Deprecate DAST_HTML_REPORT, DAST_XML_REPORT, and DAST_MARKDOWN_REPORT for DAST
Overview
In 16.0 we will drop support for the ZAP report customization variables, i.e. the reports configured via the environment variables DAST_HTML_REPORT, DAST_XML_REPORT, and DAST_MARKDOWN_REPORT.
These reports are no longer valuable because:
- Authentication is completed via browser-based DAST
- Browser-based DAST now runs passive attacks
- GitLab's vulnerability report and pipeline reports provide a single source of truth.
To ensure a smooth transition, we should emit a deprecation notice when the DAST engine is called with any of these values set.
"Use of DAST_HTML_REPORT, DAST_XML_REPORT, and DAST_MARKDOWN_REPORT is deprecated and will no longer work in GitLab 16.0. You can view reports in the pipeline page in GitLab."
- Add deprecation notice to code
- Add conditional into DAST engine so that the values are ignored if DAST version is >=4. This way, when we bump the version, we do not need to immediately remove the code.
- @derekferguson publish deprecation notice
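The two engine-side steps above (warn when any of the three variables is set, ignore them once the analyzer major version is 4 or later) as an added, hypothetical Python sketch; this is not the DAST analyzer's own code, and the function and constant names are assumptions:

```python
import re
from dataclasses import dataclass

# The three legacy ZAP report variables named in this issue.
DEPRECATED_REPORT_VARS = ("DAST_HTML_REPORT", "DAST_XML_REPORT", "DAST_MARKDOWN_REPORT")
DEPRECATION_NOTICE = (
    "Use of DAST_HTML_REPORT, DAST_XML_REPORT, and DAST_MARKDOWN_REPORT is deprecated "
    "and will no longer work in GitLab 16.0. You can view reports in the pipeline page in GitLab."
)
# Analyzer major version from which the values are ignored (per the checklist above).
REMOVAL_MAJOR_VERSION = 4


def major_version(version: str) -> int:
    """Extract the leading major number from strings such as '3.2.1' or 'v4.0.0-rc1'."""
    m = re.match(r"v?(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised analyzer version: {version!r}")
    return int(m.group(1))


@dataclass
class ReportConfig:
    warnings: list  # deprecation messages the engine should log
    reports: dict   # legacy report variables the engine should still honour


def resolve_report_vars(env: dict, dast_version: str) -> ReportConfig:
    """Decide what to do with the legacy report variables for one engine invocation.

    Hypothetical implementation of the plan in this issue:
    - any of the three variables set (non-empty) -> emit the deprecation notice once
    - analyzer major version >= 4 -> drop the values so they have no effect
    """
    # Empty strings are treated as unset, matching how a CI variable set to "" is usually read.
    present = {name: env[name] for name in DEPRECATED_REPORT_VARS if env.get(name)}
    warnings = [DEPRECATION_NOTICE] if present else []
    if major_version(dast_version) >= REMOVAL_MAJOR_VERSION:
        return ReportConfig(warnings=warnings, reports={})
    return ReportConfig(warnings=warnings, reports=present)
```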
Edited by Seth Berger