Diffstat (limited to 'data/deprecations/16-0-mobsf-android-manifests.yml')
-rw-r--r--  data/deprecations/16-0-mobsf-android-manifests.yml  16
1 files changed, 3 insertions, 13 deletions
diff --git a/data/deprecations/16-0-mobsf-android-manifests.yml b/data/deprecations/16-0-mobsf-android-manifests.yml
index c3bca0a6db1..fb06112d26e 100644
--- a/data/deprecations/16-0-mobsf-android-manifests.yml
+++ b/data/deprecations/16-0-mobsf-android-manifests.yml
@@ -6,17 +6,7 @@
stage: Secure
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/408396
body: |
- We'll change how the MobSF-based analyzer in GitLab SAST handles multi-module Android projects.
- This analyzer only runs if you [enable Experimental features](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) for SAST.
+ **Update:** We previously announced a change to how the MobSF-based GitLab SAST analyzer would scan multi-module Android projects.
+ We've cancelled that change, and no action is required.
- The analyzer currently searches for `AndroidManifest.xml` files and scans only the first one it finds.
- This manifest often is not the main manifest for the app, so the scan checks less of the app's source code for vulnerabilities.
-
- Starting in GitLab 16.0, the analyzer will always use `app/src/main/AndroidManifest.xml` as the manifest, and use `app/src/main/` as the project root directory.
- The new behavior matches standard Android project layouts and addresses bug reports from customers, so we expect it will improve scan coverage for most apps.
-
- If you relied on the previous behavior, you can [pin the MobSF analyzer](https://docs.gitlab.com/ee/user/application_security/sast/#pinning-to-minor-image-version) to version 4.0.0, which uses the old behavior.
- Then, please comment on [the deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/408396) so we can consider new configuration options to accommodate your use case.
-
- This change doesn't affect scans you run in GitLab 15.11 or previous versions, since this change is only included in the [new major version](#secure-analyzers-major-version-update) of the MobSF-based analyzer.
- documentation_url: https://docs.gitlab.com/ee/user/application_security/sast/
+ Instead of changing which single module would be scanned, we [improved multi-module support](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/-/merge_requests/73).
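Review bot: the hunk drops the `documentation_url:` key without replacing it (the `- documentation_url: https://docs.gitlab.com/ee/user/application_security/sast/` line has no `+` counterpart), so this deprecation entry no longer carries a documentation link even though the `issue_url` and `stage` fields are kept; if the deprecations template expects that field, readers of the generated page lose the pointer to the SAST docs. Suggest restoring `documentation_url: https://docs.gitlab.com/ee/user/application_security/sast/` after the body, since the cancellation notice still concerns the SAST analyzer and the key is independent of the body text being rewritten.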