July 11th | Open Source Gardening | Live Stream

:wave: We’re trying something new!

A weekly “Office Hours” YouTube Live Stream. We talk about Syft, Grype and the rest of the family. We will also answer your questions and review contributions across our Open Source projects.

Post questions below, or join us live with your questions, comments, & pet bugs :lady_beetle:

:alarm_clock: Starts at 2024-07-11T19:00:00Z for about an hour.

  • Intro (10m)
  • News/Updates (10m)
  • Questions (10m)
  • Office Hours (30-40m) (bug and PR work)

2024-07-11 Open Source Gardening summary

Here’s a summary of what was discussed. Partly :robot: generated, and :technologist: edited. Timestamps and links to issues included so you can jump directly in at the right point.

Summary of: Open Source Repository Issue Gardening Session

Video Link: Watch here

Introduction

  • The video is a live gardening session where a team of developers discusses and resolves various issues from open-source repositories.
  • Participants introduce themselves: Alan, Christopher, Alex, Keith, and Will.
  • The session is streamed to answer questions and provide insights into the development process.

General Updates

Issues Discussed

00:06:11 grant #101: No way to deny all licenses while allowing specific ones

  • Description: Problem with the pattern ** for denying all licenses.
  • Discussion: The team acknowledges the issue and plans to test and fix it by adding a new test case and updating the integration.
  • Outcome: Alex self-assigns the issue for investigation and resolution.

00:10:22 sbom-action #425: old maven dependencies that have moved to a new group are reported incorrectly

  • Description: Misidentification of MySQL connector’s group ID in a Kotlin project.
  • Discussion: The problem might stem from outdated group IDs in manifests. The team suggests checking if the latest versions solve the issue.
  • Outcome: Will assigns himself to follow up on this.

00:22:28 sbom-action #422: Expose dependency-snapshot-correlator input

  • Description: SBOM action does not uniquely identify artifacts in matrix builds.
  • Discussion: The current action should support matrix builds, but further confirmation is needed.
  • Outcome: Christopher volunteers to check if this is already resolved.

00:24:57 scan-action #312: Having the action report only certain level of vulnerabilities and above

  • Description: Request to reduce output by only reporting vulnerabilities above a certain severity level.
  • Discussion: Current capabilities do not support this. The team considers adding this feature.
  • Outcome: Keith notes the need for a wider discussion on improving grype’s filtering and output capabilities.

00:39:30 scan-action #217: Add config as an option

  • Description: Adding the ability to pass a config file to the grype tool in the scan-action.
  • Discussion: The team agrees it would improve usability and flexibility.
  • Outcome: Issue is bumped to ready status for implementation.

00:44:04 scan-action #298: Scan action fails decode syft-json document

  • Description: Grype is unable to decode a json document produced by syft.
  • Discussion: The team believes this may be fixed in a newer release, but this does indicate a problem when releases of syft and grype get out of sync.
  • Outcome: Further testing is required; we believe this is already resolved.

Final Comments

  • The session was productive, with developers gaining insights and planning actionable steps for various issues.
  • Emphasis on the importance of continuous gardening to keep the projects well-maintained.