Merge branch 'deprecate_retire_js_analyzer' into 'master'

Deprecate retire.js analyzer See merge request gitlab-org/gitlab!80501

Merge branch 'deprecate_retire_js_analyzer' into 'master'
Deprecate retire.js analyzer See merge request gitlab-org/gitlab!80501
7408e873 · Russell Dickenson · f22725d3 · d77224c1 · 7408e873 · 7408e873
Commit 7408e873 authored Feb 15, 2022 by Russell Dickenson
4 changed files
--- a/data/deprecations/14-8-deprecation-secure-dependency-scanning-retire-js.yml
+++ b/data/deprecations/14-8-deprecation-secure-dependency-scanning-retire-js.yml
+- name: "Retire-JS Dependency Scanning tool" # The name of the feature to be deprecated
+  announcement_milestone: "14.8" # The milestone when this feature was first announced as deprecated.
+  announcement_date: "2022-02-22" # The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
+  removal_milestone: "15.0" # The milestone when this feature is planned to be removed
+  breaking_change: true
+  body: | # Do not modify this line, instead modify the lines below.
+    As of 14.8 the retire.js job is being deprecated from Dependency Scanning. It will continue to be included in our CI/CD template while deprecated. We are removing retire.js from Dependency Scanning on May 22, 2022 in GitLab 15.0. JavaScript scanning functionality will not be affected as it is still being covered by Gemnasium.
+
+    If you have explicitly excluded retire.js using DS_EXCLUDED_ANALYZERS you will need to clean up (remove the reference) in 15.0. If you have customized your pipeline's Dependency Scanning configuration related to the `retire-js-dependency_scanning` job you will want to switch to gemnasium-dependency_scanning before the removal in 15.0, to prevent your pipeline from failing. If you have not used the DS_EXCLUDED_ANALYZERS to reference retire.js, or customized your template specifically for retire.js, you will not need to take action.
+# The following items are not published on the docs page, but may be used in the future.
+  stage: secure # (optional - may be required in the future) String value of the stage that the feature was created in. e.g., Growth
+  tiers: ultimate # (optional - may be required in the future) An array of tiers that the feature is available in currently.  e.g., [Free, Silver, Gold, Core, Premium, Ultimate]
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/350510 # (optional) This is a link to the deprecation issue in GitLab
+  documentation_url: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/analyzers.html # (optional) This is a link to the current documentation page
+  image_url: # (optional) This is a link to a thumbnail image depicting the feature
+  video_url: # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
+  removal_date: "2022-05-22" # (optional - may be required in the future) YYYY-MM-DD format. This should almost always be the 22nd of a month (YYYY-MM-22), the date of the milestone release when this feature is planned to be removed
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -1028,6 +1028,20 @@ For more information, check the [summary section of the deprecation issue](https

 **Planned removal milestone: 15.0 (2022-05-22)**

+### Retire-JS Dependency Scanning tool
+
+WARNING:
+This feature will be changed or removed in 15.0
+as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
+Before updating GitLab, review the details carefully to determine if you need to make any
+changes to your code, settings, or workflow.
+
+As of 14.8 the retire.js job is being deprecated from Dependency Scanning. It will continue to be included in our CI/CD template while deprecated. We are removing retire.js from Dependency Scanning on May 22, 2022 in GitLab 15.0. JavaScript scanning functionality will not be affected as it is still being covered by Gemnasium.
+
+If you have explicitly excluded retire.js using DS_EXCLUDED_ANALYZERS you will need to clean up (remove the reference) in 15.0. If you have customized your pipeline's Dependency Scanning configuration related to the `retire-js-dependency_scanning` job you will want to switch to gemnasium-dependency_scanning before the removal in 15.0, to prevent your pipeline from failing. If you have not used the DS_EXCLUDED_ANALYZERS to reference retire.js, or customized your template specifically for retire.js, you will not need to take action.
+
+**Planned removal milestone: 15.0 (2022-05-22)**
+
 ### Support for gRPC-aware proxy deployed between Gitaly and rest of GitLab

 WARNING:

--- a/doc/user/application_security/dependency_scanning/analyzers.md
+++ b/doc/user/application_security/dependency_scanning/analyzers.md
@@ -35,6 +35,9 @@ maintained by GitLab, but users can also integrate their own **custom images**.
 WARNING:
 The `bundler-audit` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#bundler-audit-dependency-scanning-tool).

+WARNING:
+The `retire.js` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#retire-js-dependency-scanning-tool).
+
 ## Official default analyzers

 Any custom change to the official analyzers can be achieved by using a

--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -389,7 +389,8 @@ The following analyzers are executed, each of which have different behavior when
   Does not support multiple lockfiles. When multiple lockfiles exist, `bundler-audit`
   analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.

-We execute both analyzers because they use different sources of vulnerability data. The result is more comprehensive analysis than if only one was executed.
+WARNING:
+The `bundler-audit` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#bundler-audit-dependency-scanning-tool).

 #### Python

@@ -421,6 +422,8 @@ The following analyzers are executed, each of which have different behavior when
 From GitLab 14.8 the `Gemnasium` analyzer scans supported JavaScript projects for vendored libraries
 (that is, those checked into the project but not managed by the package manager).

+WARNING:
+The `retire.js` analyzer is deprecated and will be removed in GitLab 15.0 since it duplicates the functionality of the `gemnasium` analyzer. For more information, read the [deprecation announcement](../../../update/deprecations.md#retire-js-dependency-scanning-tool).
 We execute both analyzers because they use different sources of vulnerability data. The result is more comprehensive analysis than if only one was executed.

 #### PHP, Go, C, C++, .NET, C&#35;