
SAST Deprecation: Support for .NET 2.1

Deprecation Summary

The GitLab SAST Security Code Scan analyzer scans .NET code for security vulnerabilities. For technical reasons, the analyzer must first build the code to scan it.

In GitLab versions prior to 15.0, the default analyzer image (version 2) includes support for:

  • .NET 2.1
  • .NET 3.0 and .NET Core 3.0
  • .NET Core 3.1
  • .NET 5.0

In GitLab 15.0, we will change the default major version for this analyzer from version 2 to version 3. This change:

Version 3 was announced in GitLab 14.6 and made available as an optional upgrade.

If you rely on .NET 2.1 support being present in the analyzer image by default, you must take action as detailed below.

Breaking Change

This is a breaking change in default behavior only if you use .NET 2.1.

To continue to use .NET 2.1, you can pin the Security Code Scan analyzer to major version 2, which supports .NET 2.1, by using the snippet below. However, this version will not receive routine updates, and we are not able to provide support for .NET 2.1 projects.

include:
  - template: Security/SAST.gitlab-ci.yml

security-code-scan-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2
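
To decide whether a repository needs the pin above, you can check which target frameworks its project files declare. The following is an added example, not part of the original notice or GitLab's own tooling; it assumes that ".NET 2.1" corresponds to the target framework moniker `netcoreapp2.1`, and the function names and sample project files are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: ".NET 2.1" in this notice maps to the TFM "netcoreapp2.1".
AFFECTED_TFM = re.compile(r"^netcoreapp2\.1$", re.IGNORECASE)
PROJECT_GLOBS = ("*.csproj", "*.vbproj")

# Constructed sample project files (not from any real repository).
SAMPLE_MULTI = b"""<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFrameworks>netcoreapp2.1; net5.0</TargetFrameworks>
  </PropertyGroup>
</Project>"""
SAMPLE_CURRENT = b"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>netcoreapp3.1</TargetFramework></PropertyGroup>
</Project>"""


def target_frameworks(project_xml):
    """Return every TFM declared in <TargetFramework(s)> elements."""
    tfms = []
    for elem in ET.fromstring(project_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present
        if tag in ("TargetFramework", "TargetFrameworks") and elem.text:
            tfms += [t.strip() for t in elem.text.split(";") if t.strip()]
    return tfms


def needs_analyzer_v2(project_xml):
    """True when the project targets .NET 2.1 (the assumed TFM above)."""
    return any(AFFECTED_TFM.match(t) for t in target_frameworks(project_xml))


def scan_repo(root):
    """Map each affected project file under root to its declared TFMs."""
    hits = {}
    for pattern in PROJECT_GLOBS:
        for path in sorted(Path(root).rglob(pattern)):
            try:
                data = path.read_bytes()
                if needs_analyzer_v2(data):
                    hits[str(path)] = target_frameworks(data)
            except (ET.ParseError, OSError):
                continue  # unreadable or malformed project file: skip it
    return hits


if __name__ == "__main__":
    for path, tfms in scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: {', '.join(tfms)}")
```

The check only reads literal values in project files; a framework set through an MSBuild property reference or a shared props file is not resolved and needs a manual look.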

Affected Topology

All deployment types (SaaS and self-managed) are affected.

Affected Tier

All tiers (GitLab Free, GitLab Premium, GitLab Ultimate) are affected.

Checklist

  • Mention your stage's stable counterparts on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.

    • To see who the stable counterparts are for a product team, visit product categories
      • If there is no stable counterpart listed for Sales/CS please mention @timtams
      • If there is no stable counterpart listed for Support please mention @gitlab-com/support/managers
      • If there is no stable counterpart listed for Marketing please mention @cfoster3
  • Mention your GPM so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.

  • Customer Success stable counterparts: @bmiller1, @brianwald, @chloe

  • Support stable counterpart: @greg

  • Marketing stable counterpart: @cblake2000

  • Director, Product Management: @hbenson

Note: Required and optional reviewers were already @-mentioned on the Deprecation MR (!80470 (merged)).

Deprecation Milestone

%14.8

Planned Removal Milestone

%15.0

Links

Deprecation Announcement:

Edited by Connor Gilbert