[15.0] Remove bundler-audit analyzer

Deprecation Summary

Dependency Scanning uses bundler-audit and gemnasium to analyze Ruby projects. bundler-audit was added because it draws on a different advisory source than gemnasium: ruby-advisory-db. However, the gemnasium advisory database, gemnasium-db, is now a superset of ruby-advisory-db, which makes bundler-audit redundant.

This change only affects users who use the analyzer directly, either by changing the Dependency Scanning CI configuration to run bundler-audit directly or by using the bundler-audit Docker image in a job.

Breaking Changes

  • Dependency Scanning job bundler-audit-dependency_scanning will no longer be available: https://gitlab.com/gitlab-org/gitlab/blob/14-5-stable-ee/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml#L127
  • The bundler-audit container registry and its images (e.g. registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:$TAG) will no longer be available
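To find pipelines hit by the two breaking changes above, the following added script (not part of this issue or of GitLab's own tooling) scans a .gitlab-ci.yml for overrides of the removed job, jobs that extend it, and jobs that pull the removed image. It is line-based so it needs no YAML library; the job name and image path come from the notice, and the sample CI file is constructed.

```python
"""Scan a .gitlab-ci.yml for references to the removed bundler-audit analyzer."""
import re
from typing import List, Tuple

# Identifiers taken from the deprecation notice.
REMOVED_JOB = "bundler-audit-dependency_scanning"
REMOVED_IMAGE = "security-products/analyzers/bundler-audit"

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z0-9_.\-]+):\s*$")        # unindented "job:" line
EXTENDS = re.compile(r"^\s+extends:\s*(.+)$")                    # single-line extends only
IMAGE = re.compile(r"^\s+(?:image|name):\s*['\"]?([^'\"\s]+)")  # "image: x" or "name: x"


def find_bundler_audit_refs(ci_yaml: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, job, reason) for each line that breaks once the job
    and image are gone. Multi-line 'extends' lists are not recognised."""
    findings = []
    job = "<top>"
    for no, line in enumerate(ci_yaml.splitlines(), start=1):
        m = TOP_LEVEL_KEY.match(line)
        if m:
            job = m.group(1)  # track which job the indented lines belong to
            if job == REMOVED_JOB:
                findings.append((no, job, "overrides the removed template job"))
            continue
        m = EXTENDS.match(line)
        if m and REMOVED_JOB in m.group(1):
            findings.append((no, job, "extends the removed template job"))
            continue
        m = IMAGE.match(line)
        if m and REMOVED_IMAGE in m.group(1):
            findings.append((no, job, "pulls the removed analyzer image"))
    return findings


# Constructed sample: a project that customised Dependency Scanning in all three ways.
SAMPLE_CI = """\
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

bundler-audit-dependency_scanning:
  variables:
    SECURE_LOG_LEVEL: debug

ruby-audit-nightly:
  extends: bundler-audit-dependency_scanning
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"

ruby-audit-manual:
  image:
    name: registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
  script:
    - /analyzer run
"""

if __name__ == "__main__":
    for no, job, reason in find_bundler_audit_refs(SAMPLE_CI):
        print(f"line {no}: job '{job}' {reason}")
```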

Affected Topology

Both self-managed and SaaS users will be affected.

Affected Tier

  • Ultimate

Checklist

  • @mention your stage's stable counterparts on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.
    • To see who the stable counterparts are for a product team visit product categories
      • If there is no stable counterpart listed for Sales/CS please mention @timtams
      • If there is no stable counterpart listed for Support please @mention @gitlab-com/support/managers
      • If there is no stable counterpart listed for Marketing please mention @williamchia

Deprecation Milestone

14.6

Planned Removal Milestone

15.0

Implementation Plan

  • update GitLab project (!86704 (merged))
    • update docs to remove bundler-audit mentions: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
    • remove job integration test for Bundler 2.1.4, and remove mentions of this test from the docs:
      • remove 2.1.4 in the Tested Versions cell of the Bundler row in this table: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#obtaining-dependency-information-by-parsing-lockfiles
      • remove Bundler row from this table: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#obtaining-dependency-information-by-running-a-package-manager-to-generate-a-parsable-file
    • remove bundler-audit from the Dependency Scanning CI template https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml and corresponding specs
  • archive bundler-audit project
    • note: the decision to archive the project has been postponed so that the docker image can continue getting automatic rebuilds
    • update bundler audit analyzer README.md to say that this project is no longer used and will be removed in 3 months.
    • create issue to archive bundler-audit project (#362242 (closed))
  • remove tests and mentions of the analyzer from other projects
    • specs in https://gitlab.com/gitlab-org/security-products/security-report-schemas
    • support for templated job in https://gitlab.com/gitlab-org/security-products/ci-templates/-/blob/master/includes-dev/qa-dependency_scanning.yml
  • update handbook page (https://about.gitlab.com/handbook/engineering/development/sec/secure/composition-analysis) (gitlab-com/www-gitlab-com!104032 (merged))
    • remove analyzer and upstream project from reaction rotation support list and links (e.g. vuln dashboard)
    • remove analyzer mentions
  • archive the bundler-audit mirror project https://gitlab.com/gitlab-org/security-products/dependencies/bundler-audit
  • create removal announcement (which uses a different YAML file than a deprecation)
Edited May 12, 2022 by Igor Frenkel