13.11 planning - Composition Analysis (Mar-Apr)
SCA Kickoff Playlist
Secure, Composition Analysis - ~"devops::secure" ~"group::composition analysis" @gitlab-org/secure/composition-analysis-be @gitlab-org/secure/frontend
Category | Direction | Epic | Maturity | Priority
---|---|---|---|---
~"Category:Dependency Scanning" | Direction | Epic | ~"maturity::viable" -> ~"maturity::complete" | ~"priority::3"
~"Category:License Compliance" | Direction | Epic | ~"maturity::viable" | maintenance
Helpful Links
- How we work
- Slack channel: #g_secure-composition-analysis
- Bug Board
- Performance Indicators
- Planning Board for checking ~Deliverable / ~Stretch / ~"Next Patch Release"
- Dev workflow Board for checking ~"workflow::scheduling" and ~"workflow::ready for development"
- Backend Board
- SCA Categories Board
- All Secure Issues
- All CA Issues
- All Backend CA issues
- All Frontend CA issues
- CA priorities for the year 2021
- 13.10 Planning Issue
Context
Capacity variations
This includes planned OOO, internships, conferences and other initiatives outside of groupcomposition analysis.
Items slipping from previous release
This is a rough list of the items that may have a significant impact on that release (no need to be an exhaustive list).
...
Product Goals in priority order
Please work them in order! If you feel I should add priority labels or something to them instead let me know!
TOP PRIORITIES
Feature | Links | Notes
---|---|---
| | | It is important we promptly address security findings within the remediation window. For 13.11, if it isn't P1/S1 or infradev it can wait.
High Company Priority | None this release that I know of | It is important we keep to our commitments: if we commit to finishing something for a customer on a specific date, it gets top priority. Please do not commit dates to customers without going through @NicoleSchwartz
| | issues | If we can't use our own product, how can we expect customers to? For right now this should focus on Dependency Scanning and Container Scanning.
Remove License-Management.gitlab-ci.yml completely | blog - release post 13.11 - release post 14 | items we want to remove in 14.0
| | issue #287691 & issue #215483 - blog - release post 13.11 - release post 14 | items we want to deprecate in 14.0
| | epic | We want to have consistent exit behaviour across all of Secure to match customer expectations
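What the template removal above means for a downstream project, as an added example that is not part of this planning issue: a `.gitlab-ci.yml` that still includes the deprecated `License-Management.gitlab-ci.yml` template will no longer resolve that include once the file is removed in 14.0, and the replacement is the `Security/License-Scanning.gitlab-ci.yml` template. The project layout is assumed; only the two template names come from GitLab's own template directory.

```yaml
# .gitlab-ci.yml of a hypothetical project (added example, not from the
# planning issue or from GitLab's own templates).
#
# Before: the include this item removes. Once the template file is gone in
# 14.0, GitLab cannot resolve it and the pipeline will not be created.
#
# include:
#   - template: License-Management.gitlab-ci.yml
#
# After: the License-Scanning template that replaces it. It defines the
# license_scanning job and publishes the license_scanning report artifact
# that the MR widget and Security Dashboard read.
include:
  - template: Security/License-Scanning.gitlab-ci.yml
```

Projects that pinned job names or `extends:` targets from the old template should check them against the jobs the new template defines before the 14.0 upgrade rather than after, since an unresolved include fails the whole pipeline, not just the license job.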
STRETCH PRIORITIES
Feature | Links | Notes |
---|---|---|
Self-Hosted / Partner Cloud Support - OpenShift | epic and issues | containers with admin known issue - lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
Improve enable/disable and config (setup) | epic | frequent customer ask and enterprise readiness canvas lite |
AR | Auto-Remediation: auto-create merge request | Work until at blocked point |
AR | Auto-Remediation - Show available solutions in Project Security Dashboard | this should not be blocked and be releaseable |
CMS PM & UX | |
UI polish and system performance to improve SUS | issue Product OKRs | OKR |
OKRs | SCA BE OKRs | OKR |
FYI / LOWER PRIORITIES
Feature | Links | Notes
---|---|---
AR | Auto Remediation: user awareness when solutions are available in merge request | this should not be blocked and be releasable
| | | This will hopefully satisfy the top customer ask. Unless this slips, the bot and associated work should finish in 13.6, and the priority for enhancements to adding package managers and improving the UI will drop lower
| | | We should be a stable, not buggy, experience. Period. We should have tests to help us avoid regressions and benchmark ourselves
| | epic - Issues | product organization ask
| | epic | If this is finally off hold, our goal will be to release LicenseFinder, Klar and Clair into Core as quickly as possible, with a blog post, and encourage community contributions to make them better. We'll also want the new simple MR widget (export JSON artifacts)
| | issues | We need to know more about how our users use the product and what our product is doing to better prioritize bugs, requests and work. Also a product organization ask
| | issues | Product organization ask & Stage Goal to progress maturity levels and OKR?
| | Epic: Dependency Scanning - Viable to Complete - dependency list issues and ~"Category:Dependency Scanning" issues | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc). Product organization ask & Stage Goal to progress maturity levels and OKR?
| | epics - issues | Users want to be able to make bulk changes to multiple projects and groups within their instance. Lower priority at the moment because it is blocked; focus on the stuff above this but this is upcoming (design etc). Frequent customer ask and enterprise readiness; move up to high once unblocked
| | issue | related to top customer ask. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc). Heard more often from customers recently
| | epic | ??? moved to ~"group::container security" but TBD if we need to finish it up. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc). Heard more often from customers recently
| | | Would it make sense to write LicenseFinder features in gemnasium (primary-level license discovery)? lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | epic | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | Epic: Enable Secure Stage Third Party Integrations - issue(s) | We help keep customers happy by playing well with others; we need to maintain and improve the way our technology partners integrate. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | Epic: License Compliance - Viable to Complete - issue(s) | Currently in maintenance mode only. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | epic | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | document | How many "no" can we flip to "yes"? Work to harmonize languages across Secure, and cover the top 5 languages and package managers within GitLab, users of GitLab, GitHub, and the internet. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | | Also known as offline, air-gap, limited connectivity, etc. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc). We met MVC needs but will circle back to finish up as well as make improvements where we can
| | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | epic | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
| | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc)
Rules for Labels
- An issue must have a devops label ~"devops::secure"
- An issue must have a group label ~"group::composition analysis"
- An issue must have one of these type labels: ~feature ~bug ~documentation ~tooling ~"tooling::pipelines" ~"tooling::workflow" ~test ~meta. Since ~backstage got deprecated, just always use ~"feature::addition" unless you feel like thinking about it; then you have the option of ~"feature::maintenance".
- An issue should have one or more categories if possible: ~"Category:Container Scanning" ~"Category:Dependency Scanning" ~"Category:License Compliance"
- An issue should have ~backend ~frontend ~UX as appropriate
- Most of our issues should have ~"GitLab Ultimate" ~"Enterprise Edition" until we move OSS scanners to Core
- When work is in progress, it should have a workflow label
- If possible, it should belong to an epic
- If possible, it should be in a milestone
- We have some additional labels that you may also want to use if you believe they apply
  - ~"secure:blocked" if your issue is blocked (also "relate" the blocked issue as "blocked by")
  - ~"secure:refinement-backend" ~"secure:refinement-frontend"
  - initiatives like ~"AST Leadership" ~"product metrics" ~"secure offline scanning"
Issue Prep & Cleanup
Selecting items for the release
Our Sensing Mechanisms and Performance Indicators are included below in the details.
Ongoing cleanup for issues not following rules
Milestone specific cleanup
Issue Cleanup
- Missing ~"devops::secure" list
- No ~Deliverable, no ~Stretch and not in prep so needs to be bumped board
- Missing ~"GitLab Ultimate"
- Missing ~"Enterprise Edition"
- Not ~frontend or ~backend or assigned to QA, Product or Tech Writing issues
- No type, and also not a ~meta or cross all secure groups list
- No epic issues
- No category list
Edited by Nicole Schwartz