
discussion: Planning for 3.5 / 4.0 releases #4594

Open
terriko opened this issue Nov 27, 2024 · 1 comment
Labels
discussion Discussion thread or meeting minutes that may not have any trivially fixable code issues associated
terriko commented Nov 27, 2024

Thanks everyone who made it out to our last monthly meeting of 2024!

User survey

Per our discussion: we already have an issue about surveying users, so I'll add notes from our discussion into there:

GSoC planning

GSoC 2025 hasn't been announced yet (it's late, which sometimes means program changes or that they're waiting to announce alongside something else, but the folks at the mentor summit didn't seem concerned about things getting cancelled entirely). So we're going to wait on more specific planning until after the program is announced, but a lot of the upcoming feature ideas could potentially be worked into GSoC-project-sized pieces.

Upcoming features/improvements

  1. Improving the accuracy of our SBOM scans, especially around false positives. We've started some of that with the PURL work and the mismatch database, but need to handle a few more cases, and we want to make better use of PURL data in OSV and elsewhere. @anthonyharrison expects this will be particularly helpful for SBOM users in Europe.
  2. Database architecture changes: cve-bin-tool was designed around NVD data, but funding and political changes mean that might not be the best choice long term. We may need to redesign what data we store to make sure we're using PURLs instead of CPEs and have the option of using a different database as our "primary" source.
  3. Overall architecture changes: we have also had a lot of discussion about properly separating the component identification parts of cve-bin-tool (the binary scanner, the language scanners, and the SBOM interpretation) from the vulnerability data parts, so that you could use it for SBOM generation or similar without scanning. (FIXME: link previous discussion about disabling NVD, previous discussion about architecture) This doesn't have to happen at the same time as the database changes, but we should design the two changes to work together. Once those changes are made we would be talking 4.0 rather than 3.5.
  4. Accessibility: @terriko is doing some work on accessibility in December, starting with a review of our docs but potentially also working on reports and the command line interface. Some fixes may be immediate and some may be potential GSoC projects or enhancements in the next release.
  5. Training materials: we'd like to have some training for cve-bin-tool, starting with a focus on improving our docs and potentially building small courses / presentation materials. We had a discussion about potentially getting involved in Season of Docs or similar events and whether there might be options to fund a contributor to work on this. There's also been some interest in things like videos, but probably the docs need to come first.
  6. Test grouping: @terriko is currently seeing an issue where our long tests time out early at around 45 minutes, likely because of the cloud servers they're running on. Unfortunately, the full long tests can now take 1.5 hrs. We'll need to divide our test jobs up differently and potentially have some of them run significantly less frequently. This may have to happen well before the release if it keeps blocking merging of pull requests (which it has been doing for a few weeks).
  7. Test coverage: we had a big push to improve our test coverage as part of GSoC a few years ago, but have slowly regressed a little (in part because some of our tests had to be moved out due to being too slow), and I'm also having some problems with our codecov setup. Now would probably be a good time to see if we need to fix the codecov configs, try other coverage tools, and improve our coverage again.
@terriko terriko added the discussion Discussion thread or meeting minutes that may not have any trivially fixable code issues associated label Nov 27, 2024
@terriko terriko added this to the future milestone Nov 27, 2024
terriko commented Nov 27, 2024

Please feel free to add anything I forgot from the meeting or any new ideas you have! This thread is more wishlist/brainstorm style, so you don't need to worry too much about feasibility at this stage.
