SLIM Open Source Developers Meeting
Rishi Verma edited this page Jun 26, 2024
- Continuous Testing Pull Request @yunks128
  - Performed experiments on an automated retrieval + LLM approach; it did not show promise
  - Unity SDS use case: https://github.com/unity-sds/unity-sps/tree/develop/unity-test
    - Will work to infuse aspects of the guide into the above repository
  - OPERA SDS use case: https://github.com/nasa/opera-sds-pcm
    - ACTION ITEM: @riverma will help with infusing aspects of the guide into the above repository as a test
- [New Website Feature]: Improved Standards Infusion Process: Self-Service Model and Better Docs @riverma
  - Overview of a potential tool called "slim-cli": a way to apply SLIM best practices to your own repository more easily
  - Feedback:
    - Useful, but can inner-source repos use the tool? YES.
    - Do we need a license to use the LLM tooling? NO - not if we support the llama framework as well
- [New Process Improvement Need]: LocalStack starter kit @ddalton-swe
  - Needs better scoping on this ticket; requires discussion
  - ACTION ITEM: @riverma will help identify infusion target projects for the Metrics guide
- [DRAFT] Guide on Code Security Scanning @ingyhere
  - Some renaming / rebranding to more SCRUB-centric rather than CodeQL-centric language
  - Review and modify the PR to ensure it conforms to the contributing guidelines
  - Examine how quickly/easily this can be made into a PR
  - Push back for re-review
- Open Discussion
  - Rishi will present SLIM at the NASA SMD Software conference
  - KS will present to the Might Devs community on continuous testing best practices (Thursday, May 16, 11:00 am – 12:00 pm PT)
- [DRAFT] Guide on Code Security Scanning @ingyhere
  - The PR is no longer in draft status; open for reviews.
  - Question came up: should we store the GitHub workflow file as a separate file or inline in the guide?
    - @riverma suggests both if possible: store it as a downloadable file (helps infusion work) and perhaps use a Docusaurus plugin to preview the file in the guide itself. Not suggesting duplicating the contents, though, as that conflicts with DRY principles.
  - Discussed the need to coordinate with @lylebarner and @lewismc on whether we should combine efforts for static / security scanning across tickets
  - ACTION ITEM: @riverma to set up a brainstorm chat with @ingyhere, @lylebarner and @lewismc
- Continuous Testing Pull Request @yunks128
  - ACTION ITEM FROM 4/25: @riverma will help with infusing aspects of the guide into the OPERA SDS repository as a test
    - Communication with the OPERA team concluded. Progress has begun.
- [New Website Feature]: Improved Standards Infusion Process: Self-Service Model and Better Docs @riverma
  - Code template / draft committed to: https://github.com/nasa-ammos/slim-cli
  - Successful test of OpenAI API invocation
- [New Process Improvement Need]: LocalStack starter kit @ddalton-swe
  - ACTION ITEM FROM 4/25: @riverma will help identify infusion target projects for the Metrics guide
    - Unity SDS project, chosen from existing SLIM community members.
- KS will present to Might Devs community on continuous testing best practices (Thursday, May 16, 11:00 am – 12:00 pm PT)
- Continuous Testing Pull Request @yunks128
- New guide on container security best practices @riverma
- [New Process Improvement Need]: LocalStack starter kit @ddalton-swe
- ...
- ACTION ITEM: @riverma set up brainstorm chat with @ingyhere, @lylebarner and @lewismc
- ACTION ITEM FROM 4/25: @ddalton - work with @riverma to run through Metrics guide for a sample project. Let's start with SLIM and publish the report to the website?
- ...
- Continuous Testing Pull Request @yunks128
  - ACTION ITEM: @yunks128 to fix the build error
  - ACTION ITEM: @riverma to review and merge, then publish a release once fixed!
- [New Website Feature]: Improved Standards Infusion Process: Self-Service Model and Better Docs @riverma @yunks128
  - Feedback:
    - @jpl-engelke: GitHub CLI is a tool to reuse for making PRs more automatically
    - @hookhua: consider the distribution of GitHub / GitLab to make your decision
  - ACTION ITEM: @yunks128 breakout meeting on next steps for this ticket (share on #slim channel)
- Guide on Code Security Scanning @jpl-jengelke
  - Working on making the advice better on automatic versus manual builds
  - Thinking of ways to make the guide work with languages other than Python, like C++
  - ACTION ITEM: @jpl-engelke breakout meeting on next steps for this ticket (share on #slim channel)
- New guide on container security best practices - comment @riverma
  - Suggestion to recommend grype as an OCI-compliant tool for Docker, Podman and others, including file-system directories - @lylebarner:
    - grype has been evaluated by his team; it is easy and effective. Utilizes package definition files.
    - grype only has access to free databases, not proprietary databases. Has difficulty reviewing forked dependencies.
    - The difference between Dependabot and grype is more like a Venn diagram, rather than Dependabot being much more capable
  - ACTION ITEM: @riverma to add @lylebarner as reviewer for this ticket
- Software Bill of Materials (SBOM) @lylebarner
  - Use of SBOMs:
    - Vulnerability assessment
    - License compatibility
    - Security reviews
  - Future of SBOMs: there will come a day when SBOMs will be required for all projects (gov't mandate)
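Both the grype discussion and the SBOM uses listed above (license compatibility in particular) assume an SBOM that tooling can read. The following is an added example, not code from SLIM or from any project named in these notes: a small Python script that parses a CycloneDX JSON SBOM (the format syft emits and grype can consume) and checks each component's declared license against a hypothetical allow-list. The point it adds to the notes is the failure mode: components with no license field, a free-text license name, or an SPDX expression must be surfaced for review rather than silently passing. The SBOM content is constructed for the demo, and every package name in it except `requests` is a placeholder.

```python
"""Check component licenses in a CycloneDX JSON SBOM against a policy.

Added example (not SLIM project code). The SBOM is constructed inline for the
demo; in practice it would come from a generator such as syft.
"""
import json
from typing import Dict, List, Set

# Constructed CycloneDX 1.5 JSON SBOM. All package names except "requests"
# are hypothetical placeholders, not real projects.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "copyleftlib", "version": "1.0.0",
         "purl": "pkg:pypi/copyleftlib@1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        # Generator could not determine a license: the field is simply absent.
        {"type": "library", "name": "mysterylib", "version": "0.1",
         "purl": "pkg:pypi/mysterylib@0.1"},
        # Free-text license name rather than an SPDX identifier.
        {"type": "library", "name": "vendorlib", "version": "2.0",
         "purl": "pkg:pypi/vendorlib@2.0",
         "licenses": [{"license": {"name": "Vendor Proprietary License"}}]},
        # SPDX expression; a human has to evaluate the OR.
        {"type": "library", "name": "duallib", "version": "3.1",
         "purl": "pkg:pypi/duallib@3.1",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
    ],
})

# Hypothetical project policy: permissive licenses only.
ALLOWED_LICENSES: Set[str] = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}


def classify_component(component: dict, allowed: Set[str]) -> str:
    """Return 'allowed', 'denied', 'review' or 'unknown' for one component.

    CycloneDX lets each entry in "licenses" be {"license": {"id": ...}},
    {"license": {"name": ...}} or {"expression": ...}. Only SPDX ids can be
    matched mechanically; names and expressions go to manual review, and a
    missing or empty list is reported as unknown rather than passing.
    """
    spdx_ids: List[str] = []
    needs_review: List[str] = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            needs_review.append(entry["expression"])
            continue
        lic = entry.get("license", {})
        if "id" in lic:
            spdx_ids.append(lic["id"])
        elif "name" in lic:
            needs_review.append(lic["name"])
    if not spdx_ids and not needs_review:
        return "unknown"
    if any(lic_id not in allowed for lic_id in spdx_ids):
        return "denied"
    if needs_review:
        return "review"
    return "allowed"


def check_sbom(sbom_json: str, allowed: Set[str]) -> Dict[str, List[str]]:
    """Group every component's purl (or name@version) by policy outcome."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    report: Dict[str, List[str]] = {
        "allowed": [], "denied": [], "review": [], "unknown": []}
    for comp in sbom.get("components", []):
        ref = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        report[classify_component(comp, allowed)].append(ref)
    return report


def policy_passes(report: Dict[str, List[str]]) -> bool:
    """Fail closed: a denied or unknown license blocks the build.

    'review' items are listed for a human but do not block on their own."""
    return not report["denied"] and not report["unknown"]


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM, ALLOWED_LICENSES)
    for outcome, refs in result.items():
        for ref in refs:
            print(f"{outcome:8s} {ref}")
    print("policy passes:", policy_passes(result))
```

In a real pipeline the SBOM would come from a generator such as syft (`syft dir:. -o cyclonedx-json > sbom.json`), and the same file can be handed to grype for vulnerability matching (`grype sbom:./sbom.json`), so one artifact feeds both the license check and the vulnerability assessment. Treating a missing license as a finding matters because generators routinely emit components with no license metadata, and a check that only flags known-bad identifiers would report those as clean.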