13.7 planning - Composition Analysis (Nov-Dec)
SCA Kickoff Playlist
Secure, Composition Analysis - ~"devops::secure" ~"group::composition analysis" @gitlab-org/secure/composition-analysis-be @gitlab-org/secure/frontend
| Category | Direction | Epic | Maturity | Priority |
|---|---|---|---|---|
| ~"Category:Dependency Scanning" | Direction | Epic | ~"maturity::viable" -> ~"maturity::complete" | ~"priority::3" |
| ~"Category:License Compliance" | Direction | Epic | ~"maturity::viable" | maintenance |
Helpful Links
- How we work
- Slack channel: #g_secure-composition-analysis
- Bug Board
- Performance Indicators
- Planning Board for checking ~Deliverable / ~Stretch / ~"Next Patch Release"
- Dev workflow Board for checking ~"workflow::scheduling" and ~"workflow::ready for development"
- Backend Board
- SCA Categories Board
- All Secure Issues
- All CA Issues
- All Backend CA issues
- All Frontend CA issues
- CA priorities for the year
- 13.6 Planning Issue
Context
Capacity variations
This includes planned OOO, internships, conferences and other initiatives outside of groupcomposition analysis.
Reaction Rotation
- Security reports
- Responsible to check for updates (new versions of languages, package managers, check all dependencies)
- Bug triage
backend
- Fabien: %
- Igor: 50% [reaction rotation 50%]
- Tetiana: 50% [maintainer 50%]
- Adam: %
- Olivier: %

frontend
Items slipping from previous release
This is a rough list of the items that may have a significant impact on that release (no need to be an exhaustive list).
...
Product Goals in priority order
Please work them in order! If you feel I should add priority labels or something to them instead let me know!
TOP PRIORITIES
| Feature | Links | Notes |
|---|---|---|
| | None this release that I know of | It is important we keep to our commitments: if we commit to finishing something for a customer on a specific date, it gets top priority. Please do not commit dates to customers without going through @NicoleSchwartz |
| | issues | If we can't use our own product, how can we expect customers to? For right now this should focus on Dependency Scanning and Container Scanning. |
| | This will hopefully satisfy the top customer ask; unless this slips, the bot and associated work should finish in 13.6 | |
| | epic and issues | Containers with admin known issue. Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc). |
| | | We should be a stable and not buggy experience. Period. We should have tests to help us avoid regressions and benchmark ourselves. |
FYI / LOWER PRIORITIES (in order)
| Feature | Links | Notes |
|---|---|---|
| | epic - Issues | Product organization ask |
| | issues | We need to know more about how our users use the product and what our product is doing, to better prioritize bugs, requests and work. Data team accomplished their MAU goals. |
| | epic | Frequent customer ask and enterprise readiness canvas lite |
| | This will hopefully satisfy the top customer ask; unless this slips, the bot and associated work should finish in 13.6, and the priority for enhancements to adding package managers and improving UI will drop lower | |
| | This will hopefully satisfy the top customer ask; unless this slips, the bot and associated work should finish in 13.6, and the priority for enhancements to adding package managers and improving UI will drop lower | |
| | epic | If this is finally off hold, our goal will be to release LicenseFinder, Klar and Clair into Core as quickly as possible, with a blog post, and encourage community contributions to make them better. We'll also want the new simple MR widget (export JSON artifacts). |
| | issues | Product organization ask & Stage Goal to progress Maturity levels and OKR? |
| | Epic:Dependency Scanning - Viable to Complete - dependency list issues and ~"Category:Dependency Scanning" issues | Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc). Product organization ask & Stage Goal to progress Maturity levels and OKR? |
| | epics - issues | Users want to be able to make bulk changes to multiple projects and groups within their instance. Lower priority at the moment BECAUSE IT IS BLOCKED; focus on the stuff above this, but this is upcoming (design etc). Frequent customer ask and enterprise readiness; move up to high once unblocked. |
| | issue | Related to top customer ask. Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc). Heard more often from customers recently. |
| | epic | ??? Moved to ~"group::container security" but TBD if we need to finish it up. Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc). Heard more often from customers recently. |
| | Would it make sense to write LicenseFinder features in gemnasium (primary level license discovery)? Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) | |
| | epic | Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) |
| | epic - issues | MR Approvals (Security Gates) today are confusing and complex. We want to make them easier to understand and implement. Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) |
| | Epic:Enable Secure Stage Third Party Integrations - issue(s) | We help keep customers happy by playing well with others; we need to maintain and improve the way our technology partners integrate. Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) |
| | Epic: License Compliance - Viable to Complete - issue(s) | Currently in maintenance mode only. Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) |
| | epic | Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) |
| | Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) | |
| | Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) | |
| | document | How many "no" can we flip to "yes"? Work to harmonize languages across Secure and cover the top 5 languages and package managers used within GitLab, by GitLab users, on GitHub, and across the internet. Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) |
| | Also known as offline, air-gap, limited connectivity, etc. Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc). We met MVC needs but will circle back to finish up as well as make improvements where we can. | |
| | Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) | |
| | Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) | |
| | Lower priority at the moment, focus on the stuff above this, but this is upcoming (design etc) | |
Rules for Labels
- An issue must have a devops label: ~"devops::secure"
- An issue must have a group label: ~"group::composition analysis"
- An issue must have one of these type labels: ~feature ~bug ~documentation ~tooling ~"tooling::pipelines" ~"tooling::workflow" ~test ~meta. Since ~backstage got deprecated, just always use ~"feature::addition" unless you feel like thinking about it, in which case you have the option of ~"feature::maintenance".
- An issue should have one or more Categories if possible: ~"Category:Container Scanning" ~"Category:Dependency Scanning" ~"Category:License Compliance"
- An issue should have ~backend ~frontend ~UX as appropriate
- Most of our issues should have ~"GitLab Ultimate" ~"Enterprise Edition" until we move OSS scanners to Core
- When work is in progress, it should have a workflow label
- If possible, it should belong to an epic
- If possible, it should be in a milestone
- We have some additional labels that you may also want to use if you believe they apply:
  - ~"secure:blocked" if your issue is blocked (also "relate" the blocked issue as "blocked by")
  - ~"secure:refinement-backend" ~"secure:refinement-frontend"
  - initiative labels such as AST Leadership, product metrics, secure offline scanning
Issue Prep & Cleanup
Milestone specific cleanup
Issue Cleanup
- Missing ~"devops::secure" list
- No ~Deliverable, no ~Stretch and not in prep, so needs to be bumped board
- Missing ~"GitLab Ultimate"
- Missing ~"Enterprise Edition"
- Check for feature/bug orphans
- Not ~frontend or ~backend or assigned to QA, Product or Tech Writing issues
- No category, and also not a ~meta or cross-all-secure-groups list
- No epic issues
Ongoing cleanup for issues not following rules
Edited by Nicole Schwartz