[15.0] Remove Retire.js analyzer from Dependency Scanning
Proposal
Once Gemnasium can report all the vulnerabilities reported by retire.js analyzer, the latter can be removed to reduce maintenance cost.
Implementation plan
- update GitLab project (!86704 (merged))
  - update docs to remove retire.js mentions: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
  - remove retire.js from the Dependency Scanning CI template https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml and corresponding specs
- archive retire.js project
  - note: the decision to archive the project has been postponed so that the docker image can continue getting automatic rebuilds
  - update retire.js analyzer README.md to say that this project is no longer used and is slated to be archived
  - create issue to archive project: #362242 (closed)
- remove tests and mentions of the analyzer from other projects
  - update handbook page (https://about.gitlab.com/handbook/engineering/development/sec/secure/composition-analysis) (gitlab-com/www-gitlab-com!104032 (merged))
  - remove analyzer and upstream project from reaction rotation support list and links (e.g. vuln dashboard)
  - remove analyzer mentions
- archive the retire.js mirror project https://gitlab.com/gitlab-org/security-products/dependencies/retire.js
- create removal announcement (which is a different yml than a deprecation)
Edited by Igor Frenkel