ci: remove retire.js from Dependency Scanning CI

What does this MR do?

Removes retire.js scanner from Dependency Scanning CI.

The retire.js scanner was deprecated in %14.8 and removed in %15.0. See also gitlab#289830 (closed).

We are getting a deprecation warning message like the one in https://gitlab.com/gitlab-org/gitlab-ui/-/jobs/2480884580:

[...]
$ echo "This job was deprecated in GitLab 14.8 and removed in GitLab 15.0"
This job was deprecated in GitLab 14.8 and removed in GitLab 15.0
$ echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/289830"
For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/289830
$ exit 1
Uploading artifacts for failed job
Uploading artifacts...
WARNING: gl-dependency-scanning-report.json: no matching files 
ERROR: No files to upload                          
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1

Does this MR meet the acceptance criteria?

Conformity

  • Code review guidelines.
  • GitLab UI's contributing guidelines.
  • [n/a] If it changes a Pajamas-compliant component's look & feel, the MR has been reviewed by a UX designer.
  • [n/a] If it changes GitLab UI's documentation guidelines, the MR has been reviewed by a Technical Writer.
  • [n/a] If the MR changes a component's API, integration MR(s) have been opened in the following projects to ensure that the @gitlab/ui package can be upgraded quickly after the changes are released:
  • [n/a] Added the ~"component:*" label(s) if applicable.

Accessibility

n/a

References

Official docs

https://docs.gitlab.com/ee/update/removals.html#retire-js-dependency-scanning-tool

Retire-JS Dependency Scanning tool

This is a breaking change. Review the details carefully before upgrading.

We have removed support for retire.js from Dependency Scanning as of May 22, 2022 in GitLab 15.0. JavaScript scanning functionality will not be affected as it is still being covered by Gemnasium.

If you have explicitly excluded retire.js using the DS_EXCLUDED_ANALYZERS variable, then you will be able to remove the reference to retire.js. If you have customized your pipeline’s Dependency Scanning configuration related to the retire-js-dependency_scanning job, then you will want to switch to gemnasium-dependency_scanning. If you have not used the DS_EXCLUDED_ANALYZERS to reference retire.js, or customized your template specifically for retire.js, you will not need to take any action.

Edited by Takuya Noguchi
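
The removal notice quoted above names two kinds of leftover reference: `retire.js` in `DS_EXCLUDED_ANALYZERS`, and a customized `retire-js-dependency_scanning` job. The following check is an added example, not part of this MR or of GitLab's tooling; the function name and the sample `.gitlab-ci.yml` are constructed for illustration, and the scan is line-based rather than a full YAML parse.

```python
import re

# Constructed sample .gitlab-ci.yml (not taken from the gitlab-ui repository).
SAMPLE_CI = '''\
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  DS_EXCLUDED_ANALYZERS: "gemnasium-maven, retire.js"

retire-js-dependency_scanning:
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
'''

# Key, optional quote, comma-separated analyzer list, matching closing quote.
EXCLUDED_RE = re.compile(r'^(\s*DS_EXCLUDED_ANALYZERS:\s*)(["\']?)(.*?)\2\s*$')
# Top-level job key that overrides the removed job.
JOB_RE = re.compile(r'^retire-js-dependency_scanning:')


def find_retire_js_references(ci_text):
    """Return (line_no, finding, suggestion) for each leftover retire.js reference.

    suggestion is the replacement line, or None when the line can be deleted.
    """
    findings = []
    for no, line in enumerate(ci_text.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue  # commented-out configuration has no effect
        m = EXCLUDED_RE.match(line)
        if m:
            names = [n.strip() for n in m.group(3).split(',') if n.strip()]
            if 'retire.js' in names:
                kept = [n for n in names if n != 'retire.js']
                # Nothing left to exclude: the variable itself can go.
                fix = f'{m.group(1)}"{", ".join(kept)}"' if kept else None
                findings.append((no, 'DS_EXCLUDED_ANALYZERS lists retire.js', fix))
        elif JOB_RE.match(line):
            findings.append((no, 'customizes the removed retire.js job',
                             'gemnasium-dependency_scanning:'))
    return findings


if __name__ == '__main__':
    for no, finding, fix in find_retire_js_references(SAMPLE_CI):
        print(f'line {no}: {finding} -> {fix if fix else "delete this line"}')
```

Settings moved under `gemnasium-dependency_scanning` still need a manual review, since the check only renames the job key.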
