SAST Deprecation: Support for .NET 2.1
Deprecation Summary
The GitLab SAST Security Code Scan analyzer scans .NET code for security vulnerabilities. For technical reasons, the analyzer must first build the code to scan it.
In GitLab versions prior to 15.0, the default analyzer image (version 2) includes support for:
- .NET 2.1
- .NET 3.0 and .NET Core 3.0
- .NET Core 3.1
- .NET 5.0
In GitLab 15.0, we will change the default major version for this analyzer from version 2 to version 3. This change:
- Adds severity values for vulnerabilities along with other new features and improvements.
- Removes .NET 2.1 support.
- Adds support for .NET 6.0, Visual Studio 2019, and Visual Studio 2022.
Version 3 was announced in GitLab 14.6 and made available as an optional upgrade.
If you rely on .NET 2.1 support being present in the analyzer image by default, you must take action as detailed below.
Breaking Change
This is a breaking change in default behavior only if you use .NET 2.1.
To continue to use .NET 2.1, you can pin the Security Code Scan analyzer to major version 2, which supports .NET 2.1, by using the snippet below. However, this version will not receive routine updates, and we are not able to provide support for .NET 2.1 projects.
include:
  - template: Security/SAST.gitlab-ci.yml

security-code-scan-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2
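A pre-upgrade check for the decision above, as an added example that is not GitLab's code: it scans a repository's MSBuild project files for .NET 2.1 targets, so you know whether the pin is needed before the default analyzer version changes. It assumes ".NET 2.1" corresponds to the `netcoreapp2.1` target framework moniker; the function names and the sample repository are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: ".NET 2.1" on this page maps to the netcoreapp2.1 target framework moniker.
LEGACY_TFMS = {"netcoreapp2.1"}
PROJECT_GLOBS = ("*.csproj", "*.vbproj", "Directory.Build.props")


def target_frameworks(project_file):
    """Return the TFMs one MSBuild file declares (literal values only, no $(Var) expansion)."""
    try:
        root = ET.parse(project_file).getroot()
    except ET.ParseError:
        return set()  # unparsable file: skip it instead of aborting the scan
    tfms = set()
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace of old-style projects
        if tag in ("TargetFramework", "TargetFrameworks") and elem.text:
            tfms.update(t.strip().lower() for t in elem.text.split(";") if t.strip())
    return tfms


def find_legacy_projects(repo_root):
    """Map each project file under repo_root to the legacy TFMs it targets."""
    hits = {}
    for pattern in PROJECT_GLOBS:
        for path in Path(repo_root).rglob(pattern):
            legacy = target_frameworks(path) & LEGACY_TFMS
            if legacy:
                hits[path.relative_to(repo_root).as_posix()] = sorted(legacy)
    return hits


def make_sample_repo():
    """Constructed sample repo: one multi-targeted legacy project, one .NET 6 project."""
    root = Path(tempfile.mkdtemp())
    samples = {"api/Api.csproj": "netcoreapp2.1;net6.0", "web/Web.csproj": "net6.0"}
    for rel, tfms in samples.items():
        (root / rel).parent.mkdir(parents=True)
        (root / rel).write_text(
            f'<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>'
            f"<TargetFrameworks>{tfms}</TargetFrameworks></PropertyGroup></Project>")
    return root


if __name__ == "__main__":
    hits = find_legacy_projects(make_sample_repo())
    for path, tfms in hits.items():
        print(f"{path}: targets {', '.join(tfms)}; pin SAST_ANALYZER_IMAGE_TAG to 2 or retarget")
```

Call `find_legacy_projects` with the root of a checked-out repository to scan real projects; an empty result means no literal .NET 2.1 target was found in the scanned files.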
Affected Topology
All deployment types (SaaS and self-managed) are affected.
Affected Tier
All tiers (GitLab Free, GitLab Premium, GitLab Ultimate) are affected.
Checklist
- Mention your stage's stable counterparts on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.
  - To see who the stable counterparts are for a product team visit product categories
  - If there is no stable counterpart listed for Sales/CS please mention @timtams
  - If there is no stable counterpart listed for Support please mention @gitlab-com/support/managers
  - If there is no stable counterpart listed for Marketing please mention @cfoster3
- Mention your GPM so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.
- Customer Success stable counterparts: @bmiller1, @brianwald, @chloe
- Support stable counterpart: @greg
- Marketing stable counterpart: @cblake2000
- Director, Product Management: @hbenson
Note: Required and optional reviewers were already @-mentioned on the Deprecation MR (!80470 (merged)).
Deprecation Milestone
Planned Removal Milestone
Links
Deprecation Announcement: