8 changes: 8 additions & 0 deletions .dotstop.dot
@@ -57,6 +57,10 @@ digraph G {
"JLS-25" [sha="8bb517191450f370679dbafd85342e1bbcf797cc84f2a6f1fc119568b534d5e0"];
"JLS-26" [sha=cf1b73b375697ee56d9788aab79ed01b2730b126a2cc4d7041c9525113e7ed7c];
"JLS-27" [sha="efd4b438331c155eebaec96cd1eda337567794f8696b327562aaaed5fa8ded69"];
"JLS-36" [sha="1a9abf2ab101af32cc6490d9ed5218df96a06b31cc2aeaff07f769ebf4ba98bb"];
"JLS-37" [sha="fb19166fd1d71acbe8a852fd1bfced3874efdc687cbf95b03f3201a722fdef8f"];
"JLS-40" [sha="8a6c2a7c6888f0c13fc4045535125d90a4866858e40ac11910f05eace9ff179a"];
"JLS-41" [sha="f7cc07fd06ed4605d4207a5f59d60f8b7da48152c76b94132e4ad80a4512975a"];
"NJF-01" [sha="548dc86014e093974f68660942daa231271496a471885bbed092a375b3079bd8"];
"NJF-02" [sha="6ea015646d696e3f014390ff41612eab66ac940f20cf27ce933cbadf8482d526"];
"NJF-03" [sha="4bd1f8210b7bba9a248055a437f377d9da0b7576c5e3ed053606cf8b5b2febe3"];
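Review bot: sha values in this block are quoted inconsistently; the four new nodes (JLS-36, JLS-37, JLS-40, JLS-41) are quoted while neighbouring entries such as "JLS-26" are not, and an unquoted value that happened to begin with a digit would not be a valid DOT identifier, so quote every sha (or have the generator do so) rather than hand-editing. If these shas are content hashes of the statement files (they look like SHA-256 digests), they will also need regenerating once JLS-36, JLS-37, JLS-40 and JLS-41 are revised per the comments below.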
@@ -362,6 +366,7 @@ digraph G {
"TA-CONFIDENCE" -> "JLS-09" [sha="80bbde95fc14f89acf3dad10b3831bc751943fe4a1d79d5cbf4702416c27530f"];
"TA-CONFIDENCE" -> "AOU-10_COMBINED" [sha="5e5d7dc606d53423fbb1f2d5755780c98839bdc2d108704af5ee1aed50403f5e"];
"TA-CONFIDENCE" -> "JLS-20" [sha="1bfd214ab8186a3c095262ae503451b8d71ada8db5b13ecc7b906739a05bc102"];
"TA-CONFIDENCE" -> "JLS-37" [sha="6b51cec18399ec3a56ac00d26b552da891e57dc20e56ee8d8fb23bbe78c78885"];
"TA-CONSTRAINTS" -> "AOU-04" [sha=d945870431e9311e317c6ddcac094825c2a9cbcecad961f4e283114db91cf27e];
"TA-CONSTRAINTS" -> "AOU-05" [sha=f741ce87385dbed50a6582443907645d70790b5fd0d423b18c3a109d400c7ef1];
"TA-CONSTRAINTS" -> "AOU-06" [sha=bb3ac58ca7f67d9676503a6c71660abd650268e02d6773cb57dfa07d0743fb40];
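Review bot: the only new edge here attaches JLS-37 to TA-CONFIDENCE; the JLS-37 thread below proposes rewording that statement to be about breaking high-level statements into provable expressions, so confirm TA-CONFIDENCE is still the right parent after the rewording, otherwise this edge will need to move.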
@@ -385,6 +390,9 @@ digraph G {
"TA-ITERATIONS" -> "JLS-19" [sha="9bc13b823f8b49d742b92a8aaf18b8aeb2bb9b0749f4b6dead241af85aea876c"];
"TA-METHODOLOGIES" -> "AOU-10_COMBINED" [sha="2aac71e987a5b6a5d88700e08fe197fbec1e57681f0c3d3f51e59c705b4a0549"];
"TA-METHODOLOGIES" -> "JLS-13" [sha="4e2fb7871a608c98d11b10f4ca4391d69b360419c6a9e1baf7cb40b980fc9e94"];
"TA-METHODOLOGIES" -> "JLS-36" [sha="b957bfeb0797afcc3f0f59890bbb551daaa98f4148c00c13b1651c6f9ca04a88"];
"TA-METHODOLOGIES" -> "JLS-40" [sha="22baa2a3b32e04d4659d095fd0b12100cd85f0942612ba91790a57400c7234f0"];
"TA-METHODOLOGIES" -> "JLS-41" [sha="00f8a2dce919f04c04be03fbc9a7d987e112b9e66a8d0b0763bccf114953c5a4"];
"TA-MISBEHAVIOURS" -> "JLS-02" [sha="532ddabfefb6664d9731084a44df220d1ebdb9f840760d7c471cf04dfc8e96ef"];
"TA-MISBEHAVIOURS" -> "JLS-24" [sha=e8de01ff7c316debcd96afa4b3b6b62be73522e4531214c18b3ad7eec826275e];
"TA-MISBEHAVIOURS" -> "JLS-25" [sha="56ba396580f90e5a10fd5adfe33864921537d47e21b215a8faf531855af40ecd"];
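Review bot: JLS-36 (release and update process), JLS-40 (manual verification) and JLS-41 (review responsibilities) are all hung off TA-METHODOLOGIES, which a comment on JLS-13 below says the team still needs to understand better; it would help to state in the PR description why release management in particular belongs under methodologies rather than under another TA item, so the new edges can be reviewed against that rationale.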
6 changes: 5 additions & 1 deletion TSF/trustable/statements/JLS-08.md
@@ -1,6 +1,10 @@
---
level: 1.1
normative: true
references:
- type: web_content
url: "https://eclipse-score.github.io/inc_nlohmann_json/main/generated/dashboard.html#summary"
description: "Dashboard showing distributions of evidence scores and SME (subject-matter expert) scores."
---

Each statement is scored based on SME reviews or automatic validation functions. (TODO)
Each leaf node in the Trustable Graph is scored either based on an SME review alone or on a combination of an SME review and an automatic validation function.
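Review bot: the reworded statement covers two scoring modes (SME review alone, or SME review combined with an automatic validation function) but does not say whether a leaf node can be scored by an automatic validation function alone; if that case exists, name it, and if not, state that an SME review is always required. The front matter also carries references but no `score:` block, unlike JLS-13, so check that the statement will not simply be left unscored.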
6 changes: 5 additions & 1 deletion TSF/trustable/statements/JLS-09.md
@@ -1,6 +1,10 @@
---
level: 1.1
normative: true
references:
- type: web_content
url: "https://score-json.github.io/json/main/concept.html#scoring"
description: "Description of the algorithm how scores are accumulated, reviewed."
Comment:
What exactly is reviewed here? Is the description reviewed, or how scores are accumulated?

Erikhu1 (Collaborator), Nov 14, 2025:
The description here is just copied from Mr. Schemmel's PR. I guess it is referring to the fact that we updated the concept section of the report.

We should remove the "reviewed" and just have "Description of the algorithm on how scores are calculated and accumulated"

---

Scores are reasonably, systematically and repeatably accumulated. (TODO)
Scores are reasonably, systematically and repeatably accumulated.
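Review bot: the reference url points at score-json.github.io, while JLS-08 in the same PR points at eclipse-score.github.io/inc_nlohmann_json for the same report; pick one report host for both (the JLS-37 thread below asks for the inc_nlohmann_json report). The description "Description of the algorithm how scores are accumulated, reviewed." also reads ungrammatically; Erikhu1's proposed wording above fixes it.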
23 changes: 20 additions & 3 deletions TSF/trustable/statements/JLS-13.md
@@ -2,12 +2,29 @@
level: 1.1
normative: true
references:
- type: project_website
Comment:
Can you explain why these are 3 different types of references here? Especially the first and third link look really similar to me.

url: "https://github.com/nlohmann/json/blob/develop/.github/CODEOWNERS"
description: "CODEOWNERS file specifying that changes to any file requests @nlohmann for code review in case of a pull request"
- type: project_website
url: "https://github.com/nlohmann/json?tab=contributing-ov-file#readme"
description: "nlohmann/json contribution guidelines"
- type: website
url: https://eclipse-score.github.io/process_description/main/general_concepts/score_review_concept.html
description: "Documentation of S-CORE methodologies"
url: "https://github.com/nlohmann/json/actions?query=event%3Apush+branch%3Amaster"
description: "GitHub reviews of nlohmann/json filtered for push to master"
- type: verbose_file
path: "/workspaces/json/ChangeLog.md"
description: "A mirror of the Changelog of nlohmann/json's Changelog"
evidence:
type: https_response_time
configuration:
target_seconds: 2
urls:
- "https://github.com/nlohmann/json/actions?query=event%3Apush+branch%3Amaster"
- "https://github.com/nlohmann/json?tab=contributing-ov-file#readme"
- "https://github.com/nlohmann/json/blob/develop/.github/CODEOWNERS"
score:
Jonas-Kirchhoff: 1.0
Erikhu1: 1.0
---

The S-Core methodologies are followed.
All contributions to the nlohmann/json repository are reviewed according to the project’s documented contribution and review process.
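Review bot: the `verbose_file` path "/workspaces/json/ChangeLog.md" is an absolute devcontainer path; use a repository-relative path as JLS-40 and JLS-41 do ("TSF/README.md"), and shorten the redundant description "A mirror of the Changelog of nlohmann/json's Changelog". Note also that `https_response_time` with `target_seconds: 2` only checks that the three URLs answer promptly: it is evidence that the references are reachable, not that contributions are reviewed, so the 1.0 scores rest on the SME review rather than on this evidence.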
Collaborator:
This sounds similar to JLS-06 and JLS-25.

I think we need to understand TA-METHODOLOGIES better

10 changes: 10 additions & 0 deletions TSF/trustable/statements/JLS-36.md
@@ -0,0 +1,10 @@
---
level: 1.1
normative: true
references:
- type: verbose_file
path: "/workspaces/json/TSF/README.md"
Collaborator:
Please use a relative path instead (i.e., without the "workspaces/json").

description: "release management and update process description"
---

Releases and updates of the score-json repository are carried out in accordance with defined and documented release and update process.
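Review bot: "in accordance with defined and documented release and update process" is missing an article ("a defined and documented ... process"). More substantively, the statement names the score-json repository while its only reference is the TSF README, so state whether the release process documented there covers score-json, upstream nlohmann/json, or both, which is the same question the JLS-41 thread below raises.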
10 changes: 10 additions & 0 deletions TSF/trustable/statements/JLS-37.md
@@ -0,0 +1,10 @@
---
level: 1.1
normative: true
references:
- type: web_content
url: "https://score-json.github.io/json/main/generated/trustable_report_for_Software.html#compliance-for-ta"
Collaborator:
Please always use the report of the inc_nlohmann_json repo

description: "Trustable Compliance Report showing scores for different TA items."
---

The confidence in the nlohmann/json library also incorporates confidence scores derived from other TA items.
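Review bot: this statement is self-referential: JLS-37 is itself a leaf under TA-CONFIDENCE (see the new .dotstop.dot edge in this PR), so a leaf asserting that the confidence score incorporates scores from other TA items describes the scoring machinery rather than a property of nlohmann/json, and its truth cannot be checked against the library. The reformulation proposed in the thread below avoids this; if it is adopted, the reference to the compliance report (which should also move to the inc_nlohmann_json report, as requested above) may no longer be the right evidence.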
Comment:
I don't really understand this statement or the idea behind it. Can you explain?

Collaborator:
I understand that you are trying to target this
[image]

However, I think the combination of JLS-08 and JLS-09 are already indirectly stating the same thing as this. Instead, I would reformulate it to something like
"High-level statements are broken down into smaller, recursive and definite expressions that can be proved to be either true or false."

26 changes: 26 additions & 0 deletions TSF/trustable/statements/JLS-40.md
@@ -0,0 +1,26 @@
---
level: 1.1
normative: true
references:
- type: project_website
url: "https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md"
description: "nlohmann/json contribution guidelines describing analysis, testing, and review expectations"
- type: project_website
url: "https://github.com/nlohmann/json/tree/develop/.github"
description: "Project workflows and configuration supporting automated analysis and testing for nlohmann/json"
- type: file
path: "TSF/scripts/generate_list_of_misbehaviours.py"
description: "Script generating a report of known misbehaviours of the nlohmann/json library based on GitHub issues"
- type: verbose_file
path: "TSF/README.md"
description: "TSF-related description of analysis, verification processes, and update concepts for score-json"
evidence:
type: https_response_time
configuration:
target_seconds: 2
urls:
- "https://github.com/nlohmann/json/blob/develop/.github/CODE_OF_CONDUCT.md"
- "https://github.com/nlohmann/json/tree/develop/.github"
---

Manual verification activities that complement automated analysis for the nlohmann/json library are documented, reviewed against defined criteria, and considered for their impact on identifying and addressing misbehaviours.
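Review bot: the evidence `urls` list probes CODE_OF_CONDUCT.md, which is not among the references, while CONTRIBUTING.md, which is referenced, is not probed; align the two lists. The statement itself names neither the manual activities nor the "defined criteria", so none of the references can be checked against it; the concrete statements proposed by Erikhu1 in the thread below would each be verifiable against CONTRIBUTING.md or the misbehaviour script.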
Comment:
What exactly is a "misbehavior"?

Collaborator:
Misbehaviour is an established term in TSF (defined as 'any behaviour of the software that deviates from the defined expectations').

However, I think this statement is still on a too high level. It needs to be more explicit (or broken down into further supporting statements). What are the manual activities? what are the defined criteria?

Erikhu1 (Collaborator), Nov 14, 2025:
For example:
"The manual activity of reviewing and addressing vulnerability/bug reports, is well-documented.. whatever"

Then reference to e.g., this https://github.com/nlohmann/json/security/advisories/new

Erikhu1 (Collaborator), Nov 14, 2025:

Maybe even better examples:

"The manual activity of issuing a vulnerability or bug report for the nlohmann/json library is a well-defined process."

"All manual pull requests to the nlohmann/json repository are expected to describe the rationale behind any non-trivial changes, and link to an existing issue"

"Feature requests for the nlohmann/json library are actively investigated by Niels Lohmann"

27 changes: 27 additions & 0 deletions TSF/trustable/statements/JLS-41.md
@@ -0,0 +1,27 @@
---
level: 1.1
normative: true
references:
- type: project_website
url: "https://github.com/nlohmann/json/blob/develop/.github/CODEOWNERS"
description: "Definition of responsible owners and reviewers for the nlohmann/json repository"
- type: project_website
url: "https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md"
description: "nlohmann/json contribution guidelines describing contribution, testing, and review expectations"
- type: project_website
url: "https://github.com/nlohmann/json/blob/develop/.github/CODE_OF_CONDUCT.md"
description: "Code of Conduct defining behavioural expectations during collaboration and review"
- type: verbose_file
path: "TSF/README.md"
description: "TSF documentation describing responsibilities, verification processes, and change control for score-json"
evidence:
type: https_response_time
configuration:
target_seconds: 2
urls:
- "https://github.com/nlohmann/json/blob/develop/.github/CODE_OF_CONDUCT.md"
- "https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md"
- "https://github.com/nlohmann/json/blob/develop/.github/CODEOWNERS"
---

Responsibilities for manual verification and review follow documented, competence-based processes and guidelines, and the associated processes and checks are regularly reviewed and updated under defined change control.
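Review bot: none of the four references documents competence requirements for reviewers, nor a schedule or change-control process under which the review process itself is "regularly reviewed and updated"; CODEOWNERS only determines whose review is requested. Either cite where those are defined or drop the "competence-based" and "regularly reviewed and updated under defined change control" qualifiers so the statement matches its evidence. As in JLS-13 and JLS-40, the `https_response_time` evidence only measures that the URLs respond within 2 seconds.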
Comment:
Here we need the information to which repos/libraries this statement should apply. In the references you name score-json and nlohmann/json - is the statement meant for both?

Collaborator:
Again, also needs to be more explicit or broken down into smaller statements.

What are the "responsibilities" and "competence based processes and guidelines"?
