MeetingMinutes
We meet online on Mondays at 16:00 UTC as a reference. See https://www.timeanddate.com/worldclock/meeting.html to get the time in your timezone.
Join us at https://meet.jit.si/AboutCode
Old meeting notes have been moved to:
- https://github.com/nexB/aboutcode/wiki/MeetingMinutes2021
- https://github.com/nexB/aboutcode/wiki/MeetingMinutes2022
Here are the running meeting notes:
Participants and Agenda
- Jay: update on GSoC
- Jono: updating skeleton merge skeleton
- Ziad: detecting PURL, NLP
- Tushar, Keshav, Ayan, Omkar: no topic
- Philippe: github using clearlydefined data (i.e. scancode)
- Hritik: Vulntotal updates
Discussions:
- Jay: update on project
  - ahocode and bitcode implementation complete
  - lxml fallback dependency WIP: https://github.com/nexB/sanexml
  - will open PR for SCTK integration for ahocode
- Ziad:
  - Following PackageURL page, how to subscribe? Email or something like a feed
  - more to be discussed on vulnerablecode call tomorrow
- Jono:
  - Merge conflicts in docs from skeleton in license-expression
- Philippe:
  - https://github.blog/2009-02-13-this-github-is-going-to-the-boids/
Participants and Agenda
- Jay: update on your project
- Jono: feedback on how display history on packages in purlDB
- Ziad: safe HTML in Django
- Tushar, Keshav: no topic
- Ayan: absent, excused
- Philippe: Skeleton
- Omkar: queries on testing and dependencies
Discussions
- Jay: update on project
  - Some issues in sanexml wrt. lxml to fix
  - Next up will be integration in ScanCode and running the tests, making them pass
- Jono: feedback on how to display history on packages in purlDB
  - History is a simple text field. Each line is a timestamp and message
  - Should we return the history at all times with a purl or have a different end-point?
  - A different end-point makes most sense
- Ziad: safe HTML in Django
  - Need review of how to get the content of a file in git
  - Need to discuss purl-sync vocabulary
  - We discussed the data for following PackageURL
- Philippe: Skeleton
  - The https://github.com/nexB/skeleton needs to be updated to remove Ubuntu 18
  - We need a script to automate the base skeleton in many repos. Jono will give it a shot
- Omkar: queries on testing and displaying dependencies
  - We discussed the display of the dependencies summary and provided feedback
  - We need an issue in SCTK so that it returns a name and icon for each package type or data_source
  - We discussed testing, including tests that are data-driven
Participants:
- Tushar @tg1999
- Keshav @keshavspace
- Ayan @AyanSinhaMahapatra
- swastik sharma @swastkk
- Jay @35C4n0r
- Akhil @lf32
- Omkar @OmkarPh
Agenda:
- GSoC
- Misc
Discussion:
- purldb still has to be updated with latest scancode and in a stable state for us to start adding good first issues there, so maybe this is better to do a month later. Meanwhile we can mark good first issues in other repositories, in vulnerablecode, scancode-toolkit, scancode.io etc for first time contributors.
- Conclusions pipeline: Conclusions/alerts/review/to-do items in scancode.io is a workflow where we can review detections which are incorrect or need careful manual review and where the data can be updated in place. This was asked as a tentative GSoC project but we are still finalizing the project ideas and it is advised to start looking at the project ideas list after aboutcode is selected at GSoC.
- https://github.com/nexB/python-inspector/pull/119 was opened by swastik which was failing tests, as live packages are used for python-inspector tests and we need to regen these, we will also add this to the documentation.
- Akhil has updated https://github.com/nexB/scancode.io/pull/450 with binary file support and replaced the Scan Text button with a Utilities drop down with the Detect License option which goes to /scantext/.
- Philippe needs to review https://github.com/nexB/scancode-workbench/pull/532, and please use scancode v31 with this as v32 is not supported yet here, see https://scancode-toolkit.readthedocs.io/en/latest/explanations/license-detection-reference.html for more updates there.
Participants:
- Tushar @tg1999
- Philippe @pombredanne
- Keshav @keshavspace
- Ayan @AyanSinhaMahapatra
- swastik sharma @swastkk
- Jay @35C4n0r
- Shrey Parekh
- Shrijal Acharya
Agenda:
- GSoC
- corrupted advisories
- yaml output
- scancode toolkit reference scans
- packaging and operating system support
- cyclonedx input in scancode.io
Discussion:
- Need to review swastik's PR: https://github.com/nexB/python-inspector/pull/119
- Should we use both cyclonedx libraries, cyclonedx-python and the hoppr library?
  - Keshav links: https://gitlab.com/hoppr/hoppr-cyclonedx-models/ and https://github.com/CycloneDX/cyclonedx-python
  - Short term: working with these projects to merge features
  - We don't use XML and don't care about old versions. The hoppr library covers the last 2 cyclonedx versions, and it uses the JSON schema to create the models.
  - We can start using hoppr/hoppr-cyclonedx-models in scancode.io and then maybe later we can use it in scancode-toolkit too.
- JSON to XML conversion for cyclonedx -> library exists which works as a single executable in linux/windows/mac.
- Advisories which were imported by previous importers, which aren't compatible with current models: we can delete everything from an importer when we are reimporting from the same one. There's a problem of stale and outdated data, and there's a problem of not discarding data that is used elsewhere also. We can consider archiving for this, or consider adding a deprecated flag.
- More people are running non-intel architecture, which doesn't work.
  - The key thing would be a single executable: like Jono's work on a scancode.io appimage. We should also have app archives for all python versions, which is python 3.7-3.11, and in linux/mac/windows. No arm for now, but would be nice.
  - Another thing would be https://github.com/nexB/scancode-toolkit/issues/3205. If we are using other libraries, we have to write wrappers on them to match the same API.
  - Serializing is another problem. Pyahocorasick is going to be the hardest, as this is a trie structure and saving/loading from disk is not simple.
- https://github.com/nexB/aboutcode/wiki/GSOC-2023 GSoC project ideas were discussed, and we need to further edit this and make all the projects have a clear goal and some detailed instructions to explain them better. Ideas related to vulnerablecode will be discussed in the vulnerablecode call tomorrow, see https://github.com/nexB/vulnerablecode/wiki/WeeklyMeetings.
- We uncovered that the scancode yaml output does not produce valid yaml in certain cases where there are license references and/or matched text in the yaml output and the license text has whitespace/blank lines. For example, this happens in the case of the apache-2.0 license text. The solution can't be just to remove whitespaces as they are important, but the check has to be done in saneyaml and we have to produce valid yaml there.
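The literal-block rules such a fix has to respect, as an added example written for this page rather than code from saneyaml or scancode-toolkit: `emit_document`, `load_document` and the sample text are constructed for illustration, and the loader only covers the subset the emitter writes.

```python
"""YAML literal block scalars for multi-line license text (added example, not
saneyaml or scancode-toolkit code): a minimal emitter plus a loader for one YAML
subset (flat mapping; plain or literal block scalar values) to check round trips."""
import re

INDENT = 2
_PLAIN_SAFE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]*")   # conservative plain scalar
_RESERVED = {"true", "false", "null", "yes", "no", "on", "off", "y", "n"}
_HEADER = re.compile(r"^\|(?P<indent>[1-9])?(?P<chomp>[+-])?$")

def emit_literal(text, indent=INDENT):
    """Return a '|' header plus the indented body of text in literal style."""
    body = text.rstrip("\n")
    trailing = len(text) - len(body)              # number of final newlines
    chomp = "-" if trailing == 0 else ("" if trailing == 1 else "+")
    lines = body.split("\n")
    header = "|"
    # A first line starting with a space would make a parser guess the wrong
    # indentation level, so state it explicitly (e.g. "|2").
    first = next((ln for ln in lines if ln != ""), "")
    if first.startswith(" "):
        header += str(indent)
    pad = " " * indent
    out = [header + chomp] + [pad + ln if ln else "" for ln in lines]  # blanks stay blank
    out += [""] * max(trailing - 1, 0)            # extra final newlines, kept by "|+"
    return "\n".join(out)

def emit_document(data):
    """Emit a flat str->str mapping; anything not trivially plain goes literal."""
    entries = []
    for key, value in data.items():
        plain = _PLAIN_SAFE.fullmatch(value) and value.lower() not in _RESERVED
        entries.append(f"{key}: {value if plain else emit_literal(value)}")
    return "\n".join(entries) + "\n"

def _parse_block(lines, i, header):
    """Parse a literal block scalar whose body starts at lines[i]."""
    m = _HEADER.match(header)
    if not m:
        raise ValueError(f"unsupported block scalar header: {header!r}")
    chomp = m.group("chomp") or ""
    indent = int(m.group("indent")) if m.group("indent") else None
    content = []
    while i < len(lines):
        line = lines[i]
        if line.strip():
            width = len(line) - len(line.lstrip(" "))
            if indent is None:
                indent = width                    # auto-detect from first text line
            if width < indent or indent == 0:
                break                             # less indented: the block has ended
        content.append(line)
        i += 1
    indent = indent or 0
    trailing = 0                                  # final line breaks, per chomping
    while content and not content[-1].strip() and len(content[-1]) <= indent:
        content.pop()
        trailing += 1
    body = "\n".join(ln[indent:] if len(ln) >= indent else "" for ln in content)
    if not content:                               # empty scalar: only "|+" keeps newlines
        final = "\n" * trailing if chomp == "+" else ""
    else:                                         # strip / keep / clip (one newline)
        final = {"-": "", "+": "\n" * (1 + trailing)}.get(chomp, "\n")
    return body + final, i

def load_document(doc):
    """Parse the subset emit_document writes; every value comes back as str."""
    lines, result, i = doc.splitlines(), {}, 0
    while i < len(lines):
        line = lines[i]
        if not line.strip():
            i += 1
            continue
        key, sep, rest = line.partition(":")
        if not sep or line.startswith(" "):
            raise ValueError(f"not a top-level mapping entry: {line!r}")
        rest = rest.strip(" ")
        if rest.startswith("|"):
            result[key], i = _parse_block(lines, i + 1, rest)
        else:
            result[key], i = rest, i + 1
    return result

def round_trips(data):
    """True when emitting and then loading gives back the identical mapping."""
    return load_document(emit_document(data)) == data

# Constructed sample shaped like the start of a license text: indented first
# line, a blank line, and one line that ends in trailing spaces.
SAMPLE_LICENSE_TEXT = (
    "                                 Apache License\n"
    "                           Version 2.0, January 2004\n"
    "\n"
    "   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION   \n"
)
```

Blank lines inside the text are emitted as empty lines, an indented first line gets an explicit `|2` indentation indicator, trailing newlines are encoded with the `-`/`+` chomping indicator, and trailing spaces on a line are left in place because literal style keeps them as content. The document that `emit_document` writes can be checked with any full YAML parser; the bundled loader exists only so the round trip runs offline.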
- scancode-toolkit-reference-scan scripts are not working because of the dependency issues present while pip installing older versions, and maybe we should be using git checkout instead of pip install here.
Participants:
- Tushar @tg1999
- Jay @35C4n0r
- Philippe @pombredanne
- swastik sharma @swastkk
- Keshav @keshavspace
- Ayan @AyanSinhaMahapatra
- Jono @jyang
- Akhil @lf32
- Heet Dhorajiya
Agenda:
- scancode.io appimage
- dependency issues
- scancode-toolkit release
- GSoC project ideas
- skeleton
Discussion:
- https://github.com/nexB/scancode.io/tree/scancode.io-appimage/etc/scripts/appimage-build
- https://github.com/nexB/skeleton#usage
- Tushar Goel says: `assert req is None or isinstance(req, Requirement), req`
- https://github.com/nexB/python-inspector/pull/115
- https://github.com/nexB/packvers/issues/2
- https://www.tdcommons.org/dpubs_series/5632/
Participants:
- Tushar @tg1999
- Hritik @Hritik14
- Jay @35C4n0r
- Philippe @pombredanne
- swastik sharma @swastkk
- Keshav @keshavspace
Agenda:
- Hritik: nothing
- Swastik Sharma: SCIO: issue on SCIO problem with installing with LegacyVersion and SPDX. These are due to https://github.com/pypa/packaging/issues/530, solved with https://github.com/nexB/packvers/ and the SPDX tools updates https://github.com/nexB/scancode-toolkit/pull/3173
- Keshav: VCIO: discuss https://hex.pm/ and Elixir advisory
- Philippe: SCIO/SCTK: SPDX library issues. Get ready for planning next week
- Tushar:
  - VCIO: about a day away to get all importers migrated for VC
  - VCIO: made release for VC 31
  - VCIO: will need hex in GH importer alright
- 35C/Jay: FetchCode: made 2 PRs in FetchCode
  - question wrt. https://github.com/nexB/scancode-toolkit/issues/3138
  - A: there are some likely updates in https://github.com/nexB/scancode-toolkit/pull/3150
- Question: what are scancode toolkit plugins?