Some of the notable bug fixes in 14.5 are: broken filter dropdown in Merge Request Analytics.

GitLab Static Analysis is comprised of a set of many security analyzers that the GitLab Static Analysis team actively manages, maintains, and updates. Below are the analyzer updates released during 14.5. These updates bring additional coverage, bug fixes, and improvements.

- semgrep updated to version 0.72.0 - MR, Changelog. Various bug fixes for timeouts, crashes, and rule corrections.
- flawfinder internal packages updated to version 2.14.7 - MR, Changelog.
- gosec updated to version 2.9.1 - MR, Changelog. Fixes the SBOM generation step in the release action. Phases out support for Go version 1.15 because the current ginkgo is not backward compatible.
- sobelow internal packages updated - MR, Changelog. We thank our community contributor for their contributions (1, 2, 3) to our Sobelow analyzer, which enable new detection rules and open the door for additional rules and further improvements.
- PMD updated to version 6.40.0 - MR, Changelog. Various improvements and bug fixes for rulesets.
- spotbugs updated to version 4.5.0 - MR, Changelog.

If you include the GitLab managed vendored SAST template, you do not need to do anything to receive these updates. However, if you override or customize your own CI template, you need to update your CI configurations. To remain on a specific version of any analyzer, you can pin to a minor version of that analyzer. Pinning to a previous version prevents you from receiving automatic analyzer updates and requires you to manually bump the analyzer version in your CI template.
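The two configurations contrasted above, as an added example that is not from the release post or from GitLab's templates: a .gitlab-ci.yml that includes the GitLab-managed SAST template (automatic analyzer updates) and overrides one analyzer job to pin it to a minor version (no automatic updates until you bump the tag). The template path and the SAST_ANALYZER_IMAGE_TAG variable are those documented for GitLab 14.x SAST; the IaC template name, the job name and the tag values are this example's assumptions and should be checked against your GitLab version.

```yaml
# Added example, not GitLab's own template. Assumed names are marked below.
include:
  # Managed template: analyzer images float on a major tag, so every
  # release's analyzer updates (such as the 14.5 list above) arrive for free.
  - template: Security/SAST.gitlab-ci.yml
  # New in 14.5: standalone IaC scanning template (assumed template name).
  - template: Security/SAST-IaC.latest.gitlab-ci.yml

# Pinning one analyzer: override the job the template defines (assumed job
# name "semgrep-sast") and set the image tag to a minor version instead of
# the floating major tag. From here on this job receives no rule or engine
# updates until someone edits the tag, so record who owns that bump.
semgrep-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: "2.15"   # assumed value; "2" would track the major line
```

Pin per job rather than globally: a global `SAST_ANALYZER_IMAGE_TAG` override freezes every analyzer at once, and the tag means different things for each analyzer image. A pinned line that nobody reviews is the quiet way to lose a year of detection rules, so pair the pin with a scheduled reminder or a merge request that re-checks the latest tag.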
With GitLab 14.5 we're introducing security scanning for Infrastructure as Code (IaC) configuration files. Like all our SAST scanners, we've chosen to make this capability available to all customers for free to encourage secure coding practices with the rise of IaC. The initial version of this IaC security scanner supports configuration files for Terraform, Ansible, AWS CloudFormation, and Kubernetes and is based on the open-source Keeping Infrastructure as Code Secure (KICS) project. This new IaC scanning capability joins our existing Kubernetes manifest SAST scanner. If you're familiar with GitLab SAST, GitLab's IaC scanning works exactly the same and supports the same features, including a standalone IaC scanning CI configuration file, a UI-based enablement tool on the Security Configuration page, and support for all our Ultimate tier Vulnerability Management features, including Security Dashboards and the Merge Request widget. With this new IaC scanning template, we've also made it easy to extend our IaC scanning with additional scanners, and we welcome community contributions using our secure scanner integration framework.

You can use the GitLab Package Registry to publish and share npm packages alongside your source code and pipelines. Prior to this release, however, GitLab did not extract all of the relevant metadata detailed in your package.json file. This is especially problematic when npm or Yarn relies on one of those fields. For example, the bin field defines executables to insert in $PATH. Without that field, your executables do not work. As of this release, GitLab extracts the abbreviated metadata for npm packages, including the bin field and others. If you publish packages that have one or more executable files to install into $PATH, you can now rely on the GitLab Package Registry to work seamlessly. Please note that this change applies to new packages only. Any packages already published to the registry must be updated for the change to take effect. In addition, GitLab only extracts the abbreviated metadata, which excludes certain fields. GitLab-#344107 proposes extracting the full metadata set.
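To make concrete what "abbreviated metadata" keeps and drops, and why a missing bin field breaks a CLI package, here is an added example (not GitLab's code, and not the npm client's) that builds the abbreviated per-version document and the top-level packument a registry serves for installs, then resolves the commands an installer would link into $PATH. The field list follows the npm registry's install-time (abbreviated) document format as this example assumes it; the package.json, dist block and registry URL are constructed samples.

```javascript
// Added example (not GitLab's code). The field list is this example's
// assumption about the npm registry's abbreviated install metadata.
const ABBREVIATED_VERSION_FIELDS = [
  "name", "version", "dependencies", "devDependencies", "optionalDependencies",
  "peerDependencies", "bundleDependencies", "bin", "directories", "dist",
  "engines", "deprecated", "_hasShrinkwrap",
];

// Constructed sample: a scoped package that ships one CLI entry point.
const samplePackageJson = {
  name: "@example/acme-cli",
  version: "1.2.0",
  description: "Constructed sample package with an executable",
  bin: { acme: "bin/acme.js" },
  scripts: { test: "node test.js" },
  dependencies: { yargs: "^17.0.0" },
  engines: { node: ">=14" },
};

// Constructed dist block a registry adds at publish time.
const sampleDist = {
  tarball: "https://registry.example.invalid/@example/acme-cli/-/acme-cli-1.2.0.tgz",
  shasum: "0000000000000000000000000000000000000000",
};

// Copy only the install-relevant fields. Everything else in package.json
// (description, scripts, readme, ...) is what "abbreviated" leaves out.
function abbreviatedVersion(pkg, dist) {
  const out = {};
  for (const field of ABBREVIATED_VERSION_FIELDS) {
    if (pkg[field] !== undefined) out[field] = pkg[field];
  }
  if (dist !== undefined) out.dist = dist;
  return out;
}

// Top-level abbreviated document for all published versions of a package.
function abbreviatedPackument(versionDocs, distTags) {
  const versions = {};
  for (const doc of versionDocs) versions[doc.version] = doc;
  return { name: versionDocs[0].name, "dist-tags": distTags, versions };
}

// Map bin to the command names an installer links into $PATH. A string bin
// means a single command named after the package, minus any @scope/ prefix.
function executablesToLink(versionDoc) {
  const bin = versionDoc.bin;
  if (bin === undefined || bin === null) return {};
  if (typeof bin === "string") {
    const unscoped = versionDoc.name.split("/").pop();
    return { [unscoped]: bin };
  }
  return { ...bin };
}

// Installer's view: resolve a dist-tag, then the commands for that version.
// If a registry served the version without bin, this returns {} and the
// tarball installs fine but no command ever appears on $PATH.
function commandsForTag(packument, tag) {
  const version = packument["dist-tags"][tag];
  const doc = packument.versions[version];
  return doc ? executablesToLink(doc) : {};
}

const versionDoc = abbreviatedVersion(samplePackageJson, sampleDist);
const packument = abbreviatedPackument([versionDoc], { latest: "1.2.0" });
console.log(JSON.stringify(commandsForTag(packument, "latest")));
```

The practical check after publishing to a registry you do not control: fetch the package's metadata document and confirm that `versions[<version>].bin` is present before trusting that `npx <command>` or a global install will work. Note that the abbreviated document never carries fields such as description or scripts, so tooling that needs those must read the full document, which is what the linked proposal is about.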