Closed mrutkows closed 9 months ago
For convenience, I copied the Q&A captured from the 11/2 meeting minutes:
Q: How are you consuming all the software that exists to compute genes? A: Existing software repos, feeds. Provide a search engine for code, search by hash, go beyond.
Q: Have you considered how the fingerprint relates to dependencies? Connecting/mapping dependencies via a gene. A: Actually building a large graph behind the scene, including relationships between binaries and dependencies.
Q: What is the granularity? What about reordering positioning? A: Based on functionality. The hope is that it's resilient to obfuscation. File level could be too coarse, lines could be too fine.
Q: How are you handling obfuscation generally? What's the threat model? A: (long answer omitted from Jiyong)
Q: This seems to apply to malware, have you explored that? A: Main focus is SBOM and open source
Is this tool planning to be OSS?
Recording of the presentation at the 11/2/2022 WG meeting: https://www.youtube.com/watch?v=LsshIbsD6oY&list=PLVl2hFL_zAh_VfsvGMCrkPSS1z2VFFy-r
Demo at LF Member Summit 2022 (keynote) at the 52 minute mark "Code Genome" project by JR Rao: https://www.youtube.com/watch?v=BltvpGfqz14
Thanks for posting this! I'm going to mark this issue as closed, but we can continue to refer to the content here.
Attached to this issue is the PDF of the presentation given during the Wed. Nov. 2nd meeting (APAC friendly) for review and comment...
OpenSSF Repository WG Presentation.pdf