cloudoperators / heureka

Security and compliance management
Apache License 2.0

chore(sprintOrg): Conduct Sprint Retrospective/Planning Session (9/24) #164

Closed lolaapenna closed 2 months ago

lolaapenna commented 2 months ago

Sprint 8/24 Retrospective - 27th August 2024

Duration Jul 29 - Aug 23

Planned Epics

  1. Heureka Use Case Demo
  2. Greenhouse plugin Utility
  3. Implement Kubernetes Container Scanner
  4. Implement Service Views
  5. Issue-Centric Views
  6. Implement Component Views
  7. Implement Image Registry Scanner
  8. Implement Heureka NVD Advisory Scanner
  9. Implement Authentication
  10. Implement Filter Queries for Heureka Objects

Closed Epics:

  • Greenhouse plugin Utility
  • Implement Filter Queries for Heureka Objects
  • Implement Component Views
  • Issue-Centric Views

Touched Epics:

  • Implement Kubernetes Container Scanner
  • Implement Service Views
  • Implement Image Registry Scanner
  • Implement Heureka NVD Advisory Scanner
  • Implement Authentication
  • Heureka Use Case Demo

Untouched Epics

  • None

Sprint 9/24 Planning

Duration Aug 24 - Sep 20

Availability:

Rolled-over Epics – Touched Epics from 8/24

  • Implement Kubernetes Container Scanner
  • Implement Service Views
  • Implement Image Registry Scanner
  • Implement Heureka NVD Advisory Scanner
  • Implement Authentication
  • Heureka Use Case Demo

Moved Epics – Untouched Epics from 8/24

  • None

Planned Epics

  1. Heureka Use Case Demo
  2. Implement Service Views
  3. Implement Image Registry Scanner
  4. Implement Heureka NVD Advisory Scanner
  5. Implement Authentication
  6. Implement Kubernetes Container Scanner
  7. Implement Service Repository Matches
  8. Implement Heureka Issue Matches
  9. Heureka Core UI Implementations
  10. Implement Component Instances list view

Side Notes: FW: - Seed User ticket - one-time scan to insert data.

lolaapenna commented 2 months ago

ORA backlog planning

lolaapenna commented 2 months ago

For ORA Backlog

Milestone: PoC Feature: Asset & Issue (Vulnerability) Discovery

Heureka PoC Demo

Heureka PoC Implementation UI

Heureka

lolaapenna commented 2 months ago

Takt 10

Epics

Features

  • GH Backend Plugin (connecting Heureka core and Heureka scanners)
  • (Refined) Scanner Blueprint
  • Remediation Tracking

lolaapenna commented 2 months ago

Epics

  • Activity Management

  • Remediation Tracking

  • Evidence Management

  • GH Backend Plugin (connecting Heureka core and Heureka scanners)

  • (Refined) Scanner Blueprint

lolaapenna commented 2 months ago

Refined PoC - Deployment + fully functional GH plugins with possibility to use multiple scanners reporting to Heureka - Epics: interconnection of plugins FE/BE, Deployment, scanners and core-GH enablement (config interface, env vars), enable multiple clusters for the scanners (design discussion needed).

enable use in GH

Refine Issue Matcher - historical tracking (poc - we wipe db after every scan) - epic: scan tracking, authentication done, created-by relation attribute to the entities (other attributes too)


Takt 10 Features/Milestones:

  1. Refined PoC: Solve the limitations of the PoC

     Epics:

    • Implement interconnection of Heureka Core and Scanners in GH
    • Enable Multiple Clusters for the Scanners
    • Deployment of the Scanners

  2. Refined Issue Matcher: Enhance the Issue Matcher service

     Epics:

    • Implement 'created-by' Relationship on all Entities (new relationships emerging from the issue matcher service)
    • Implement Historical Tracking

Context

The feature addresses the limitations of the current PoC.

The PoC focuses on asset and issue discovery, providing vulnerability insights for Kubernetes and container images. Key components include:

  • Kubernetes Scanners: Identifying Kubernetes assets
  • Image Registry Scanners: Identifying image assets
  • NVD Integration: Fetching published CVEs
  • Issue Matcher Service: Match CVEs to affected component versions
  • UI Implementations: Component, service, and issue match views equipped with search and filter capabilities

The Limitations

  • Interconnectivity of the scanners and Heureka core in GH
  • Not all clusters can be scanned
  • The issue matcher history tracking is not enabled, leading to database wipes after each scan to avoid duplicate matches.
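The third limitation above (no history tracking, so the database is wiped after every scan to avoid duplicate matches) and the planned 'created-by' relationship can be illustrated with a small issue matcher. The following Go program is an added example written for this page; it is not Heureka's code and its types (Advisory, ComponentVersion, IssueMatch, Matcher) and the sample data, including the placeholder CVE IDs, are constructed here and do not reflect Heureka's actual schema. It keys each match by (CVE, component, version) so that re-running a scan upserts the existing match and records first-seen/last-seen scan IDs instead of inserting a duplicate, and it reports matches missing from the latest scan as remediation candidates rather than deleting them.

```go
package main

import (
	"fmt"
	"sort"
)

// Advisory is a simplified CVE record as an NVD scanner might report it.
// Hypothetical structure for this example, not Heureka's actual schema.
type Advisory struct {
	ID               string   // CVE identifier (placeholders below, not real CVEs)
	Component        string   // affected component name
	AffectedVersions []string // exact affected versions (real advisories use ranges)
}

// ComponentVersion is an asset discovered by a Kubernetes or image registry scanner.
type ComponentVersion struct {
	Component string
	Version   string
}

// IssueMatch links one CVE to one component version and carries the history
// the PoC lacks: creating scanner, first scan seen, last scan seen.
type IssueMatch struct {
	CVE           string
	Component     string
	Version       string
	CreatedBy     string // the 'created-by' relationship from the planning notes
	FirstSeenScan string
	LastSeenScan  string
}

// Matcher stores matches keyed by (CVE, component, version). Re-running a scan
// updates the existing row instead of inserting a duplicate, so the database
// no longer has to be wiped between scans.
type Matcher struct {
	matches map[string]*IssueMatch
}

func NewMatcher() *Matcher { return &Matcher{matches: map[string]*IssueMatch{}} }

func matchKey(cve, component, version string) string { return cve + "|" + component + "|" + version }

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Run matches advisories against the assets seen in one scan. It returns how
// many matches were newly created and how many existing ones were refreshed.
func (m *Matcher) Run(scanID, createdBy string, assets []ComponentVersion, advisories []Advisory) (created, updated int) {
	for _, adv := range advisories {
		for _, asset := range assets {
			if asset.Component != adv.Component || !contains(adv.AffectedVersions, asset.Version) {
				continue
			}
			k := matchKey(adv.ID, asset.Component, asset.Version)
			if existing, ok := m.matches[k]; ok {
				existing.LastSeenScan = scanID // idempotent upsert: history kept, no duplicate row
				updated++
				continue
			}
			m.matches[k] = &IssueMatch{CVE: adv.ID, Component: asset.Component, Version: asset.Version,
				CreatedBy: createdBy, FirstSeenScan: scanID, LastSeenScan: scanID}
			created++
		}
	}
	return created, updated
}

// Matches returns all known matches in a stable order.
func (m *Matcher) Matches() []IssueMatch {
	out := make([]IssueMatch, 0, len(m.matches))
	for _, im := range m.matches {
		out = append(out, *im)
	}
	sort.Slice(out, func(i, j int) bool {
		return matchKey(out[i].CVE, out[i].Component, out[i].Version) < matchKey(out[j].CVE, out[j].Component, out[j].Version)
	})
	return out
}

// Stale returns matches not observed in the given scan: remediation candidates, not rows to wipe.
func (m *Matcher) Stale(scanID string) []IssueMatch {
	var out []IssueMatch
	for _, im := range m.Matches() {
		if im.LastSeenScan != scanID {
			out = append(out, im)
		}
	}
	return out
}

// Constructed sample data; the CVE IDs are placeholders, not real advisories.
var SampleAdvisories = []Advisory{
	{ID: "CVE-PLACEHOLDER-0001", Component: "openssl", AffectedVersions: []string{"1.0.0", "1.0.1"}},
	{ID: "CVE-PLACEHOLDER-0002", Component: "nginx", AffectedVersions: []string{"1.25.0"}},
	{ID: "CVE-PLACEHOLDER-0003", Component: "curl", AffectedVersions: []string{"7.0.0"}},
}
var SampleAssetsScan1 = []ComponentVersion{{"openssl", "1.0.0"}, {"nginx", "1.25.0"}, {"curl", "8.0.0"}}
var SampleAssetsScan2 = []ComponentVersion{{"openssl", "1.0.2"}, {"nginx", "1.25.0"}, {"curl", "8.0.0"}} // openssl upgraded

func main() {
	m := NewMatcher()
	c, u := m.Run("scan-1", "nvd-scanner", SampleAssetsScan1, SampleAdvisories)
	fmt.Printf("scan-1: created=%d updated=%d\n", c, u)
	c, u = m.Run("scan-2", "nvd-scanner", SampleAssetsScan1, SampleAdvisories)
	fmt.Printf("scan-2 (same assets): created=%d updated=%d\n", c, u)
	c, u = m.Run("scan-3", "nvd-scanner", SampleAssetsScan2, SampleAdvisories)
	fmt.Printf("scan-3 (openssl upgraded): created=%d updated=%d\n", c, u)
	for _, s := range m.Stale("scan-3") {
		fmt.Printf("remediation candidate: %s on %s %s (last seen %s)\n", s.CVE, s.Component, s.Version, s.LastSeenScan)
	}
}
```

The same idea carries over to a relational store: a unique constraint on (issue, component version) plus an "insert ... on conflict update last_seen" statement gives the idempotent behaviour, and the first-seen/last-seen pair is what lets a later remediation-tracking epic distinguish a fixed finding from one that was simply not rescanned.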