Update spotbugs major version in SAST templates
Description
As discussed in this comment, we're unable to bump SpotBugs to v6 for the stable CI template as it contains a breaking change that was not approved. As a result, the default SpotBugs job will remain on v5 for the 18.x milestones.
We have bumped SpotBugs to v6 in the latest CI template as part of the %18.0 release: !188953 (merged)
For context v6 was released as part of Add JDK 21 to SpotBugs-based SAST analyzer (#448708 - closed)
JDK 21 requires manual pin to SpotBugs v6
If users need JDK 21 support, they must manually pin to SpotBugs v6 by following these steps.
Related
Add JDK 21 to SpotBugs-based SAST analyzer (#448708 - closed) • Jason Leasure • 17.9 • On track
Implementation plan
- In %18.0 only bump SpotBugs to v6 in the latest CI template.
  - Update documentation to highlight differences between v6 and v5
    - Anyone who wants JDK 21 needs to use v6 - MR: Add notes for spotbugs jdk21 support (!188957 - merged)
  - Leave a comment on #448708 (comment 2331107183) pointing to the updated user docs
  - Highlight to SAST team that we should provide the same support for v5 before v6 is bumped in the stable CI template and more users use
    - Update SASTBot with note to manually backport SpotBugs v5: https://gitlab.com/gitlab-org/security-products/analyzers/sast-analyzer-deps-bot/-/merge_requests/30+
    - Raise this in the team meeting
- In %19.0 bump SpotBugs to v6 in the stable CI template.
  - Created issue to track this: Bump SpotBugs in the stable CI template for %19.0 (#537375)
Edited by Adam Cohen