馃敻 15.0 Readiness - Secure
### Support Stable Counterparts
- @greg :sunglasses: (Static Analysis Group, Threat Insights Group, Vulnerability Research Group)
- @kategrechishkina (Dynamic Analysis Group)
- Katrin (Composition Analysis Group)
### Removals / Breaking Changes
- Secure and Protect analyzer major version update
- generates reports that are subject to stringent schema validation
- No longer updated after 15.0:
- API Security: version 1
- Container Scanning: version 4
- Coverage-guided fuzz testing: version 2
- Dependency Scanning: version 2
- Dynamic Application Security Testing (DAST): version 2
- Infrastructure as Code (IaC) Scanning: version 1
- License Scanning: version 3
- Secret Detection: version 3
- Static Application Security Testing (SAST): version 2 of [all analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks), except `gosec` which is currently at version 3
- `bandit`: version 2
- `brakeman`: version 2
- `eslint`: version 2
- `flawfinder`: version 2
- `gosec`: version 3
- `kubesec`: version 2
- `mobsf`: version 2
- `nodejs-scan`: version 2
- `phpcs-security-audit`: version 2
- `pmd-apex`: version 2
- `security-code-scan`: version 2
- `semgrep`: version 2
- `sobelow`: version 2
- `spotbugs`: version 2
- Starting in GitLab 14.8, new versions of GitLab Secure and Protect analyzers are published to a new registry location under `registry.gitlab.com/security-products`. In a future release, we will stop publishing images to `registry.gitlab.com/gitlab-org/security-products/analyzers`. Once this happens, you must take action if you manually pull images and push them into a separate registry.
- See the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/352564) for more details.
- In GitLab 15.0, we will change the default major version for the SAST Analyzer for .NET from version 2 to version 3. This removes .NET 2.1 support. If you rely on .NET 2.1 support being present in the analyzer image by default, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352553#breaking-change).
- We are reducing the number of analyzers used in GitLab SAST as part of our long-term strategy to deliver a better and more consistent user experience. In GitLab 15.0, GitLab SAST will no longer use the following analyzers:
- [ESLint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (JavaScript, TypeScript, React)
- [Gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Go)
- [Bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Python)
- The API Fuzzing configuration snippet is now being generated client-side and does not require an API request anymore. We are therefore deprecating the `apiFuzzingCiConfigurationCreate` mutation which isn't being used in GitLab anymore. :green_heart:
- In GitLab 15.0, we will Remove Java 8 from the SAST analyzer image to reduce its size. If you rely on Java 8 being present in the analyzer environment, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352549#breaking-change).
- We deprecated legacy names for approval status of license policy (blacklisted, approved) in the `managed_licenses` API but they are still used in our API queries and responses. They will be removed in 15.0.
- As of 14.8 the retire.js job is being deprecated from Dependency Scanning. If you have explicitly excluded retire.js using DS_EXCLUDED_ANALYZERS you will need to clean up (remove the reference) in 15.0.
- For those using Dependency Scanning for Python projects, we are deprecating the default `gemnasium-python:2` image which uses Python 3.6 as well as the custom `gemnasium-python:2-python-3.9` image which uses Python 3.9. The new default image as of GitLab 15.0 will be for Python 3.9 as it is a [supported version](https://endoflife.date/python) and 3.6 [is no longer supported](https://endoflife.date/python).
- For users using Python 3.6, as of GitLab 15.0 you will no longer be able to use the default template for dependency scanning. You will need to switch to use the deprecated `gemnasium-python:2` analyzer image. If you are impacted by this, please comment in [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/351503) so we can extend the removal if needed.
- We are removing bundler-audit from Dependency Scanning on May 22, 2022 in 15.0. After this removal, Ruby scanning functionality will not be affected as it is still being covered by Gemnasium.
- The `projectFingerprint` field in the [PipelineSecurityReportFinding](https://docs.gitlab.com/ee/api/graphql/reference/index.html#pipelinesecurityreportfinding)
GraphQL object is being deprecated. This field contains a "fingerprint" of security findings used to determine uniqueness. The method for calculating fingerprints has changed, resulting in different values. Going forward, the new values will be exposed in the UUID field. Data previously available in the projectFingerprint field will eventually be removed entirely.
## Review
* :small_red_triangle: There will definitely be questions about this / if a customer doesn鈥檛 know about this it will have a large impact.
* :small_orange_diamond: There will be some questions about it / if a customer isn鈥檛 immediately aware they will be annoyed but the steps for moving forward are easy enough
* :sparkle: Very few customers use this feature / we鈥檒l receive minimal questions on this / the steps for working around this are trivial
| Deprecation | Issue | Predicted Impact |
| ------ | ------ | ------ |
| bundler-audit Dependency Scanning tool | https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4206 | :small_orange_diamond: |
| Dependency Scanning default Java version change to 17 | https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4205 | :small_orange_diamond: |
| Dependency Scanning Python 3.9 and 3.6 image deprecation | https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4204 | :small_orange_diamond: |
| Retire.js Dependency Scanning job deprecation | https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4203 | :small_orange_diamond: |
| Java 8 Spotbugs SAST support | https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4202 | :small_orange_diamond: |
| Deprecate ESLint Gosec, Bandit SAST scanners | https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4201 | :small_orange_diamond: |
| SAST support for .NET 2.1 | https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4200 | :small_orange_diamond: |
| GitLab Secure and Protect analyzers published to a new registry location | https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4199 | :small_orange_diamond: |
| Secure & Protect scanners major version update & deprecation | https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/4198 | :small_orange_diamond: |
epic