Skip to content

Making life support status clear for license compliance

Nicole Schwartz requested to merge schwartz-direction-secure-sca-license into master

Why is this change being made?

Normal direction page update, making it clear where current priorities are

I wanted to let you know, based on 1 developer assisting (for 1-2 cycles) threat insights and 1 developer being assigned 100% for 3+ cycles manage import - and accounting for reaction rotation and our desire to work through all high priority performance, security and reliability issues (infrasev/secure/bugs/tech debt) the composition analysis team should be considered doing life support only in both categories. I am going to push any timelines for maturity out significantly, as update my direction pages.

I would like to note we are already behind the competitors and will continue to fall behind, making it more difficult to catch up as we get farther and farther behind. We need to finish Auto Remediation bot as well as Show details (dependency tree) MVC before we could re-evaulaute maturity of Dependency Scanning. This now will for sure be delayed. Customers will be impacted and upset by not having proper SBOM (which will also impact the container scanning category) which impacts regulated and government employees right now due to the recent executive order, and license finder will continue to be a disappointment and pain point for prospects which has caused multiple recent escalations. SBOM was set to follow dependency scanning maturity. Finally our grouping and aggregation and policy work, which many customers were looking forward to (they call it false positives but it’s not, it’s overwhelm) will be at an unknown timeline instead of being able to following SBOM.

In addition I am concerned if 100% of our work is cleanup we will really not be the type of team a developer wants to work on or with. we had some really great and interesting work planned for q4/q1 which will now be impacted as the bug cleanup and test cleanup is going to run longer.

I assume all of this was taken into account when deciding what teams to take from (for manage import) and the impact of delaying category maturity, SBOM and License Finder but wanted to make this clear interally and externally that there will not be new features coming from the composition analysis group.

As soon as we have taken on all of the security, bug, tech debt items and have finished aiding others teams as required we will look at;

  1. finishing auto remediation bot current epic, then icing that project while it awaits a SEG
  2. progressing Depedency Scanning to complete by doing the MVC of showing paths
  3. starting data storage work to enable doing SBOM artifacts
  4. looking to replace license finder

Author Checklist

  • Provided a concise title for the MR
  • Added a description to this MR explaining the reasons for the proposed change, per say-why-not-just-what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
  • Assign reviewers for this change to the correct DRI(s)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the "Maintained by" section in on the page being edited.
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies.
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR.
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
Edited by Nicole Schwartz

Merge request reports