36 lines
3.8 KiB
YAML
36 lines
3.8 KiB
YAML
- title: "SAST analyzer coverage changing in GitLab 16.0" # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
|
|
announcement_milestone: "15.9" # (required) The milestone when this feature was first announced as deprecated.
|
|
removal_milestone: "16.0" # (required) The milestone when this feature is planned to be removed
|
|
breaking_change: true # (required) Change to false if this is not a breaking change.
|
|
reporter: connorgilbert # (required) GitLab username of the person reporting the change
|
|
stage: secure # (required) String value of the stage that the feature was created in. e.g., Growth
|
|
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/390416 # (required) Link to the deprecation issue in GitLab
|
|
body: | # (required) Do not modify this line, instead modify the lines below.
|
|
GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application_security/sast/analyzers/) to scan code for vulnerabilities.
|
|
|
|
We're reducing the number of supported analyzers used by default in GitLab SAST.
|
|
This is part of our long-term strategy to deliver a faster, more consistent user experience across different programming languages.
|
|
|
|
Starting in GitLab 16.0, the GitLab SAST CI/CD template will no longer use the following analyzers, and they will enter End of Support status:
|
|
|
|
- [Security Code Scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) (.NET)
|
|
- [PHPCS Security Audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP)
|
|
|
|
We'll remove these analyzers from the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replace them with GitLab-supported detection rules and the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
|
|
Effective immediately, these analyzers will receive only security updates; other routine improvements or updates are not guaranteed.
|
|
After these analyzers reach End of Support, no further updates will be provided.
|
|
However, we won't delete container images previously published for these analyzers or remove the ability to run them by using a custom CI/CD pipeline job.
|
|
|
|
We will also remove Scala from the scope of the [SpotBugs-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
|
|
This change will make it simpler to scan Scala code; compilation will no longer be required.
|
|
This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml).
|
|
Note that the SpotBugs-based analyzer will continue to cover Groovy and Kotlin.
|
|
|
|
If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on:
|
|
|
|
- whether you've excluded the Semgrep-based analyzer from running in the past.
|
|
- which analyzer first discovered the vulnerabilities shown in the project's Vulnerability Report.
|
|
|
|
See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details.
|
|
|
|
If you applied customizations to any of the affected analyzers or if you currently disable the Semgrep analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/390416#breaking-change).
|