Static Analysis of legacy Java versions
Problem to solve
GitLab SAST analyzers only support recent versions of the languages and frameworks they cover. But a lot of legacy systems are still deployed, especially in large financial companies. These applications are still under maintenance and would benefit from insight into their security posture.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
Some of our customers still have Java 5 or Java 6 applications running. They will eventually be upgraded, replaced, or discontinued, but in the meantime it is necessary to understand their vulnerabilities. GitLab does not currently support this: the Java analyzer covers Java 8 to 11 only.
Proposal
Supporting legacy versions will certainly be a challenge with SpotBugs, since its rules are apparently not backported to the older releases that would support Java 5 or 6.
With an AST engine, we could let these users write their own rules, or even convert some of the existing ones to work with these legacy systems.
Permissions and Security
TODO
Documentation
TODO
Testing
TODO
What does success look like, and how can we measure that?
- Number of projects using Java 5 or 6 with security findings.
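Both the metric above and any version gate in the analyzer need a reliable way to tell whether a build actually targets Java 5 or 6. That can be read from the compiled classes without a Java toolchain: every `.class` file starts with the magic `0xCAFEBABE` followed by big-endian `minor_version` and `major_version` fields, and the major version maps directly to the `javac -target` level (49 is Java 5, 50 is Java 6, 52 is Java 8, 55 is Java 11). The script below is an added example written for this issue, not GitLab analyzer code; the directory layout (`target/classes`), the sample headers and the rule that a build's effective target is its newest class version are assumptions for illustration.

```python
"""Classify a build's compiled classes by class-file major version.

Added example (not GitLab's code). Only the 8-byte header of each .class
file is inspected: u4 magic 0xCAFEBABE, u2 minor_version, u2 major_version.
"""
import struct
import sys
from collections import Counter
from pathlib import Path

CLASS_MAGIC = 0xCAFEBABE

# Class-file major_version -> Java platform level (JVM Specification, section 4.1).
MAJOR_TO_JAVA = {
    45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6", 51: "7",
    52: "8", 53: "9", 54: "10", 55: "11", 56: "12", 57: "13", 58: "14",
    59: "15", 60: "16", 61: "17", 62: "18", 63: "19", 64: "20", 65: "21",
}
LEGACY_MAJORS = {49, 50}  # javac -target 1.5 / 1.6, the range this proposal is about


def parse_class_header(data: bytes) -> tuple:
    """Return (minor_version, major_version) from the first 8 bytes of a .class file.

    Raises ValueError for anything that is not a class file, so a renamed jar
    or a stray resource under the classes directory is reported, not miscounted.
    """
    if len(data) < 8:
        raise ValueError("shorter than a class-file header")
    magic, minor, major = struct.unpack(">IHH", data[:8])  # all fields are big-endian
    if magic != CLASS_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    return minor, major


def java_level(major: int) -> str:
    """Map a major version to the Java level it was compiled for."""
    return MAJOR_TO_JAVA.get(major, f"unknown(major={major})")


def summarize(class_blobs: dict) -> dict:
    """Classify class files (path -> bytes) by target level.

    Assumption: a build's effective target is its newest class version, since
    the JVM running it must accept every class. 'Legacy' means that effective
    target is Java 5 or 6.
    """
    by_level = Counter()
    invalid = []
    majors = []
    for path, data in class_blobs.items():
        try:
            _minor, major = parse_class_header(data)
        except ValueError as exc:
            invalid.append(f"{path}: {exc}")
            continue
        majors.append(major)
        by_level[java_level(major)] += 1
    newest = max(majors) if majors else None
    return {
        "by_level": dict(by_level),
        "invalid": invalid,
        "effective_level": java_level(newest) if newest is not None else None,
        "legacy_java5_or_6": newest in LEGACY_MAJORS,
    }


def scan_directory(root: Path) -> dict:
    """Read every .class file under root (e.g. target/classes) and summarize it."""
    blobs = {str(p): p.read_bytes() for p in root.rglob("*.class")}
    return summarize(blobs)


# Constructed sample inputs: 8-byte headers only, which is all the check needs.
SAMPLE_LEGACY_BUILD = {
    "com/acme/Ledger.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x31",  # major 49 -> Java 5
    "com/acme/Report.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32",  # major 50 -> Java 6
    "com/acme/notes.class": b"PK\x03\x04",                          # zip magic, not a class
}
SAMPLE_MIXED_BUILD = {
    "com/acme/Ledger.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x31",  # one Java 5 class...
    "com/acme/Api.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x37",     # ...but the build needs Java 11
}

if __name__ == "__main__":
    # Usage: python classify_classes.py target/classes   (no argument: run on the samples)
    if len(sys.argv) > 1:
        print(scan_directory(Path(sys.argv[1])))
    else:
        print(summarize(SAMPLE_LEGACY_BUILD))
        print(summarize(SAMPLE_MIXED_BUILD))
```

Running this over a project's classes directory in a pipeline job gives the per-project answer the metric needs, and the `invalid` list catches non-class files that a naive extension filter would count. Note that it only reflects the compilation target, not the source level: a Java 5 code base compiled with `-target 1.8` shows up as Java 8, which is exactly the case a bytecode-based analyzer would handle anyway.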