From YouTube: Scorecards Biweekly Sync (December 15, 2022)
A: Let me try to share my screen. Michael was saying that there is no agenda items. It's not the best, not the best.

D: Sorry, the release of the scorecard, we want to just, one at least, even if we don't, somebody else comes in, looks at it, it'll be nice to know that we released the scorecard and the action. We need to capture that.

A: I guess let's get started. I think we have one new guest today, Michael. Do you want to introduce yourself?

A: Yeah, welcome. I hope we can collaborate more, definitely on what data we feed to you and how we present it to users, and maybe also improve the checks based on feedback that you get. I'm sure you get maybe more than we get. That would be very useful to feed that back in at some point.

A: Cool, any question for Michael, anyone?

C: We have a "contact us" sort of link and we do get, you know, "hey, my project's scorecard result has these things that I'd like to see better," so we try and pass that along, but we're certainly also interested in scorecard badges and, for any of the particular checks, ways that we see that across the ecosystem. So.

A: Okay cool, so let's... anyone has any project updates?

D: I am working on the action for using the API, very similar to what came with the OSV, like "hey, can you go down the rabbit hole and figure out what are the vulnerabilities," but here this is something that one of the interns within Google were trying to do: figuring out "hey, if the dependency changes are now, tell me what's the score of that using scorecard." But I'm not planning to use the existing action for that, because it needs pull request access and is causing all the problems. I'm trying to think of building another action within this scorecard action, just so that if people want they can use that. I will present this.

D: Remember we disabled scorecard action pull requests because it could have write tokens and people can have problems with that, and also the second problem is, if this check is part of the scorecard action, or that action, that one single check, people run out of tokens, because we do a bunch of things within scorecard; when we run, people run out of tokens.

D: So if you have it as another sub action, it's not going to do any of the scorecard things, but it's just going to take the dependency differences and go hit the API and get the score for them, and it should be more configurable. So essentially I can say "hey, ignore this dependency, because I know it's bad, but I do know that," or "I'm only interested in this area of score, I don't care about fuzzing.

D: Just give me the score for these things," something like that. So right now we are flying blind, like customers are flying blind as to "hey, I'm bringing in this new dependency."

D: But the second point is, like, if we enable with pull requests, because scorecard runs use tokens, there's a throttling of the tokens. The idea of this is they should not have to use any of those things, because we're just going to get the difference in dependencies and go hit the scorecard API for just the score of that: what are the new dependencies that came in and what's the score on them. That's all it is, and at least my thought process is not to have any failure.

D: Success, have that as a message in the pull request, so people get to decide, and later, based on response, we design without all that. That's my initial thought process, just to do a demonstration for this group, so that then we can get feedback as "hey, which way do we want to go," blah blah blah. That's what I'm working on.

D: Cool, that's why I'm just demoing this out, just as an initial, to get some "hey, is this good or not," then we can iterate, or we can make it alpha. We can iterate. We can figure out multiple ways to solve this, but my holidays are this.

A: Very cool. Anyone has any thoughts or feedback for Azim about this project? Like, it's really cool, I think, to be able to expose to users what the dependencies do, and in fact at Google we'll do something similar, which Spencer enabled recently, so we're also exploring the same line of, you know, using scorecard on your dependencies.

A: Any first thoughts for Naveen?

D: But the, sorry, I'm going down the rabbit hole. I spoke to a few users in the Linux Foundation Member Summit. They want raw data. I learned, you're aware of that, they wanted to write that they don't want scores. They don't want us calculating scores.

B: Hey, whoever's screen sharing is leaking proprietary information, just a friendly heads up.

A: So, when you say raw data, do you mean the raw raw raw data that we have, you know, in a separate folder, or do you mean like the results that we have today without scores, but with all the meaningful information extracted? Like, I don't know if that question makes sense.

D: I don't know the answer, to be honest, right, but they said "hey, we don't want you giving us scores," like we take, we ding somebody for negative two for here, negative four for here; we decide that, and they don't want that. And ideally that means whatever we do, plus or minus, we need to be in two different buckets, what we come up with, and then they decide whether this is a plus or a minus.

A: Yeah, so I think we have a document that we want to share broadly. I think we'll do that in January, where we basically want to give more information about criticality and things like this, so that people could maybe look at the critical alerts, like the medium alerts, and make this more, you know, easy to display, and I think that's something that the deps.dev team also told us.

A: They would like to see, because scores are too, like, it's hard to make sense out of scores. It's not always clear what they mean. So do you think that's something that would help? Maybe we should share the, we need to share the document first, but it's basically a way to make the results that we have today more structured.

A: So, instead of just having details that are strings, we can add more information such as, you know, the path, the criticality of the alert; even within the same check you can have different criticality for different results; having a way to explain how to remediate very fast, depending on the exact alert that you received.

D: Raw results that they can... This is somebody from a bank who specifically wanted to use this, but they said "hey, we wanted raw results, so we can manipulate and make decisions for ourselves."

A: Okay, yeah, that makes sense. I think that's the direction that we are taking, and we should definitely share that doc in 2000, like in January, in the next meeting. I think I shared the doc with most of the people, including Naveen, but we...

D: Yeah, so I know, but that's something that'll be nice for people who wanted to use this.

A: Trying, yeah, absolutely. I think that's the reason why we also want to do this, because it's difficult to automate decisions. I'd like for people to make sense of the data, because we just have strings today, right, in the details.

A: Cool, so that's good news. At least that looks like we're going in the right direction. Jeff, I think you can take it away. Talk about criticality support, oh.

B: Yeah, so I just wanted to relay a concern. I haven't talked to Caleb yet, but essentially I think they're getting some more contributors on that project and they're mostly in, like, the Australia time zone. So I don't know if, like, yeah, like I know, Lauren, you've helped out on reviewing Allstar PRs, like, you know, for all the Go projects that we have here in OpenSSF, I feel like we can help out with reviewing PRs from other projects, even if we're not maintainers, so I was just thinking.

B: You know, we have a lot of experts in this group. You know, do we want to have some kind of, like, review pool or review sharing, where we can help out reviewing PRs on other projects that maybe only have one person working on it?

D: I think it makes sense. The only problem with this: unless you know what are the nuts and... or you have to know to an extent before you can point out basic stuff, yeah, but the intricacies of why somebody made a decision, unless you have some in-depth knowledge, it becomes harder. My two cents on that.

B: Can be, yeah, but, like, just for code, yes, type of view, I don't know. So I'll chat with Caleb, because this was in our criticality scores, part of this critical reporting group, which happened this morning. So I'll chat with Caleb and see what he thinks too, and maybe we can have some kind of, you know, sharing pool in the future, but I just wanted to throw that out there to see if anybody's interested, yeah.

B: Oh, which dev room? Security, okay.

A: Otherwise, yeah, I can just announce that we released earlier this week scorecard, I think it's 4.1.0, and we also released the GitHub action to mirror the changes that we released in the main scorecard repo.

A: This will include all the OS, sorry, the OSV scanner integration, so hopefully people will be able to see the results both in the cron job, in the action, on the CLI, and so on and so forth.

A: If no one else has anything, I guess we can end. I think the next meeting is in, let me see, January. I think we would like to have someone to be the moderator. Is anyone interested?

D: One thing that we also, we should probably plan for, like, a Q1 release, or like whatever we're working on, we'll be having a release date. I spoke about this last meeting; having a release date helps in figuring out what, like, for example, if, and that what I'm going to demonstrate next week, it'll be nice if we decide "hey, it'll be nice if we skip pulling all these changes and do one release," it'll be nice. We should probably talk about this in the next meeting.