Sec: Proposed Removals in 14.0
This issue covers the entire Sec section (Secure & Protect).
Proposal
We are approaching the %14.0 release. As per our deprecation and removal process, we need to announce deprecations multiple releases before removing anything. The current understanding is that 14.0 is expected in May 2021.
Please propose features that we should consider removing in %14.0.
- Split Build & Analyze Phase
- Remove start.sh script from Container Scanning: already removed with klar v3.0.1 as part of "Ensure default CMD works as intended"
- GitLab WAF (modsecurity): to be deprecated in %13.6 and removed in %14.0
- Clair/Klar scanning engine: to be deprecated in %13.9 and replaced by default in %14.0
Fuzzing
Composition Analysis
BLOG POST!!! gitlab-com/www-gitlab-com!73001 (diffs)
OLD
- #14692 (closed)
- removal of ci variable for database #215483 (closed)
- remove License-Management.gitlab-ci.yml
  "License-Management template was altered and now we have backward compatibility between License Scanning and License Management."
- Remove needs: [] from License Scanning vendored template
  "The default template behaviour of license scanning is changing to remove needs: [], which means that the License Scanning job will no longer start before other stages finish. Starting only when its stage started was determined to be the more expected behaviour."
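For a project that depended on the old behaviour (license_scanning starting as soon as the pipeline is created, before earlier stages finish), the `.gitlab-ci.yml` below is an added example and not the vendored template itself: it includes the template and re-adds `needs: []` on the `license_scanning` job, which is the job name the vendored template defines. The `build` stage and its placeholder script are assumed here for illustration.

```yaml
# Added example (not the GitLab License-Scanning template). Keeps the
# license_scanning job starting immediately after the vendored template
# drops `needs: []` from its default.
include:
  - template: Security/License-Scanning.gitlab-ci.yml

stages:
  - build
  - test

# Assumed for illustration: a slow job in an earlier stage.
build:
  stage: build
  script:
    - echo "long build step"

# Same job name as in the vendored template, so these keys are merged into
# that job. With `needs: []` the job declares no upstream dependencies and
# starts as soon as the pipeline is created instead of waiting for the
# `build` stage. Delete this block to get the new stage-ordered default.
license_scanning:
  needs: []
```

Note that the override only changes when the job starts; if the scan needs artifacts from `build` (for example a resolved lockfile), keep the new default so the job runs after that stage completes.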
- Gemnasium scanning multiple files: new architecture, do we know yet?
- Always generate secure scanning report regardless of success or failure
  "In order to have the most information available, we will be generating a scanning report whether the job succeeds or fails."
- removal of retire.js (alternate: drop retire.js to core but only use the DB + gemnasium for non-core)
- Remove scanner, category fields from vulnerabilities, in Security reports
  "We added .scan.scanner and .scan.type to the security reports as described in #202053 (closed), and are now removing .vulnerabilities[].scanner and .vulnerabilities[].category, for these are now redundant."
- Migrate from DS_DEFAULT_ANALYZERS to DS_EXCLUDED_ANALYZERS
  "Previously, if you wanted to avoid running one particular DS analyzer, you needed to remove it from the long string of analyzers and use that to set DS_DEFAULT_ANALYZERS somewhere in your project's CI template. We determined it should be easier for a user to avoid running a particular analyzer without the risk of losing out on getting to use newly added analyzers. As a result we ask you to migrate from DS_DEFAULT_ANALYZERS to DS_EXCLUDED_ANALYZERS when it is available."
Dynamic Analysis
- Removal of legacy domain validation for DAST ❌
- Removal and/or changes of config options and env variables for DAST ❌
- Rename of env variables for DAST ❌
Static Analysis
Plan is to announce deprecations in 13.9, implement them in 13.9/13.10, and remove in 14.0.
Epic for Static Analysis removals: &5408 (closed)
- SAST_DEFAULT_ANALYZERS to SAST_EXCLUDED_ANALYZERS ✅ Planned in 13.9
- Deprecating SAST analyzer SAST_GOSEC_CONFIG variable in favor of custom rulesets ✅ Planned in 13.10
- Deprecating SAST_ANALYZER_IMAGE_TAG ✅ Planned in 13.10
- Independent Versions - Pin Static Analysis analyzers and tools to the minor version ✅ Planned in 13.10
- Remove secret_detection_default_branch job from Secret-Detection ✅ Planned in 13.10
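The DS_DEFAULT_ANALYZERS to DS_EXCLUDED_ANALYZERS migration described under Composition Analysis and the SAST_DEFAULT_ANALYZERS to SAST_EXCLUDED_ANALYZERS item above follow the same pattern. The `.gitlab-ci.yml` below is an added example, not a GitLab template, showing the old opt-out form beside the new one. The template paths are the standard Security/ templates; the analyzer names (bundler-audit, gemnasium, gemnasium-maven, gemnasium-python and retire.js for DS; bandit and brakeman for SAST) are the upstream analyzer names at the time and are used here for illustration only.

```yaml
# Added example (not a GitLab template).
#
# Before: to skip one analyzer (retire.js) you had to restate the whole
# default list minus that entry. Any analyzer GitLab later added to the
# template default was then silently never run for this project:
#
# include:
#   - template: Security/Dependency-Scanning.gitlab-ci.yml
# variables:
#   DS_DEFAULT_ANALYZERS: "bundler-audit, gemnasium, gemnasium-maven, gemnasium-python"

# After: name only what should be excluded. Analyzers added to the template
# default in later releases still run. SAST uses the same comma-separated
# exclusion list via SAST_EXCLUDED_ANALYZERS.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Analyzer names are illustrative; check the template for the current list.
  DS_EXCLUDED_ANALYZERS: "retire.js"
  SAST_EXCLUDED_ANALYZERS: "bandit, brakeman"
```

When migrating, remove any DS_DEFAULT_ANALYZERS or SAST_DEFAULT_ANALYZERS override from the project and group/instance CI variables at the same time; an exclusion list only takes effect against the template's default, and a leftover override keeps the old frozen list in force.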
Edited by Lucas Charles