From 8177ab55d3df45c8a264ba5c1f154250f4386eb2 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 16 May 2022 00:08:05 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 .../15_0/15-0-sast-spotbugs-java-8.yml | 28 +++++++++++++++++++
 doc/update/removals.md | 16 +++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 data/removals/15_0/15-0-sast-spotbugs-java-8.yml

diff --git a/data/removals/15_0/15-0-sast-spotbugs-java-8.yml b/data/removals/15_0/15-0-sast-spotbugs-java-8.yml
new file mode 100644
index 00000000000..c6e59bf4b0f
--- /dev/null
+++ b/data/removals/15_0/15-0-sast-spotbugs-java-8.yml
@@ -0,0 +1,28 @@
+- name: "Out-of-the-box SAST (SpotBugs) support for Java 8"
+ announcement_milestone: "14.8"
+ announcement_date: "2022-02-22"
+ removal_milestone: "15.0"
+ removal_date: "2022-05-22"
+ breaking_change: false
+ reporter: connorgilbert
+ stage: Secure
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352549
+ body: | # (required) Do not modify this line, instead modify the lines below.
+ The [GitLab SAST SpotBugs analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) scans [Java, Scala, Groovy, and Kotlin code](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks) for security vulnerabilities.
+ For technical reasons, the analyzer must first compile the code before scanning.
+ Unless you use the [pre-compilation strategy](https://docs.gitlab.com/ee/user/application_security/sast/#pre-compilation), the analyzer attempts to automatically compile your project's code.
+
+ In GitLab versions prior to 15.0, the analyzer image included Java 8 and Java 11 runtimes to facilitate compilation.
+
+ As of GitLab 15.0, we've:
+
+ - Removed Java 8 from the analyzer image to reduce the size of the image.
+ - Added Java 17 to the analyzer image to make it easier to compile with Java 17.
+ - Changed the default Java version from Java 8 to Java 17.
+
+ If you rely on Java 8 being present in the analyzer environment, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352549#breaking-change).
+# The following items are not published on the docs page, but may be used in the future.
+ tiers: [Free, Silver, Gold, Core, Premium, Ultimate]
+ documentation_url: https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks # (optional) This is a link to the current documentation page
+ image_url: # (optional) This is a link to a thumbnail image depicting the feature
+ video_url: # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
diff --git a/doc/update/removals.md b/doc/update/removals.md
index b56ab14cb71..9877064f562 100644
--- a/doc/update/removals.md
+++ b/doc/update/removals.md
@@ -291,6 +291,22 @@ changes to your code, settings, or workflow.
 Allowing expired personal access tokens to be used is unusual from a security perspective and could create unusual situations where an expired key is unintentionally able to be used.
 Unexpected behavior in a security feature is inherently dangerous and so we now do not let expired personal access tokens be used.
 
+### Out-of-the-box SAST (SpotBugs) support for Java 8
+
+The [GitLab SAST SpotBugs analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) scans [Java, Scala, Groovy, and Kotlin code](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks) for security vulnerabilities.
+For technical reasons, the analyzer must first compile the code before scanning.
+Unless you use the [pre-compilation strategy](https://docs.gitlab.com/ee/user/application_security/sast/#pre-compilation), the analyzer attempts to automatically compile your project's code.
+
+In GitLab versions prior to 15.0, the analyzer image included Java 8 and Java 11 runtimes to facilitate compilation.
+
+As of GitLab 15.0, we've:
+
+- Removed Java 8 from the analyzer image to reduce the size of the image.
+- Added Java 17 to the analyzer image to make it easier to compile with Java 17.
+- Changed the default Java version from Java 8 to Java 17.
+
+If you rely on Java 8 being present in the analyzer environment, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352549#breaking-change).
+
 ### Pseudonymizer
 
 WARNING: