Bump SAST Analyzer major version for 17.0 and remove deprecated analyzers
Why are we doing this work?
Version 4 of all SAST analyzers has been deprecated. The analyzers that will not be removed in 17.0 must be bumped to the next major version.
Analyzers to bump from v4 to v5:
The version must be updated in:
- https://gitlab.com/components/sast/-/blob/main/templates/sast.yml?ref_type=heads#L8
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
The jobs for the analyzers that are to be removed should also be updated so that they no longer run by default.
The jobs should be updated in the following way:

```yaml
nodejs-scan-sast:
  extends: .sast-analyzer
  script:
    - echo "This job was deprecated in GitLab 16.8 and removed in GitLab 17.0"
    - echo "For more information see https://docs.gitlab.com/ee/update/deprecations.html#sast-analyzer-coverage-changing-in-gitlab-170"
    - exit 1
  rules:
    - when: never
```
The analyzers to be removed are:
- flawfinder
- nodejs scan
- phpcs
- brakeman
- mobsf-android-sast
- mobsf-ios-sast
- Remove kotlin from spotbugs job
The analyzer should be removed from:
- https://gitlab.com/components/sast/-/blob/main/templates/sast.yml?ref_type=heads#L8
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml
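A line-based audit of a SAST template against the two changes this issue asks for: every removed analyzer job must carry an unconditional `when: never`, and `SAST_ANALYZER_IMAGE_TAG` must be the new major. This is an added example, not code from the GitLab project; the sample template, the `variables`/`SAST_ANALYZER_IMAGE_TAG` layout and the `<analyzer>-sast` job names not shown above are assumptions.

```python
import re

# Constructed sample shaped like a GitLab SAST CI template (assumed layout:
# SAST_ANALYZER_IMAGE_TAG under `variables`, one `<analyzer>-sast` job each).
SAMPLE_TEMPLATE = """\
variables:
  SAST_ANALYZER_IMAGE_TAG: 4
semgrep-sast:
  rules:
    - if: $SAST_DISABLED == 'true'
      when: never
    - if: $CI_COMMIT_BRANCH
nodejs-scan-sast:
  rules:
    - when: never
flawfinder-sast:
  rules:
    - if: $CI_COMMIT_BRANCH
"""
REMOVED_JOBS = {"brakeman-sast", "flawfinder-sast", "nodejs-scan-sast",
                "mobsf-android-sast", "mobsf-ios-sast"}  # job names assumed

def split_jobs(text):
    # Split at column-0 keys; each chunk is "name:\n<indented body>", blanks dropped.
    chunks = [c for c in re.split(r"^(?=\S)", text, flags=re.M) if c.strip()]
    return {c.split(":", 1)[0]: [ln for ln in c.splitlines()[1:] if ln.strip()]
            for c in chunks}

def is_disabled(job_lines):
    # True only if `rules:` holds exactly one unconditional `- when: never`;
    # a `when: never` nested under an `if:` still leaves the job runnable.
    for i, line in enumerate(job_lines):
        if line.strip() == "rules:":
            indent, rules = len(line) - len(line.lstrip()), []
            for nxt in job_lines[i + 1:]:
                if len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                rules.append(nxt.strip())
            return rules == ["- when: never"]
    return False

def audit(text, removed=REMOVED_JOBS, expected_tag="5"):
    # Findings for the two 17.0 changes; an empty list means the template is done.
    jobs = split_jobs(text)
    m = re.search(r"SAST_ANALYZER_IMAGE_TAG:\s*['\"]?(\d+)",
                  "\n".join(jobs.get("variables", [])))
    tag = m.group(1) if m else "unset"
    findings = [] if tag == expected_tag else [
        f"SAST_ANALYZER_IMAGE_TAG is {tag}, expected {expected_tag}"]
    findings += [f"{name} is removed in 17.0 but still runnable"
                 for name, lines in jobs.items() if name in removed and not is_disabled(lines)]
    return findings
```

Run `audit()` over each template listed above after editing it; the sample reports the stale tag and the still-runnable flawfinder job, and the conditional `when: never` under semgrep-sast is correctly not mistaken for a disabled job.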
Relevant links
Implementation Plan
- Remove replaced analyzers - !151632 (merged)
  - SAST.latest.gitlab-ci.yml
    - Brakeman
    - Flawfinder
    - MobSF iOS and android
    - NodeJS Scan
    - PHPCS
  - SAST.gitlab-ci.yml
    - Brakeman
    - Flawfinder
    - MobSF iOS and android
    - NodeJS Scan
    - PHPCS
  - components/sast/templates/sast.yml
    - Brakeman
    - Flawfinder
    - MobSF iOS and android
    - NodeJS Scan
    - PHPCS
- Bump each analyzer version
  - semgrep - gitlab-org/security-products/analyzers/semgrep!405 (merged)
  - kubesec - gitlab-org/security-products/analyzers/kubesec!103 (merged)
  - pmd-apex - gitlab-org/security-products/analyzers/pmd-apex!127 (merged)
  - sobelow - gitlab-org/security-products/analyzers/sobelow!114 (merged)
  - spotbugs - gitlab-org/security-products/analyzers/spotbugs!197 (merged)
  - kics - gitlab-org/security-products/analyzers/kics!103 (merged)
- Bump analyzer in all templates - !151316 (merged)
  - https://gitlab.com/components/sast/-/blob/main/templates/sast.yml?ref_type=heads#L8
  - https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
  - https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml
  - https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.gitlab-ci.yml
  - https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
  - https://gitlab.com/gitlab-org/gitlab/-/blob/d26f0216b161953570bc97f5a63100140bd1ebe9/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
- Update documentation - !152361 (merged)
  - Remove analyzers from SAST documentation
    - Brakeman
    - Flawfinder
    - MobSF iOS and android
    - NodeJS Scan
    - PHPCS
  - Update each analyzer project's README to show as removed
    - Brakeman - Add maintenance notice (gitlab-org/security-products/analyzers/brakeman!150, merged) • Craig Smith
    - Flawfinder - Add maintenance notice (gitlab-org/security-products/analyzers/flawfinder!127, merged) • Craig Smith
    - MobSF iOS and android - Add maintenance notice (gitlab-org/security-products/analyzers/mobsf!107, merged) • Craig Smith
    - NodeJS Scan - Add maintenance notice (gitlab-org/security-products/analyzers/nodejs-scan!163, merged) • Craig Smith
    - PHPCS - Add maintenance notice (gitlab-org/security-products/analyzers/phpcs-security-audit!109, merged) • Craig Smith
Edited by Craig Smith