debian-mirror-gitlab/data/deprecations/14-8-sast-analyzer-removals.yml

- name: "SAST analyzer consolidation and CI/CD template changes"
  announcement_milestone: "14.8"
  announcement_date: "2022-02-22"
  removal_milestone: "15.4"
  removal_date: "2022-09-22"
  breaking_change: true
  reporter: connorgilbert
  body: |  # Do not modify this line, instead modify the lines below.
    GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities.

    We are reducing the number of analyzers used in GitLab SAST as part of our long-term strategy to deliver a better and more consistent user experience.
    Streamlining the set of analyzers will also enable faster [iteration](https://about.gitlab.com/handbook/values/#iteration), better [results](https://about.gitlab.com/handbook/values/#results), and greater [efficiency](https://about.gitlab.com/handbook/values/#efficiency) (including a reduction in CI runner usage in most cases).

    In GitLab 15.4, GitLab SAST will no longer use the following analyzers:

    - [ESLint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (JavaScript, TypeScript, React)
    - [Gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Go)
    - [Bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Python)

    NOTE:
    This change was originally planned for GitLab 15.0 and has been postponed.

    These analyzers will be removed from the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replaced with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
    They will no longer receive routine updates, except for security issues.
    We will not delete container images previously published for these analyzers; any such change would be announced as a [deprecation, removal, or breaking change announcement](https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-removals-and-breaking-changes).

    We will also remove Java from the scope of the [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) analyzer and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
    This change will make it simpler to scan Java code; compilation will no longer be required.
    This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml). Note that the SpotBugs-based analyzer will continue to cover Groovy, Kotlin, and Scala.

    If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on:

    - whether you’ve excluded the Semgrep-based analyzer from running in the past.
    - which analyzer first discovered the vulnerabilities shown in the project’s Vulnerability Report.

    See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details.

    If you applied customizations to any of the affected analyzers or if you currently disable the Semgrep analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352554#breaking-change).
# The following items are not published on the docs page, but may be used in the future.
  stage: Secure
  tiers: [Free, Silver, Gold, Core, Premium, Ultimate]
  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352554
-												New upstream version 14.8.5+ds1
											
										
										
											2022-04-04 11:22:00 +05:30
+								- name: "SAST analyzer consolidation and CI/CD template changes"
 								  announcement_milestone: "14.8"
 								  announcement_date: "2022-02-22"
-												New upstream version 15.2.2+ds1
											
										
										
											2022-08-13 15:12:31 +05:30
+								  removal_milestone: "15.4"
 								  removal_date: "2022-09-22"
-												New upstream version 14.8.5+ds1
											
										
										
											2022-04-04 11:22:00 +05:30
+								  breaking_change: true
 								  reporter: connorgilbert
 								  body: |  # Do not modify this line, instead modify the lines below.
 								    GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities.
 								    We are reducing the number of analyzers used in GitLab SAST as part of our long-term strategy to deliver a better and more consistent user experience.
-												New upstream version 15.2.2+ds1
											
										
										
											2022-08-13 15:12:31 +05:30
+								    Streamlining the set of analyzers will also enable faster [iteration](https://about.gitlab.com/handbook/values/#iteration), better [results](https://about.gitlab.com/handbook/values/#results), and greater [efficiency](https://about.gitlab.com/handbook/values/#efficiency) (including a reduction in CI runner usage in most cases).
-												New upstream version 14.8.5+ds1
											
										
										
											2022-04-04 11:22:00 +05:30
-												New upstream version 15.2.2+ds1
											
										
										
											2022-08-13 15:12:31 +05:30
+								    In GitLab 15.4, GitLab SAST will no longer use the following analyzers:
-												New upstream version 14.8.5+ds1
											
										
										
											2022-04-04 11:22:00 +05:30
 								    - [ESLint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (JavaScript, TypeScript, React)
 								    - [Gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Go)
 								    - [Bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Python)
-												New upstream version 15.0.4+ds1
											
										
										
											2022-07-16 23:28:13 +05:30
+								    NOTE:
 								    This change was originally planned for GitLab 15.0 and has been postponed.
-												New upstream version 14.8.5+ds1
											
										
										
											2022-04-04 11:22:00 +05:30
+								    These analyzers will be removed from the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replaced with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
 								    They will no longer receive routine updates, except for security issues.
 								    We will not delete container images previously published for these analyzers; any such change would be announced as a [deprecation, removal, or breaking change announcement](https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-removals-and-breaking-changes).
 								    We will also remove Java from the scope of the [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) analyzer and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
 								    This change will make it simpler to scan Java code; compilation will no longer be required.
-												New upstream version 15.2.2+ds1
											
										
										
											2022-08-13 15:12:31 +05:30
+								    This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml). Note that the SpotBugs-based analyzer will continue to cover Groovy, Kotlin, and Scala.
 								    If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on:
 								    - whether you’ve excluded the Semgrep-based analyzer from running in the past.
 								    - which analyzer first discovered the vulnerabilities shown in the project’s Vulnerability Report.
 								    See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details.
-												New upstream version 14.8.5+ds1
											
										
										
											2022-04-04 11:22:00 +05:30
-												New upstream version 15.0.4+ds1
											
										
										
											2022-07-16 23:28:13 +05:30
+								    If you applied customizations to any of the affected analyzers or if you currently disable the Semgrep analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352554#breaking-change).
-												New upstream version 14.8.5+ds1
											
										
										
											2022-04-04 11:22:00 +05:30
+								# The following items are not published on the docs page, but may be used in the future.
 								  stage: Secure
 								  tiers: [Free, Silver, Gold, Core, Premium, Ultimate]
 								  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352554