popey
July 10, 2024, 4:04pm
1
We’re trying something new!
A weekly “Office Hours” YouTube Live Stream. We talk about Syft, Grype and the rest of the family. We will also answer your questions and review contributions across our Open Source projects.
Post questions below, or join us live with your questions, comments, & pet bugs
Starts at 2024-07-11T19:00:00Z for about an hour.
Intro (10m)
News/Updates (10m)
Questions (10m)
Office Hours (30-40) (bug and PR work)
popey
July 22, 2024, 2:15pm
2
2024-07-11 Open Source Gardening summary
Here’s a summary of what was discussed. Partly generated, and edited. Timestamps and links to issues included so you can jump directly in at the right point.
Summary of: Open Source Repository Issue Gardening Session
Video Link: Watch here
Introduction
The video is a live gardening session where a team of developers discusses and resolves various issues from open-source repositories.
Participants introduce themselves: Alan, Christopher, Alex, Keith, and Will.
The session is streamed to answer questions and provide insights into the development process.
General Updates
Subscribe and Follow: Viewers are encouraged to subscribe and follow the repositories on GitHub and social media.
New Releases: Mention of new versions and updates, including a new version of Syft 1.9.0 and updates to quill v0.4.2.
Issues Discussed
00:06:11 grant #101: No way to deny all licenses while allowing specific ones
Description: Problem with the pattern ** for denying all licenses.
Discussion: The team acknowledges the issue and plans to test and fix it by adding a new test case and updating the integration.
Outcome: Alex self-assigns the issue for investigation and resolution.
00:10:22 sbom-action #425: old maven dependencies that have moved to a new group are reported incorrectly
Description: Misidentification of MySQL connector’s group ID in a Kotlin project.
Discussion: The problem might stem from outdated group IDs in manifests. The team suggests checking if the latest versions solve the issue.
Outcome: Will assigns himself to follow up on this.
Description: SBOM action does not uniquely identify artifacts in matrix builds.
Discussion: The current action should support matrix builds, but further confirmation is needed.
Outcome: Christopher volunteers to check if this is already resolved.
00:24:57 scan-action #312: Having the action report only a certain level of vulnerabilities and above
Description: Request to reduce output by only reporting vulnerabilities above a certain severity level.
Discussion: Current capabilities do not support this. The team considers adding this feature.
Outcome: Keith notes the need for a wider discussion on improving grype’s filtering and output capabilities.
Description: Adding the ability to pass a config file to the grype tool in the scan-action.
Discussion: The team agrees it would improve usability and flexibility.
Outcome: Issue is bumped to ready status for implementation.
Description: Grype is unable to decode a JSON document produced by syft.
Discussion: The team believes this may be fixed in a newer release, but this does indicate a problem when releases of syft and grype get out of sync.
Outcome: Further testing required; we believe this is already resolved.
Final Comments
The session was productive, with developers gaining insights and planning actionable steps for various issues.
Emphasis on the importance of continuous gardening to keep the projects well-maintained.
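The scan-action #312 discussion above (reporting only vulnerabilities at or above a chosen severity) is something a pipeline can do today by post-processing grype's JSON output. The following is an added example, not code from Anchore or from this thread: it assumes grype's JSON report has a top-level "matches" list whose entries carry "vulnerability.id", "vulnerability.severity" and "artifact.name"/"artifact.version" (that layout is an assumption here), and the embedded report with placeholder CVE identifiers is constructed for the example. Severity labels grype does not rank (for instance "Unknown") are dropped by default rather than silently promoted, with an option to keep them so they are not lost from review.

```python
import json
from typing import Any

# Severity scale in ascending order, as the example assumes grype labels them.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]


def severity_rank(severity: str) -> int:
    """Rank a severity label; labels outside the scale (e.g. "Unknown") rank below all of them."""
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        return -1


def filter_matches(report: dict[str, Any], minimum: str,
                   include_unknown: bool = False) -> list[dict[str, Any]]:
    """Return the matches whose severity is at or above `minimum`.

    Unranked severities fail the threshold unless include_unknown is set, so a
    pipeline can choose to surface them separately instead of dropping them.
    """
    threshold = severity_rank(minimum)
    if threshold < 0:
        raise ValueError(f"unknown severity threshold: {minimum!r}")
    kept = []
    for match in report.get("matches", []):
        severity = match.get("vulnerability", {}).get("severity", "Unknown")
        rank = severity_rank(severity)
        if rank >= threshold or (include_unknown and rank < 0):
            kept.append(match)
    return kept


def summarize(matches: list[dict[str, Any]]) -> list[str]:
    """One line per match: vulnerability id, severity and the affected artifact."""
    return [
        f"{m['vulnerability']['id']} {m['vulnerability']['severity']} "
        f"{m['artifact']['name']}@{m['artifact']['version']}"
        for m in matches
    ]


# Constructed sample report in the assumed grype JSON shape; the CVE ids are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Medium"},
     "artifact": {"name": "examplelib", "version": "2.3.1"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Low"},
     "artifact": {"name": "othertool", "version": "0.9"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0004", "severity": "Unknown"},
     "artifact": {"name": "mystery", "version": "4.2"}}
  ]
}
""")


if __name__ == "__main__":
    # Usage: report everything High and above, then show what an Unknown-inclusive run adds.
    for line in summarize(filter_matches(SAMPLE_REPORT, "High")):
        print(line)
    print("with unknown:", len(filter_matches(SAMPLE_REPORT, "Medium", include_unknown=True)))
```

In a real job the report would come from `json.load` over grype's JSON output file instead of the embedded sample; the threshold check raising on an unrecognised label is deliberate, so a typo in a pipeline variable fails loudly rather than reporting nothing.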