halnasri-Resolve_TT_CONFIDENCE_Feedback

[halnasri]

This PR is for resolving review comments from aschemmel in the PR Review TT-CONFIDENCE #118

[LucaFgr]

what exactly is reviewed here? is the description reviewed or how scores are accumulated?

[Erikhu1]

The description here is just copied from Mr. Schemmel's PR. I guess it is referring to the fact that we updated the concept section of the report.

We should remove the "reviewed" and just have "Description of the algorithm on how scores are calculated and accumulated"

[coveralls]

coverage: 99.186%. remained the same
when pulling a6da396 on halnasri-Resolve_TT_CONFIDANCE_Feedback
into 9cb5a39 on main.

[LucaFgr]

Can you explain why these are 3 different types of references here? especially the first and third link look really similar to me

[LucaFgr]

I dont really understand this statement or the idea behind it. Can you explain?

[Erikhu1]

I understand that you are trying to target this

However, I think the combination of JLS-08 and JLS-09 are already indirectly stating the same thing as this. Instead, I would reformulate it to something like
"High-level statements are broken down into smaller, recursive and definite expressions that can be proved to be either true or false."

[LucaFgr]

either website_content or web_content (line 8) is correct, but not both at the same time :)

[LucaFgr]

Here we need the information to which repos/libraries this statement should apply. In the references you name score-json and nlohmann/json - is the statement meant for both?

[Erikhu1]

Again, also needs to be more explicit or broken down into smaller statements.

What are the "responsibilities" and "competence based processes and guidelines"?

[LucaFgr]

What exactly is a "misbehavior"?

[Erikhu1]

Misbehaviour is an established term in TSF (defined as 'any behaviour of the software that deviates from the defined expectations').

However, I think this statement is still on a too high level. It needs to be more explicit (or broken down into further supporting statements). What are the manual activities? what are the defined criteria?

[Erikhu1]

For example:
"The manual activity of reviewing and addressing vulnerability/bug reports, is well-documented.. whatever"

Then reference to e.g., this https://github.com/nlohmann/json/security/advisories/new

[Erikhu1]

Maybe even better examples:

---

"The manual activity of issuing a vulnerability or bug report for the nlohmann/json library is a well-defined process."

• Reference: https://github.com/nlohmann/json/security/advisories/new

---

"All manual pull requests to the nlohmann/json repository are expected to describe the rationale behind any non-trivial changes, and link to an existing issue"

• Reference: https://github.com/nlohmann/json/blob/49026f799983840d7cf1a8109ffffe7eb4b1012c/.github/CONTRIBUTING.md?plain=1#L70 and https://github.com/nlohmann/json/blob/49026f799983840d7cf1a8109ffffe7eb4b1012c/.github/CONTRIBUTING.md?plain=1#L74

---

"Feature requests for the nlohmann/json library are actively investigated by Niels Lohmann"

• Reference: https://github.com/nlohmann/json/discussions/categories/ideas (showing that almost all feature requests are answered by Niels Lohmann)

[LucaFgr]

I think the reference proves the "defined" part, but maybe we need another reference for the "consistently followed" part. Only because there is a readme describing the process it may not be ultimately followed.

[Erikhu1]

Please link to the report of the target repo instead:
https://eclipse-score.github.io/inc_nlohmann_json/main/generated/trustable_report_for_Software.html#compliance-for-trustable

[Erikhu1]

Actually I'm not convinced if this reference should be included at all.

[halnasri]

yes good point, the statement is just about that each statement is scored and says nothing about the overall score. (I will delete this reference)

[halnasri]

yes good point. I had a look at it again and noticed that the statement is only about the fact, that each statement is scored and doesnt say anything about the overall score. (so I will delete this reference)

[Erikhu1]

I don't really think these references are sufficient for proving that each statement is indeed scored. Maybe you can use this link instead:
https://eclipse-score.github.io/inc_nlohmann_json/main/generated/dashboard.html#summary

Here you can see the number of reviewed/unreviewed items.

[halnasri]

corrected

[Erikhu1]

The description here is just copied from Mr. Schemmel's PR. I guess it is referring to the fact that we updated the concept section of the report.

We should remove the "reviewed" and just have "Description of the algorithm on how scores are calculated and accumulated"

[Erikhu1]

This sounds similar to JLS-06 and JLS-25.

I think we need to understand TA-METHODOLOGIES better

[Erikhu1]

please use relative path instead (i.e., without the "workspaces/json")

[Erikhu1]

I understand that you are trying to target this

However, I think the combination of JLS-08 and JLS-09 are already indirectly stating the same thing as this. Instead, I would reformulate it to something like
"High-level statements are broken down into smaller, recursive and definite expressions that can be proved to be either true or false."

[Erikhu1]

Misbehaviour is an established term in TSF (defined as 'any behaviour of the software that deviates from the defined expectations').

However, I think this statement is still on a too high level. It needs to be more explicit (or broken down into further supporting statements). What are the manual activities? what are the defined criteria?

[Erikhu1]

Again, also needs to be more explicit or broken down into smaller statements.

What are the "responsibilities" and "competence based processes and guidelines"?

[Erikhu1]

Please always use the report of the inc_nlohmann_json repo