13.8 planning - Composition Analysis (Dec-Jan)
SCA Kickoff Playlist
Secure, Composition Analysis - ~"devops::secure" ~"group::composition analysis" @gitlab-org/secure/composition-analysis-be @gitlab-org/secure/frontend
Category | Direction | Epic | Maturity | Priority
---|---|---|---|---
~"Category:Dependency Scanning" | Direction | Epic | ~"maturity::viable" -> ~"maturity::complete" | ~"priority::3"
~"Category:License Compliance" | Direction | Epic | ~"maturity::viable" | maintenance
Helpful Links
- How we work
- Slack channel: #g_secure-composition-analysis
- Bug Board
- Performance Indicators
- Planning Board for checking ~Deliverable / ~Stretch / ~"Next Patch Release"
- Dev workflow Board for checking ~"workflow::scheduling" and ~"workflow::ready for development"
- Backend Board
- SCA Categories Board
- All Secure Issues
- All CA Issues
- All Backend CA issues
- All Frontend CA issues
- CA priorities for the year 2020
- CA priorities for the year 2021
- 13.7 Planning Issue
- 13.9 Planning Issue
Context
Capacity variations
This includes planned OOO, internships, conferences and other initiatives outside of ~"group::composition analysis".
- Reaction Rotation
- Security reports
- Responsible to check for updates (new versions of languages, package managers, check all dependencies)
- Bug triage
- backend => ~45%
  - Fabien: 50%
  - Igor: 50%
  - Tetiana: 0% (maintainer trainee program 50% + reaction rotation)
  - Adam: 75%
  - Olivier: 50%
- frontend
Items slipping from previous release
This is a rough list of items that may have a significant impact on this release (it does not need to be exhaustive).
...
Product Goals in priority order
Please work them in order! If you feel I should add priority labels or something similar instead, let me know!
TOP PRIORITIES
Feature | Links | Notes
---|---|---
 | None this release that I know of | It is important we keep to our commitments: if we commit to finishing something for a customer on a specific date, it gets top priority. Please do not commit dates to customers without going through @NicoleSchwartz |
 | issues | If we can't use our own product, how can we expect customers to? For right now this should focus on Dependency Scanning and Container Scanning. |
 | | This will hopefully satisfy the Top customer ask |
 | | This will hopefully satisfy the Top customer ask - unless this slips, the bot and associated work should finish in 13.6, and the priority for enhancements to adding package managers and improving the UI will drop lower |
 | epic and issues | containers with admin known issue - lower priority at the moment, focus on the items above this, but this is upcoming (design etc) |
FYI / LOWER PRIORITIES
Lower priorities, in order:
Feature | Links | Notes
---|---|---
 | | We should be a stable, non-buggy experience. Period. We should have tests to help us avoid regressions and benchmark ourselves |
 | epic | frequent customer ask and enterprise readiness canvas lite |
 | epic - Issues | product organization ask |
 | | This will hopefully satisfy the Top customer ask - unless this slips, the bot and associated work should finish in 13.6, and the priority for enhancements to adding package managers and improving the UI will drop lower |
 | epic - issues | MR Approvals (Security Gates) today are confusing and complex. We want to make them easier to understand and implement. Lower priority at the moment: focus on the items above this, but this is upcoming (design etc) |
 | epic | if this is finally off hold, our goal will be to release LicenseFinder, Klar and Clair into Core as quickly as possible, with a blog post, and encourage community contributions to make them better. We'll also want the new simple MR widget (export JSON artifacts). |
 | issues | We need to know more about how our users use the product and what our product is doing, to better prioritize bugs, requests and work. Also a product organization ask. |
 | issues | Product organization ask & Stage Goal to progress Maturity levels and OKR? |
 | Epic: Dependency Scanning - Viable to Complete - dependency list issues and ~"Category:Dependency Scanning" issues | lower priority at the moment, focus on the items above this, but this is upcoming (design etc). Product organization ask & Stage Goal to progress Maturity levels and OKR? |
 | epics - issues | Users want to be able to make bulk changes to multiple projects and groups within their instance. Lower priority at the moment BECAUSE IT IS BLOCKED; focus on the items above this, but this is upcoming (design etc). Frequent customer ask and enterprise readiness; move up to high once unblocked |
 | issue | related to the top customer ask. Lower priority at the moment, focus on the items above this, but this is upcoming (design etc). Heard more often from customers recently. |
 | epic | ??? moved to ~"group::container security" but TBD whether we need to finish it up - lower priority at the moment, focus on the items above this, but this is upcoming (design etc). Heard more often from customers recently. |
 | | Would it make sense to write LicenseFinder features in gemnasium (primary-level license discovery)? Lower priority at the moment, focus on the items above this, but this is upcoming (design etc) |
 | epic | lower priority at the moment, focus on the items above this, but this is upcoming (design etc) |
 | Epic: Enable Secure Stage Third Party Integrations - issue(s) | We help keep customers happy by playing well with others; we need to maintain and improve the way our technology partners integrate. Lower priority at the moment, focus on the items above this, but this is upcoming (design etc) |
the foundation
- Epic: Offline secure scanning for self-hosted instances
- Epic: air-gapped (offline) License Compliance Post-MVC
- issues
Rules for Labels
- An issue must have a devops label ~"devops::secure"
- An issue must have a group label ~"group::composition analysis"
- An issue must have one of these type labels: ~feature ~bug ~documentation ~tooling ~"tooling::pipelines" ~"tooling::workflow" ~test ~meta. Since ~backstage got deprecated, just always use ~"feature::addition" unless you feel like thinking about it, in which case you also have the option of ~"feature::maintenance".
- An issue should have one or more Categories if possible: ~"Category:Container Scanning" ~"Category:Dependency Scanning" ~"Category:License Compliance"
- An issue should have ~backend ~frontend ~UX as appropriate
- Most of our issues should have ~"GitLab Ultimate" ~"Enterprise Edition" until we move the OSS scanners to Core
- When work is in progress, it should have a workflow label
- If possible, it should belong to an epic
- If possible it should be in a milestone
- We have some additional labels that you may also want to use if you believe they apply
- ~"secure:blocked" if your issue is blocked (also "relate" the blocked issue as "blocked by")
- ~"secure:refinement-backend" ~"secure:refinement-frontend"
- initiatives like AST Leadership, product metrics, secure offline scanning
Issue Prep & Cleanup
Selecting items for the release
Our Sensing Mechanisms and Performance Indicators are included below in the details.
Milestone specific cleanup
Issue Cleanup
- Missing ~"devops::secure" (list)
- No ~Deliverable, no ~Stretch and not in prep, so needs to be bumped (board)
- Missing ~"GitLab Ultimate"
- Missing ~"Enterprise Edition"
- check for feature/bug orphans
- Not ~frontend or ~backend, and not assigned to QA, Product or Tech Writing (issues)
- No category, and also not ~meta or cross-all-Secure-groups (list)
- No epic (issues)
Ongoing cleanup for issues not following rules