13.12 Analyzer Updates (public issue)
THIS ISSUE DUPLICATES A PRIVATE INTERNAL RELEASE ISSUE PURELY FOR PUBLIC VISIBILITY https://gitlab.com/gitlab-org/security-products/release/-/issues/110
Prepare
SAST
- Check the analyzers list and make sure it includes the analyzers/languages recently added.
Dependency Scanning
- Check the analyzers list and make sure it includes the analyzers/languages recently added.
Check upstream updates
Static Analysis Analyzers
Please scrutinize the following dependencies according to the guidance listed in the handbook.
- brakeman - Needs to be updated to version 5.0.1. Deferred to %14.0
- [-] phpcs-security-audit - phpcs-security-audit is on the latest version at 2.0.1
- security-code-scan - Needs to be updated to version 5.1.0. Deferred to %14.0
- [-] bandit uses the latest version 1.7.0.
- [-] eslint uses the latest version 7.25.0
- eslint package.json and other dependencies babel version update: gitlab-org/security-products/analyzers/eslint!77 (merged)
- mobSF has been updated to v3.4.3
- [-] SAST template for MobSF version
- [-] flawfinder already uses the latest 2.0.15
- [-] gosec already uses the latest v2.7.0
- [-] sobelow already uses the latest 0.11.1
- [-] kubesec already uses the latest 2.11.0
- nodejs-scan update njsscan to 0.2.6
- secrets update gitleaks to 7.5.0
- pmd-apex gitlab-org/security-products/analyzers/pmd-apex!58 (merged)
- spotbugs gitlab-org/security-products/analyzers/spotbugs!97 (merged)
Container Scanning Analyzers
For each upstream scanner having an available update, please open a dedicated issue with the ./script/update_scanner_issue.rb template.
License Compliance
Dependency Scanning Analyzers
Post release
QA
- Check the latest QA Orchestrator pipeline and ensure all pipelines are successful.