2020-05-11 - Triage report for "group::composition analysis"
Hi, @NicoleSchwartz @gonzoyumo @nmccorrison @kmann
This is a group or stage level triage report that aims to summarize the feature proposals and bugs which have not been scheduled or triaged. For more information please refer to the handbook:
Scheduling the workload is a collaborative effort by the Product Managers and Engineering Managers for that group. Please work together to provide a best estimate on priority and milestone assignments. For each issue please:
- Determine if the issue should be closed if it is no longer relevant or a duplicate.
- If it is still relevant, please assign either a best-estimate versioned milestone, the %Backlog or the %Awaiting further demand milestone.
- Specifically for ~bug, if there is no priority or clarity on a versioned milestone, please add a Priority label. Priority labels have an estimated SLO attached to them and help team members and the wider community understand roughly when the issue will be considered for scheduling.
- Once a milestone has been assigned please check off the box for that issue.
- Please work with your team to complete the list by the due date set.
Feature Proposal Section
For the following feature proposals, please either close them or assign a versioned milestone, the %Backlog or the %Awaiting further demand milestone.
feature with customer
Unscheduled
- #216645 (closed) "Create issue" is an option under security but not license. ~"Category:License Compliance", customer, devops::secure, feature, group::composition analysis, license check, security
- #216082 (closed) Support specifying java version at scan time for the gemnasium-maven analyzer ~"Category:Dependency Scanning", backend, customer, devops::secure, feature, group::composition analysis, workflow::planning breakdown
feature (non-customer)
Unscheduled
- #217023 (closed) Evaluate how best to add support for C / C++ / C# to Dependency Scanning ~"Category:Dependency Scanning", devops::secure, feature, group::composition analysis
- #216918 (closed) Make Retire.js ignore local dependencies ~"Category:Dependency Scanning", devops::secure, feature, group::composition analysis, workflow::planning breakdown
- #216790 (closed) Store new scan object in db Category:Container Scanning, Category:DAST, ~"Category:Dependency Scanning", Enterprise Edition, backend, cross-group, devops::secure, feature, group::composition analysis, workflow::design
- #216588 (closed) User awareness of projects with vulnerability-check UX, devops::secure, feature, group::composition analysis
- #215933 (closed) Move license-management project to analyzers/license-finder ~"Category:License Compliance", Enterprise Edition, backend, devops::secure, feature, group::composition analysis
- #215635 Consider a unified component section UX, devops::secure, feature, group::composition analysis
- #215622 (closed) Allow specific dependency with a wrong license to look accepted ~"Category:License Compliance", devops::secure, feature, group::composition analysis
- #215471 (closed) Update all Secure analyzer alpine Docker images to include /etc/nsswitch.conf file ~"Accepting merge requests", backend, ~"backstage", devops::secure, feature, group::composition analysis, ~"technical debt"
- #214673 (closed) Components as First Class objects ~"Category:Dependency Scanning", ~"Category:License Compliance", dependency list, devops::secure, feature, group::composition analysis
- #214159 (closed) Security Products without a Pipeline Category:Container Scanning, Category:DAST, ~"Category:Dependency Scanning", Category:SAST, devops::secure, feature, group::composition analysis
- #213591 (closed) Group dependencies by location in the Dependency List devops::secure, feature, group::composition analysis
- #213087 (closed) Add CS_VULNERABILITY_THRESHOLD var to Container Scanning Category:Container Scanning, Enterprise Edition, backend, ~"backstage", devops::secure, feature, group::composition analysis
- #212462 (closed) Clarify in the UI how a container rescan actually works Category:DAST, devops::secure, feature, group::composition analysis
- #212388 (closed) Ship offline copy of SPDX catalogue for omnibus ~"Category:License Compliance", devops::secure, feature, group::composition analysis
- #209935 Parse Security and License Compliance reports after CI job is finished, not when Pipeline is completed backend, devops::secure, feature, group::composition analysis
- #205576 (closed) Add a repo setting for defaulting to "Allow commits from members who can merge to the target branch." devops::secure, feature, group::composition analysis
- #204745 (closed) Document process to update security scanners to new version of Go Category:Container Scanning, ~"Category:Dependency Scanning", Category:SAST, backend, ~"backstage", devops::secure, documentation, feature, group::composition analysis, security
- #13695 (closed) enable dependency scanning to work without included source dists ~"Category:Dependency Scanning", Enterprise Edition, auto updated, backend, devops::secure, feature, group::composition analysis, workflow::problem validation
- #10993 (closed) Add version requirement information to dependency list for Bill of Materials ~"Accepting merge requests", Enterprise Edition, backend, dependency list, devops::secure, feature, group::composition analysis
- #10673 (closed) Show the detailed status of security testing in the merge request ~"Accepting merge requests", Category:Vulnerability Management, Enterprise Edition, GitLab Ultimate, ~"S3", UX, UX scorecard-rec, backend, devops::secure, direction, feature, frontend, group::composition analysis, merge requests, security reports, workflow::blocked
Unscheduled UX Debt Issues
- #213707 (closed) Display approval rules on security configuration page UI UX, UX debt, devops::secure, frontend, group::composition analysis, workflow::design
Bug Section
For the following bugs, please either close them or assign a versioned milestone, the %Backlog or the %Awaiting further demand milestone, and ensure that a priority label is set.
Heatmap for all bugs
Bugs are counted here by their priority and severity labels. Every bug should have both a severity and a priority label applied. Please take a look at the bugs which fall into the columns indicating that the priority or severity label is currently missing.
| | ~S1 | ~S2 | ~S3 | ~S4 | No severity |
|---|---|---|---|---|---|
| ~P1 | 0 | 1 | 0 | 0 | 0 |
| ~P2 | 0 | 3 | 7 | 0 | 0 |
| ~P3 | 0 | 2 | 6 | 6 | 0 |
| ~P4 | 0 | 0 | 1 | 8 | 0 |
| No priority | 0 | 0 | 0 | 0 | 2 |
Unscheduled ~bug (non-customer)
- #216793 (closed) SAST or Dependency Scanning output truncated on failure ~"Category:Dependency Scanning", Category:SAST, ~"bug", devops::secure, group::composition analysis
Heatmap for ~missed-SLO bugs
| | ~S1 | ~S2 | ~S3 | ~S4 |
|---|---|---|---|---|
| ~P1 | 0 | 1 | 0 | 0 |
| ~P2 | 0 | 1 | 0 | 0 |
| ~P3 | 0 | 0 | 0 | 0 |
| ~P4 | 0 | 0 | 0 | 0 |
This is a group level triage report that aims to collate the latest bug reports (for frontend and otherwise) and feature proposals. For more information please refer to the handbook:
If assignees or people mentioned in this individual triage report need to be amended, please edit group_definition.rb.