From c06fca1afe35ace53a0f251e45d1d492587ab7ca Mon Sep 17 00:00:00 2001
From: Olivier Gonzalez <52092-gonzoyumo@users.noreply.gitlab.com>
Date: Mon, 22 Jan 2024 08:37:09 +0000
Subject: [PATCH] Deprecate Dependency Scanning incorrect SBOM metadata
 properties

---
 ...dency-scanning-incorrect-sbom-medatada.yml | 20 +++++++++++++++
 doc/update/deprecations.md                    | 25 +++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 data/deprecations/16-9-dependency-scanning-incorrect-sbom-medatada.yml

diff --git a/data/deprecations/16-9-dependency-scanning-incorrect-sbom-medatada.yml b/data/deprecations/16-9-dependency-scanning-incorrect-sbom-medatada.yml
new file mode 100644
index 000000000000..2c562febac1a
--- /dev/null
+++ b/data/deprecations/16-9-dependency-scanning-incorrect-sbom-medatada.yml
@@ -0,0 +1,20 @@
+- title: "Dependency Scanning incorrect SBOM metadata properties"
+  removal_milestone: "17.0"
+  announcement_milestone: "16.9"
+  breaking_change: true
+  reporter: gonzoyumo
+  stage: Secure
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/438779
+  body: |  # (required) Don't change this line.
+    GitLab 17.0 removes support for the following metadata properties in CycloneDX SBOM reports:
+
+    - `gitlab:dependency_scanning:input_file`
+    - `gitlab:dependency_scanning:package_manager`
+
+    These were added in GitLab 15.7 to the SBOM produced by Dependency Scanning. However, these properties were incorrect and didn't align with the [GitLab CycloneDX property taxonomy](https://docs.gitlab.com/ee/development/sec/cyclonedx_property_taxonomy.html).
+    The following correct properties were added in GitLab 15.11 to address this:
+
+    - `gitlab:dependency_scanning:input_file:path`
+    - `gitlab:dependency_scanning:package_manager:name`
+
+    The incorrect properties were kept for backward compatibility. They are now deprecated and will be removed in 17.0.
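Review bot: The `body` text says GitLab 17.0 "removes support" for the two properties but gives the reader no action to take, and it leaves open whether Dependency Scanning stops emitting them or GitLab stops reading them in ingested reports. A closing sentence would settle both, for example `If your tooling reads the deprecated properties from the generated SBOM, switch to gitlab:dependency_scanning:input_file:path and gitlab:dependency_scanning:package_manager:name before upgrading to 17.0.`, reworded if the removal is about ingestion rather than emission. The same wording is repeated in the `doc/update/deprecations.md` hunk, which appears to mirror this file, so the fix belongs here. Separately, the new file's name spells `medatada` where `metadata` is presumably meant; it is easier to rename before merge than after.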
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index 7a7cac197405..500cbb40e62d 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -402,6 +402,31 @@ To help avoid being impacted by this breaking change, create new access tokens w
 
 <div class="deprecation breaking-change" data-milestone="17.0">
 
+### Dependency Scanning incorrect SBOM metadata properties
+
+<div class="deprecation-notes">
+- Announced in GitLab <span class="milestone">16.9</span>
+- Removal in GitLab <span class="milestone">17.0</span> ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/438779).
+</div>
+
+GitLab 17.0 removes support for the following metadata properties in CycloneDX SBOM reports:
+
+- `gitlab:dependency_scanning:input_file`
+- `gitlab:dependency_scanning:package_manager`
+
+These were added in GitLab 15.7 to the SBOM produced by Dependency Scanning. However, these properties were incorrect and didn't align with the [GitLab CycloneDX property taxonomy](https://docs.gitlab.com/ee/development/sec/cyclonedx_property_taxonomy.html).
+The following correct properties were added in GitLab 15.11 to address this:
+
+- `gitlab:dependency_scanning:input_file:path`
+- `gitlab:dependency_scanning:package_manager:name`
+
+The incorrect properties were kept for backward compatibility. They are now deprecated and will be removed in 17.0.
+
+</div>
+
+<div class="deprecation breaking-change" data-milestone="17.0">
+
 ### Dependency Scanning support for sbt 1.0.X
 
 <div class="deprecation-notes">
-- 
GitLab