SAST Deprecation: Out-of-the-box Java 8 support in SpotBugs
Deprecation Summary
The GitLab SAST SpotBugs analyzer scans Java, Scala, Groovy, and Kotlin code for security vulnerabilities. For technical reasons, the analyzer must first compile the code before scanning. Unless you use the pre-compilation strategy, the analyzer attempts to automatically compile your project's code.
In GitLab versions prior to 15.0, the analyzer image includes Java 8 and Java 11 runtimes to facilitate compilation.
In GitLab 15.0, we will:
- Remove Java 8 from the analyzer image to reduce the size of the image.
- Add Java 17 to the analyzer image to make it easier to compile with Java 17.
If you rely on Java 8 being present in the analyzer environment, you must take action as detailed below.
Breaking Change
This is a breaking change in default behavior only if you use Java 8.
To continue to use Java 8, you can use the pre-compilation strategy instead of relying on the analyzer's automatic compilation process.
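A sketch of the pre-compilation strategy for a Maven project that must stay on Java 8. This is an added example, not part of the original issue. It assumes a Maven build, a hypothetical job named build, and the maven:3.6-jdk-8-slim image; adjust all three to your project.

```yaml
# .gitlab-ci.yml (added example; job name, image and paths are assumptions)
stages:
  - build
  - test

include:
  - template: Security/SAST.gitlab-ci.yml

# Compile with a Java 8 toolchain in your own job, so the analyzer image
# no longer needs to ship a Java 8 runtime.
build:
  image: maven:3.6-jdk-8-slim
  stage: build
  script:
    # Keep the local Maven repository inside the project directory so it
    # can be handed to the SAST job as an artifact.
    - mvn package -Dmaven.repo.local=./.m2/repository
  artifacts:
    paths:
      - .m2/
      - target/

# Override the job from the SAST template: reuse the compiled classes
# and skip the analyzer's automatic compilation step.
spotbugs-sast:
  dependencies:
    - build
  variables:
    MAVEN_REPO_PATH: $CI_PROJECT_DIR/.m2/repository
    COMPILE: "false"
```

With COMPILE set to "false" the analyzer scans the class files produced by the build job, so the Java version in the analyzer image no longer affects compilation.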
Affected Topology
All deployment types (SaaS and self-managed) are affected.
Affected Tier
All tiers (GitLab Free, GitLab Premium, GitLab Ultimate) are affected.
Checklist
- Mention your stage's stable counterparts on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.
  - To see who the stable counterparts are for a product team visit product categories
    - If there is no stable counterpart listed for Sales/CS please mention @timtams
    - If there is no stable counterpart listed for Support please mention @gitlab-com/support/managers
    - If there is no stable counterpart listed for Marketing please mention @cfoster3
- Mention your GPM so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.
- Customer Success stable counterparts: @bmiller1, @brianwald, @chloe
- Support stable counterpart: @greg
- Marketing stable counterpart: @cblake2000
- Director, Product Management: @hbenson
Note: Required and optional reviewers were already @-mentioned on the Deprecation MR (!80473 (merged)).
Deprecation Milestone
Planned Removal Milestone
Links
- Update spotbugs default java versions to includ... (#347067 - closed)
- Remove java 8 from spotbugs (#353646 - closed)
Deprecation Announcement: