SAST image is not updated
Summary
The official GitLab SAST image is not updated regularly, and can even regress.
Steps to reproduce
This was spotted by a scheduled pipeline on a test project. To get this project's master back to green, we had to roll back the expected output format (which was updated 5 months ago from 2.2 to 2.3).
@fcatteau merged the change to make the master of this project green again, but he raised a strange case: we had to switch back to 2.2 from 2.3.
Example Project
https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules/
What is the current bug behavior?
The latest SAST image (12-9-stable as of today) is actually older than the 12-7-stable one. Using this version can have a lot of side effects.
What is the expected correct behavior?
SAST should be rebuilt at least once per month. The build is currently a manual action that probably no one is assigned to run.
Relevant logs and/or screenshots
Output of checks
Not relevant.
Results of GitLab environment info
Not relevant.
Results of GitLab application Check
Not relevant.
Possible fixes
Short term
- Rebuild SAST and deploy a fresh version of 12-9-stable
- Re-update QA expectations
Long term
- Trust our pipeline
- Remove the manual trigger
- Rebuild the image regularly with scheduled pipelines
- Reprioritize #207128 (closed)
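As an added illustration of the long-term fix (this is example configuration written for this issue, not the SAST project's own pipeline), the fragment below shows the manual build job beside a version driven by scheduled pipelines. The job names, the `IMAGE_TAG` variable, the Docker image/service choice and the OCI labels are assumptions; the `12-9-stable` tag is the one named in this issue, and `CI_PIPELINE_SOURCE`, `CI_COMMIT_BRANCH`, `CI_REGISTRY_IMAGE` and the `CI_REGISTRY_*` credentials are standard GitLab CI variables.

```yaml
# Added example, not the project's own .gitlab-ci.yml.
stages:
  - build

variables:
  # Assumed tag name; taken from the issue, not from the real pipeline.
  IMAGE_TAG: "12-9-stable"

# Before (the situation the issue describes): the rebuild only happens when
# somebody remembers to press the manual button, so the published tag can sit
# months behind the branch.
#
# build-sast-image:
#   stage: build
#   when: manual
#   script:
#     - docker build -t "$CI_REGISTRY_IMAGE:$IMAGE_TAG" .
#     - docker push "$CI_REGISTRY_IMAGE:$IMAGE_TAG"

# After: the job runs automatically for scheduled pipelines (for example a
# monthly schedule configured under CI/CD > Schedules) and for pushes to the
# stable branch. There is no manual rule left, so a forgotten trigger can no
# longer leave a stale image published under the "latest" stable tag.
build-sast-image:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
    - if: '$CI_COMMIT_BRANCH == $IMAGE_TAG'
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    # Stamp the image with build time and commit so a regression like the one
    # in this issue (a "newer" tag that is actually older) is visible from
    # `docker inspect` instead of only from diverging scanner output.
    - >
      docker build
      --label "org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
      --label "org.opencontainers.image.revision=$CI_COMMIT_SHA"
      -t "$CI_REGISTRY_IMAGE:$IMAGE_TAG" .
    - docker push "$CI_REGISTRY_IMAGE:$IMAGE_TAG"
```

With the labels in place, comparing `org.opencontainers.image.created` between `12-7-stable` and `12-9-stable` would have shown the ordering problem directly, and a scheduled rebuild removes the dependency on a manual action that nobody owns.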
/cc @twoodham and @tmccaslin for prioritization