►
From YouTube: Scorecards Biweekly Sync (February 23, 2023)
A
A
B
B
A
C
A
D
Yeah
they
mean
these
are
just
updates,
no
discussion.
So
since
last,
since
last
meeting
mentioned
we're,
gonna
do
a
release
so
that
what
that
happened,
the
operations
funding
that
we
discussed
last
time
has
been
fulfilled
by
the
Linux
foundation.
So
thank
you
for
them
other
than
that
I'm,
just
working
on
on
code
and
I'll
be
merging
the
contributor
ladder
PR
that
I've
been
discussing.
I've
got
some
good
feedback
on
that
on
the
on
the
issue
and
Incorporated
those
updates.
D
A
E
Hey
yeah
yeah,
so
this
issue
is
about
how
are
fuzzing
check
currently
works,
so
we
in
order
to
check
whether
our
project
is
being
fuzzed
and
can
be
scored
for
fuzzling
or
not.
We
check
for
the
presence
of
three
fuzzers
and
we
check
it
slightly
differently
so
for
cluster
fuzz
light,
we
look
for
a
Docker
file
that
is
used
by
by
cluster
fuzz
light
to
run
the
fuzzer
there's
one
fuzz,
which
I
I'm,
not
I,
don't
recall
off.
E
E
Yamls,
and
the
idea
here
is
that
or
like
the
the
the
question
I
kind
of
wanted
to
raise
is
like,
should
we
maybe
like
look
at
a
different
source
of
information
so
that
git
repo
like
there
are
project,
yamls
and
I?
Think
we
like
currently
just
like,
do
a
text
search
for
the
name
of
the
project,
and
it's
not
clear
when
the
like
fuzzing
was
last
run
or
anything
like
that.
We
just
know
whether
the
project
config
is
configured
to
like
run
an
OSS
fuzz.
E
B
E
A
At
least
I
have
looked
at
this
before
raghav,
probably
not
related
to
this,
but
also
first
provides
a
way
to
get
coverage.
This
coverage
have
the
stuff.
It
was
usually
coverage
as
a
item
or
looking
at
this,
specifically
not
the
something
related,
but
they
provide
a
way
to
get
the
coverage
for
OSS
files
that
you
can
obviously
include
in
your
first
details.
Does
that
provide
some
of
the
information
that
you're
looking
for.
A
A
So
obviously
they
do
have
that
as
an
API.
They
have
it
as
a
a
TCS
bucket,
providing
all
those
information,
so
we
should
be
able
to
get
that
and
provide
that
all
of
our
chain.
Obviously
your
game
has
that
information.
So,
but
it's
publicly
available
it's
not
it's
not
private,
anything
it's
publicly
available,
so
he
like
that
team
obviously
has
that
information.
I've
worked
on
that
in
the
past.
A
A
A
B
A
B
A
Not
around
Matt
do
you
want
to
discuss
about
the
specific
thing,
and
we
also
have
another
demo
that
I'm
working
I'm
going
to
demonstrate,
and
so
we
want
to
be
cognizant
by
the
time
of
how
long
do
you
think
yours
will
take,
would
would
15
minutes
be
good.
15
20
minutes
be
good
for
your
demo
and
questions
yeah.
F
It's
more
like
a
an
overview
of
where
the
the
s-bombs
are
headed
in
terms
of
being
being
able
to
map
salsa
type
data,
and
things
like
that
and
and
outputs
of
from
tools
like
scorecard,
All-Star
2
and
be
included
in
as
bombs
in
the
future,
within
the
with
the
context
of
a
CI,
CD
type
of
pipelines.
So
I
don't
really
have
a
demo,
because
it's
basically
a
spec
that
will
Pro
will
probably
GA
in
April
I
just
want
to
give
you
some
early,
a
heads
up
of
where
things
are
going.
F
Let
me
I'll
share
so
I
have
so.
Let
me
just
start
by
saying:
I
work
in
the
open
technology
team
at
IBM
people,
I,
I,
attend
I've,
attended,
probably
every
work
group
or
Sig
and
open
stuff
at
one
point
or
another
before
it
was
even
a
foundation.
I
I
comment
in
the
backgrounds
like
that:
I
just
try
to
figure
out
where
we
should,
where
you
know
we
should
pay
attention
and
where
and
where
we
should,
where
we
should
contribute
and
try
to
rustle
up
people
where
we
have.
F
We've
talked
them
and
taking
their
research
work
and
contributing
to
scorecards
that
so
that's
kind
of
where
I'm
at
and
I
also
work
on
standards
and
and
one
of
the
standards
I
work
on
I,
backed
into
is
Cyclone
DX
as
an
s-bomb
standard,
and
so
I'll
just
share
portions
of
of
some
of
the
proposals
that
were
used
to
to
get
a
lot
of
the
conversation
started
about
where
I
want
to
do
with
the
next
version
of
cycle
ndx.
So
let
me
share.
F
Okay,
okay,
you
know
try
to
make
this
bigger,
so
this
was
so.
There
was
always
a
concept
of
something
called
formulation
in
in
s-bombs,
and
today,
s-bombs
are,
you
know,
have
a
set
of
use
cases
I.
Think
Cyclone
Dex
has
a
catalog
of
at
least
15
use
cases
for
what
you
can
use
an
s-bomb
for
and
that's
grown
with.
One
point
dramatically
in
1.5
you'll
see
things
through
machine
learning
and
and
formulation
of
the
two
big
things
in
the
future:
we'll
see,
crypto,
graphic
and
Quantum
type,
Cipher
type
information
being
recorded
as
well
for
1.6.
F
So
in
terms
of
formulation,
this
is
the
first
time
we've
captured
kind
of
an
instance
model.
Typically,
us
bombs
were
based
upon
more
of
a
static
dependency
relationship
for
a
final
output
or
artifact
an
executable,
a
product
or
component,
or
something
like
that.
So
basically
I
had
to
do
logic.
Education
there
there
they
wanted
to
go
this
direction,
but
we
wanted
the
goals
to
represent
modern
CI,
CD
pipelines,
intercom
formulations.
So
again
I'm
thinking
you
know
this
presentation
is
probably
going
to
be.
It
was
at
the
sci
work
group.
F
F
So
you
see
Fresca
here
so
hopefully
you're
familiar
with
Fresca,
which
is
a
representation
of
salsa
going
on,
and
the
goal
of
the
s-bomb
is
to
be
able
to
record
salsa
level,
three
spec
information
in
the
next
version
and
then
support
things
like
kubeflow
as
well,
because
we
know
we're
taking
on
ML
models
and
things
like
that
and
to
be
able
to
describe
how
models
are
formed
through
data
training
and
things
like
that,
and
we
have
a
concept
of
yeah.
For
for
the
first
time
we
actually
have
to
capture
a
runtime
stack
AKA.
F
They
called
the
executor,
but
I'm
actually
revamping
the
spec
today
to
actually
have
any
type
of
at
any
any
level
or
degree
of
specificity.
You
want
to
put
into
your
thing
again
being
Fresca
and
I
I
have
background
in
techton
a
couple
of
people
I
work
with
my
team
who
work
on
techton
and
they've,
been
their
maintainers
and
very
influential
there
and
techcon.
We
love
it.
F
Fresca
picked
it
and
it's
awesome
for
us
and
I
also
try
to
show
it's
to
the
group
that
it
has
lots
of
Outreach
and
derivative
work,
and
it's
reflective
of
a
lot
of
what's
going
on
in
terms
of
other
CI
CD
systems
and
I.
Try
to
point
out
that
we
have
some.
We
have
some
very
complex
things.
We
need
to
capture
in
an
s-bomb
in
terms
of
resources.
We
have
events
and
triggers
at
different
things.
We
have
various
tasks
that
are
more
like
graphs
between
them,
they're
conditional
statements.
F
We
have
workspaces,
we
have
various
resources
to
bring
in
and
services
we
attach,
and
we
have
you
know
we
have
actually
outputs
and
inputs
instant
data,
and
this
is
kind
of
where
tooling
comes
in,
because
many
of
our
pipelines
we're
using
we're
putting
in
scorecard,
for
example,
in
many
of
our
pipelines,
and
there's
been
discussion
at
Fresca.
Putting
a
scorecard
and
things
like
that,
so
the
question
is:
if
we
put
in
our
pipelines,
how
do
we?
F
How
do
we
produce
the
evidence
and
things
we
need
to
do
in
the
context
of
an
s-bomb,
perhaps
from
from
from
scorecard
so
I
know
that
I've
been
pushing
to
my
people
and
I'm
very
pleased
to
see
it
was
that
Microsoft
I
can't
remember?
Who
specifically
did
it
bad
with
names,
but
the
you
know
seeing
things
like
oscow
up
here:
Oscar
format,
something
like
that.
F
So
if
you
produce
control
output
for
for
for
things,
we
need
to
have
a
common
language
for
what
controls
are
producing
relative
to
salsa.
So
I
think
that
even
even
more
importantly,
going
forward,
you
know
cross
work.
Group
dialogue
needs
to
happen
across
project.
Dialogue
needs
to
happen
to
make
sure
that
Fresca
is
producing
output,
that
the
salsa
team
spect
team,
endorses,
and
that
you
know
it
factors
in
things
like
our
tooling
does
in
terms
of
scorecard
Etc.
F
In
terms
of
like
things
like
ml,
like
I
mentioned
earlier
and
it'll
be
comprised
of
a
graph
of
tasks,
and
you
describe,
you
basically
create
a
task
dependency
graph
with
conditions
between
them
that
you
know.
Basically,
you
can
map
artifacts,
saying
the
output
of
this
task
and
the
scorecard
results,
or
whatever
is
used
to
determine.
Should
we
run
the
next
task?
Would
be
captured
as
well
more
specificity,
and
this
is
kind
of
still
I
I'll
show
you
a
graphical
view
of
the
current
schema
that
I'm
working
on,
but
you
know
it's
all
based.
F
It's
all
task
based,
there's
a
concept
of
events
and
triggers
to
determine
if
tasks
should
be
run
or
not
run
based
upon
output
of
the
previous
task
or
an
external
condition
happening.
A
a
automated
automation,
a
a
bot
kicks
it
off
a
web
hook,
Picks
It,
Off
Etc
that
you
have
a
concept
of
inputs
and
outputs
that
make
sense,
adding
the
concept
of
schema.
F
So
if
you
do
adopt
formats
like
oscow,
we
can
say
you
produce
evidence
or
something
of
that
in
this
format,
so
that
if
people
want
to
parse
that
they
can
and
things
like,
metrics
and
evidence,
things
that
we
see
captured
already
as
part
of
tecton
and
other
kubernetes
type
Services
resources,
and
we
have
concepts
of
additional
concepts
of
different
types
of
components.
So
the
concept
of
declarative
systems,
orchestration
of
declarative
systems
can
eventually
be
captured
as
well.
So
in
terms
of
practicality,
I
can
show
you
kind
of
where
it's
at
again.
F
F
F
So
if
you
want
to
point
to
external
URLs
and
things
like
that
and
qualify
them,
you
can,
and
so
this
this
is
a
reduced
view
perhaps,
but
they
also
include
so
basically
through
inheritance
model,
plymorphism
and
Json
schema,
you
can
see
the
trigger
you
can
see.
It's
kicked
off
by
events.
You
can
capture
the
source
and
Target.
So
again
you
can
figure
out
who
who
ran
your
tool
or
who
who
kicked
out
the
task
that
ran
your
tool
and
you
capture
things
like
inputs
like
what
step
specifically
ran
it.
F
You
can
actually
capture
the
command
that
was
run
in
the
in
the
container
image.
If
you
will
to
to
execute
your
your
tool
and
then
you're
expected
to
record
your
inputs
and
outputs,
so
the
inputs,
your
tool,
we
capture
things
like
environment
variables,
properties,
data
and
things
like
that,
and
we
capture
output,
things
like
logs
evidence,
metrics,
like
I,
showed
in
the
on
the
slide,
and
then
we
have
your
tools.
Arrays,
you
can
actually
create
tools,
references
you
can
say
this
task
explicitly.
F
F
So
I
think
that
you
just
want
to
raise
awareness
that
this
is
happening
now
and
I
would
love
to
have
our
tooling
lead
the
way
and,
if
I
can
help
it
and
and
convince
Carolyn
and
others
from
IBM
to
help
me
with
it
that
we
can
put
these
things
on
our
on
our
radar
and
help
roll
up.
Our
sleeves,
like
I,
said
I
was
pleased
to
see
oscow
discussed
recently
and
that's
what
prompted
me
to
put
myself
on
the
agenda
today.
A
F
A
Thanks
man,
thank
you
share
my
screen,
but
the
next
item
I
want
to
discuss,
is
Implement
School
record
action
for
dependencies,
so
the
whole
motivation
for
this
is
for
people
who
are
new
to
this
is
we
are
right
now
Flying,
Blind,
anytime,
there's
a
PR
that
comes
in
with
the
new
independency
change.
We
get.
We
get.
We
get
only
things
like
we
get
things
like.
Oh
yeah.
Is
that
vulnerability
or
not,
but
would
it
be
nice
to
get
a
scorecard
resolved
for
every
new
dependency
added
problem?
A
We
lack
the
ability
to
see
this
is
a
newly
added
dependencies
to
a
project.
Okay,
at
this
moment,
this
is
only
for
GitHub,
but
later
we
should
be
able
to
expand
it
to
others.
Just
want
to
set
them
contact
straight.
There
are
tools
available
for
identify
potential
vulnerabilities,
but
having
a
scorecard
for
new
dependency
like
I
mentioned,
would
be
helpful.
A
What
I
mean
is,
would
it
be
nice
to
have
a
PR
com,
and
which
is
here,
are
the
scorecard
results
for
any
of
the
newly
added
dependencies,
but
as
I
want
to
usually
again?
All
of
these
are
right
now,
I
want
to
see
all
the
vulnerabilities
on
top
and
I
want
to
see
any
new
dependency
added
dependency,
the
last
candidate.
That's
that
you
see
right
here
or
I'll
get
into
a
demo
and
the
checks
what
do
the
score
for
each
one
of
them?
A
What
do
you
see
out
of
the
box
right
now?
Here?
Is
the
critical
and
the
high
scores
within
scorecard
much,
and
this
would
be
nice
for
anybody
to
go
see.
Okay.
This
is
something
that
makes
makes
sense
whether
or
not
whether
should
we
add
this
new
dependency
how's.
This
possible
right
now,
dependency,
analysis,
API,
provides
a
dependency
analysis.
So
essentially
you
give
two
commit
charts
and
there's
one
API
call:
there's
only
one
API
call
to
get
out
and
says:
hey
Kimmy,
give
me
newly
added
dependencies
removed,
updated
all
of
that.
A
A
What
is
the,
what
is
this
entire
entitled
to?
What
changes
is
it
required?
It
requires
a
pull
request
right
access
to
go
able
to
write
a
pull
requests,
just
sending
some
context
rate,
but
the
goal
is
not
to
use
our
existing
GitHub
action.
It
is
to
create
another,
get
up
action.
We'll
talk
about
the
motives
behind
that
a
little
bit
used.
A
Okay,
yes,
it
is
we'll
talk
about
that.
Okay,
but
but
that's
a
good
question
so
right
now
at
this
moment
it
will
do
that,
but
I
just
want
to.
It
will
do
that.
That's
a
good
question!
Okay!
The
usual
question
is,
why
not
add
as
code
comments
in
the
pr
next
to
the
code,
because
it's
much
more
easier
right,
I've
got
this
new
dependency
go
ahead.
Dump
the
comment
over
there
it'll
be
great
to
do
that.
A
A
A
There,
what
are
the
three
requisites
for
this
there's
a
dependency
graph
API,
that's
a
setting
within
the
repository
that
needs
to
be
enabled
on,
or
to
do
this
will
it
work
for
private
repos?
Yes,
as
long
as
the
API
is
enabled,
obviously,
for
that
API
to
enable,
if
it's
a
private
opacity,
you
need
to
pay
for
that.
That's
very
similar
to
running
scorecard
action.
If
you
want
to
add
the
security
dashboard,
you
need
to
pay,
for
that.
A
Does
it
require
personal
access?
Token?
No,
unless
you're
hitting
the
personal
unless
you're
hitting
the
private
repository,
it
does
not
require
any
of
that.
Can
I
customize
the
checks
that
are
being
shown.
Yes
by
default
right
now,
I'm
dumping,
the
five
of
them
I,
don't
want
to
dump
all
17
of
them,
but
but
it's
configurable
to
go,
get
what
checks
every
user
want?
It's
a
it's
a
it's
a
file!
Change
for
that!
A
Let
me
make
it
a
little
big
for
people
who
don't
know
who
can't
see
it.
Puris
and
horses
have
death
organization.
So
this
is
a
this
is
usually
where
we
do
tests
to
make
sure
how
things
are
I,
don't
want
to
make
sure
so
so
I
can
repeat
this
test.
So
what
happens
is
this
is
a
bar
check
Jeff,
your
question
specifically:
so
if
I
see
this
scorecard
dependency
analysis
just
a
minute
Laurent
and
it
it
comes
up
with
the
tick
mark
Lauren.
Do
you
have
a
question.
A
A
And
scorecard
results
comes
with
for
this
particular
dependency.
Here's
like,
if
you
want
to
go
hit
this
up
to
go,
see
what
it
is.
You
can
go
see
this,
and
it
also
provides
the
date
because
being
like,
when
was
the
last
check
done
and
it
dumps
the
like.
I
mentioned
the
critical
and
the
high
high
checks
learned
anytime,
you
feel,
can
unmute
and
talk
more
than
happy
to
answer
any
of
your
questions.
So
this
is
a
python
dependency,
but
just
not
python
dependency
just
want
to
show
something.
A
This
is
running
my
own
scorecard
action
as
you
can
see,
I
included
the
originals
and
scorecard
action
dependency
analysis
at
Main,
and
it
comes
back
and
gives
scorecard
results
for
the
new
get
up
action
being
added.
So
it's
not
just
like
I
mentioned
it's
just
not
for
Google
python,
even
forget
about
actions,
so
it
comes
back
and
showcases
what
it
is
on
this.
This
is
one
example
on
this
in
other
example,
that
I
want
to
show
right
now
over
here
is.
A
A
C
A
D
Oh
yeah,
I
guess
when
I
was
thinking
of
the
status
check.
I
was
thinking
more
from
the
outside
I,
see
now
that
you
can
just
fail
the
the
Run
essentially
and
that's
that's
kind
of
like
a
failing.
The
status
check,
which
kind
of
brings
me
to
just
a
suggestion
for
the
future
that
you
know
if
this
is
not
super
configurable
or
like.
D
A
A
D
E
C
E
E
It
might
also
be
good
to
have
like
a
like
a
iterative
strategy
with
like
the
the
interface
here.
So
like
inline
inline
comments
that
I
think
there
are
like
some
workarounds.
Even
though
you
don't
get
comment
lines,
you
might
be
able
to
like
look
at
the
commit
diff
or
something
and
get
a
diff
URL
yeah.
A
A
Right
so
so,
like
absolutely
I
agree
like
I,
my
goal
is
like
not
make
this
gener
not
make
this
GitHub
specific,
make
it
generic
enough.
So
we
can
go,
build
an
app
or
gitlab
provided
today
and
provide
to
anybody.
Provide
that
as
an
option
but
like
the
initial
I
think
I
was
thinking,
is
go,
provide
this
but
keep
adding
getting
feedback
from
real
customers
say
this
is
nice.
This
is
not
nice
and
that's
why
I
didn't
want
to
go
down
the
rabbit
hole
of
policy.
A
Thanks
cool
cool
just
to
know,
if
I
I
it's
the
model,
this
is
all
the
code.
This
is
nothing
big.
This
is
not
super
complicated,
there's,
no
magic
per
se,
so
so
this
is
the.
This
is
the
chunk
of
code,
there's
about
300
lines
of
code
and
there's
a
typed
file,
but
that's
all
this
is
the
there's
no
and
the
motivation
to
keep
this
separate
from
the
we
just
it's
to
keep
it
separate
from
my
existing
action.
A
A
A
So
I
would
need
any
help
with
getting
a
domain
so
that
then
we
can
go
open
and
at
six
door
salsa
on
all
those
organizations
just
start
getting
some
feedback
of
how
this
is
and
also
a
part
of
this
I'm,
also
going
to
like
I,
also
adding
tests
in
osis
of
tests
for
different
different
kinds
of
repositories
to
make
sure
it
is.
But,
like
I
mentioned,
it's
single,
simple
API
call
to
look
it
up,
and
one
API
call
to
security.
Scorecards.
A
E
A
F
A
Okay
so
just
think
I
thought
I,
Brian,
Russell
who's
on
this
call
and
I
I'm
going
to
be
we're
going
to
be
talking
in
a
couple
of
upcoming
conferences
in
order
to
shout
out
to
Shameless
Vlog,
please,
for
me
we
are
doing
it
in
SoCal
Linux
Expo
in
March,
and
we
are
also
doing
it
in
RSA
in
April,
in
Moscow
and
Center
in
San
Francisco.
Just
letting
people
know
about
that
foreign.
A
A
A
Rca
has
a
lot
more,
stricter
conformance
that
we
have
to
follow
through
how
the
slide
deck
should
be,
and
all
of
that
it's
going
to
be
fun.
Sorry
I
stopped
my
share.
I'm
going
to
go
back
to
my
issue.
Okay,
I'll.
Add
a
link
to
my
slide
deck
over
here,
S2,
so
that
anybody
who
couldn't
come
to
this
meeting
is
able
to
go
through
the
slide
deck
on
the
specifically.