below.
    GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities.
    We are reducing the number of analyzers used in GitLab SAST as part of our long-term strategy to deliver a better and more consistent user experience.
    Streamlining the set of analyzers will also enable faster [iteration](https://about.gitlab.com/handbook/values/#iteration), better [results](https://about.gitlab.com/handbook/values/#results), and greater [efficiency](https://about.gitlab.com/handbook/values/#efficiency) (including a reduction in CI runner usage in most cases).

    In GitLab 15.4, GitLab SAST will no longer use the following analyzers:

    - [ESLint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (JavaScript, TypeScript, React)
    - [Gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Go)
    - [Bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Python)

    NOTE:
    This change was originally planned for GitLab 15.0 and was postponed to GitLab 15.4.
    See [the removal notice](./removals.md#sast-analyzer-consolidation-and-cicd-template-changes) for further details.

    These analyzers will be removed from the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replaced with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
    Effective immediately, they will receive only security updates; other routine improvements or updates are not guaranteed.
    After these analyzers reach End of Support, no further updates will be provided.
    We will not delete container images previously published for these analyzers; any such change would be announced as a [deprecation, removal, or breaking change announcement](https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-removals-and-breaking-changes).

    We will also remove Java from the scope of the [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) analyzer and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
    This change will make it simpler to scan Java code; compilation will no longer be required.
    This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml). Note that the SpotBugs-based analyzer will continue to cover Groovy, Kotlin, and Scala.

    If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on:

    - whether you've excluded the Semgrep-based analyzer from running in the past.
    - which analyzer first discovered the vulnerabilities shown in the project's Vulnerability Report.

    See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details.

    If you applied customizations to any of the affected analyzers or if you currently disable the Semgrep analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352554#breaking-change).
  # The following items are not published on the docs page, but may be used in the future.
  stage: Secure
  tiers: [Free, Silver, Gold, Core, Premium, Ultimate]
  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352554