-name:"Retire-JSDependencyScanningtool"# The name of the feature to be deprecated
announcement_milestone:"14.8"# The milestone when this feature was first announced as deprecated.
announcement_date:"2022-02-22"# The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
removal_milestone:"15.0"# The milestone when this feature is planned to be removed
breaking_change:true
body:|# Do not modify this line, instead modify the lines below.
As of 14.8 the retire.js job is being deprecated from Dependency Scanning. It will continue to be included in our CI/CD template while deprecated. We are removing retire.js from Dependency Scanning on May 22, 2022 in GitLab 15.0. JavaScript scanning functionality will not be affected as it is still being covered by Gemnasium.
If you have explicitly excluded retire.js using DS_EXCLUDED_ANALYZERS you will need to clean up (remove the reference) in 15.0. If you have customized your pipeline's Dependency Scanning configuration related to the `retire-js-dependency_scanning` job you will want to switch to gemnasium-dependency_scanning before the removal in 15.0, to prevent your pipeline from failing. If you have not used the DS_EXCLUDED_ANALYZERS to reference retire.js, or customized your template specifically for retire.js, you will not need to take action.
# The following items are not published on the docs page, but may be used in the future.
stage:secure# (optional - may be required in the future) String value of the stage that the feature was created in. e.g., Growth
tiers:ultimate# (optional - may be required in the future) An array of tiers that the feature is available in currently. e.g., [Free, Silver, Gold, Core, Premium, Ultimate]
issue_url:https://gitlab.com/gitlab-org/gitlab/-/issues/350510# (optional) This is a link to the deprecation issue in GitLab
documentation_url:https://docs.gitlab.com/ee/user/application_security/dependency_scanning/analyzers.html# (optional) This is a link to the current documentation page
image_url:# (optional) This is a link to a thumbnail image depicting the feature
video_url:# (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
removal_date:"2022-05-22"# (optional - may be required in the future) YYYY-MM-DD format. This should almost always be the 22nd of a month (YYYY-MM-22), the date of the milestone release when this feature is planned to be removed
@@ -992,6 +992,20 @@ For more information, check the [summary section of the deprecation issue](https
**Planned removal milestone: 15.0 (2022-05-22)**
### Retire-JS Dependency Scanning tool
WARNING:
This feature will be changed or removed in 15.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
As of 14.8 the retire.js job is being deprecated from Dependency Scanning. It will continue to be included in our CI/CD template while deprecated. We are removing retire.js from Dependency Scanning on May 22, 2022 in GitLab 15.0. JavaScript scanning functionality will not be affected as it is still being covered by Gemnasium.
If you have explicitly excluded retire.js using DS_EXCLUDED_ANALYZERS you will need to clean up (remove the reference) in 15.0. If you have customized your pipeline's Dependency Scanning configuration related to the `retire-js-dependency_scanning` job you will want to switch to gemnasium-dependency_scanning before the removal in 15.0, to prevent your pipeline from failing. If you have not used the DS_EXCLUDED_ANALYZERS to reference retire.js, or customized your template specifically for retire.js, you will not need to take action.
**Planned removal milestone: 15.0 (2022-05-22)**
### Support for gRPC-aware proxy deployed between Gitaly and rest of GitLab
@@ -35,6 +35,9 @@ maintained by GitLab, but users can also integrate their own **custom images**.
WARNING:
The `bundler-audit` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#bundler-audit-dependency-scanning-tool).
WARNING:
The `retire.js` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#retire-js-dependency-scanning-tool).
## Official default analyzers
Any custom change to the official analyzers can be achieved by using a
@@ -389,7 +389,8 @@ The following analyzers are executed, each of which have different behavior when
Does not support multiple lockfiles. When multiple lockfiles exist, `bundler-audit`
analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.
We execute both analyzers because they use different sources of vulnerability data. The result is more comprehensive analysis than if only one was executed.
WARNING:
The `bundler-audit` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#bundler-audit-dependency-scanning-tool).
#### Python
...
...
@@ -421,6 +422,8 @@ The following analyzers are executed, each of which have different behavior when
From GitLab 14.8 the `Gemnasium` analyzer scans supported JavaScript projects for vendored libraries
(that is, those checked into the project but not managed by the package manager).
WARNING:
The `retire.js` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#retire-js-dependency-scanning-tool).
We execute both analyzers because they use different sources of vulnerability data. The result is more comprehensive analysis than if only one was executed.
