Verified Commit 208e8e39 authored by Connor Gilbert, committed by GitLab

Docs: Add notice of Secure UBI Minimal to Micro change

parent 5059d121
3 merge requests: !162537 Backport 17-1: Handle empty ff merge in from train ref strategy; !162233 Draft: Script to update Topology Service Gem; !158980 Docs: Add notice of Secure UBI Minimal to Micro change
- title: "FIPS-compliant Secure analyzers will change from UBI Minimal to UBI Micro" # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
announcement_milestone: "17.2" # (required) The milestone when this feature was first announced as deprecated.
removal_milestone: "17.3" # (required) The milestone when this feature is planned to be removed
breaking_change: false # (required) Change to false if this is not a breaking change.
reporter: connorgilbert # (required) GitLab username of the person reporting the change
stage: secure # (required) String value of the stage that the feature was created in. e.g., Growth
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/471869 # (required) Link to the deprecation issue in GitLab
body: | # (required) Do not modify this line, instead modify the lines below.
We're updating the base image of some of the analyzers used to scan your code for security vulnerabilities.
We're only changing the analyzer images that are already based on Red Hat Universal Base Image (UBI), so this change only affects you if you've specifically enabled [FIPS mode](https://docs.gitlab.com/ee/development/fips_compliance.html) for security scanning.
The default images that GitLab security scans use are not affected because they aren't based on UBI.
In GitLab 17.3, we will change the base image of the UBI-based analyzers from UBI Minimal to [UBI Micro](https://www.redhat.com/en/blog/introduction-ubi-micro), which includes fewer unnecessary packages and omits a package manager.
The updated images will be smaller and will be affected by fewer vulnerabilities in packages provided by the operating system.
GitLab's [Statement of Support](https://about.gitlab.com/support/statement-of-support/#ci-cd-templates) excludes undocumented customizations, including those that rely on specific contents of the analyzer image.
For example, installing additional packages in a `before_script` is not a supported modification.
Nevertheless, if you rely on this type of customization, see the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/471869#action-required) to learn how to respond to this change or to provide feedback about your current customizations.
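Review bot: `breaking_change: false` sits uneasily with a body that says the new base image "omits a package manager" and that installing additional packages in a `before_script` is unsupported: any FIPS-mode pipeline that does install packages that way will stop working at the 17.3 switch, so either justify the non-breaking classification in the MR (unsupported customizations do not count) or set the field to true. The body also sends affected users to the issue's `#action-required` anchor to learn how to respond; stating the expected response in one sentence here would keep the notice self-contained for readers of the rendered docs.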
......@@ -793,6 +793,29 @@ We are removing the Needs tab from the pipeline view, as it duplicates the infor
<div class="deprecation " data-milestone="17.3">
### FIPS-compliant Secure analyzers will change from UBI Minimal to UBI Micro
<div class="deprecation-notes">
- Announced in GitLab <span class="milestone">17.2</span>
- Removal in GitLab <span class="milestone">17.3</span>
- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/471869).
</div>
We're updating the base image of some of the analyzers used to scan your code for security vulnerabilities.
We're only changing the analyzer images that are already based on Red Hat Universal Base Image (UBI), so this change only affects you if you've specifically enabled [FIPS mode](https://docs.gitlab.com/ee/development/fips_compliance.html) for security scanning.
The default images that GitLab security scans use are not affected because they aren't based on UBI.
In GitLab 17.3, we will change the base image of the UBI-based analyzers from UBI Minimal to [UBI Micro](https://www.redhat.com/en/blog/introduction-ubi-micro), which includes fewer unnecessary packages and omits a package manager.
The updated images will be smaller and will be affected by fewer vulnerabilities in packages provided by the operating system.
GitLab's [Statement of Support](https://about.gitlab.com/support/statement-of-support/#ci-cd-templates) excludes undocumented customizations, including those that rely on specific contents of the analyzer image.
For example, installing additional packages in a `before_script` is not a supported modification.
Nevertheless, if you rely on this type of customization, see the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/471869#action-required) to learn how to respond to this change or to provide feedback about your current customizations.
</div>
<div class="deprecation " data-milestone="17.3">
### Group vulnerability report by OWASP top 10 2017 is deprecated
<div class="deprecation-notes">
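Review bot: this rendered block should be generated, not hand-edited; its body is a verbatim copy of the YAML body in the new file above and its milestone markers (`data-milestone="17.3"`, announced 17.2, removal 17.3) match that file, so confirm it came from the deprecations doc generator so the two stay in sync on later edits. A readability point on the first three sentences ("We're updating the base image ..." through "... aren't based on UBI"): leading with the condition ("If you've enabled FIPS mode for security scanning, ...") would let readers who are not affected stop sooner.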