14.0 Analyzer Updates (public issue)

THIS ISSUE DUPLICATES A PRIVATE INTERNAL RELEASE ISSUE PURELY FOR PUBLIC VISIBILITY https://gitlab.com/gitlab-org/security-products/release/-/issues/111

Prepare

@twoodham:

SAST

  • Check the analyzers list and make sure it includes the analyzers/languages recently added.

@gonzoyumo:

Dependency Scanning

  • Check the analyzers list and make sure it includes the analyzers/languages recently added.

Check upstream updates

Static Analysis Analyzers

Please scrutinize the following dependencies according to the guidance listed in the handbook.

@rossfuhrman:

  • brakeman
  • phpcs-security-audit
  • security-code-scan

@ssarka:

  • bandit already has the latest version: https://pypi.org/project/bandit/#history
  • eslint: gitlab-org/security-products/analyzers/eslint!81 (merged)
  • eslint package.json and other dependencies: gitlab-org/security-products/analyzers/eslint!81 (merged)
  • mobSF already has the latest version

@dsearles:

  • flawfinder: gitlab-org/security-products/analyzers/flawfinder!56 (merged)
  • gosec: gitlab-org/security-products/analyzers/gosec!108 (merged)
  • [-] sobelow: already at the latest version (0.11.1).

@zrice:

  • kubesec
  • nodejs-scan
  • secrets

@theoretick:

  • pmd-apex gitlab-org/security-products/analyzers/pmd-apex!61 (merged)
  • spotbugs gitlab-org/security-products/analyzers/spotbugs!101 (merged)

@thiagocsf:

Container Scanning Analyzers

For each upstream scanner having an available update, please open a dedicated issue with ./script/update_scanner_issue.rb template.

  • trivy

@gonzoyumo:

For each upstream scanner having an available update, please open a dedicated issue with ./script/update_scanner_issue.rb template.

License Compliance

  • License Finder

Dependency Scanning Analyzers

  • bundler-audit
  • retire.js

Post release

QA

  • Check latest QA Orchestrator pipeline and ensure all pipelines are successful.
Edited Jun 21, 2021 by Taylor McCaslin