Composition Analysis 18.0 deprecations, removals and breaking changes

Problem to solve

Prepare for changes that must be done on the major release of GitLab %18.0.

Confirmed (deprecation announced at least in 17.9)

1. license_scanning artifact report type. This was already announced in 16.9 with a removal in 18.0.
   • Deprecation issue: Deprecate the license_scanning artifact report ... (#439301 - closed) • Olivier Gonzalez, John Crowley • 18.0
   • Deprecations and Removals item: https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=18.0#deprecate-license-scanning-cicd-artifact-report-type
   • Removal issue: Remove the license_scanning artifact report type (#439303 - closed) • Unassigned • Backlog
2. Remove license data format v1 - This was already announced in 16.9 with a removal in 18.0.
   • Deprecation issue: Deprecate V1 metadata format for licenses (#438477 - closed) • Thiago Figueiró • 16.9
   • Deprecations and Removals item: https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=18.0#deprecate-license-metadata-format-v1
   • Removal issue: Remove license data for V1 format from the GCP ... (#440535 - closed) • Nick Ilieskou • 18.0 • At risk and Remove support for V1 license format from Rails... (#438478) • Unassigned • 18.6
3. Build support on Dependency Scanning and CI based security scanning with Gemnasium
   • Deprecation issue: Deprecate build support on Dependency Scanning ... (&14146 - closed) • Olivier Gonzalez
   • Deprecations and Removals doc item: WIP
   • Removal issue: Transition to Dependency Scanning with SBOM fro... (&15727) • Olivier Gonzalez
4. CI based security scanning with Trivy (keep sbom generation only) - WILL NOT DO, see #439540 (comment 2317859685)
   • Deprecation issue: Deprecate build support on Dependency Scanning ... (&14146 - closed) • Olivier Gonzalez
   • Deprecations and Removals doc item: NONE
   • Removal issue: NONE
5. Remove public access to development container registries
   • Deprecation issue: Development container registries must be private (#470641 - closed) • Thiago Figueiró • 17.4
   • Deprecations and Removals doc item: https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=18.0#public-use-of-secure-container-registries-is-deprecated
   • Removal issue: Make CA container registries private (#478454 - closed) • Unassigned • 18.0
6. Remove Security Configuration ProjectSetContinuousVulnerabilityScanning
   • Deprecation MR (no issue): !161337 (merged)
   • Deprecations and Removals doc item: none. The GraphQL API mutation has been deprecated in 17.3 in the GraphQL docs only.
   • Removal issue: Remove Security Configuration ProjectSetContinu... (#462364) • Unassigned • Backlog
7. Analyzer Major version bump
   • Deprecation issue: Secure analyzers major version update for 18.0 (#513417 - closed) • Thiago Figueiró • 17.9
   • Deprecations and Removals doc item: https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=18.0#application-security-testing-analyzers-major-version-update
   • Removal issue: CA CI templates and CI/CD components changes fo... (#514102 - closed) • Olivier Gonzalez • 18.0 • On track
8. Change CS_SEVERITY_THRESHOLD default value to medium
   • Deprecation issue: Announce breaking change: set CS_SEVERITY_THRE... (#515358 - closed) • Olivier Gonzalez, John Crowley • 18.0 • At risk
   • Deprecations and Removals doc item: WIP MR: Add announcement for CS default severity thresh... (!179298 - merged) • Olivier Gonzalez, John Crowley+ • 17.9
   • Removal issue: Change CS_SEVERITY_THRESHOLD default value to `... (#516286 - closed) • Unassigned • 18.0

Candidates for discussion

1. Stop ingesting DS security report when SBOM is detected no longer relevant
   • Deprecation issue: TBC
   • Removal issue: Exclude Gemnasium's Dependency Scanning reports... (#398627 - closed) • Unassigned • Backlog • At risk