From 003d1ac7cd742ebc7212ed73dacb8195f23c67c9 Mon Sep 17 00:00:00 2001
From: Connor Gilbert <cgilbert@gitlab.com>
Date: Fri, 5 May 2023 16:21:07 -0700
Subject: [PATCH 1/2] Cancel SAST analyzer consolidation for PHP and Scala

---
 .../15-9-sast-analyzer-consolidation.yml      | 29 +++++++++----------
 doc/update/deprecations.md                    | 27 +++++++++--------
 2 files changed, 27 insertions(+), 29 deletions(-)

diff --git a/data/deprecations/15-9-sast-analyzer-consolidation.yml b/data/deprecations/15-9-sast-analyzer-consolidation.yml
index 9bbeb36b59788c1a..57e77292c27e1d32 100644
--- a/data/deprecations/15-9-sast-analyzer-consolidation.yml
+++ b/data/deprecations/15-9-sast-analyzer-consolidation.yml
@@ -11,26 +11,25 @@
     We're reducing the number of supported analyzers used by default in GitLab SAST.
     This is part of our long-term strategy to deliver a faster, more consistent user experience across different programming languages.
 
-    Starting in GitLab 16.0, the GitLab SAST CI/CD template will no longer use the following analyzers, and they will enter End of Support status:
+    Starting in GitLab 16.0, the GitLab SAST CI/CD template will no longer use the [Security Code Scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan)-based analyzer for .NET, and it will enter End of Support status.
+    We'll remove this analyzer from the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replace it with GitLab-supported detection rules for C# in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
 
-    - [Security Code Scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) (.NET)
-    - [PHPCS Security Audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP)
+    Effective immediately, this analyzer will receive only security updates; other routine improvements or updates are not guaranteed.
+    After this analyzer reaches End of Support in GitLab 16.0, no further updates will be provided.
+    However, we won't delete container images previously published for this analyzer or remove the ability to run it by using a custom CI/CD pipeline job.
 
-    We'll remove these analyzers from the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replace them with GitLab-supported detection rules and the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
-    Effective immediately, these analyzers will receive only security updates; other routine improvements or updates are not guaranteed.
-    After these analyzers reach End of Support, no further updates will be provided.
-    However, we won't delete container images previously published for these analyzers or remove the ability to run them by using a custom CI/CD pipeline job.
-
-    We will also remove Scala from the scope of the [SpotBugs-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
-    This change will make it simpler to scan Scala code; compilation will no longer be required.
-    This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml).
-    Note that the SpotBugs-based analyzer will continue to cover Groovy and Kotlin.
-
-    If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on:
+    If you've already dismissed a vulnerability finding from the deprecated analyzer, the replacement attempts to respect your previous dismissal. The system behavior depends on:
 
     - whether you've excluded the Semgrep-based analyzer from running in the past.
     - which analyzer first discovered the vulnerabilities shown in the project's Vulnerability Report.
 
     See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details.
 
-    If you applied customizations to any of the affected analyzers or if you currently disable the Semgrep analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/390416#breaking-change).
+    If you applied customizations to the affected analyzer, or if you currently disable the Semgrep-based analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/390416#breaking-change).
+
+    **Update:** We've reduced the scope of this change. We will no longer make the following changes in GitLab 16.0:
+
+    1. Remove support for the analyzer based on [PHPCS Security Audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) and replace it with GitLab-managed detection rules in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
+    1. Remove Scala from the scope of the [SpotBugs-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) and replace it with GitLab-managed detection rules in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
+
+    Work to replace the PHPCS Security Audit-based analyzer is tracked in [issue 364060](https://gitlab.com/gitlab-org/gitlab/-/issues/364060) and work to migrate Scala scanning to the Semgrep-based analyzer is tracked in [issue 362958](https://gitlab.com/gitlab-org/gitlab/-/issues/362958).
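Review bot: The "**Update:**" paragraph cancels the PHP and Scala changes but does not say what support status the PHPCS Security Audit-based analyzer now has; the earlier text ("Effective immediately, these analyzers will receive only security updates") applied to it as well, so readers who saw the original notice cannot tell whether that reduced-support state still applies. Suggest adding one sentence after the list, for example "The PHPCS Security Audit-based analyzer remains in the SAST CI/CD template and continues to receive routine updates", or whatever the correct status is.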
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index 54f3487ce4fc84b1..264338828dc24f8f 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -1654,29 +1654,28 @@ GitLab SAST uses various [analyzers](https://docs.gitlab.com/ee/user/application
 We're reducing the number of supported analyzers used by default in GitLab SAST.
 This is part of our long-term strategy to deliver a faster, more consistent user experience across different programming languages.
 
-Starting in GitLab 16.0, the GitLab SAST CI/CD template will no longer use the following analyzers, and they will enter End of Support status:
+Starting in GitLab 16.0, the GitLab SAST CI/CD template will no longer use the [Security Code Scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan)-based analyzer for .NET, and it will enter End of Support status.
+We'll remove this analyzer from the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replace it with GitLab-supported detection rules for C# in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
 
-- [Security Code Scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) (.NET)
-- [PHPCS Security Audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP)
-
-We'll remove these analyzers from the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replace them with GitLab-supported detection rules and the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
-Effective immediately, these analyzers will receive only security updates; other routine improvements or updates are not guaranteed.
+Effective immediately, this analyzer will receive only security updates; other routine improvements or updates are not guaranteed.
 After these analyzers reach End of Support, no further updates will be provided.
-However, we won't delete container images previously published for these analyzers or remove the ability to run them by using a custom CI/CD pipeline job.
-
-We will also remove Scala from the scope of the [SpotBugs-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) and replace it with the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
-This change will make it simpler to scan Scala code; compilation will no longer be required.
-This change will be reflected in the automatic language detection portion of the [GitLab-managed SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml).
-Note that the SpotBugs-based analyzer will continue to cover Groovy and Kotlin.
+However, we won't delete container images previously published for this analyzer or remove the ability to run it by using a custom CI/CD pipeline job.
 
-If you've already dismissed a vulnerability finding from one of the deprecated analyzers, the replacement attempts to respect your previous dismissal. The system behavior depends on:
+If you've already dismissed a vulnerability finding from the deprecated analyzer, the replacement attempts to respect your previous dismissal. The system behavior depends on:
 
 - whether you've excluded the Semgrep-based analyzer from running in the past.
 - which analyzer first discovered the vulnerabilities shown in the project's Vulnerability Report.
 
 See [Vulnerability translation documentation](https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#vulnerability-translation) for further details.
 
-If you applied customizations to any of the affected analyzers or if you currently disable the Semgrep analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/390416#breaking-change).
+If you applied customizations to the affected analyzer, or if you currently disable the Semgrep-based analyzer in your pipelines, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/390416#breaking-change).
+
+**Update:** We've reduced the scope of this change. We will no longer make the following changes in GitLab 16.0:
+
+1. Remove support for the analyzer based on [PHPCS Security Audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) and replace it with GitLab-managed detection rules in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
+1. Remove Scala from the scope of the [SpotBugs-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) and replace it with GitLab-managed detection rules in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
+
+Work to replace the PHPCS Security Audit-based analyzer is tracked in [issue 364060](https://gitlab.com/gitlab-org/gitlab/-/issues/364060) and work to migrate Scala scanning to the Semgrep-based analyzer is tracked in [issue 362958](https://gitlab.com/gitlab-org/gitlab/-/issues/362958).
 
 </div>
 
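Review bot: The unchanged context line `After these analyzers reach End of Support, no further updates will be provided.` now disagrees with its yml source, which this same patch rewrites to `After this analyzer reaches End of Support in GitLab 16.0, no further updates will be provided.` (and the surrounding paragraph now refers to a single analyzer). `doc/update/deprecations.md` is generated from `data/deprecations/*.yml`, so this hunk looks hand-edited rather than regenerated; regenerate the file from the yml so the two stay in sync and the plural does not survive in the published notice.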
-- 
GitLab


From 167374a0c50f6ddc351971eef0ac93ca0351c495 Mon Sep 17 00:00:00 2001
From: Russell Dickenson <rdickenson@gitlab.com>
Date: Tue, 9 May 2023 13:37:09 +1000
Subject: [PATCH 2/2] Update deprecation notices

---
 doc/update/deprecations.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index 264338828dc24f8f..d9f231be8bd33514 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -1658,7 +1658,7 @@ Starting in GitLab 16.0, the GitLab SAST CI/CD template will no longer use the [
 We'll remove this analyzer from the [SAST CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml) and replace it with GitLab-supported detection rules for C# in the [Semgrep-based analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep).
 
 Effective immediately, this analyzer will receive only security updates; other routine improvements or updates are not guaranteed.
-After these analyzers reach End of Support, no further updates will be provided.
+After this analyzer reaches End of Support in GitLab 16.0, no further updates will be provided.
 However, we won't delete container images previously published for this analyzer or remove the ability to run it by using a custom CI/CD pipeline job.
 
 If you've already dismissed a vulnerability finding from the deprecated analyzer, the replacement attempts to respect your previous dismissal. The system behavior depends on:
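Review bot: This line now matches the yml source updated in the first patch (`After this analyzer reaches End of Support in GitLab 16.0`), which resolves the mismatch. Consider squashing this into the first commit so the series has no intermediate state in which the generated `deprecations.md` and its yml source disagree.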
-- 
GitLab