Remove DAST support in the Common Go Library
Summary
DAST no longer relies on the common library to generate its reports, and DAST-specific code should be removed from common.
Further details
These should be removed from the common library:
- the zap_plugin_id identifier type
- the vulnerabilities[].location.site_area key
- the top-level keys scanned_urls, io_error_urls, and target_url
The wasc identifier type should not be removed because it's generic and could be used by some analyzer projects.
See gitlab-org/security-products/analyzers/common!39 (merged)
There is no need to upgrade the common library in the Go projects depending on it, but we need to make sure these projects still compile.
Improvements
The goal is simply to reduce the complexity of the common library, and to clearly communicate that it's no longer used by DAST.
Risks
We should be careful not to remove code that is used by the analyzer projects of SAST, Dependency Scanning or Container Scanning; otherwise compilation of those Go projects will break after upgrading to a new version of common.
To mitigate this, we should recompile all analyzer projects with the branch of the common library where DAST has been removed. See the 204783-remove-dast branch of the analyzer projects and the corresponding pipelines.
Involved components
https://gitlab.com/gitlab-org/security-products/analyzers/common/
Optional: Intended side effects
None.
Optional: Missing test coverage
None.