Add deprecation announcement for Dependendcy Scanning upgrade to GitLab SBOM Vulnerability Scanner

Be sure to link this MR to the relevant deprecation issue(s).

• Deprecation Issue: #501308

This MR adds 3 announcements:

• one global announcement for the main change and the list of all related side effects
• a dedicated announcement for "Dependency Scanning for JavaScript vendored libraries"
• a dedicated announcement for "Resolve a Vulnerability for Dependency Scanning on Yarn projects"

The justification for additional dedicated announcement has been discussed here and here:

If there is no relevant deprecation issue, hit pause and:

• Review the process for deprecating and removing features.
• Connect with the Product Manager DRI.

Deprecation announcements can and should be created and merged into Docs at any time, to optimize user awareness and planning. We encourage confirmed deprecations to be merged as soon as the required reviews are complete, even if weeks ahead of the target milestone's release post. For the announcement to be included in a specific release post and that release's documentation packages, this MR must be reviewed/merged per the due dates below:

10 days (Monday) before the Release Date: Assign this MR to these team members as Reviewer and for Approval (optional unless noted as required):

• Product Marketing: @PMM
• Product Designer(s): @ProductDesigners
• Product Group Manager or Director: @PM - Required
• Engineering Manager: @EM - Required
• Technical writer: @TW - Required

By 11:59 AM PDT 8 days (Wednesday) before the Release Date: EM/PM assigns this MR to the TW reviewer for final review and merge: @EM/PM

By 11:59 PM PDT 6 days (Friday) before the Release Date: TW Reviewer updates Docs by merging this MR to master: @TW

---

Please review:

• The definitions of "Deprecation", "End of Support", and "Removal".
• The guidelines for deprecations.
• The process for creating a deprecation announcement.

They are frequently updated, and everyone should make sure they are aware of the current standards (PM, PMM, EM, and TW).

EM/PM release post item checklist

• Set yourself as the Assignee, meaning you are the DRI.
• For breaking changes:
  • Add the breaking change label to the MR.
  • If the breaking change affects GitLab.com, add window with a value of 1, 2, or 3. The value represents the planned release window for GitLab.com, typically in the three weeks before the major release date. You should intentionally plan this window ahead of time. If you're not sure, ask @swiskow.
• Confirm this MR is labeled release post itemdeprecation
• Follow the process to create a deprecation YAML file.
• [] Add reviewers by the 10th.
• Add scoped devops:: and group:: labels as necessary.
• [] Add the appropriate milestone to this MR.
• If the changes modify log format(addition/deletion/modification) of product feature, tag @gitlab-com/gl-security/engineering-and-research/security-logging team over the GitLab issue/MR.
• When ready to be merged (and no later than the 15th) @mention the TW for final review and merge.

Reviewers

When the content is ready for review, it must be reviewed by a Technical Writer and Engineering Manager, but can also be reviewed by Product Marketing, Product Design, and the Product Leaders for this area. Please use the reviewers feature for all reviews. Reviewers will then approve the MR and remove themselves from Reviewers when their review is complete.

• (Recommended) PMM
• (Optional) Product Designer
• (Optional) Group Manager or Director
• Required review and approval: Technical Writer designated to the corresponding DevOps stage/group.

Tech writer review

After being added as a Reviewer to this merge request, the TW performs their review according to the criteria described below.

Review deprecation MRs with a similar process as regular docs MRs. Add suggestions as needed, @ message the PM to inform them the first review is complete, and remove yourself as a reviewer if it's not ready for merge yet.

Expand for Details

• Title:
  • Length limit: 7 words (not including articles or prepositions).
  • Capitalization: ensure the title is sentence cased.
• Consistency:
  • Ensure that all resources (docs, deprecation, etc.) refer to the feature with the same term / feature name.
• Content:
  • Make sure the deprecation is accurate based on your understanding. Look for typos or grammar mistakes. Work with PM and PMM to ensure a consistent GitLab style and tone for messaging, based on other features and deprecations.
  • Review use of whitespace and bullet lists. Will the deprecation item be easily scannable when published? Consider adding line breaks or breaking content into bullets if you have more than a few sentences.
  • Make sure there aren't acronyms readers may not understand per our Writing style guidelines.
• Links:
  • All links must be full URLs, as the deprecation YAML files are used in two different projects. Do not use relative links. The generated doc is an exception to the relative link rule and currently uses absolute links only.
  • Make sure all links and anchors are correct. Do not link to the H1 (top) anchor on a docs page.
• Code. Make sure any included code is wrapped in code blocks.
• Capitalization. Make sure to capitalize feature names. Stay consistent with the Documentation Style Guidance on Capitalization.
• Blank spaces. Remove unnecessary spaces (end of line spaces, double spaces, extra blank lines, and lines with only spaces).

When the PM indicates it is ready for merge and all issues have been addressed, start the merge process.

Technical writer merge process

The deprecations doc's .md file must be updated before this MR is merged:

1. Check out the MR's branch (in the gitlab-org/gitlab project).
2. From the command line (in the branch), run bin/rake gitlab:docs:compile_deprecations. If you want to double check that it worked, you can run bin/rake gitlab:docs:check_deprecations to verify that the doc is up to date.
3. Commit the updated file and push the changes.
4. Set the merge request to auto-merge, or if the pipeline is already complete, merge.

If you have trouble running the Rake task, check the troubleshooting steps.

data/deprecations/17-9-DS-build-support-and-CI-based-security-scanning copy.yml

+- title: "Build support in Dependency Scanning and CI based security scanning with Gemnasium"
+  # The milestones for the deprecation announcement, and the removal.
+  removal_milestone: "18.0"
+  announcement_milestone: "17.9"
+  # Change breaking_change to false if needed.
+  breaking_change: true
+  window: 1  # Can be 1, 2, or 3 - The window when the breaking change will be deployed on GitLab.com
+  reporter: gonzoyumo  # The GitLab username of the person reporting the change
+  stage: application_security_testing
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/501308
+  # Use the impact calculator https://gitlab-com.gitlab.io/gl-infra/breaking-change-impact-calculator/?
+  impact:  # Can be one of: [critical, high, medium, low]
+  scope: project  # Can be one or a combination of: [instance, group, project]
+  resolution_role: Maintainer  # Can be one of: [Admin, Owner, Maintainer, Developer]
+  manual_task: true  # Can be true or false. Use this to denote whether a resolution action must be performed manually (true), or if it can be automated by using the API or other automation (false).
+  body: |  # (required) Don't change this line.
+   The Dependency Scanning feature based on the Gemnasium analyzer that provides both SBOM report generation and Security Scanning in the CI pipeline is deprecated.
+   It is replaced with the new Dependency Scanning analyzer that is only responsible for detecting dependencies and generating a CycloneDX SBOM report artifact in the CI.
+   The security analysis will no longer be done within this CI job and instead the Dependency Scanning feature will leverage the SBOM based security scanning capabilities built into the GitLab platform.
+
+   This change causes major side-effects and other feature removals that should be carefully reviewed:
+
+   - The [Resolve a vulnerability](https://docs.gitlab.com/ee/user/application_security/vulnerabilities/#resolve-a-vulnerability) feature **for Yarn projects** is not available with the new Dependency Scanning analyzer
+   and it will be removed in 18.0. A replacement feature will be developed with [Auto Remediation vision](https://gitlab.com/groups/gitlab-org/-/epics/759) but there is no guarantee of its availability before 18.0.
+   - The [Dependency Scanning for JavaScript vendored libraries](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#javascript) capability is not available with the new Dependency Scanning analyzer
+   and it will be removed in 18.0. A replacement feature will be developed with [Dependency Scanning on vendored libraries](https://gitlab.com/groups/gitlab-org/-/epics/7186) but there is no guarantee of its availability before 18.0.
+   - As the [Dependency Scanning security report artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning) is not generated by the new Dependency Scanning analyzer, any workflow relying on
+   these particular CI job artifact files - either to modify them before they are uploaded to GitLab or to consume them in another CI job or an external vulnerability management system - will be impacted.
+   The ability to [download Dependency Scanning security scan results via the UI](https://docs.gitlab.com/ee/user/application_security/detect/security_scan_results.html#all-tiers) in this format will be removed in 18.0.
+   Please note that the Dependency Scanning security report artifact itself is not deprecated and GitLab will continue to support these reports for third party integrations.
+   - The existing CI jobs based on the Gemnasium analyzer in the Dependency Scanning CI templates (`Dependency-Scanning.gitlab-ci.yml` and `Dependency-Scanning.latest.gitlab-ci.yml`) are replaced with a new CI job dedicated to
+   the new Dependency Scanning analyzer. As a result, any customization of the Dependency Scanning CI configuration will have to be reviewed and adjusted for the new Dependency Scanning analyzer.
+
+   To assist you with the transition, please follow step by step instructions in the migration guide (TODO: add link).
+
+# ==============================
+# OPTIONAL END-OF-SUPPORT FIELDS
+# ==============================
+#
+# If an End of Support period applies:
+# 1) Share this announcement in the `#spt_managers` Support channel in Slack
+# 2) Mention `@gitlab-com/support` in this merge request.
+#
+  # When support for this feature ends, in XX.YY milestone format.
+  end_of_support_milestone:
+  # Array of tiers the feature is currently available to,
+  # like [Free, Silver, Gold, Core, Premium, Ultimate]
+  tiers: Ultimate
+  # Links to documentation and thumbnail image
+  documentation_url:
+  image_url:
+  # Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
+  video_url: