17.0 Secure:Composition Analysis retrospective
This is an asynchronous retrospective for the 17.0 release, following the process described in the handbook.
This issue is private (confidential) to the Secure:Composition Analysis group, plus anyone else who worked with the group during 17.0, to ensure everyone feels comfortable sharing freely. On 2024-05-26, in preparation for the Sec Section 17.0 Retrospective, the issue will be opened up to the public, as long as everyone is comfortable with this. You're free to use internal notes or redact any comments that contain information that you'd like to stay private before that date.
Please look back at your experiences working on this release and ask yourself:
- 👍 what went well this release?
- 👎 what didn't go well this release?
- 📈 what can we improve going forward?
- 🌟 what praise do you have for the group?
Then honestly describe your thoughts and feelings below.
If there is anything you are not comfortable sharing here, please message your manager directly. Note, however, that 'Emotions are not only allowed in retrospectives, they should be encouraged', so we'd love to hear from you here if possible.
Process
The retrospective process is split into multiple steps:
- Reporting feedback during the development of the release
- Voting for items we want to focus on
- Discussing top voted items
- Bubbling up some selected items to the company wide retrospective
- Review merged MR ratio of features, maintenance, bugs and undefined
Reporting feedback
For each point you want to raise, please create a new discussion with the relevant emoji, so that others can weigh in with their perspectives, and so that we can easily discuss any follow-up action items in-line.
Voting
A week before the synchronous meetings, voting is opened. Please vote for the items you consider more important and want to discuss in a sync meeting.
Discussing
We hold one US/EMEA and one APAC meeting to discuss voted items synchronously.
Bubbling up
Retro DRI will report selected items into the company wide retrospective and be responsible for creating follow-up issues.
This issue was created automatically by this project.
Review MR ratios
As part of the cross-functional dashboard review, review what types of MRs were merged.
Issues we shipped (Deliverable)
- Spike: Extract swift package information from lock file (-)
- Implement Proxy Interfacer for Handling NPM Data from deps.dev and repo data sources (3)
- Dependency Scanning major version 5 (2)
- Container Scanning major version 7 (2)
- Publish Android Dependency Scanning Component to CI Catalog (1)
- [Spike] Testing Composition Analysis CI Components (Android) (-)
- [Spike] investigate upstream CDX generator for Swift (-)
- [Spike] Investigate Swift security advisory (-)
- Create Android Dependency Scanning CI Component (2)
- Remove cyclonedx override from container scanning sboms (2)
- Create scheduled pipelines to run cargo feeder and exporter (5)
- [Feature flag] Cleanup container_scanning_continuous_vulnerability_scans (1)
- [CS For Registry] Add registry event info to metadata source to SBOM in CS (1)
- [CS For Registry] Add CS pipeline event on registry push (2)
- [FE] [CS For Registry] Add security configuration setting with feature flag (2)
- [CS For Registry] Add security configuration setting with feature flag (3)
- Remove Dependency Scanning report generation from the Container Scanning analyzer (2)
- Remove the dependency_files property from the Security Report Schema (3)
- Remove Grype from Container Scanning (3)
- Remove License Scanning CI templates (2)
- Remove deprecated Dependency Scanning jobs (1)
- Remove support for Container Scanning 4 (-)
- Set DS_EXPERIMENTAL_GRADLE_BUILTIN_PARSER to true by default in gemnasium-maven (2)
- Remove Dependency Scanning and License Scanning support for sbt 1.0.x (1)
- [Feature flag] Cleanup security_auto_fix (2)
- Discover Cells 1.0 impact for composition_analysis (-)
- Remove unused gitlab:dependency_scanning metadata properties (2)
- Update default version of maven and remove support for maven 3.6.3 from gemnasium (1)
- Bash script to download license-db export files does not download all files (-)
- FE: Create "Container registry vulnerabilities" tab (5)
More issues - the list above only includes deliverables!
Issues that slipped
- Add support for Golang pseudo versions in License Scanning (semver_dialects limitation)
- Follow-up: remove source_package_name from sbom_components
- Total deliverables closed: 30
- Total issues closed: 45 (weight: 63)
- Total MRs merged: 96