Remove yarn-audit Dependency Scanning
What does this MR do and why?
This MR follows up the discussions in #412732 (closed).
This removes the yarn-audit (npm-audit) dependency scan configuration as this scanner is no longer maintained and redundant with the default Dependency Scanning scanner. This scanner is also not part of our public offering and this project is the only one at GitLab using it.
This was initially introduced with !73158 (merged) with the rationale:
yarn audit is intended to complement our existing node.js dependency scanning job based on the gemnasium analyzer. The gemnasium analyzer alerts on dependencies that are affected by an advisory in the gemnasium db, which contains mostly advisories from NVD. To also alert on advisories from https://npmjs.com/advisories, yarn audit is added.
This is no longer relevant as NPM has been acquired by GitHub and advisories are publicly accessible at https://github.com/advisories, which is a source of data for our Dependency Scanning feature. A quick benchmark for currently active vulnerabilities also demonstrates it is not worth maintaining this tool in addition to our default offering.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
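The "quick benchmark" argument in the description is easier to reason about as an overlap check: which yarn audit advisories does the Dependency Scanning report already cover? The script below is an added example, not code from this MR or from GitLab's scanners. It works on constructed samples of yarn audit's newline-delimited JSON output and of a GitLab Dependency Scanning report, both trimmed to the few fields used here (the real formats carry many more), and lists the yarn audit advisories that share no CVE or GHSA identifier with the DS report for the same package.

```python
"""Overlap check between `yarn audit --json` findings and a GitLab Dependency
Scanning report. Added example (not from the MR): record formats are simplified
to the fields used here, and all sample data below is constructed."""
import json

# Constructed sample: yarn (v1) audit emits newline-delimited JSON, one
# "auditAdvisory" record per finding, ending with an "auditSummary" record.
YARN_AUDIT_NDJSON = "\n".join(json.dumps(rec) for rec in [
    {"type": "auditAdvisory", "data": {"advisory": {
        "id": 1001, "module_name": "lodash", "severity": "high",
        "cves": ["CVE-0000-0001"], "github_advisory_id": "GHSA-xxxx-xxxx-0001"}}},
    {"type": "auditAdvisory", "data": {"advisory": {
        "id": 1002, "module_name": "minimist", "severity": "moderate",
        "cves": [], "github_advisory_id": "GHSA-xxxx-xxxx-0002"}}},
    {"type": "auditAdvisory", "data": {"advisory": {
        "id": 1003, "module_name": "leftpad", "severity": "low",
        "cves": [], "github_advisory_id": None}}},
    {"type": "auditSummary", "data": {"vulnerabilities": {"low": 1, "moderate": 1, "high": 1}}},
])

# Constructed sample: a GitLab DS report (gl-dependency-scanning-report.json),
# trimmed to the identifier list and the package each finding is located in.
GITLAB_DS_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"identifiers": [{"type": "cve", "name": "CVE-0000-0001"}],
         "location": {"dependency": {"package": {"name": "lodash"}, "version": "4.17.0"}}},
        {"identifiers": [{"type": "ghsa", "name": "GHSA-xxxx-xxxx-0002"}],
         "location": {"dependency": {"package": {"name": "minimist"}, "version": "1.2.0"}}},
    ],
})


def yarn_audit_advisories(ndjson: str) -> list[dict]:
    """Parse yarn audit NDJSON into [{package, identifiers, severity}]."""
    advisories = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") != "auditAdvisory":
            continue  # auditSummary and other record types carry no advisory
        adv = rec["data"]["advisory"]
        identifiers = set(adv.get("cves") or [])
        if adv.get("github_advisory_id"):
            identifiers.add(adv["github_advisory_id"])
        advisories.append({
            "package": adv["module_name"],
            "identifiers": identifiers,
            "severity": adv.get("severity", "unknown"),
        })
    return advisories


def ds_covered_identifiers(report_json: str) -> set[tuple[str, str]]:
    """Collect the (package, identifier) pairs a GitLab DS report already reports."""
    covered = set()
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        package = vuln["location"]["dependency"]["package"]["name"]
        for ident in vuln.get("identifiers", []):
            covered.add((package, ident["name"]))
    return covered


def uncovered_advisories(ndjson: str, report_json: str) -> list[dict]:
    """yarn audit advisories that share no public identifier with the DS report
    for the same package. An advisory with no CVE/GHSA cannot be matched at all,
    so it is reported as uncovered for a human to look at."""
    covered = ds_covered_identifiers(report_json)
    return [
        adv for adv in yarn_audit_advisories(ndjson)
        if not any((adv["package"], ident) in covered for ident in adv["identifiers"])
    ]


def coverage_ratio(ndjson: str, report_json: str) -> float:
    """Fraction of yarn audit advisories the DS report already covers (1.0 = fully redundant)."""
    total = len(yarn_audit_advisories(ndjson))
    if total == 0:
        return 1.0
    return 1 - len(uncovered_advisories(ndjson, report_json)) / total


if __name__ == "__main__":
    for adv in uncovered_advisories(YARN_AUDIT_NDJSON, GITLAB_DS_REPORT):
        ids = ", ".join(sorted(adv["identifiers"])) or "no public identifier"
        print(f"not covered by DS: {adv['package']} [{adv['severity']}] ({ids})")
    print(f"coverage: {coverage_ratio(YARN_AUDIT_NDJSON, GITLAB_DS_REPORT):.0%}")
```

Matching is done per package on CVE or GHSA identifiers rather than on the npm-internal advisory id, because that id is the one identifier the DS report never carries; an advisory with no public identifier at all is deliberately left in the "uncovered" list instead of being silently counted as redundant.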
Merge request reports
Activity
changed milestone to %16.1
assigned to @gonzoyumo
Pipeline Changes
This merge request contains changes to the pipeline configuration for the GitLab project.
Please consider the effect of the changes in this merge request on the following:
- Effects on different pipeline types
- Effects on non-canonical projects:
gitlab-foss
security
dev
- personal forks
- Effects on pipeline performance
Please consider communicating these changes to the broader team following the communication guideline for pipeline changes
Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:
Category: maintenance::workflow / maintenance::pipelines for CI, Danger
Reviewer: Ash McKenzie (@ashmckenzie) (UTC+10, 14 hours ahead of @gonzoyumo)
Maintainer: David Dieulivol (@ddieulivol) (UTC+2, 6 hours ahead of @gonzoyumo)

Category: Engineering Productivity (reviewer review is optional for Engineering Productivity)
Reviewer: Rohit Shambhuni (@rshambhuni) (UTC+5.5, 9.5 hours ahead of @gonzoyumo)
Maintainer: Nao Hashizume (@nao.hashizume) (UTC-7, 3 hours behind @gonzoyumo)

To spread load more evenly across eligible reviewers, Danger has picked a candidate for each review slot, based on their timezone. Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
- Resolved by David Dieulivol
@ddieulivol could you please review this MR?
I've also asked on #security in case appsec would like to chime in: https://gitlab.slack.com/archives/C248YCNCW/p1685648612845609 (internal).
requested review from @ddieulivol
Allure report
allure-report-publisher
generated test report!
e2e-test-on-gdk: test report for 019bedd8
+-----------------------------------------------------------------------+
| suites summary                                                        |
+------------------+--------+--------+---------+-------+-------+--------+
|                  | passed | failed | skipped | flaky | total | result |
+------------------+--------+--------+---------+-------+-------+--------+
| Create           | 8      | 0      | 1       | 0     | 9     | ✅     |
| Plan             | 4      | 0      | 0       | 0     | 4     | ✅     |
| Monitor          | 4      | 0      | 0       | 0     | 4     | ✅     |
| Govern           | 2      | 0      | 0       | 0     | 2     | ✅     |
| Manage           | 1      | 0      | 0       | 0     | 1     | ✅     |
| Framework sanity | 0      | 0      | 1       | 0     | 1     | ➖     |
| Data Stores      | 2      | 0      | 0       | 1     | 2     | ❗     |
+------------------+--------+--------+---------+-------+-------+--------+
| Total            | 21     | 0      | 2       | 1     | 23    | ❗     |
+------------------+--------+--------+---------+-------+-------+--------+
- Resolved by David Dieulivol
cc @gitlab-com/gl-security/appsec for review
@ddieulivol, thanks for approving this merge request. This is the first time the merge request is approved. To ensure full test coverage, a new pipeline will be started shortly.
For more info, please refer to the following links:
added pipeline:mr-approved label
enabled an automatic merge when the pipeline for 2ba12867 succeeds
mentioned in commit be617d9a
added workflow::staging-canary label
added workflow::canary label and removed workflow::staging-canary label
added workflow::staging label and removed workflow::canary label
added workflow::production label and removed workflow::staging label
added workflow::post-deploy-db-staging label and removed workflow::production label
added workflow::post-deploy-db-production label and removed workflow::post-deploy-db-staging label
added released::candidate label
added released::published label and removed released::candidate label