Sec: Proposed Removals in 14.0

This issue covers the entire Sec section (Secure & Protect).

Proposal

We are soon approaching the %14.0 release. As per our deprecation and removal process, we need to provide multiple releases pre-deprecation of anything we are removing. The current understanding is 14.0 is expected in May 2021

Please propose features that we should consider removing in %14.0

• Split Build & Analyze Phase
• Remove start.sh script from Container Scanning
  • already removed with klar v3.0.1 as part of Ensure default CMD works as intended
• GitLab WAF (modsecurity) - to be deprecated in %13.6 and removed in %14.0
• Clair/Klar scanning engine - to be deprecated in %13.9 and replaced by default in %14.0

Fuzzing

• Use the .gitlab folder for configuration file(MR)
• #300687 (closed)

Composition Analysis

BLOG POST!!! gitlab-com/www-gitlab-com!73001 (diffs)

OLD

• #14692 (closed)
• removal of ci variable for database #215483 (closed)
• remove License-Management.gitlab-ci.yml
  • "License-Management template was altered and now we have backward compatibility between License Scanning and License Management."
• Remove needs: [] from License Scanning vendored template
  • "The default template behaviour of license scanning is changing to remove needs: [] which means that the License Scanning job will no longer start before other stages finish. Starting only when it's stage started was determined to be the more expected behaviour."
• Gemnasium scanning multiple files - new architecture do we know yet?
• Always generate secure scanning report regardless of success or failure
  • "In order to have the most information available, we will be generating a scanning report wether the job succeeds or fails."
• removal of retire.js \[alternate, drop retire.js to core but only use the DB + gemnasium for non-core)
• Remove scanner, category fields from vulnerabilities, in Security reports
  • "We added .scan.scanner and .scan.type to the security reports as described in #202053 (closed), and are now removing .vulnerabilities[].scanner and .vulnerabilities[].category, for these are now redundant."
• Migrate from DS_DEFAULT_ANALYZERS to DS_EXCLUDED_ANALYZERS
  • "Previously if you want to avoid running one particular DS analyzer, you needed to remove it from the long string of analyzers and use that to set the DS_DEFAULT_ANALYZERS somewhere in your project's CI template. We determined it should be easier for a user to avoid running a particular analyzer without the risk of losing out on getting to use newly added analyzers. As a result we ask you to migrate from DS_DEFAULT_ANALYZERS to DS_EXCLUDED_ANALYZERS when it is available."

Dynamic Analysis

1. Removal of legacy domain validation for DAST ❌
2. Removal and/or changes of config options and env variables for DAST ❌
3. Rename of env variables for DAST ❌

Static Analysis

Plan is to announce deprecations in 13.9, implement in 13.9/10 and remove in 14.0

Epic for Static Analysis removals: &5408 (closed)

1. SAST_DEFAULT_ANALYZERS to SAST_EXCLUDED_ANALYZERS ✅ Planned in 13.9
2. Deprecating SAST analyzer SAST_GOSEC_CONFIG variable in favor of custom rulesets ✅ Planned in 13.10
3. Deprecating SAST_ANALYZER_IMAGE_TAG ✅ Planned in 13.10
4. Independent Versions - Pin Static Analysis analyzers and tools to the minor version ✅ Planned in 13.10
5. Remove secret_detection_default_branch job from Secret-Detection ✅ Planned in 13.10