Bump major version of Container Scanning analyzer
Why are we doing this work
All the pinned analyzer versions have been deprecated.
This means we need to:
- bump the major version of the CS analyzer in %15.0.
- maintain a pipeline for the current major version for at least 2 years to:
  - keep updating the advisory database in the images; and
  - be able to release updates should we need to backport fixes.
In scope for this issue are the version bump and keeping the advisory database updated in the images of the previous major version. Setting up backport releases can be done when and if we need to backport anything to the previous version. Ended up doing all items, so this ended up being more like weight:3 instead of the original 2.
Relevant links
Non-functional requirements
As per the notice:
Users of GitLab 12.0-14.10 will continue to experience analyzer updates as normal until the release of GitLab 15.0, following which all newly fixed bugs and newly released features in the new major versions of the analyzers will not be available in the deprecated versions because we do not backport bugs and new features as per our maintenance policy.
As required, security patches will be backported within the latest 3 minor releases.
Also, per our statement of support:
Unless otherwise specified in your support contract, we support the current major version and previous two major versions only.
- Documentation: image versions and examples in https://docs.gitlab.com/ee/user/application_security/container_scanning/
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- Bump the analyzer version to `5.0.0`.
- Update the CI template to use `CS_ANALYZER_IMAGE: registry.gitlab.com/security-products/container-scanning:5`.
- Create a `v4.x` branch with the same protections as the default branch. This will be used in the future when we need to backport changes to v4.
- Add or update the schedule that triggers DB updates to include all major versions listed in `TRIGGER_DB_UPDATE_FOR_MAJOR_VERSIONS`.
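The following `.gitlab-ci.yml` fragment is an added example, not the analyzer project's own CI configuration. It shows the two pieces the plan above touches: the major-only image pin that the CI template hands to users, and a scheduled job that kicks off an image rebuild (with a refreshed advisory database) for every major version listed in `TRIGGER_DB_UPDATE_FOR_MAJOR_VERSIONS`. Assumptions, none of which come from the page: the newest major lives on the default branch and older majors on `v<major>.x` branches, the `LATEST_MAJOR` and `DB_UPDATE` variables are hypothetical names, the `curlimages/curl` image is an arbitrary choice, and the pipeline trigger API is called with `CI_JOB_TOKEN` as documented for the GitLab API.

```yaml
# Added example, not the project's own CI config.

# 1. What the Container Scanning CI template pins for users. Only the major
#    tag (`:5`) is pinned, so every rebuild of the image, including ones that
#    only refresh the bundled advisory database, reaches users without a
#    pipeline change. A fully qualified tag such as `:5.0.0` would freeze the
#    vulnerability database at that image's build date, which is exactly what
#    the scheduled rebuilds below exist to avoid.
variables:
  CS_ANALYZER_IMAGE: registry.gitlab.com/security-products/container-scanning:5

# 2. Scheduled job in the analyzer project that triggers a DB-update pipeline
#    on each maintained major version. Runs only from a pipeline schedule;
#    the schedule is expected to set TRIGGER_DB_UPDATE_FOR_MAJOR_VERSIONS.
trigger_db_updates:
  image: curlimages/curl:latest          # assumption: any image with curl
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  variables:
    TRIGGER_DB_UPDATE_FOR_MAJOR_VERSIONS: "4 5"   # space-separated majors
    LATEST_MAJOR: "5"                             # hypothetical variable
  script:
    - |
      set -eu
      for major in $TRIGGER_DB_UPDATE_FOR_MAJOR_VERSIONS; do
        # Assumed branch layout: newest major on the default branch,
        # older majors on their v<major>.x maintenance branches.
        if [ "$major" = "$LATEST_MAJOR" ]; then
          ref="$CI_DEFAULT_BRANCH"
        else
          ref="v${major}.x"
        fi
        echo "Triggering advisory DB update for major ${major} on ${ref}"
        # --fail makes a rejected trigger (e.g. a missing v4.x branch, or
        # one the job token may not trigger) fail this job loudly instead
        # of silently leaving that major version's DB stale.
        curl --fail --silent --show-error --request POST \
          --form "token=${CI_JOB_TOKEN}" \
          --form "ref=${ref}" \
          --form "variables[DB_UPDATE]=true" \
          "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/trigger/pipeline"
      done
```

The `v4.x` branch must exist and carry the same protections as the default branch before the first scheduled run; otherwise the `--fail` on the trigger call turns a missing maintenance branch into a visible job failure rather than a quietly stale v4 advisory database.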