GSoC 2023: Start Here

[terriko]

CVE Binary Tool is hoping to participate in GSoC 2023 under the Python Software Foundation umbrella. We won't know if we've been accepted until Feburary 2023. You can view the GSoC 2023 dates and deadlines on Google's page This issue will be updated with more info as we know it.

About CVE Binary Tool

The CVE Binary Tool is a free, open source tool to help you find known vulnerabilities in software, using data from the National Vulnerability Database (NVD) list of Common Vulnerabilities and Exposures (CVEs).

The tool has two main modes of operation:

1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are around 170 checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, and several Software Bill of Materials (SBOM) formats.

It is intended to be used as part of your continuous integration system to enable regular vulnerability scanning and give you early warning of known issues in your supply chain. We expect the SBOM use case to become a lot more popular as people who work with the US government start needing to provide SBOMs as a matter of course, starting in 2023.

Dates:

• Organizations apply usually circa February. We won't know for sure if we're in until after applications close. We'll be listed as part of "Python Software Foundation"

Project ideas:

1. Introduce support for EPSS (GSOC 2023) #2619
2. GSoC 2023 Project idea: Improved product representation & meta-info about products. #2633
3. GSoC 2023 Project Idea: Integration of new formats into triage workflow #2639
4. GSoC 2023 Idea: add github actions with "fancy" reporting #2756

Related:

• The project idea brainstorming thread: GSoC 2023 brainstorming thread #2354

Not all ideas will be viable because of the constraints of the program and the software, but all ideas are welcome for discussion even if we can't make them into gsoc projects.

Getting started:

• Getting started guide for GSoC contributors
  (cut and pasted below)

It can be really overwhelming figuring out how to start in a new project, so here's some steps we recommend:

Getting Started:

1. Follow the README and make sure you can run the tool. Try running it against random things on your hard drive and see if it finds anything. On a Linux system, your /bin directory usually yields some interesting results.
2. Run the tests. The CVE Binary tool has a number of unit tests. Make sure you know how to run them, and if you've never used pytest before, you might want to read up on it (we also have some tests still using python's unittest, but we're tending towrads pytest for new tests). Figure out how to run a single test!
3. Read the documentation. That should help you figure out what the tool is for and how people use it in more detail.
4. Read the new contributor guide

Some potential first contributions:

1. File issues. You might encounter a bug or something confusing in the documentation. Let us know if you do!
2. Update documentation. We especially appreciate documentation feedback from new users, since your "beginner mind" means you see things differently than experienced users, and will catch places where the documentation could be more detailed or improved.
3. Write a new test. Instructions for writing tests are here. This can be your first contribution!
4. Try fixing a bug. We have a few flagged as "good first issue". A number of those are new checkers, which although they might sound challenging are often pretty easy to write. Instructions on how to add a new checker are here.

We expect prospective GSoC students to have made at least one code contribution if they want their application to be considered, so now's a good time to get that going! You can ask for as much help as you need.

Got stuck?

1. Ask in the GSoC tagged issues! This "start here" issue is a good place for discussions.
2. We have a chat server on gitter. That allows for "live" chat but no one's actually sitting there 24/7 so you should expect to post your question and get an answer hours later when someone sees it.

[vivekatleap]

I was going through open source repos to find a repo where I could contribute.
Came across this repo on goodfirstissue.dev

This is the most extensively documented repo that I have come across as of now. Repos which are clearly documented help by reducing the "being overwhelmed" feeling that every newbie has. Kudos to you @terriko your replies on issues shows how welcoming and warm the open source community is. Keep up the good work!

Will surely try to contribute towards the repo and send some newbies here! :))

[alexanderritik]

It's look nice project to start I am starting my path a open source developer .
I hope I will make valuable contribution as open source developer.

[rootxrishabh]

Hey @terriko the link to new contributor guide in the guide above is not working.

[metabiswadeep]

You can view the contributor guide by clicking here

[terriko]

Thanks @rootxrishabh and @metabiswadeep -- I'd forgotten that we changed to match the expectations of github so the doc link would have changed since last year! It's fixed in the main post now.

[m4ckk]

GSOC 2023 Project Idea: Add support for looking up on Snyk since a plethora of dependency introduced vulnerabilities are tracked in Snyk with appropriate CVE rating and additional parameters.

[terriko]

@m4ckk Does Snyk have a license for their data that would allow this usage? I'd be sort of surprised if this was allowed since their improved data is part of the value they bring to encourage people to pay them and buy enterprise license.

[terriko]

Some notes for folk who weren't in yesterday's meeting:

• If you're interested in applying to GSoC, please go ahead and upload a proposal ASAP to https://summerofcode.withgoogle.com/ even if it's not perfect yet
  • You can replace your PDF right up until the deadline
  • You don't need to get feedback before uploading
  • We have enough mentors for at least two GSoC contributors, but we actually did have one year where we only took one contributor because we only had one viable applicant!
• Make sure that you have cve-bin-tool in the title that's displayed in the summerofcode.withgoogle.com system
  • Python as a whole can get 150-250 applicants, and your mentors will likely need to find proposals by searching for 'cve-bin-tool' or scanning a very long list of applications. you can definitely get missed by accident if your title isn't clear.
• If you're available for 350 hours, please choose the longer project size. You get paid twice as much (because there's twice as many hours) and we can absolutely find other stuff for you to work on if you finish early
  • Add some "stretch goals" of things you'd like to work on after you're done. You might also use these as things to swap to when you get stuck, need a break, or are waiting on code review/test results/etc.
• Ask as many questions as you can in public on the github issues related to the project. We tend to get a lot of the same questions and it's better if we can make the answers clear for everyone, unless it's specific to your proposal
• I prefer if people ping me for proposal review in gitter because things get lost in my email. Our other mentors might prefer other methods.
• You do need to have at least one pull request / code sample available as part of your application.
  • It doesn't have to be big, a single line easy fix is enough to show that you know how to make a pull request.
  • It doesn't have to be merged.
  • If you're running out of time, it's ok to complete the pull request during the selection period and just get your application in without it. Make sure you have your github username in your application so we can look up what you've done later if you don't have a URL to add when you're making your PDF.

GSoC mentors: if you're up for doing proposal review this week and next, please post here so people know your usernames and can ping you.

[XDRAGON2002]

For anyone wanting to get a review regarding their GSoC proposals, feel free to ping me up, I go by the same name on Gitter as well.