14.8 planning - Composition Analysis (January-Feburary)

release post

Helpful Links 🔗

Click to expand...

How we work
Slack channel: #g_secure-composition-analysis
Bug Board
Performance Indicators
Planning Board for checking Deliverable/~~Stretch/~~"Next Patch Release"
Dev workflow Board for checking workflowscheduling and workflowready for development
Backend Board
SCA Categories Board
All Secure Issues
All CA Issues
All Backend CA issues
All Frontend CA issues
CA priorities for the year 2022

Context

Capacity variations

This includes planned OOO, internships, conferences and other initiatives outside of groupcomposition analysis.

backend => 70%
- Fabien: 50% (PTO)
- Igor: ~80% (Kid at home)
- Tetiana: 100%
- Adam: 50% (reaction rotation)
frontend

Items slipping from the previous release

This is a rough list of the items that may have a significant impact on that release (no need to be an exhaustive list).

...

Product Goals in priority order

Q4 - auto-remediation, display dependency path mvc, start on LF replacement research and SBOM step 1

Always

Feature	Links	Notes
Reaction rotation	responsibilities	triage incoming bugs, security, customers, community contributions. use timeboxing.
infradev	infradev issues	must do within SLO
security	P1 P2	must do within SLO, start with P1, if none move to P2, if none move to P3. P3 can miss SLO for now
bugs	P1 P2	filled in as we have space
upkeep tools	update and scan our tools as updates are available	high priority - update tools if applicable and desired (we have intentionally decided against some specific updates)

TOP SPOTS

Feature	Links	Notes
EPIC: Auto-Remediation: auto-create merge request	BLOCKED	BLOCKED
EPIC: Show paths to dependencies MVC	Show `vulnerable package`
EPIC: SBOM MVC - 1: ISBOM	issue
EPIC: Engineering Research: How do we advance alternate license scanning	FOSS POC
Help S&P / GitLab

GOALS

Feature	Links	Notes
De-duplication / aggregation	issue
test work	all issues - this milestone issues	keep incrementally improving out testing, do 1 per
15.0 Deprecations and Removals - SCA	Remove deprecated DS_DEFAULT_ANALYZERS variable Lock down remove bundler-audit License Compliance terminology migration Remove `ci_max_artifact_size_license_management` column in the plan_limits table Move Security vendored templates into the Jobs subdir Remove Retire.js

Stretch

Feature	Links	Notes
⬆️Refactor configuration page	Unification of backend for CE & EE	high priority - partner with frontend
OKR-Personal Growth project		please try to put some time against this
OKR-hiring		please prioritize this is you are tapped to help
OKR-psychological safety training	here and here	try to make some time for this
OKR-UX	TBD	TBD
OKR-QA	TBD	TBD
OKR-error budget	TBD	TBD

Please work the above in order. If something of a higher category comes in you can feel free to swap it for a lower item (cc Nicole and Oliver). If it does not fall into one of the above and you think it can wait please place in %Backlog - if you feel it should be strongly considered for an upcoming release please place in %Next 1-3 releases

Feel free to use the following message Product has determined that our current priority is related to finishing off two of our longstanding projects (automatic remediation mr creation by bot and show dependency paths) and starting on our next two projects (SBOM and replacing license finder). Upvoting and commenting on issues is the best way to make sure it is considered high priority as backlog items begin to be brought back in.

Edited Feb 23, 2022 by Nicole Schwartz