Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / 12.9 Release Kickoff / 14 Feb 2020
GitLab / 12.9 Release Kickoff / 14 Feb 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: GitLab 12.9 Kickoff - Secure:Composition Analysis

Description

GitLab 12.9 Kickoff for the Secure Stage, Composition Analysis team

A

Hi, so my name is Nicole Schwarz and I'm. The p.m. for the composition, analysis team with insecure and we're about to go over our twelve nine items for the kickoff that our direction level or release post level, and then we can go over any questions after we go through them. So the first one I've got is that we're going to work on supporting air-gapped dependency scanning for JavaScript through our retired at Jas analyzer.

A

So we have a lot of different analyzers that make up our dependency scanning category and for this particular 12.9, we're going to concentrate on documenting and fixing some items to make sure that this will work in a limited connectivity or no connectivity environment. There's a couple of caches here that you can read about with sassed and some of our other tools and are already air-gap support which involve you having to download all the analyzers in advance and do some configuration work. But we're going to have all of that documented as part of this issue.

A

The next one is we're going to be working on the design for allowing container scanning to scan multiple container images in a single change, and so right now you could have a change that impacts multiple images, but we can't iterate through and scan all of those images, and so we're going to fix that flaw that we've got and then the last direction level item we have is we're going to start a problem, validation on what do users want and expect from being able to manage license compliance of the group and instance level.

A

So if you are interested in this topic at all, please comment in this issue so that you can participate in the questions we're going to ask. Maybe when we get to prototyping you'd, be able to help us click through and give us feedback on that. So I would just love to know your scenarios and situations. So please comment on that issue and then the last item we've got is actually a deprecation, and so this one won't affect most people.

A

But if you have written any scripts to be parsing, our common report, format or if you are a third party that has written an integration into our secure area, using the report format we're going to be changing away from the CVE property, we haven't exactly decided what it's going to change to, but the main goal of this is we're, calling it a CVE which actually has a very distinct definition and meaning, and it is not a CDE and so we're causing a lot of confusion and consternation by having a field name that doesn't represent the actual content of that field, and so we're hoping to be able to pick a new, more descriptive name.

A

We're going to look at data migration if that's possible and all sorts of other implications. So if you have written any kind of scripting or integration, you'll probably want to follow along in this issue, you can also feel free to comment with your thoughts and, if you've run into this confusion, we definitely want to hear from you around what would help. So that's my four items: does anybody have any questions about? Why we're doing these or any questions about more about what the outcomes going to be nope nope?

A

Thank you.