Bump major version for Static Analysis analyzers
We [previously announced that we'll increment analyzer major versions](https://docs.gitlab.com/ee/update/deprecations#secure-and-protect-analyzer-major-version-update) in %15.0. The versions that are deprecated are listed in the [announcement](https://docs.gitlab.com/ee/update/deprecations#secure-and-protect-analyzer-major-version-update).

Note that:

- SAST, IaC Scanning, and Secret Detection are in scope.
- Security Code Scan does _not_ need to be bumped because SCS v3 is already scheduled to become the default version in 15.0, and v2 is the current default version in previous versions of GitLab.
- Code Quality is **not** in scope.

(Note: Reasoning behind this change included the schema version changes and an effort to improve [efficiency](https://about.gitlab.com/handbook/values/#efficiency) + ability to [iterate](https://about.gitlab.com/handbook/values/#iteration) by constraining the support matrix for newer analyzer versions.)

### Tasks:

#### Analyzers

- [x] Open MRs for the following analyzers, bumping their major versions:
  - [x] kics | https://gitlab.com/gitlab-org/security-products/analyzers/kics/-/merge_requests/36
  - [x] secret detection | https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/merge_requests/156
  - [x] flawfinder | https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/merge_requests/78
  - [x] nodejs-scan | https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan/-/merge_requests/116
  - [x] semgrep | https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/merge_requests/114
  - [x] brakeman | https://gitlab.com/gitlab-org/security-products/analyzers/brakeman/-/merge_requests/102
  - [x] mobsf | https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/-/merge_requests/49
  - [x] phpcs-security-audit | https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit/-/merge_requests/66
  - [x] pmd-apex | https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex/-/merge_requests/85
  - [x] sobelow | https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/merge_requests/76
  - [x] spotbugs | https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/merge_requests/138
  - [x] kubesec | https://gitlab.com/gitlab-org/security-products/analyzers/kubesec/-/merge_requests/62
- [x] Open MRs to READMEs to indicate these analyzers are now in terminal maintenance mode, with no new major version.
  - [x] bandit | https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/merge_requests/94
  - [x] gosec | https://gitlab.com/gitlab-org/security-products/analyzers/gosec/-/merge_requests/154
  - [x] eslint | https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/merge_requests/105

#### Templates

- [x] Open an MR for the Secret-Detection and Secret-Detection.latest template bumping the analyzer version | Secret Detection: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86715 and Secret-Detection.latest: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87570
- [x] Open an MR for the SAST-IaC and SAST-IaC.latest template bumping the analyzer version | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87316
- [x] Open an MR for the SAST and SAST.latest templates bumping the analyzer versions | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87292

Both sets of tasks are ready for development but the template MRs should not be merged until a day or two before 15.0 is completed. The analyzer MRs to bump the major version can be merged any time during 15.0.