Create data migration to automatically resolve findings from removed SAST analyzers
As part of the %17.0 consolidation of SAST analyzers, we plan to have a data migration clean up findings produced by analyzers that have been removed. This mitigates confusion caused by findings that the new analyzer does not produce. The new analyzer may not create the same finding because:
- The relevant rule cannot, for technical reasons, be migrated to Semgrep-based scanning.
- The relevant rule has been removed from the ruleset or not converted/translated/migrated because we have judged that it doesn't provide sufficient security value.
- The old analyzer had already stopped creating the finding after a previous update (unrelated to analyzer consolidation), but the finding still remains.
Note that this migration will resolve findings, not dismiss them. By design, a resolved finding is reopened if an analyzer finds the same problem again at the same location; a dismissed finding is not reopened.
Scope
The migration should resolve findings in all analyzers that have been removed, including those removed in previous releases before 17.0. See the deprecation notices for a list of previous and upcoming changes:
Timing
This migration must only be released in 17.0, not an earlier version. It also must be timed such that it does not take effect on GitLab.com until the SAST.gitlab-ci.yml template is updated to remove the affected analyzers.
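The two scenarios below are an added illustration, not code from this issue or from GitLab: a small model of a migration that resolves (never dismisses) open findings from removed analyzers, followed by the reconciliation of the next pipeline's report. The analyzer names, the `Finding` fields, and matching findings on `(rule, location)` are assumptions made for the example. The second scenario shows why the timing constraint above matters: if the migration runs while the template still executes the removed analyzers, the next pipeline re-reports the same findings and reopens everything the migration just resolved.

```python
"""Hypothetical model of resolving findings from removed analyzers and of how
resolved vs dismissed findings behave when a later report re-reports a location.
Analyzer names, fields and the matching rule are assumptions, not GitLab's schema."""
from dataclasses import dataclass
from typing import Iterable

# Assumed placeholder identifiers; the issue does not enumerate removed analyzers.
REMOVED_ANALYZERS = frozenset({"legacy-analyzer-a", "legacy-analyzer-b"})
DETECTED, RESOLVED, DISMISSED = "detected", "resolved", "dismissed"


@dataclass
class Finding:
    scanner: str                # analyzer that last reported the finding
    rule: str                   # rule identifier within that analyzer
    location: tuple[str, int]   # (file path, line) where it was reported
    state: str = DETECTED


def migrate_removed_analyzers(findings: list[Finding]) -> int:
    """Resolve every open finding whose reporting analyzer has been removed.

    Dismissed findings are skipped: the migration resolves, it does not dismiss,
    and a user's dismissal must not be overwritten. Returns the count resolved."""
    resolved = 0
    for f in findings:
        if f.scanner in REMOVED_ANALYZERS and f.state == DETECTED:
            f.state = RESOLVED
            resolved += 1
    return resolved


def ingest_report(findings: list[Finding], report: Iterable[Finding]) -> dict[str, int]:
    """Reconcile a new scan report against stored findings.

    Matching on (rule, location) is a simplification. A resolved match is
    reopened, a dismissed match stays dismissed, an unknown finding is added."""
    index = {(f.rule, f.location): f for f in findings}
    counts = {"reopened": 0, "added": 0, "unchanged": 0}
    for r in report:
        existing = index.get((r.rule, r.location))
        if existing is None:
            findings.append(r)
            index[(r.rule, r.location)] = r
            counts["added"] += 1
        elif existing.state == RESOLVED:
            existing.state = DETECTED
            existing.scanner = r.scanner   # whichever analyzer re-found it
            counts["reopened"] += 1
        else:                              # DETECTED or DISMISSED: unchanged
            counts["unchanged"] += 1
    return counts


def sample_findings() -> list[Finding]:
    """Constructed sample data (not real scan output) for the scenarios below."""
    return [
        Finding("legacy-analyzer-a", "A1", ("app/x.py", 10)),
        Finding("legacy-analyzer-a", "A2", ("app/x.py", 20), DISMISSED),
        Finding("legacy-analyzer-b", "B1", ("app/y.py", 5)),
        Finding("semgrep", "S1", ("app/z.py", 7)),
    ]


def scenario_template_updated() -> dict:
    """Intended ordering: the template no longer runs the removed analyzers, so
    the next pipeline carries only Semgrep results. Legacy findings stay resolved
    and the dismissed one stays dismissed."""
    findings = sample_findings()
    resolved = migrate_removed_analyzers(findings)
    counts = ingest_report(findings, [Finding("semgrep", "S1", ("app/z.py", 7))])
    return {"resolved": resolved, **counts, "states": [f.state for f in findings]}


def scenario_template_stale() -> dict:
    """Ordering to avoid: the template still runs the legacy analyzers, so the
    next pipeline re-reports their findings and reopens what was just resolved."""
    findings = sample_findings()
    resolved = migrate_removed_analyzers(findings)
    counts = ingest_report(findings, [
        Finding("legacy-analyzer-a", "A1", ("app/x.py", 10)),
        Finding("legacy-analyzer-a", "A2", ("app/x.py", 20)),
        Finding("legacy-analyzer-b", "B1", ("app/y.py", 5)),
        Finding("semgrep", "S1", ("app/z.py", 7)),
    ])
    return {"resolved": resolved, **counts, "states": [f.state for f in findings]}


if __name__ == "__main__":
    print("template updated:", scenario_template_updated())
    print("template stale:  ", scenario_template_stale())
```

In the stale scenario the migration's work is undone on the next pipeline, and the dismissed finding is the only one left untouched in both orderings, which is the resolve-versus-dismiss asymmetry the note above describes.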
Technical plan and tasks
Needs to be determined
Note: This is a type of automatic resolution, but it is not the same as the SAST feature that's specifically called automatic vulnerability resolution, which cleans up findings when rules are disabled or deleted.