[15.0] Remove bundler-audit analyzer
Deprecation Summary
Dependency Scanning uses bundler-audit and gemnasium for analyzing Ruby projects. bundler-audit was added because it has a different advisory source from gemnasium: ruby-advisory-db. However, the gemnasium advisory database gemnasium-db is now a superset of ruby-advisory-db. This has made bundler-audit redundant.
This change will only affect users who are using the analyzer directly, either by changing the CI configuration for Dependency Scanning to use bundler-audit directly or by using the bundler-audit Docker image in a job.
Breaking Changes
- Dependency Scanning job bundler-audit-dependency_scanning will no longer be available: https://gitlab.com/gitlab-org/gitlab/blob/14-5-stable-ee/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml#L127
- bundler-audit container registry and containers (e.g. registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:$TAG) will no longer be available
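A pre-removal check for the two breaking changes above, added here as an example and not code from the issue or the GitLab project: it scans a .gitlab-ci.yml for jobs that define or extend bundler-audit-dependency_scanning or pull the bundler-audit analyzer image. The sample configuration is constructed, and the SECURE_ANALYZERS_PREFIX variable spelling is an assumption about the Dependency Scanning template.

```python
import re

# Constructed .gitlab-ci.yml fragment (not from the issue) with the three ways a
# pipeline can depend on the analyzer this deprecation removes.
SAMPLE_CI = """\
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

bundler-audit-dependency_scanning:
  extends: .ds-analyzer
  image:
    name: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"

custom-ruby-audit:
  extends: bundler-audit-dependency_scanning

pinned-analyzer:
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2

gemnasium-dependency_scanning:
  extends: .ds-analyzer
"""

DEPRECATED_JOB = "bundler-audit-dependency_scanning"
# Analyzer image written either with the registry path quoted in the issue or
# via the SECURE_ANALYZERS_PREFIX variable (template variable name assumed here).
IMAGE_RE = re.compile(
    r"(?:security-products(?:/analyzers)?|\$SECURE_ANALYZERS_PREFIX)/bundler-audit\b"
)
# Unindented "key:" lines are top-level entries, i.e. job names in a CI file.
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z0-9_.\-]+):\s*$")


def find_bundler_audit_refs(ci_yaml):
    """Return (line_no, job, reason) for each reference that breaks in 15.0."""
    # Deliberately line-based so it needs no YAML parser; the enclosing
    # top-level key is tracked so every finding names the job to fix.
    findings = []
    job = "<top level>"
    for line_no, line in enumerate(ci_yaml.splitlines(), start=1):
        key = TOP_LEVEL_KEY_RE.match(line)
        if key:
            job = key.group(1)
            if job == DEPRECATED_JOB:
                findings.append((line_no, job, "defines or overrides the removed job"))
            continue
        body = line.strip()
        if body.startswith("extends:") and DEPRECATED_JOB in body:
            findings.append((line_no, job, "extends the removed job"))
        elif IMAGE_RE.search(body):
            findings.append((line_no, job, "pulls the removed analyzer image"))
    return findings
```

Run it over each project's .gitlab-ci.yml (for example `find_bundler_audit_refs(open(".gitlab-ci.yml").read())`) before upgrading to 15.0; an empty list means the project only uses the analyzer through the template, which the upgrade handles.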
Affected Topology
Both self-managed and SaaS users will be affected.
Affected Tier
- Ultimate
Checklist
- @mention your stage's stable counterparts on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager. To see who the stable counterparts are for a product team, visit product categories.
  - If there is no stable counterpart listed for Sales/CS, please mention @timtams
  - If there is no stable counterpart listed for Support, please @mention @gitlab-com/support/managers
  - If there is no stable counterpart listed for Marketing, please mention @williamchia
Deprecation Milestone
14.6
Planned Removal Milestone
15.0
Implementation Plan
- update GitLab project (!86704 (merged))
  - update docs to remove bundler-audit mentions: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
    - remove job integration test for Bundler 2.1.4, and remove mentions of this test from the docs:
      - remove 2.1.4 in the Tested Versions cell of the Bundler row in this table: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#obtaining-dependency-information-by-parsing-lockfiles
      - remove Bundler row from this table: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#obtaining-dependency-information-by-running-a-package-manager-to-generate-a-parsable-file
  - remove bundler-audit from the Dependency Scanning CI template https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml and corresponding specs
- archive bundler-audit project. Note: the decision to archive the project has been postponed so that the Docker image can continue getting automatic rebuilds
  - update bundler-audit analyzer README.md to say that this project is no longer used and will be removed in 3 months.
  - create issue to archive bundler-audit project (#362242 (closed))
- remove tests and mentions of the analyzer from other projects
  - update handbook page (https://about.gitlab.com/handbook/engineering/development/sec/secure/composition-analysis) (gitlab-com/www-gitlab-com!104032 (merged))
  - remove analyzer and upstream project from reaction rotation support list and links (e.g. vuln dashboard)
  - remove analyzer mentions
- archive the bundler-audit mirror project https://gitlab.com/gitlab-org/security-products/dependencies/bundler-audit
- create removal announcement (which is a different yml than a deprecation)
Edited by Igor Frenkel