Caleb Brown
I agree with everything - except for naming of (2) `FooFromString`. Usually methods for returning a type from a string are named `Parse` (i.e. when the package is named `foo`)...
I'd also add that implementing `ParseFoo()`, `encoding.TextMarshaler` and `encoding.TextUnmarshaler` could be _optional_. But if an enum is used in a flag it must implement all three.
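As an added illustration of the convention discussed in the two comments above (not code from the project or from the commenter), here is a hypothetical `Format` enum written the way they describe: a `ParseFormat` constructor instead of `FormatFromString`, plus `encoding.TextMarshaler` and `encoding.TextUnmarshaler`, which together are what lets the enum be bound to a command-line flag through `flag.TextVar` (Go 1.19+). The type, its values and the `-format` flag name are assumptions made for the example.

```go
package main

import (
	"encoding"
	"errors"
	"flag"
	"fmt"
	"io"
	"strings"
)

// Format is a hypothetical enum standing in for the "Foo" of the discussion.
type Format int

const (
	FormatText Format = iota
	FormatCSV
	FormatJSON
)

var formatNames = map[Format]string{
	FormatText: "text",
	FormatCSV:  "csv",
	FormatJSON: "json",
}

// ErrUnknownFormat is returned for any string that names no known value.
var ErrUnknownFormat = errors.New("unknown format")

// Compile-time checks that the enum satisfies both encoding interfaces.
var (
	_ encoding.TextMarshaler   = Format(0)
	_ encoding.TextUnmarshaler = (*Format)(nil)
)

// ParseFormat is the Parse-style constructor (rather than FormatFromString).
// Matching is case-insensitive and ignores surrounding whitespace.
func ParseFormat(s string) (Format, error) {
	s = strings.TrimSpace(s)
	for f, name := range formatNames {
		if strings.EqualFold(s, name) {
			return f, nil
		}
	}
	return 0, fmt.Errorf("%w: %q", ErrUnknownFormat, s)
}

// String renders the canonical lowercase name, or a diagnostic for bad values.
func (f Format) String() string {
	if name, ok := formatNames[f]; ok {
		return name
	}
	return fmt.Sprintf("Format(%d)", int(f))
}

// MarshalText implements encoding.TextMarshaler; it refuses out-of-range values
// so a corrupted enum cannot silently serialize as something plausible.
func (f Format) MarshalText() ([]byte, error) {
	if _, ok := formatNames[f]; !ok {
		return nil, fmt.Errorf("%w: %d", ErrUnknownFormat, int(f))
	}
	return []byte(f.String()), nil
}

// UnmarshalText implements encoding.TextUnmarshaler (pointer receiver so the
// parsed value is stored). It delegates to ParseFormat to keep one parser.
func (f *Format) UnmarshalText(text []byte) error {
	parsed, err := ParseFormat(string(text))
	if err != nil {
		return err
	}
	*f = parsed
	return nil
}

// ParseFormatFlags shows the enum bound to a -format flag via flag.TextVar,
// which requires exactly the three methods above. Unknown values are rejected
// by the flag package before the program sees them.
func ParseFormatFlags(args []string) (Format, error) {
	fs := flag.NewFlagSet("example", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep usage text out of the test output
	format := FormatText
	fs.TextVar(&format, "format", format, "output format: text, csv or json")
	if err := fs.Parse(args); err != nil {
		return 0, err
	}
	return format, nil
}

func main() {
	f, err := ParseFormatFlags([]string{"-format=json"})
	fmt.Println(f, err)
}
```

Because `UnmarshalText` is the single entry point used by `flag`, by `encoding/json` and by any config loader, the validation in `ParseFormat` applies everywhere the value can enter the program.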
Thanks @lehors for this contribution. Unfortunately the project has switched to using Go; however, the ability to consume lists of repos from a file has been included (see ./cmd/criticality_score/README.md)
The new `./cmd/criticality_score` binary supports a file containing a list of repos, one per line. The format can be changed using `-format={text,csv,json}` as well.
Hi @rhit-swartwba, I'd be happy to help! Please reach out on [email protected] and we can discuss this further.
Ecosystems like Python, NPM, and Ruby support creating CLI scripts during install (e.g. `scripts` in `package.json`). A dynamic analysis step could invoke each of these scripts. This is more important for...
This would need to be an additional "phase" for dynamic analysis.
This should be added as a new "phase" to the NPM ecosystem.
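To make the NPM "phase" discussed in the three comments above concrete, here is an added example (not code from the package-analysis project or from the commenter) that parses a `package.json` and returns the lifecycle scripts npm runs automatically at install time, in execution order, so a dynamic-analysis phase could invoke each one under instrumentation. The hook list, the `Hook` type and the sample manifest are assumptions constructed for the example; the manifest is not a real package. It also models one edge case a practitioner would want: when a package ships a `binding.gyp` and defines no `install` or `preinstall` script, npm defaults the install step to `node-gyp rebuild`, so native code can run even though the `scripts` block looks harmless.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// installHooks lists, in the order npm runs them, the lifecycle scripts that
// execute without the user asking when a package is installed. "prepare" is
// included as a conservative superset (npm runs it for git and local deps).
// This list is chosen for the example, not taken from the project.
var installHooks = []string{"preinstall", "install", "postinstall", "prepare"}

// Hook is one script a dynamic-analysis phase would run and observe.
type Hook struct {
	Name    string
	Command string
}

// InstallHooks parses package.json bytes and returns the install-time scripts
// in execution order. hasBindingGyp models npm's default: with a binding.gyp
// present and no install/preinstall script, npm runs "node-gyp rebuild".
func InstallHooks(packageJSON []byte, hasBindingGyp bool) ([]Hook, error) {
	var manifest struct {
		Name    string            `json:"name"`
		Scripts map[string]string `json:"scripts"`
	}
	if err := json.Unmarshal(packageJSON, &manifest); err != nil {
		return nil, fmt.Errorf("parsing package.json: %w", err)
	}

	// Effective scripts = declared scripts plus npm's implicit default.
	effective := make(map[string]string, len(manifest.Scripts))
	for name, cmd := range manifest.Scripts {
		effective[name] = cmd
	}
	_, hasInstall := effective["install"]
	_, hasPreinstall := effective["preinstall"]
	if hasBindingGyp && !hasInstall && !hasPreinstall {
		effective["install"] = "node-gyp rebuild"
	}

	var hooks []Hook
	for _, name := range installHooks {
		if cmd, ok := effective[name]; ok && cmd != "" {
			hooks = append(hooks, Hook{Name: name, Command: cmd})
		}
	}
	return hooks, nil
}

// sampleManifest is a constructed package.json for demonstration only.
const sampleManifest = `{
  "name": "example-pkg",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node ./setup.js",
    "preinstall": "echo preparing"
  }
}`

func main() {
	hooks, err := InstallHooks([]byte(sampleManifest), false)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range hooks {
		fmt.Printf("%-12s %s\n", h.Name, h.Command)
	}
}
```

Each returned `Hook.Command` is a shell string, so the analysis phase would execute it the way npm does (via `sh -c` in the package directory) inside the sandbox, rather than trying to interpret it.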
I think this is important, but needs to come after [milestone 5](https://github.com/ossf/package-analysis/milestone/5) when we have a more formal data structure.
Doing this via dynamic analysis will be hard as it requires instrumenting various runtimes to intercept the request. This is more quickly achieved using static analysis. However, eventually we may...