Deprecate build support for Spotbugs
Deprecation Summary
The SpotBugs SAST analyzer can perform a build when the artifacts to be scanned aren't present. While this usually works well for simple projects, it can fail on more complex builds.
From GitLab 18.0, to resolve SpotBugs analyzer build failures, you should:
- Pre-compile the project.
- Pass the artifacts you want to scan to the analyzer.
Note: This is not a change to any currently-provided functionality.
Documentation
- Deprecation notice: Deprecate support for SpotBugs build (!178678 - merged)
- Migration guidelines: n/a
Product Usage
Fully supporting builds creates the following challenges:
- Support burden. Build failures can happen for a multitude of reasons. Each support request needs to be investigated in detail, typically with several cycles of messages between users, support, and engineering.
- JDK versions. We can only support a limited number of JDK versions. If a user build requires a version that we don't support, they are already not covered.
- Increased CI minutes usage. Users typically run their own build to produce the artifacts that are released. Additional CI minutes are utilized when the Spotbugs analyzer needs to repeat the build process as part of the scan.
- Non-deterministic results. The artifacts produced by separate build jobs may be different, and so can the report from Spotbugs. This means that the report could contain results that don't correspond to the artifacts used in production.
Breaking Change?
No. Building the artifacts as part of scanning still happens when necessary. What is changing is the recommendation on how to address failures in this build.
Affected Customers
-
GitLab.com -
Self-managed -
Dedicated
Deprecation Milestone
Planned Removal Milestone
Links
Checklists
Timeline
Rollout Plan
DRIs:
-
Engineers:
@engineer(s) -
Engineering Manager: @thiagocsf
-
Determine how to migrate users still using the existing functionality -
Document ways to migrate with the tooling available -
Automate any users who have not yet migrated, but ensure it's a two-way door decision
Communication Plan
DRIs:
- Product Manager: @connorgilbert
Add links to the relevant merge requests.
- As soon as possible, but no later than the third milestone preceding the major release (for example, given the following release schedule:
17.8, 17.9, 17.10, 17.11, 18.0–17.9is the third milestone preceding the major release):-
A deprecation announcement entry has been created so the deprecation will appear in release posts and on the general deprecation page. -
Documentation has been updated to mark the feature as deprecated.
-
- On the major milestone:
-
The deprecated item has been removed. -
If the removal of the deprecated item is a breaking change, the merge request is labeled breaking change. -
Document the migration plan for users, clearly outlining the actions they need to take to mitigate the impact of the breaking change.
-
Development
DRIs:
- Engineers:
@engineer(s) - Engineering Manager:
@EM
Approvals
-
Product Manager @connorgilbert -
Engineering Manager @thiagocsf -
Senior Engineering Manager / Director @twoodham -
Group / Director of Product Management @sarahwaldner
Mentions (as applicable)
-
Product Designer: None -
Tech Writer @rdickenson / @phillipwells -
Software Engineering in Test @willmeek -
Any other stable counterparts based on the product categories: -
Add Sales/CS counterpart or mention @timtams -
Add Support counterpart or mention @gitlab-com/support/managers -
Add Marketing counterpart or mention @cfoster3
-
Labels
-
This issue is labeled deprecation, and with the relevant ~devops::,~group::, and~Category:labels. -
This issue is labeled breaking change if the removal of the deprecated item will be a breaking change. - It's not a breaking change.