[Feature flag] Cleanup `global_dependency_scanning_on_advisory_ingestion`
Summary
This issue is to clean up the `global_dependency_scanning_on_advisory_ingestion` feature flag, after the feature flag has been enabled by default for an appropriate amount of time in production.
Once this flag is removed:
- `dependency_scanning_on_advisory_ingestion` can still be used to turn off Continuous Vulnerability Scanning (CVS) for Dependency Scanning.
- CVS is always performed globally. The opt-in behavior introduced when CVS was an experimental feature is no longer available.
This has been discussed in !135574 (comment 1631306808).
Owners
- Team: group::composition analysis
- Most appropriate slack channel to reach out to:
#g_secure-composition-analysis
- Best individual to reach out to: @fcatteau
- PM: @johncrowley
Stakeholders
Expectations
What might happen if this goes wrong?
See #427424 (closed)
In mixed deployments, pending `PackageMetadata::AdvisoryScanWorker` jobs can no longer be processed by Sidekiq nodes where the old opt-in behavior (CVS XP) is no longer supported. This might trigger errors but should have no consequences, since the `GlobalAdvisoryScanWorker` worker is still in place; it implements CVS GA and is a superset of the `AdvisoryScanWorker`.
Cleaning up the feature flag
- Create a merge request to remove the `<feature-flag-name>` feature flag. Ask for review and merge it.
  - Remove all references to the feature flag from the codebase.
  - Remove the YAML definitions for the feature from the repository.
  - Create a changelog entry.
- Ensure that the cleanup MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post.
  - `/chatops run auto_deploy status <merge-commit-of-cleanup-mr>`
- Close the feature issue to indicate the feature will be released in the current milestone.
- If not already done, clean up the feature flag from all environments by running these chatops commands in the #production channel:
  - `/chatops run feature delete <feature-flag-name> --dev`
  - `/chatops run feature delete <feature-flag-name> --staging`
  - `/chatops run feature delete <feature-flag-name>`
- Close this rollout issue.
Implementation plan
- Update backend.
  - Remove the `global` param from the finder, and the corresponding scope from the SBOM occurrence model.
  - Remove the `global` param from the `AdvisoryScanner` and `GlobalAdvisoryScanWorker` (CVS GA).
  - Remove the `global` param from the `TrackCvsService`. Keep the event action of global scans.
  - Remove the feature flag definition.
  - Remove `AdvisoryScanWorker`, which implements CVS XP.
  - Remove `AdvisoryScanWorker` from queues.
  - Remove the code that pushes `global_dependency_scanning_on_advisory_ingestion` and `dependency_scanning_on_advisory_ingestion` to the frontend.
  - Remove
- Update frontend.
  - Remove the toggle.
  - Remove the logic that shows the toggle depending on how the flags are set.
The security project setting will be removed from the DB schema in a follow-up MR.
The doc updates are covered by Document that CVS for DS becomes GA (!135574 - merged).
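The following is an added, self-contained Ruby illustration of the backend change described in the plan; it is not GitLab's code. `Feature`, `AdvisoryScannerBeforeCleanup`, `AdvisoryScannerAfterCleanup`, `vulnerable?` and the sample advisory and SBOM occurrences are hypothetical stand-ins; only the two flag names come from this issue. It shows how the `global` param and the flag branch collapse once the flag is removed, and the parity check a reviewer would run on the cleanup MR: with the flag at its production default (enabled), the scanner before and after the cleanup must report the same affected projects.

```ruby
require 'rubygems' # Gem::Version is used for version comparison

# Hypothetical stand-in for the application's feature-flag lookup. The flag
# names are the ones from this issue; the default values are assumed.
module Feature
  DEFAULTS = {
    global_dependency_scanning_on_advisory_ingestion: true, # enabled by default, about to be removed
    dependency_scanning_on_advisory_ingestion: true         # stays; turns CVS for DS off when false
  }.freeze

  def self.enabled?(flag, overrides = {})
    overrides.fetch(flag) { DEFAULTS.fetch(flag) }
  end
end

# Constructed sample data: one advisory and the SBOM occurrences of packages in four projects.
ADVISORY = { package: 'lodash', fixed_version: '4.17.21' }.freeze
OCCURRENCES = [
  { project_id: 1, package: 'lodash', version: '4.17.15' },
  { project_id: 2, package: 'lodash', version: '4.17.21' },
  { project_id: 3, package: 'lodash', version: '4.17.10' },
  { project_id: 4, package: 'minimist', version: '1.2.5' }
].freeze

# An occurrence is affected when it is the advisory's package below the fixed version.
def vulnerable?(occurrence, advisory)
  occurrence[:package] == advisory[:package] &&
    Gem::Version.new(occurrence[:version]) < Gem::Version.new(advisory[:fixed_version])
end

# Before cleanup: the `global` param together with the flag decides between scanning
# every occurrence (CVS GA) and only opted-in projects (CVS XP, the old behavior).
class AdvisoryScannerBeforeCleanup
  def initialize(opted_in_project_ids, flags: {})
    @opted_in = opted_in_project_ids
    @flags = flags
  end

  def scan(advisory, global:)
    return [] unless Feature.enabled?(:dependency_scanning_on_advisory_ingestion, @flags)

    scope =
      if global && Feature.enabled?(:global_dependency_scanning_on_advisory_ingestion, @flags)
        OCCURRENCES
      else
        OCCURRENCES.select { |o| @opted_in.include?(o[:project_id]) }
      end
    scope.select { |o| vulnerable?(o, advisory) }.map { |o| o[:project_id] }
  end
end

# After cleanup: the `global` param, the flag check and the opt-in scope are gone;
# only the remaining flag can still disable scanning.
class AdvisoryScannerAfterCleanup
  def initialize(flags: {})
    @flags = flags
  end

  def scan(advisory)
    return [] unless Feature.enabled?(:dependency_scanning_on_advisory_ingestion, @flags)

    OCCURRENCES.select { |o| vulnerable?(o, advisory) }.map { |o| o[:project_id] }
  end
end

# Parity check for the cleanup MR: with the flag at its production default (enabled),
# the pre- and post-cleanup scanners must report the same affected projects.
def cleanup_preserves_behavior?(advisory, opted_in: [2])
  before = AdvisoryScannerBeforeCleanup.new(opted_in, flags: {}).scan(advisory, global: true)
  after  = AdvisoryScannerAfterCleanup.new.scan(advisory)
  before == after
end

if __FILE__ == $PROGRAM_NAME
  puts "parity with flag enabled: #{cleanup_preserves_behavior?(ADVISORY)}"
  puts "affected projects after cleanup: #{AdvisoryScannerAfterCleanup.new.scan(ADVISORY).inspect}"
end
```

The opt-in branch is the part the "Expectations" section warns about: with the global flag forced off, the pre-cleanup scanner only reports opted-in projects, which is the behavior that disappears together with `AdvisoryScanWorker`.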