Transition plan - Nicole Schwartz - Composition Analysis Off-boarding

Overview

This issue will serve as a tracker for the transition from Senior PM with Secure - Composition Analysis to new company.

This information is intended for Sam White @sam.white as the acting PM but also written with the intent that the new permanent person can utilize this issue as well.

Transition Overview

Effective Date: 2022-05-06
Announcement Date: 2022-04-16

PM Composition Analysis Responsibilities

Current role Duties:
- Assignee: DRI group decisions (A or B etc)
  - known upcoming choice - deciding to go OSS or roll our own for License Compliance
- Assignee: mr / bug triage reports read and make changes if needed
- Assignee: Sales requests
- Assignee: Support requests
- Assignee: Release planning
- Assignee: Monthly Release Kickoff call
- Assignee: Release post content blocks
  - RP issues
  - top
  - primaries
  - secondary
- Assignee: Deprecations
  - deprecation issues
  - deprecation MRs
- Assignee: Removals
  - removal issues
  - Removal MRs
- Assignee: Breaking Changes
  - Breaking Changes issues
  - Breaking Changes MRs
- Assignee: Monthly Metrics reporting

Meetings

click to expand

Weekly 1:1 w/EM - FYI @brytannia will be @gonzoyumo when he is out
Weekly 1:1 w/Manager
every other week: Quality 1:1 @willmeek

Note I generally read the meeting agenda before and do NOT attend every week the meetings below

Mostly on the "Secure Stage Calendar"

Monday: Weekly Secure::Composition Analysis Group Meeting
Wednesday: Sec Section Weekly Meeting
Wednesday: Sec Section Coffee Chat
Thursday: Composition Analysis Show & Tell
Thursday: Secure & Protect PM Team Meeting
Thursday: Product-Marketing sync up
Monthly: Composition Analysis group retrospective
Quarterly: Iteration meeting hosted by @brytannia
IDK: "Secure & Protect UX" weekly, every other week? monthly?

Opening Tasks

click to expand

Create transition issue
Share issue with Manager
Once announcement is final move to Product Project
Add retrospective thread for updates to template

Timeline

Week 1

click to expand

Update direction page dependency scanning - mr
Update direction page license compliance - mr
Share issue in your impacted channels
Update 2022 plan with Explanation of why priorities are what they are
Clearly define dependency scanning to complete
Update stages.yml - MR
Monthly Kick Off - MR

Week 2

Schedule syncs with Transition Parties (if needed)
Transition any customer calls scheduled to new PM
Transition any documents, open problem/solution validation
Transition open release post MRs
Share planning issues
Bulk update issues

Updates

click to expand

Update triage report assignment in this policy - mr
Update Team Retrospective Assignments in this repo - MR
Organization Retrospective could not find assuming /issue_templates/product-development-retro.md - MR
Team member checkboxes
- no longer exists but updated .gitlab/issue_templates/Sec-Section-PI-Review.md - MR
Update any www-gitlab-com CODEOWNERS for direction pages - mr

Skip

click to expand

assuming will be done when IT offboards me

Update reporting structure in Bamboo
Update team yml files to reflect changes in role, managers, and specialty if needed
Update Team/Group/Stage Project permissions
Consult EM and UX counterparts on group-specific pages or auto-generated issues that need to be updated.
- Consult EMs to add and remove from Google groups as needed

could not find my name anywhere

Update policy used for issues generated in the Product group.
Product Issue Templates - SKIP - reviewed and nothing popped out as i would expect my name in it

Cleaning

Nicole Goals

Relevant Documents

Useful Links

Important Projects

Exit Codes / Unification and Consistency - 1. everyone always makes a report on sucess or failure 2. all secure and protect 16.0 give same codes for sucess and failure, and always sucess is if it technilogically completed even if it finds things 3. Add a ???? (post job?) that determines if the findings are new or old, if for some reason cheap scans haven't happened yet this should be used to accomplish same where new findings on old things are found, NOT surfaced in MR, Surfaced in Security Center, but new new are surfaced in MR ALSO add a summary data like "0 new" or "3 new - 1 crit, 2 high" 4. have post-job data be the data that is shown in MR to reduce noise 5. enhance scan result policies to do the halt pipeline/fail pipeline nonsense based off this data OR if too hard let users enable a variable that then has the post scan job output failure codes specific to "new findings" if they want to break stuff that way (policy more ideal)
Scan Result Policies enhance so that it can work with License Compliance (allow deny), then enhance so exceptions can be specific to a dependency, then so it can be specific to a dependency AND version (or range), then so it can also send an audit event on approval (who approved the override, which type), then add comment on override!
Scan Result Policies enhance so that it can work with Dependency Scanning where exceptions can be specific to a dependency, then so it can be specific to a dependency AND version (or range), then so it can also send an audit event on approval (who approved the override, which type), then add comment on override!
Scan Result Policies enhance so that it can prevent NAMED dependencies instead of just severities/CVSS/etc, then enhance so it can be NAMED dependency AND version (or range), then so it can also send an audit event on approval (who approved the override, which type), then add comment on override!
https://gitlab.com/gitlab-com/alliances/alliances/-/issues/261+ `@jkander should be getting access to mailchimp and allowing that to be leveraged to work with our partners
Design & Spike - associate Dependency and Conta... (gitlab-org/gitlab#348655 - closed)
split build and analyze - Composition Analysis Container Infrastructure c... (gitlab-org&7860 - closed)
Replace License Finder
Dependency Scanning to Complete
Error Budget
Automatic remediation bot is blocked on token issue once unblocked need to bot auto-create merge request - status evaluation (gitlab-org/gitlab#343392 - closed) then address any findings then https://gitlab.com/gitlab-org/gitlab/-/issues/343393+
search take this and apply to dependency list
grouping
Cheap Scans - Placeholder Dependency Scanning (gitlab-org/gitlab#349926 - closed)
workspaces
Provide additional Project Dependency context a... (gitlab-org&2626)
TAM interaction guide
15.0 blog
Request Database / Data Storage - Public Artifact Metadata/Risk - and Request Database / User Specific Dependencies - related handbook page
Group License Management Blocked by workspaces and likely need Sam White to get dependency information into database first and need matt williams to figure out optimized search first and need dependency list to use database not artifacts.
User feedback on Dependency List (gitlab-org/gitlab#218517 - closed)
User feedback on License Compliance (gitlab-org/gitlab#218521 - closed)

Useful Queries

click to expand

Scisense / Periscope

click to expand

Kibana / Grafana / elasticsearch

click to expand

https://log.gprd.gitlab.net/app/dashboards#/view/8d81d330-9028-11ec-a649-b7cbb8e4f62e?_g=h@c823129

Handbook Pages

click to expand

Unofficial

click to expand

Partners / Alliances / Third-Party

click to expand

Other

What I add to many backlog issues

### Note to wider-community, sales, support and customer success

As always we welcome contributions so feel free to ask questions the PM of Composition Analysis if you are unsure about what needs to be done here and want to contribute the fix yourself!

NOTE if you are a user who also would like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (So it’s raised as part of our sensing mechanisms. Comments ideally should include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.

If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!) Please remember to upvote and include as much information (what they are trying to solve for, their setup) as possible in addition to a salesforce or zendesk link.

Closing Tasks

Mark all tasks as complete
Update template with retrospective thread items
Close Issue

Edited May 06, 2022 by Nicole Schwartz