
Changing MobSF-based SAST analyzer behavior in multi-module Android projects

For guidance on the overall deprecations, removals and breaking changes workflow, please visit Breaking changes, deprecations, and removing features

Deprecation Summary

We'll change how the MobSF-based analyzer in GitLab SAST handles multi-module Android projects. This analyzer only runs if you enable Experimental features for SAST.

The analyzer currently searches for AndroidManifest.xml files and scans only the first one it finds. In multi-module projects that manifest is often not the main application manifest, so the scan covers less of the app's source code when checking for vulnerabilities.

Starting in GitLab 16.0, the analyzer will always use app/src/main/AndroidManifest.xml as the manifest, and use app/src/main/ as the project root directory. The new behavior matches standard Android project layouts and addresses bug reports from customers, so we expect it will improve scan coverage for most apps.

If you relied on the previous behavior, you can pin the MobSF analyzer to version 4.0.0, which uses the old behavior. Then, please comment on this deprecation issue so we can consider new configuration options to accommodate your use case.

This change doesn't affect scans you run in GitLab 15.11 or earlier, because the new behavior is only included in the new major version of the MobSF-based analyzer.
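As an added example that is not part of this deprecation issue, the following `.gitlab-ci.yml` fragment enables the experimental MobSF analyzer and pins it to the 4.0.0 image for a project that still depends on the old manifest discovery. The `mobsf-android-sast` job name and the `SAST_ANALYZER_IMAGE_TAG` override are assumed to match the SAST template your pipeline includes.

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # The MobSF-based analyzer is off by default and only runs when this
  # variable is explicitly set to "true".
  SAST_EXPERIMENTAL_FEATURES: "true"

# Temporary pin for projects whose main module is not at app/src/main/.
# Assumed: the template names the Android job mobsf-android-sast and
# selects the analyzer image from SAST_ANALYZER_IMAGE_TAG.
mobsf-android-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: "4.0.0"
```

Drop the pin once the main module follows the standard app/src/main/ layout, so the analyzer's new default resolves the correct manifest and scan coverage improves.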

Breaking Change

See above:

If you relied on the previous behavior, you can pin the MobSF analyzer to version 4.0.0, which uses the old behavior. Then, please comment on this deprecation issue so we can consider new configuration options to accommodate your use case.

Affected Topology

Any GitLab SAST pipeline that uses the MobSF-based analyzer. This analyzer is not on by default; it only runs if the SAST_EXPERIMENTAL_FEATURES CI/CD variable is explicitly set to true.

Affected Tier

Free, Premium, Ultimate

Checklists

Labels

  • This issue is labeled deprecation, and with the relevant ~devops::, ~group::, and ~Category: labels.
  • This issue is labeled breaking change if the removal of the deprecated item will be a breaking change.

Timeline

Please add links to the relevant merge requests.

  • As soon as possible, but no later than the third milestone preceding the major release (for example, given the release schedule 14.8, 14.9, 14.10, 15.0, the milestone 14.8 is the third milestone preceding the major release):
  • On or before the major milestone: A removal entry has been created so the removal will appear on the removals by milestones page and be announced in the release post.
  • On the major milestone:

Mentions

  • Your stage's stable counterparts have been @mentioned on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.
    • To see who the stable counterparts are for a product team, visit product categories.
      • If there is no stable counterpart listed for Sales/CS please mention @timtams
      • If there is no stable counterpart listed for Support please mention @gitlab-com/support/managers
      • If there is no stable counterpart listed for Marketing please mention @cfoster3
  • Your GPM has been @mentioned so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.

Deprecation Milestone

%16.0

Note that this feature is only active when an Experimental flag is provided, and it has been listed in Beta status. For such features, breaking changes may occur outside of a major release or with less notice.

Planned Removal Milestone

%16.0

Links

gitlab-org/security-products/analyzers/mobsf!63 (merged)