Conversation
| Pull requests in the nlohmann/json repository are merged only after code review. | ||
| aschemmel-tech: taken over score from "OpenSSF Scorecard Report" |
You can find the report by opening the full JLS-06.md file, as the link is provided in the reference.
https://scorecard.dev/viewer/?uri=github.com%2Fnlohmann%2Fjson (as documented)
| The develop branch of nlohmann/json is protected, i.e. no direct commits are possible. | ||
| aschemmel-tech: no other pushes as from nlohman are observable |
A codeowner is defined; only nlohmann is allowed to merge.
| @@ -1,8 +1,8 @@ | |||
| # This file is automatically generated by dotstop and should not be edited manually. | |||
| # Generated using trustable 2025.10.22. | |||
| # Generated using trustable 2025.9.16. | |||
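Review bot: the "Generated using trustable" header in this hunk changes between 2025.10.22 and 2025.9.16, so the file was regenerated with a trudag version other than the one the repository's dev container pins (2025.10.22, per the linked post_create_script.sh). Since the file header states it is auto-generated by dotstop and must not be edited manually, regenerate it inside the dev container so the version line matches the pinned version and does not churn from one contributor's PR to the next.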
Is it a problem if different versions are used here? Why is the same version, the latest, not always applied?
It is indeed strongly recommended to be consistent with the trudag version. This is enforced if one uses the dev container when editing or adding SME scores.
As can be seen, the script which installs trudag in the dev container is currently pinned to version 2025.10.22: https://github.com/eclipse-score/inc_nlohmann_json/blob/f61e53be2bba6d0e091a9bbe4252190e5e5f8019/.devcontainer/S-CORE/post_create_script.sh#L8
@aschemmel-tech Please reopen the project in the dev container as such:

I have problems updating my local trudag version. Cannot update at the moment.
| Known bugs, misbehaviours and CVEs are analyzed and either fixed or mitigated in the nlohmann/json repository. No newline at end of file | ||
| Known bugs, misbehaviours and CVEs are analyzed and either fixed or mitigated in the nlohmann/json repository. | ||
| aschemmel-tech: evidences support bugs and CVE fixing, no mitigation actions are offered. No newline at end of file |
Could not find any mitigation to a CVE report. Would not rate this so high; do you have evidence, besides some CVEs reported?
All CVEs were fixed or mitigated in nlohmann/json. As shown in the second reference in this statement, there are "0 existing vulnerabilities detected": https://scorecard.dev/viewer/?uri=github.com%2Fnlohmann%2Fjson#section-Vulnerabilities
| --- | ||
| Outstanding CVEs are analyzed within eclipse-score/inc_nlohmann_json to determine whether they can be dismissed, and/or are relevant for S-CORE's use cases of the nlohmann/json library. No newline at end of file | ||
| Outstanding CVEs are analyzed within eclipse-score/inc_nlohmann_json to determine whether they can be dismissed, and/or are relevant for S-CORE's use cases of the nlohmann/json library. |
Could not find any analysis, only empty tickets reporting something. Where are the analyses?
The analysis comprises determining whether outstanding CVEs can be dismissed and/or are relevant for S-CORE.
The first reference in this statement shows that 0 CVEs are outstanding in nlohmann/json. The second reference shows which security alerts were dismissed as "false positive" or "used in test".
Within our development repo, the same steps were taken to dismiss, e.g., any false positives raised by code scanning tools. None are remaining now:

The same steps are to be taken for any security alerts raised by code scanning tools in https://github.com/eclipse-score/inc_nlohmann_json/security. So far, every single alert raised can be dismissed as false positive or used in test. Please however note that the detailed security page on github is only viewable by committers or administrators of the repo (I think). As such, I am not able to do so myself as I do not have the necessary permissions in eclipse-score.
Many thanks for the SME scores. Just 2 remarks from my side:
- It is highly recommended to use the dev container when performing the SME review. Doing so ensures that the correct version of trudag is being used. See my comment on .dotstop.dot below for more details on this.
- To my understanding, the SME reviewer is not expected to motivate their scoring, especially not directly in the statement, as this would be displayed in the generated report:
  - Instead, any feedback to the contributors of the TSF documentation (e.g., me) can be given directly, or as review comments to the contributors' PR, or proposed as merge requests. The feedback to the contributors shall however be separated from the SME scoring.
  - Furthermore, if one SME does not agree with the SME score of another reviewer, they shall not try to convince the other party to change or edit their score. Instead, the opinion of the SME reviewer who disagrees with the existing scores should be reflected by simply putting their own scores.
  - The point (that SMEs are not expected to motivate their scoring) might however be subject to change. CodeThink is currently looking at alternatives to allow SME reviewers to document the reasoning behind their scores (see tracked issue here: https://gitlab.com/CodethinkLabs/trustable/trustable/-/issues/371).
Erikhu1 left a comment:
The points in my previous review comment were discussed in baselibs meeting 12/3/2025.
- The current comments in the statements for motivating the SME score are to be kept as a temporary solution, while we monitor the progress of https://gitlab.com/CodethinkLabs/trustable/trustable/-/issues/371 .
- While it is recommended to use the dev container to be consistent with the trudag version pinned, these specific version updates did not affect scoring or hashing, so it is OK for this time.