13.2 planning - Composition Analysis
Links
- 13.2 - Planning Board for checking Deliverable / Stretch / "Next Patch Release"
- 13.2 - Dev workflow Board for checking workflow::scheduling and workflow::ready for development
Context
Capacity variations
This includes planned OOO, internships, conferences and other initiatives outside of group::composition analysis.
Items slipping from previous release
This is a rough list of the items that may have a significant impact on that release (no need to be an exhaustive list).
...
Product Goals in priority order
Please work them in order! If you feel I should add priority labels like ~P1 or something to them instead, let me know!
Product Metrics
We need to know more about how our users use the product and what our product is doing to better prioritize bugs, requests and work.
Remove Docker-in-Docker DinD
Epic: Remove Docker-in-Docker (DinD) for all secure analyzers / scans
Epic: Offline secure scanning for self-hosted instances
Also known as offline, air-gap, limited connectivity, etc.
This spans across teams, but it is part of being the boring solution that helps you be more secure, and we need to keep moving the needle.
Performance, Reliability, Availability and Quality
We should be a stable, not buggy, experience. Period. We should have tests to help us avoid regressions and benchmark ourselves. I try to put in a few of each of the below to keep slow and steady progress:
- ~P1 ~S1 (~P2 ~S2 if there are no P1/S2, etc.) or any previously placed ~bug bug(s)
- ~performance issue(s)
- reliability issue(s)
- ~availability issue(s)
- ~"technical debt" / ~backstage issue(s)
- test issue(s) (helping quality by enhancing our testing)
- UX Debt, UI Polish or ~"UX Bug" issue(s)
AST Leadership
We wish to become recognized as a leader in Application Security Testing (AST)
Epic: Dependency Scanning category vision
Maturity Level: Viable
Next Maturity Level: 2021-01-31, Epic: Dependency Scanning - Viable to Complete
- dependency list issues and ~"Category:Dependency Scanning" issues
Epic: Suggested Solution (was Auto Remediation)
This spans across teams, but it is part of being the boring solution that helps you be more secure, and we need to keep moving the needle.
Epic: Suggested Solution (was Auto-remediation) UX foundation
Epic: Dependency Scanning - Minimal to Viable
Epic: License Compliance category vision
License Scanning / Maturity Level: Viable
Next Maturity Level: 2021-02-31, Epic: License Compliance - Viable to Complete
- ~"Category:License Compliance" issue(s)
Epic: Container Scanning category vision
Maturity Level: Viable
Next Maturity Level: 2021-02-31, Epic: Container Scanning - Viable to Complete
Epic: Enable Secure Stage Third Party Integrations
Partner Onboarding
This spans across teams, but it is a really frequent ask, and we need to position ourselves to enable these integrations so they are where we want and how we want, and aren't disparate and haphazard.
GitLab on GitLab
Dogfooding - seeking people to use our Dependency Scanner issues
.Net Core and Framework support
Dependency list, aka Software Bill of Materials (SBoM)
Policy Settings
Epic: currently with group::compliance
Languages
Work to harmonize languages across Secure, and cover the top 5 languages and package managers in use within GitLab, among users of GitLab and GitHub, and across the internet.
OSS Scanners to Core
Epic: on hold
Rules for Labels
- An issue must have the devops label ~"devops::secure"
- An issue must have the group label ~"group::composition analysis"
- An issue must have one of these type labels: ~feature, ~bug, ~backstage, ~documentation or ~meta
- An issue should have one or more Categories if possible: ~"Category:Container Scanning", ~"Category:Dependency Scanning" or ~"Category:License Compliance"
- An issue should have ~backend, ~frontend or ~UX as appropriate
- Most of our issues should have the ~"GitLab Ultimate" and ~"Enterprise Edition" labels, but I usually forget
- When work is in progress, it should have a workflow:: label
- If possible, it should belong to an epic
- If possible, it should be in a milestone
- We have some additional labels that you may also want to use if you believe they apply:
  - ~"secure:blocked" if your issue is blocked (also "relate" the blocked issue as "blocked by")
  - ~"secure:refinement-backend" or ~"secure:refinement-frontend"
  - initiative labels like "AST Leadership", "product metrics" and "secure offline scanning"