13.12 planning - Composition Analysis (Apr-May)

Secure, Composition Analysis - SCA Kickoff Playlist

~devops::secure ~"group::composition analysis" @gitlab-org/secure/composition-analysis-be @gitlab-org/secure/frontend

| Category | Direction | Epic | Maturity | Priority |
|---|---|---|---|---|
| ~"Category:Dependency Scanning" | Direction | Epic | ~maturity::viable -> ~maturity::complete | ~priority::3 |
| ~"Category:License Compliance" | Direction | Epic | ~maturity::viable | maintenance |

Context

Capacity variations

This includes planned OOO, internships, conferences and other initiatives outside of ~"group::composition analysis".

  • backend => ~75%

    • Fabien: 60% (1.5 week OOO)
    • Igor: 100% (-1 day ooo)
    • Tetiana: 75% (6 days ooo)
    • Adam: 50% (reaction rotation)
  • frontend

Items slipping from previous release

This is a rough list of the items that may have a significant impact on that release (no need to be an exhaustive list).

...

Product Goals in priority order

Please work them in order! If you feel I should add priority labels or something to them instead, let me know!

TOP PRIORITIES

| Feature | Links | Notes |
|---|---|---|
| 1️⃣ Emergency Triage | issues | It is important we promptly address security findings within the remediation window. For 13.12, if it isn't P1/S1 or infradev it can wait. |
| 1️⃣ Database Performance | | High Company Priority / Rapid Action focus |
| 🔥🔥 14.0 Removals | Remove License-Management.gitlab-ci.yml completely - blog - release post 13.12 - release post 14 | items we want to remove in 14.0 |
| 🔥🔥 14.0 Deprecations | issue #287691 & issue #215483 - blog - release post 13.12 - release post 14 | items we want to deprecate in 14.0 |

STRETCH PRIORITIES

| Feature | Links | Notes |
|---|---|---|
| Improve enable/disable and config (setup) | epic | frequent customer ask and enterprise readiness canvas lite |
| Things we committed to customers | None this release that I know of | It is important we keep to our commitments; if we commit to finishing something for a customer on a specific date it gets top priority. Please do not commit dates to customers without going through @NicoleSchwartz |
| GitLab on GitLab Dogfooding | issues | If we can't use our own product, how can we expect customers to? For right now this should focus on Dependency Scanning. |
| backend OKRs | SCA BE OKRs | OKR |
| Consistency in default behaviour of AST scanners and jobs | epic | We want to document the behaviour across all of Secure to better set expectations and understanding [no longer using exit code 6 for 14.0] |

FYI / LOWER PRIORITIES

| Feature | Links | Notes |
|---|---|---|
| AR Auto-Remediation: auto-create merge request | | Work until at blocked point |
| AR Auto-Remediation - Show available solutions in Project Security Dashboard | | this should not be blocked and be releasable |
| Self-Hosted / Partner Cloud Support - OpenShift | epic and issues | containers with admin known issue - lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| CMS | | PM & UX |
| UI polish and system performance to improve SUS | | OKR |
| AR Auto Remediation: user awareness when solutions are available in merge request | | this should not be blocked and be releasable |
| Automatic Remediation - Add package managers | | This will hopefully satisfy the top customer ask - unless this slips, the bot and associated work should finish in 13.6, and the priority for enhancements to adding package managers and improving UI will drop lower |
| Performance, Stability, Reliability, Availability and Quality | | We should be a stable and not buggy experience. period. We should have tests to help us avoid regressions and benchmark ourselves |
| Monitoring Storage Utilization / Responsible Storage Use | epic - Issues | product organization ask |
| OSS Scanners to Core | epic | if this is finally off hold, our goal will be to as quickly as possible release LicenseFinder and Klair and Clair into Core, with a blog post, and encourage community contributions to make them better. We'll also want the new simple MR widget (export json artifacts). |
| product metrics | issues | We need to know more about how our users use the product and what our product is doing to better prioritize bugs, requests and work. Also, product organization ask. |
| AST Leadership | issues | Product organization ask & Stage Goal to progress Maturity levels and OKR? |
| Dependency Scanning to complete | Epic: Dependency Scanning - Viable to Complete - dependency list issues and ~"Category:Dependency Scanning" issues | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc). Product organization ask & Stage Goal to progress Maturity levels and OKR? |
| 🛑 secure bulk changes | epics - issues | Users want to be able to make bulk changes to multiple projects and groups within their instance. lower priority at the moment BECAUSE IT IS BLOCKED, focus on the stuff above this but this is upcoming (design etc). frequent customer ask and enterprise readiness; move up to high once unblocked |
| Dependency Scanning scan multiple files | issue | related to top customer ask. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc). heard more often from customers recently. |
| Replace LicenseFinder? | | Would it make sense to write LicenseFinder features in gemnasium (primary level license discovery)? lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| Review ORT | epic | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| security reports integration / Secure technology Partners | Epic: Enable Secure Stage Third Party Integrations - issue(s) | We help keep customers happy by playing well with others; we need to maintain and improve the way our technology partners integrate. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| ~"Category:License Compliance" | Epic: License Compliance - Viable to Complete - issue(s) | Currently in maintenance mode only. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| Split Build and Analyze | epic | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| .Net Core and Framework support | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| dependency list aka Software Bill of Materials or SBoM | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| Languages document | | How many "no" can we flip to "yes"? Work to harmonize languages across Secure, and cover top 5 languages and package managers coverage within GitLab, users of GitLab, GitHub, and the internet. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| secure offline scanning | | Also known as offline, air-gap, limited connectivity, etc. lower priority at the moment, focus on the stuff above this but this is upcoming (design etc). We met MVC needs but will circle back to finish up as well as make improvements where we can. |
| Improve support for monolith | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| Less false positives or not relevant findings | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |
| Self-Hosted / Partner Cloud Support - Azure, AWS | | lower priority at the moment, focus on the stuff above this but this is upcoming (design etc) |

Rules for Labels

https://gitlab.com/gitlab-org/secure/general/-/blob/master/Software%20Composition%20Analysis/rules-for-labels.md

Issue Prep & Cleanup

https://gitlab.com/gitlab-org/secure/general/-/blob/master/Software%20Composition%20Analysis/milestone-prep.md

Milestone specific cleanup

Issue Cleanup