Create a set of guidelines on when to increment the version of DAST
Problem to solve
DAST engineers don't have a consistent approach to working out when to increment the MAJOR
, MINOR
, or PATCH
version of DAST based on the changes being made.
This issue attempts to list a number of common classes of DAST changes. This list will be added to over time, when the list is considered sufficient enough the DAST team will have a conversation about which changes should result in what kind of version change.
Outcomes from the discussion should be documented on the README in DAST repository.
Example changes
- The ZAP base image is updated
- ZAP add-ons are updated (i.e. vulnerabilities updated)
- A new feature is added to DAST. Prior to the change there was no way to achieve the same behaviour (e.g. DAST can be used as a proxy in integration tests)
- A new feature is added to DAST. Prior to the change the same behaviour could be achieved, but it was difficult (e.g. had to pass through magic ZAP configuration parameters)
- New fields are added to the DAST report that will at some point be available in the GitLab Security Dashboard
- A bug is fixed to an existing feature
- Documentation is added under the
docs
folder