From YouTube: Scorecards Biweekly Sync (July 28, 2022)

A: Okay, it's not free, usually people from Google, China, and it looks like this week they are going to be. Welcome everyone. I see a couple of new faces. Would you like to introduce yourself? And also, sorry, I'm gonna share my screen. I apologize. I'm gonna share my screen.

A: Okay, sorry, sorry, so we could, opportunity, people can add their names to this list so that we get to know who's participating, and it would be helpful for us. Like I said, is there anybody who would like to introduce yourself who's new to this group?
B: Yeah, this is Rahul from Microsoft. This is my first time joining this meeting, so nice to meet all of you guys, and I look forward to working with you.
A: Okay, perfect. Let's get into the agenda of the meeting. One of the things that I think Raga put in, it looks like Raga was not here today. If you want to talk about this supply chain benchmark, looks like it's not there, not here, we probably will move this to next meeting.

A: This PR got merged in, so essentially the scorecard API results should come out. I don't know the exact date. Azim is working on this, but Azim is working on integrating this into the result.

A: But that said, there's an enhancement that went into scorecard recently, the scorecard patches came out, so essentially that's an update that I don't want to take. It seems to work, but as he put in a PR recently, we're still in beta.

A: And we are probably, we are going to be using that API, that endpoint, to start serving the scorecard, and I'm trying to see if it is. This is the recent change as input, and we are going to be utilizing that for our API. That was one update for me on that. I also added another item that I want to talk about with the rest of the team, but the rest of the maintainers aren't there in this call. So I'll probably push this to our next release.

A: But I'll just give a highlight as to, we are, my suggestion is to add release information to the cron jobs, which essentially means in the API we get the release information as part of this cron. So that was my suggestion about this feature.

A: I want to get a buy-in from the, I want to get a buy-in and also an opinion from the rest of the, like, rest of the team, and also if anybody else has any opinion on this. I just want to pause right now and let others talk.
B: Yeah, I agree. I think this is a very useful feature, as we're discussing now, that project that I was doing, nothing affected. If you can get this information, I think that would be really useful.
A: Great. If you don't mind, can you comment on this issue? It'll be helpful to understand people, and also you can mention why it'll be helpful. That way it is easier to drive. Why does it, it is easier to add that use case. Tools that make us, make it critical for us, whether we want to proceed or not.

A: If not, I'm going to move on to the next item. I'm going to move this, I'm going to present this again for our next scorecard bi-weekly. Ayden, do you want to take it? Take it over, I'm gonna stop.
B: But, but I think it would be pretty helpful to my feature, so, like, I see several new faces to our meeting, so I'll give a brief introduction to my feature. Like, the motivation of my feature is, like, the current scorecard.

B: If we give it a repo, it checks the security state of the selected, specified repo, and what we want to do is to shift the current checking mode from checking the current repo to checking the dependencies of the current repo, so that the scorecard can help the users to get a better understanding of the dependencies of their project.

B: So basically, we'll have the similar input parameters as the package RunScorecard, which is here.

B: Yeah yeah, so basically, we will give it a context, and this is the repo URI like the ossf/scorecard, and we also need to give it a base and a head. So we can use both, like it could be a commit SHA or like a branch reference like main or dev, and also they have, and also we need to specify the checks to run.

B: This is like similar to the RunScorecard, where we need to specify a list of checks like Fuzzing, Security-Policy, Maintained or License, things like that. Like that, the API is already here and I think it is ready for callers or users to use, although, like, the current running mode of this is to run the scorecard checks on every dependency, which is a

B: bit slow, but this problem can be fixed with the scorecard API, like the REST server, but we can shift the, like, you know, running the scorecard checks on every dependency to simply querying the REST API to get the scorecard result for the repos, and that will, you know, optimize the running speed of the API and it will be faster.

B: The scorecard will perform all of these security checks on them and give these results to the user on the dependency diff, yeah. This is the purpose, yeah. So the next thing. The next thing is the CLI. So basically I'm using this CLI in the command line version of the scorecard and also in the scorecard action. So I'm going to show the first demo. This is the CLI. Let me stop this sharing and switch to my terminal.
B: Does it show separate results for each dependency? It will show separate dependencies, like each dependency as an entry, like, in the result.

B: Yeah, I'll show you the end-to-end demo and you'll understand how this shows. So this is the scorecard folder, and what we can do is to use this scorecard directly. This is the original usage of the scorecard CLI, and so I'm creating a new subcommand for the scorecard, the dependency diff mode.

B: And there are several flags available for this CLI, so to match these inputs with the API's input parameters. The first flag we need is repo, like, this is used to specify the repo we're going to check.

B: And another thing is this: so we can specify a, sorry, we can specify a base and the head. So I'm using the main branch and the dev branch as the base and the head for now. So basically, the API will handle this branch name reference and to the latest commit to the branch. So we can either use the branch name or the commit SHA for these two flags, and the next flag might be checks.

B: Let's say the Maintained and the License, and I think this command is ready.

B: Yeah, so this is, like, how the command looks like. We need to specify the, like, the scorecard experimental flag, one, to use this feature, since this is still an experimental one, and then the scorecard and dependency diff to switch to the subcommand, and the repo, and then the base and the head, and then the checks. And since the default output format of this CLI is JSON, so I'm using a JSON, I'm using the JSON parser to output the result.

B: And so there will, let's say there are some dependency updates and some removed ones. So I'll change this manifest file to a new one and commit changes, and now the dev branch, the dev branch contains some, like, new dependencies or some removed dependencies, and I can use the CLI to see the, like, the changes.

B: We specify the checks here to Maintained and License, so we'll have the Maintained check and also the License check here. We'll have the score for this check, the reasons and documentation details. All of the, like, the security result field will be in this JSON result, and here are the next dependency and the next.

B: So if the source repo of this dependency is a null one, we'll just leave the scorecard result as a null, and we also have, like, removed dependencies.

B: Like the usage of the CLI, and I have, like, several questions in the agenda about the CLI, so I think maybe we can talk about them together. The first question is, so I'm not sure if this is, like, an actual requirement for the user. I'm not sure if the user would actually use this in the command line, you know, to manually type these two branches and the checks and actually run this command.
A: I'm gonna take an option to even talk about this. First of all, great, thanks for doing this. Second thing is: if we have an API, we want to be careful about, like, if we are sure about this. It's really, really nice that you made this experimental. So we can do a release with experimental and get some feedback on this, especially with the scorecards API, the REST endpoint, and the moment that comes on, when this one, I'm hoping we could.

A: I can run this. Like, I mean, anybody would be able to run this, so I personally feel it's a great option to have in the client, because it makes it easier for people instead of them having to figure out how to use the Go API to do all the work.
B: Yes, and another thing you might have is, like, the current output format of this CLI is just JSON, and maybe, like, in the future we can add something more. Like, we know that, like, let me just share my screen. I know the default output format of scorecard is the, you know, there's a table for that, and maybe we can also support that output for the dependency diff, and that might be, you know, maybe easier for the users to see the results.
A: Sorry, I think the table format is being, like, we won't remove the table format, because it is always painful to maintain the table format, so you want to try this one, so, yeah, right. This is always hard, so we can, for the subcommand, say the output is only going to be JSON, because putting all of this into a table format is extremely hard, so we could potentially, you could add that into your PR, into an issue, say we're going to do only JSON for this, and people haven't been.

A: Let me be honest. People haven't been really happy with the table format. It's extremely hard because, as the data gets blown up, it gets wrapped up and it's extremely hard to read, but we never thought, when we came to table format initially, all of this is going to be an issue. So we never thought that the remediation, documentation, all those links, and we were going to dump all that information in the table format. That's what really messed up the formatting, which made it really hard.
B: Yes, yes. See, I think I'll just, you know, use the JSON as the default. That's the default format in the first version, and maybe, yeah, just create a PR and ask, should we add more, or let me just stop, which isn't, yeah, yeah? Yes, yes, yeah. So this is the first issue with this CLI, and before we talk about the second thing, let's just get the action one to run, because it's pretty slow and we don't want to wait for that.

B: So let me just get the action one to run. So the scorecard action dependency visualization is basically another version of this feature, like, I'm using the API in the action to visualize the dependencies result in two ways. The first is as a PR comment and the second one is as annotations, so I'll show them separately later, but first, let's just get this to run.

B: So we have a dev branch here, and this is the branch.

B: So I can see the dependency diff and this code and the scorecard result on the dependencies, like, in a PR comment here and also in the annotations of the file. So this is gonna take like three minutes, or maybe four minutes, to finish this check. So let me just switch back to the CLI part.
A: Yeah yeah, so I have, yeah.

A: I have a, mostly, if somebody has to, and probably add docs to what is being, like, base and head in the dependency diff. Having that as a doc would certainly help. Having that in the, like, when I start that, giving a specific example always plays better, so giving an example with two different examples, one is actually branch name and also commit SHA, as two examples, would certainly be really helpful. So what is base, okay, so giving an example? Okay, that's nice! Yes, I think, yeah.

A: I think that is good, but also specifically calling out how this would, and actually seeing what the dependency diff would provide, would obviously be a lot more helpful. Like, yes, we assume that people are going to know what the dependency diff is, so doing a little bit of write-up as to what the dependency diff is would be a great addition to this CLI.
B: Yes, of course, yeah, I'll make the doc part better, yeah. This is just because, yeah, we still have some discussion, you know, about the name of the base flag and the head flags in the PRs, so, yeah, we haven't decided which name to use for these two flags, so, yeah, I'll definitely make the docs more, you know, clearer, so that the user will understand how these two flags work.

B: Yeah. Let me see if the action already gives me the result.

B: Oh, this is because I just changed the README file for this, and I'm not changing the dependencies, so I actually have a previous result for this.

B: Actually here, so after the check runs, we'll see, like, a visualization thing. Like, this is a common PR comment that's left by the GitHub Actions, so we can see, like, the dependency changes, whether it's an added one, updated one, or a removed one. So you can see there's one dependency per line like this.

B: gocloud.dev is added and it has an aggregate score of 9.2, and this one, this one should be the sixth one, this one's also added, and it has a score of 2.5, and for the version zero we're not providing the, you know, the aggregation scores on the removed ones, since it costs a lot of time to run the scorecard and the users might not want to know, you know, too much detail about the removed dependencies, so this is just, like, a design for the version zero, and if we want to run the checks on the removed ones, we can definitely change this in future versions.

B: Yeah, I also left some code annotations at the corresponding manifest file, like, since the dependencies are Go dependencies.

B: So we can see some annotations in the go.mod manifest file, so the annotation is generated on a per-check basis, so we might see, like, different annotations with the same dependency package but with the different check items, like this one is for Maintained and this one is for License, but both of the annotations are for this gocloud.dev.

A: I have a question here, yeah: what about transitive dependencies? Because, like, transitive dependencies make a lot of, like, I could be bringing in a transitive dependency.

B: Dependencies is also in this result, but, like, the, our.
A: So, so, if you're going to add annotation, are you going to add annotation to go.mod and go.sum? Because then it's going to become, which one should I look for? If, if going with the annotation is the right approach, probably think of using go.sum, yeah, because I think go.sum has everything that the go.mod, I'm not, requires. Again, I'm not an expert on how the go.mod and go.sum work. But I have a little bit of knowledge to say.

A: Some of this information is there in the go.sum, which is not in the go.mod.
B: Yeah, so, yeah, I'm going to make this clearer, so.

B: The current data source API, the GitHub dependency review, will use both the manifest file and the lock file, and the reason I'm using, I'm only using a, you know, go.mod file is this is simpler for a demo, but yeah. Definitely we can also see the changes in the go.sum, you know, the lock file, and it does work, like the GitHub API does work for a Go manifest file and a Go lock file.

B: But I remember there was one time when I was testing it on the Python manifest file and the Python lock file, and it seems the API just confused the dependencies in these two files, like, yeah, for a Python ecosystem, like, it will put all of the indirect dependencies in the, like, the pip lock, or I don't remember the name, it's the lock file of the Python package manager, and the GitHub dependency review API simply just gives all of the indirect dependencies in that lock file.

B: So this is definitely something pretty confusing, and I've already filed a ticket to the team of this API to ask, like, the details of this API and, like, is this a bug or something that will be provided in the future versions, and we do have an issue on this that says maybe, like, in the future, we'll choose a better data source API to perform this analysis in this visualization, but currently, yeah.

B: We do have several issues for this data source API, and of course this API will analyze the go.mod and the go.sum together. It just didn't tell whether this is a direct dependency or an indirect dependency, but all of these dependencies will show here in the annotations and in the comment.

B: So let me see if there are any, yeah. I have several issues or questions to discuss about this one. So the first one is, like, the current configuration is to run the visualization on every commit to a pull request.

B: So I remember, Naveen, you talked about, like, maybe we should make this configurable, so I was just thinking, should we do that? Because we have another example, the Codecov, so basically Codecov will run on every commit to compute the, you know, the coverage difference, you know, of the branch, the PR and the main branch or something, so I was thinking, should we make this, just leave this as same as the one, or should we make this?
A: It all depends on it. I'm gonna come back to the REST endpoint. The moment the REST endpoint comes, you would be, we'd be able to do it for every commit, because it's just REST calls, it's, to do that, and we can also run them concurrently. We don't have to be sequential. We should be able to run them concurrently.

A: We should be able to get those, get the results pretty quickly. Up until then, my suggestion would be, running it on every commit is going to cost, it's going to slow down significantly and we'd be throttling, you, I will be hitting our API rate limits, and that would be the problem, and, like you mentioned, it'll be nice to, the default should be every commit. I'm not saying now, when the REST endpoint comes in. Again, my two cents on this. The second, and people should be able to configure those.

A: Whether do I really care between commits, or between my last limit and my head minus one? That's where I'll, do I care? But that could be, that could be an option that we can, that could be right now, that could be the default right now, but later, as the REST endpoint comes in, utilizing those things, utilizing between every commit would be, should become a default.
B: Yes, oh, I think there's another thing I forgot to mention, so, like, in the current implementation of the pre-check, submit, proprietary check, I'm using the round tripper implemented in the scorecard repo. So I know the round tripper has a built-in API limiter, right? Yep. So yes, so I haven't passed, this, haven't tested this in the action, but I think, you know, if it runs multiple times on a lot of dependencies, it might just simply hit the API limit.
A: Yeah, it's going to hit the API limit and it's going to block, yeah yeah yeah. It blocks based on, it figures out what's the next limit and blocks until then, because the API basically comes back with this: how long should we wait before we go about doing it? So the round tripper is already aware of that.
B: Yeah, I'm definitely going to test this, yeah. I'm going to add that, yeah, make this a test later, and let me see if there are any other things, you know, this should be fine.

B: Oh, for this, for this one, so I'm a little concerned of the comment being too long, or maybe we generate new comments every time. So the, like, our comments would just spam the whole PR, absolutely, yeah yeah. I just found a way to update a previous comment. So we don't need to, you know, create a new one every time.

B: Before, before they get merged, yeah, I think that's it for my demo and my questions, and I'm always welcome to any feedback or advice on that. You can leave a comment in the corresponding PR in the scorecard repo or scorecard action repo, yeah. All right, yeah, I'm gonna take off my sharing, yeah. Thank you.
A: Okay, so, okay, right now we don't have any other agenda items, it's open. We certainly have about another 17 minutes. Does anyone else have any other questions that they want to, or do they want to share anything else, updates, anything?

A: Okay, looks like we don't have any other questions or comments, anything on that. We usually pick who's gonna do it next time. I've been running this facilitation for probably, oh, quite a few times. Does anyone else want to take it?

A: Yeah, right, yeah yeah, if he's not around I'll figure it out, but that's where it is. All right. Thanks, thanks everyone, see you all in the next.