
Secure Composition Analysis Priorities calendar year 2022

Release Planning Issues
2021 Year End (Oct-Nov-Dec)

We should focus on cleaning up the technical debt, bugs, etc. that accumulated while we were helping out with company-wide priorities and lending a hand to other groups. We should also be finishing our research so we are ready to dive back into major features come the new year. I need to keep an eye on items we need to progress so there is time to announce their removal for 15.0, so we are not stuck with them until 16.0. I hope people also take some vacation as well as have time to work on growth projects. Let's tidy up and rest up so we're in a good place come January!

2022 Wish List / Thoughts

deck

video

Current Top Priorities

The normal

As always we will need to keep up with incoming infradev, uptime, security items, bugs, tool maintenance, and test failures. This includes our reaction rotation. If we don't have a quality solution that is dependable (by keeping on top of technical debt, maintenance, bugs and security), customers will not be able to trust or love our solution.

UBI/FIPS

Company-wide priority with timelines because of external agency audits.

In the epic we have noted that there are many limitations. Because we need to remove certain tooling (like asdf) from the UBI/FIPS images, we will ONLY support the latest version of each language and package manager that GitLab Composition Analysis supports.

In the future we will offer workarounds by making the binaries for other languages available on specific request, so that customers can build them onto their own containers.

Dependency Paths MVC

The current focus is on the MVC of showing dependency paths.

This is part of the objective to bring Dependency Scanning to complete.

After this epic, if desired, we will be able to re-run our Category Maturity Scoring (CMS) with UX to determine if we squeak over the line to Complete, or what is holding us back.

MR Widget

Company-wide initiative to improve the MR experience. We have committed to updating the License Compliance widget.

To release, users must be able to know:

  • Am I blocked? (Merge request approval)
  • If yes, why am I blocked? (Which license, and from what dependency)
  • What are the policies?

Bonus: know all newly introduced licenses, with denied shown as most important, followed by unknown, followed by approved.

SBOM - ISBOM & MVC

We should be allowing manual download of a CycloneDX SBOM for Dependency and Container Scanning per project. An SBOM is a need for regulated customers, an ask from the United States Executive Order on securing the software supply chain, related to our secure supply chain work, and also a frequent customer requirement.

Replace License Finder

After a long hiatus, we are finally replacing License Finder. I would like us to have decided whether we are writing our own or swapping in a new OSS tool, a SWAG timeline, and a high-level plan to get us to License Finder parity + Dependency Scanning parity, taking into consideration security orchestration and workspaces so we can quickly leverage that for the policies.

It is important we consider which path we are going to use going forward, and that that choice will support all of the planned/requested features as outlined on the direction page.

Container Infrastructure calendar year 2022 plan

We need to progress splitting build and analyze, among other things, in order to unblock and unlock customer-requested features and efficiency improvements.

Next

How the first part of the year goes will obviously affect the remainder of the year, but at a high level my current wish list (we can't do it all) is (not in order):

  • re-run our CMS scoring with UX to determine if we squeak over the line to Complete, or what is holding us back, after MVC dependency paths
  • Dependency Scanning to Complete
  • Dependency Paths post MVC
  • eval trivy for DS scan
  • Automatic remediation: creation of MR by bot (blocked; we may need to take on the work)
  • SBOM Usability Improvements
  • Always have a report
  • Automatic Remediation Expand Package Managers
  • Cheap Scans (use SBOM to check new vuln db updates and alert on results, no pipeline needed)
  • Automatically Dismiss or Close could be also Policy
  • Configure in UI enhancements
  • Dependency Firewall (Policy)
  • Efficiencies (cache, skip run, skip build, skip files)
  • Enable in UI improvements
  • Formalize Internal Support Standard
  • grouping
  • Language expansion (DS+LC+AR) & harmonization with GitLab top + internal + cross-section
  • License Compliance - smart rules
  • More information (Dev dependency etc)
  • Offline revisit - not everything works offline (some languages in LC)
  • On-Demand Scans
  • OpenShift revisit (not everything works in OS like LC)
  • Package Hunter: can we productize it?
  • Policy (When to alert, when to auto dismiss)
  • Reduce noise (grouping/aggregation and/or policy and/or auto close)
  • Risk (EOL, recent version, maintainer country, etc) + Database
  • Search
  • Filter (dependency list)
  • pre-filter (skip scanning) settings
  • post-filter (ignore results) settings - maybe use policies / auto close; work with Matt Wilson and Sam White
  • SBOM post-MVC
  • Scheduled Scans
  • Sign our own Containers
  • Unification of Package Managers DS & LC - i.e. try to cover all the same languages and package managers, then check against the rest of Secure, then check against top GitLab languages, then check against top reported languages.
  • Namespaces migration
  • Workspaces migration
  • Get away from pipeline yml configuration; there must be a better way. It would reduce, if not eliminate, the issue of being able to (accurately) view whether things are enabled for projects, as well as allow bulk enable across groups or workspaces.
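As an added example (not part of this planning issue or of GitLab's own analyzers), the Python below sketches two of the items above on one constructed CycloneDX document: the "Cheap Scans" idea of matching an already-exported SBOM against an advisory feed without running a pipeline, and the MR widget ordering of licenses as denied, then unknown, then approved. The package names, advisory identifiers (ADV-0001 etc.), version ranges and license policy are all constructed for illustration.

```python
"""Cheap scan over a CycloneDX SBOM (constructed example, not GitLab code):
match exported components against an advisory feed without re-running the
pipeline, then rank their licenses in the order an MR summary would show."""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 JSON standing in for a per-project SBOM download.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-parser", "version": "1.2.3",
     "purl": "pkg:npm/example-parser@1.2.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-pad", "version": "2.0.0",
     "purl": "pkg:npm/example-pad@2.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "core", "version": "7.1.0",
     "purl": "pkg:npm/%40example/core@7.1.0"}
  ]
}'''

# Constructed advisory feed with hypothetical identifiers: a package purl
# (without version) and the half-open range [introduced, fixed_in) it affects.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:npm/example-parser",
     "introduced": "1.0.0", "fixed_in": "1.2.4"},
    {"id": "ADV-0002", "purl": "pkg:npm/example-pad",
     "introduced": "1.0.0", "fixed_in": "1.9.0"},   # 2.0.0 is already fixed
    {"id": "ADV-0003", "purl": "pkg:npm/%40example/core",
     "introduced": "7.0.0", "fixed_in": "7.2.0"},
]

# Constructed license policy; anything neither approved nor denied is unknown.
POLICY = {"approved": {"MIT", "Apache-2.0"}, "denied": {"GPL-3.0-only"}}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.3' or '1.2.3-beta' into a comparable tuple; non-numeric
    segments count as 0 so an odd version string never aborts the scan."""
    parts = []
    for seg in v.split("-")[0].split("+")[0].split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:npm/%40scope/name@1.0.0' into (package, version); the
    version is everything after the last '@', so encoded scopes are safe."""
    pkg, _, version = purl.rpartition("@")
    return pkg, version


def load_components(sbom_text: str) -> List[Dict]:
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])


def find_vulnerable(components: List[Dict], advisories: List[Dict]) -> List[Dict]:
    """One finding per (component, advisory) whose version is in range."""
    findings = []
    for comp in components:
        if "purl" not in comp:
            continue  # nothing to match on; a real scan would report this
        pkg, version = split_purl(comp["purl"])
        v = parse_version(version)
        for adv in advisories:
            if adv["purl"] != pkg:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed_in"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings


def license_of(comp: Dict) -> str:
    """CycloneDX allows an SPDX id, a free-text name, or an expression."""
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        found = lic.get("id") or lic.get("name") or entry.get("expression")
        if found:
            return found
    return "unknown"


def rank_licenses(components: List[Dict], policy: Dict) -> List[Tuple[str, str, str]]:
    """Classify each component's license; denied rows first, then unknown,
    then approved, so the most important rows surface at the top."""
    order = {"denied": 0, "unknown": 1, "approved": 2}
    rows = []
    for comp in components:
        lic = license_of(comp)
        status = ("denied" if lic in policy["denied"]
                  else "approved" if lic in policy["approved"] else "unknown")
        rows.append((status, lic, comp["name"]))
    return sorted(rows, key=lambda r: (order[r[0]], r[2]))


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for f in find_vulnerable(comps, ADVISORIES):
        print(f"{f['component']}@{f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for status, lic, name in rank_licenses(comps, POLICY):
        print(f"{status:8} {lic:14} {name}")
```

Run against the constructed SBOM this reports two findings (example-parser and the scoped core package; example-pad is already past its fixed version) and lists the GPL-3.0-only dependency before the unlicensed one and the MIT one. A re-run after an advisory feed update is just a function call over the stored SBOM, which is the point of the "no pipeline needed" item.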

Things I am aware of but we will not have time or resources for

  • .net
  • monorepos
  • advanced pseudo-anonymized data to help make informed decisions (upgrade success/fail etc.)

Notes

Old 2021 planning issue

Edited by Nicole Schwartz