16.6 Secure:Composition Analysis retrospective
This is an asynchronous retrospective for the 16.6 release, following the process described in the handbook.
This issue is private (confidential) to the Secure:Composition Analysis group, plus anyone else who worked with the group during 16.6, to ensure everyone feels comfortable sharing freely. On 2023-11-26, in preparation for the Sec Section 16.6 Retrospective, the issue will be opened up to the public, as long as everyone is comfortable with this. You're free to use internal notes or redact any comments that contain information that you'd like to stay private before that date.
Please look back at your experiences working on this release, ask yourself
- 👍 what went well this release?
- 👎 what didn't go well this release?
- 📈 what can we improve going forward?
- 🌟 what praise do you have for the group?
and honestly describe your thoughts and feelings below.
If there is anything you are not comfortable sharing here, please message your manager directly. Note, however, that 'Emotions are not only allowed in retrospectives, they should be encouraged', so we'd love to hear from you here if possible.
Process
The retrospective process is split into multiple steps:
- Reporting feedback during the development of the release
- Voting for items we want to focus on
- Discussing top voted items
- Bubbling up some selected items to the company wide retrospective
- Review merged MR ratio of features, maintenance, bugs and undefined
Reporting feedback
For each point you want to raise, please create a new discussion with the relevant emoji, so that others can weigh in with their perspectives, and so that we can easily discuss any follow-up action items in-line.
Voting
A week before the synchronous meetings, voting is opened. Please vote for the items you consider more important and want to discuss in a sync meeting.
Discussing
We hold one US/EMEA and one APAC meeting to discuss voted items synchronously.
Bubbling up
Retro DRI will report selected items into the company wide retrospective and be responsible for creating follow-up issues.
This issue was created automatically by this project.
Review MR ratios
As part of the cross-functional dashboard review, review what types of MRs were merged.
Issues we shipped (Deliverable)
- CVSS field of Vulnerability is not parsed (1)
- Send metrics to Reliability Mimir server (3)
- Container scanning fails for images that do not have an operating system (-)
- Update semver_dialects gem to support deb operating system package versions (3)
- Add support for wolfi purl type (3)
- Fix cbl-mariner purl_type support (1)
- Export License-DB GCP metrics to license-db Prometheus server (5)
- Enable logs ingestion by Reliability team (3)
- CVS on advisory DB changes (GA) (5)
- Store Container Scanning image and operating system in sbom_sources table (3)
- Essential metrics for CVS on advisory DB change (3)
- Allow filtering of container scan findings where a fix will not be released (-)
- Performance test of advisory scans (5)
- Migrate Security Findings Webview from HTML to Vue (5)
- [Feature flag] Cleanup compressed_package_metadata_synchronization (-)
- Include the CVSS information in the CSV export (5)
- Update Gemnasium dependency scanner to emit a report with a CVSS vector (5)
- Dependency Scanning and License Scanning Java 21 SBT Support (5)
- Monitor Gitlab::AppJsonLogger.error messages related to composition analysis features (3)
- Add workaround in Container Scanning to allow us to update Trivy without first downloading java-db (3)
- Add offline tests for Container Scanning (-)
More issues - the list above only includes deliverables!
Issues that slipped
- [FE] - Remove CVS toggle as part of Generally Available (GA) support for Continuous Vulnerability Scans
- [Feature flag] Rollout of global_dependency_scanning_on_advisory_ingestion
- Ingest source package name from SBOM component properties
- Enable GA support of CVS
- Removes pm_package_versions and pm_package_version_licenses
- Total deliverables closed: 21
- Total issues closed: 33 (weight: 67)
- Total MRs merged: 69