Release Gemnasium v4

Why are we doing this work

Per process new major releases of GitLab come with new major releases of the Secure analyzer projects.

We have to release Gemnasium v4, and update the Dependency Scanning CI template to use it starting from GitLab 16.0.

Relevant links

TODO: link to relevant doc sections for the release process

Non-functional requirements

• Documentation: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
• Feature flag:
• Performance:
• Testing:
  • Integration tests for the new CI template, which uses the new images with tag :4.
  • Non-regression tests for the old CI template, which uses the existing images with tag :3.

Implementation plan

• Release Gemnasium v4.
  1. Create v4 branch from master.
     • Upgrade Go module to gemnasium/v4.
     • Add a pre-release to the changelog.
  2. Merge breaking changes into v4, and publish pre-releases. See &9609 (closed)
  3. Create v3 branch from master
  4. Make v3 a protected branch if needed.
     • Maintainers and @group_2452873_bot are allowed to merge.
     • No one is allowed to push and merge.
  5. Create a daily scheduled pipeline for v3.
  6. Merge v4 into master.
  7. Merge the changelog entries of all the pre-releases, and publish v4.0.0.
• Update DS_MAJOR_VERSION to 4 in CI template.
• Update user documentation.
  • Update references to Docker images.

NOTES

• The documentation doesn't cover DS_MAJOR_VERSION.
• The specs of the CI templates don't reference the image names.
• The CI templates used by Gemnasium already supports version branches. See https://gitlab.com/gitlab-org/security-products/ci-templates/-/blob/d37268eb93d50f5b546caeaf4d3f78ea0d837978/includes-dev/docker.yml#L85

Verification steps

On GitLab 16.x, run a new pipeline in a project where the Dependency Scanning CI template is included.

• If this is a Java project, the gemnasium-maven-dependency_scanning job successfully runs the gemnasium-maven:4 image.
• If this is a Python project, the gemnasium-python-dependency_scanning job successfully runs the gemnasium-python:4 image.
• In other projects, the gemnasium-dependency_scanning job successfully runs the gemnasium-maven:4 image.

Pipelines

• Pipelines are created for new commits pushed to v4.
• Images with tag 4 are pushed to the official registry when PUBLISH_IMAGES is set.
• Pipelines are created for new commits pushed to v3.
• Images with tag 3 are pushed to the official registry when PUBLISH_IMAGES is set.
• There's a daily scheduled pipeline for v3, and the last run is successful.

Project settings

• v3 is protected, and we can't directly push to that branch.
• v4 is protected, and we can't directly push to that branch.