Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / Scorecards Biweekly / 15 Dec 2022
OpenSSF / Scorecards Biweekly / 15 Dec 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Scorecards Biweekly Sync (December 15, 2022)

Description

https://github.com/ossf/scorecard#connect-with-the-scorecards-community

A

Shall we start.

A

I cannot hear how.

A

Naveen, were you saying something: I couldn't hear you, but it might be me.

B

No I can't hear nothing either: okay, cool.

A

In the meantime, please add your your name to the foreign to the meeting notes. I think it's only the four of us, so it's probably gonna be quick. I, don't see any item agent agenda items.

C

Hello, hey.

A

Hi Michael.

A

um Let me try to share my screen. uh Michael was saying that There Is No Agenda items. It's not not the best, not the best.

C

Day.

A

But.

C

Yeah I thought I'd come on and say hello.

A

um

C

That's not sure if there'll be more attendees or not.

D

um

A

So for anyone who's new to the meeting, please add your name as well and then let's get started.

B

Okay so.

A

Can you see me? Yes, we can I.

D

Can't wait: yeah um Lauren. We want to record at least those two releases.

D

Sorry the release of the scorecard we want to just one at least even if we don't somebody else comes in, looks at it'll be nice to know that we released uh the scorecard and the action we need to capture that.

A

Yeah, that's true.

D

I see the number of tabs in yours and I'm like.

B

Yes, I know it's crazy.

A

I guess: let's get started, um I think we have one new guest today Michael. Do you want to introduce yourself.

C

Sure hi I'm Marco garad I I work for Google I'm, the engine manager for for devs.dev, so where suddenly a consumer of scorecard State and interested in learning more and getting more involved.

A

Yeah welcome uh um I hope we can collaborate more definitely on what data we feed to you and how we present it to users and maybe also improve the checks based on feedback that you get I'm sure you get maybe more than we get. That would be very useful to feed that back in at some point.

C

Certainly, yes, I think that that would be good. We do get email from people um yeah.

A

Cool any question from uh from Michael anyone.

D

Oh, what is like, like obviously I'm, not I, don't work for Google. So what is depths? Are Dev I, don't know how that how Jesus? Definitely there gets the data from scorecard, but do you have any specific plans of? Can you share what you are thinking in the future.

C

um uh uh Yeah so I guess we do uh collect the scorecards data currently from the the bigquery, but uh also working on using the API.

C

um We certainly sort of collect that and present it for for projects, um improving the the presentation there and um channeling feedback, I think as well as one of the areas that we want to improve.

D

Because we.

C

Have a contact us sort of link and we do get you know, hey my projects scorecard result. Has these things that I'd like to see better, um so we try and pass that along, but um uh certainly also interested in scorecard badges um and and for any of the particular checks ways that we see that across the ecosystem. So.

D

Be nice that if you integrated with the API, because the bigquery and API there's a delay so obviously using the API would be better or option. Yeah.

C

Yeah this this work on that currently exactly.

A

Okay cool, um so let's uh anyone has any project updates.

D

um I am working on the um the action for using the API to very similar to what came with the with them. With the osv like hey, can you go down the rabbit, hole and figure out? What are the?

D

What are the vulnerabilities, but here this is something that um one of the one of the interns within Google we're trying to do figuring out hey if their dependency changes are now tell me, what's the score of that uh using scorecard, but I'm not planning to use the existing action for that, because it needs pull request access and causing all the problems um I'm trying to think of using building another action within this scorecard action just so that if people want they can use that um I will present this.

D

Probably by next next meeting, I'll probably have a working demo that I can present.

A

So what do you mean by all the problems, with the pull request.

D

um Remember um we disabled scorecard action, pull requests because it could have, it could have right tokens and people can have problems with that and also the second problem is if we, if this check, is part of the scorecard action or that action that one single check people run off tokens because we do a bunch of Tanks within scorecard when we run people run out of tokens.

D

So if you have it as another sub action, it's it's not going to do any of scorecard things, but it's just going to take the dependency differences and go hit the API and get the score for them, and it should be more configurable. So essentially, I can say: hey ignore this. This dependency, because I know it's bad, but I do know that or I'm only interested um in this in this area of score, I, don't care about fuzzing.

D

um Just give me score for these things, um something like that so that right now we are Flying. Blind, uh like customers are flying blind as to hey I'm, bringing this new dependency.

D

What happened how's it score like this I think would be helpful.

A

Yeah, let me answer to the the pull request, so the one that we I so I disabled last week uh scorecard action on a pull request. Target still, but it still works on pull requests you, the all the tokens will be entered, so you don't get that problem. Correct.

D

But the second point is like: if we enable with pull requests because scorecard runs for uses tokens, we there's a throttling of the tokens we. The idea of this is: they should not have to use any of those things, because we're just going to get the difference in dependencies and go hit. The scorecard API for just the score of that was what are the new Divinity that came in and what to score on them. That's all. It is, and at least my thought process not to have any failure.

D

Success have them have that as a message in the uh in the pull request, so people get to decide and later based on response. We designed without all that's my initial thought process just to do a demonstration for this group, so that then we can get feedback as hey, which way do we want to go blah blah blah. That's what I'm working on.

A

Cool.

A

Yeah I personally I would like if we could get it as part of the the existing action, so that people get it when they install score.

B

I understand but.

A

I understand the configuration options, so I think Jeff has a work in progress document yeah. We want to add some configuration options all right, so it's.

D

Cool, that's why I'm just demoring this out, just as an initial to get some hey? Is this good or not, uh then we can we can iterate or we can make it Alpha. We can I trade. We can figure out multiple ways to solve this, but my holidays are this.

A

Very cool anyone has any thoughts or feedback for azim about this project like it's, it's really cool I think to be able to expose to users what the dependencies do and in fact, at Google will do something similar, which Spencer enabled recently so we're also exploring the same line of uh you know using scorecard on your dependencies.

A

Any first thoughts for uh for for Naveen.

A

Foreign.

A

So I think, if you enable scorecard today the scorecard action on a pull request, you will get those osvs for free. Yes, in other annotations, on pull request, so I haven't tried it, but you could do it because.

D

Inline as an annotation to a pull request. Yes,.

A

Because sorry, if integration just does this for free for us, so we don't have to handle it.

D

ah That is cool, that is cool yeah.

A

We haven't really advertised it, we haven't properly tested it, but you you could try it with like a vulnerable dependency, enables for Cardinal pull request, and you should see it. um You should see it. The GitHub should show it to you cool.

A

All.

B

Right, if there's no further.

A

Questions, oh.

B

I'll just say like convincing convincing users that they should care about. The score of their dependencies is like one of the critical things we can do to.

D

But the sorry I'm going down the rabbit hole um I spoke to I spoke to a few users in the Linux Foundation member Summit. They want to draw data learned you're, aware of that they wanted to write that they don't want scores. They don't want us calculating schools.

B

Hey whoever's screen sharing is uh leaking proprietary information just to Friendly heads up.

A

Oh was I, sharing my hands ice cream. You were just giving you.

B

A friendly answer.

A

uh Thank you. There was no nothing, it's just about open source, so it was fun, but thank you.

D

So I was saying that raw data people like raw data more than us giving scores. So that's something that people want.

A

So, when you say raw data, do you mean the raw raw raw data that we have? uh You know in a separate folder, or do you mean, like the results that we have today without scores, but with all the meaningful information extracted like um I, don't know like I, don't know if that question makes sense.

D

uh It does make sense.

D

I, don't know the answer to be honest right, but they said hey. We don't want you giving us scores like like we take. We ding somebody for negative two for here negative four, for here uh we decide that and they don't want that. And ideally that means whatever we we do, plus or minus. We need to be in two different buckets uh what we come up with and then they decide whether is this a plus or a minus.

A

Yeah so I think we have um so we have a a document that we we want to share. um Broadly I. Think we'll do that in January, uh where we basically want to give more. um You know more information about criticality and things like this, so that people could maybe look at the critical alerts like the medium alerts and make this more. You know easy to uh to display and I think that's something that devs.dev team also told us.

A

They would like to see because score are too like it's hard to it's, how to make sense out of scores. uh It's not always clear what they mean. uh So do you think that's something that would help. um Maybe we should share the we need to share the document first, but it's basically a way to to make the results that we have today more structured.

A

So, instead of just having details that are strings, we can add more information such as you know the path, uh the criticality of the alert, even within the same check, you can have different criticality for different results, uh having a way to explain how to remediate very fast, depending on the exact alert that you received.

A

Things like this and I, don't know if that's sort of there, what they're asking like to have more basically more more results, yeah more.

D

Raw results that they can that they can. This is um this: is somebody from a bank who specifically wanted to use this, but they said hey. We wanted Raw results, so they can. We can manipulate and make decisions for ourselves.

A

Okay, yeah, that makes sense, I, think that's the direction that we are taking and uh we should definitely share that Doc in 2000, like in January in the next meeting. uh I think I shared the doc with most of the people, including unavin, but we.

D

Haven't.

A

Yet shared it more broadly, yeah.

D

Yeah um so um I know, but that's something that'll be nice for people who wanted to use this.

A

Trying yeah absolutely I think that's the uh the reason why we. We also want to do this because it's difficult to automate decisions I like for people to make sense of the data uh because of just having we just have strings today right in the details.

A

Cool, so that's good news. At least that looks like we're going in the right direction. uh Jeff I think it's. uh You can take it away. Talk about criticality support, oh.

B

Yeah so I just wanted to relay a concern. I haven't talked to Caleb yet, um but essentially I think, there's they're getting some more contributors uh on that project and they're, mostly in like um Australia time zone. So I, don't know if, like yeah, like I, know like Lauren, you've helped out on reviewing All-Star PRS, like you know, for all the go projects that we have here in openssf I feel like we can help out with reviewing PRS from other projects. Even if we're not maintainers um so I was just thinking.

B

You know we have a lot of um experts in this group. uh You know do we do we want to have some kind of like review, review or pool or review sharing, where we can help out reviewing PRS on other projects that maybe only have one person working on it.

B

um So just throwing that out there any thoughts there.

D

I think it makes sense um the only problem with this. Unless you you know what are the nuts and or you have to know to an extent before you, you can point out basic stuff yeah, but the intricacies of why somebody made a decision unless you have some in-depth knowledge and becomes harder. My two cents on that.

B

Yeah I agree, I think it's mostly I think it would still need a review from the the maintainer okay, okay.

D

Right.

B

I, don't know I'm I'm, just brainstorming out loud here with you, because you're right like we can't, we wouldn't want things to just get merged. Yeah.

D

I wouldn't want somebody else to come to score god and be like okay. Now, this.

B

Can be yeah but like just for code, yes type of view, I, don't know so um I'll chat with Caleb, because this was in um our criticality scores. Part of this critical reporting Group, which happened this morning. So um I'll chat with Caleb and see what he thinks too, and maybe we can have some kind of uh you know, sharing pool in the future, but just wanted to throw that out. You out there to see if um anybody's interested, yeah.

D

uh Two totally different things: um Brian, Russell and I- are presenting in the cloud security ground uh about scorecard and also um sorry I'm going blank um in a another European conference, I forgot what that is just going going blind. um That is.

D

On the first step, sorry in fast Dam and in Cloud security con, we are going to be presenting uh about kurukaya.

B

Oh, which Dev room ah security, okay,.

A

Anyone else has something to share.

A

Otherwise, yeah I can just announce that we we uh released earlier this week, score called I, think it's 4.1.0 and we also released the GitHub action to mirror the changes that we released in the men's scorecard repo.

A

This will include all the OS sorry, the osv scanner integration, so hopefully people will be able to see the results uh both in the Chrome job, in the action on the CLI and so on and so forth.

A

If no one else has anything I guess we can end um I think the next meeting is in. Let me see uh January uh I think we would like to have someone to be the moderator. Is anyone interested.

D

I can take that generally. Do you know what date it is.

A

I suppose it's like the 14th or something 13th.

B

The 12th.

D

Okay,.

A

Foreign.

D

One thing that we also, we should probably plan for like q1 release or like whatever we're working on we'll be having a degree. State I spoke about this last um last uh last meeting having a release date helps and figuring out what, like example, if and that what I'm going to demonstrate next week it'll be nice. If we decide hey it'll, be nice. If we skip pulling all these changes and do a One release, um it'll be nice. um We should probably talk about this in the next meeting.

A

Sounds good so I guess we ended early today thanks everyone for coming happy, Holidays, happy.

B

New Year.