14.9 Secure:Composition Analysis retrospective
This is an asynchronous retrospective for the 14.9 release, following the process described in the handbook.
This issue is private (confidential) to the Secure:Composition Analysis group, plus anyone else who worked with the group during 14.9, to ensure everyone feels comfortable sharing freely. On 2022-03-26, in preparation for the R&D-wide 14.9 Retrospective, the issue will be opened up to the public, as long as everyone is comfortable with this. You're free to redact any comments that contain information that you'd like to stay private before that date.
Please look back at your experiences working on this release, ask yourself
- 👍 what went well this release?
- 👎 what didn't go well this release?
- 📈 what can we improve going forward?
- 🌟 what praise do you have for the group?
and honestly describe your thoughts and feelings below.
If there is anything you are not comfortable sharing here, please message your manager directly. Note, however, that 'Emotions are not only allowed in retrospectives, they should be encouraged', so we'd love to hear from you here if possible.
Process
The retrospective process is split into multiple steps:
- Reporting feedback during the development of the release
- Voting for items we want to focus on
- Discussing top voted items
- Bubbling up some selected items to the company wide retrospective
Reporting feedback
For each point you want to raise, please create a new discussion with the relevant emoji, so that others can weigh in with their perspectives, and so that we can easily discuss any follow-up action items in-line.
Voting
A week before the synchronous meetings, voting is opened. Please vote for the items you consider more important and want to discuss in a sync meeting.
Discussing
We hold one US/EMEA and one APAC meeting to discuss voted items synchronously.
Bubbling up
Retro DRI will report selected items into the company wide retrospective and be responsible for creating follow-up issues.
This issue was created automatically by this project.
Issues we shipped (Deliverable)
- Update gemnasium to output CycloneDX SBOMs (8)
- Dependency Scanning incorrectly handles nested dependencies in Gradle project (5)
- Show vulnerable package on the finding details page (3)
- Dependency Scanning fails when NuGet packages.lock.json contains ProjectReference nodes (1)
- Research FOSS/OSS License Compliance tools and POC it (8)
- Support Java 17 for Dependency Scanning (3)
- Python projects have extra dependencies (2)
More issues - the list above only includes deliverables!
Issues that slipped
- Move Security vendored templates into the Jobs subdir - part 2
- Determine ISBOM manifest file structure
- Remove sbom_survey banner
- Show one introduced package on the finding details page
- Replace job tests with image tests in gemnasium-maven
- [MR Widget Eng] License compliance V1
- Use new License compliance approval_status [frontend]
- Total deliverables closed: 7
- Total issues closed: 10 (weight: 32)
- Total MRs merged: 39
Metrics
Say/do ratio:
- initial:
  - issues: 75%
  - weight: 81%
- final:
  - issues: 70%
  - weight: 82%
Source: https://docs.google.com/spreadsheets/d/1--WF4Q5NZXM1yZRpb1JrB6_5nkApZ2qrzhV-BMUFroQ/edit?pli=1#gid=0