2022 Free / Open Source Software Accomplishments

As 2022 draws to a close, it’s time to take a look back at some of the accomplishments I’ve made in terms of contributing to Free and Open Source Software.

This year, as usual, my contributions are widely varied. I made contributions in a number of programming languages from Ruby to Java to C#. In terms of types of projects, I contributed to many classifications from entertainment to cybersecurity to network libraries and build tools. And I of course kept up with my responsibility as a Gentoo Linux Developer. The motivation behind these contributions is also widely varied; some are due to issues I encountered at work, others are due to hobbyist type interest.

I reported many issues, but let’s focus on just contributions for this article. The following are the pull requests I submitted, all of which have been merged unless otherwise noted:

• Gentoo: Linux distribution built using the Portage package management system. Unlike a binary software distribution, the source code is compiled locally according to the user’s preferences and is often optimized for the specific type of computer. Precompiled binaries are available for some larger packages or those with no available source code.
  • Maintainer for more than 130 packages
  • Made more than 150 commits
• Trivy: comprehensive security scanner
  • feat(report): add location.message to SARIF output
  • feat(report): Use understandable value for shortDescription in SARIF reports
• GitLab Advisory Database
  • Update CVE-2022-31197 (PostgreSQL JDBC Driver java.sql.ResultRow.refreshRow sql injection) to fix false positive
  • Update CVE-2022-36944 (Scala JAR File deserialization) to fix false positive
  • Delete CVE-2021-44832.yml for log4j-api to fix false positive
• GitLab: open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more. Self-host GitLab on your own servers, in a container, or on a cloud provider
  • Use PURL type “maven” for Gradle specified dependencies
  • Use docker image to merge CycloneDX SBOMs
  • Update cyclonedx/cyclonedx-cli reference to 0.24.0
  • Use printf instead of echo because echo flags are undefined
  • Use `openssl base64 -A` to encode instead of `base64`
• Renovate: Automated dependency updates. Multi-platform and multi-language.
  • chore: Don’t re-specify image name for GitLab CI variables
  • fix(maven): Use correct snapshot URL in getDependencyInfo
  • refactor(maven): move createUrlForDependencyPom from index.ts to util.ts
• mdx-mermaid: Plug and play Mermaid in MDX
  • Upgrade unist-util-visit to 4.1.0
• LittleProxy: high performance HTTP proxy written in Java atop Netty
  • Bump log4j-core from 2.16.0 to 2.17.1
  • Bump netty from 4.1.71 to 4.1.72
  • Bump slf4j from 1.7.30 to 1.7.32
• Sonar: continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells on 29 programming languages.
  • Remove obsolete java bin dir from $PATH
• Transmission: fast, easy, and free BitTorrent client.
  • daemon: deny memory wx in transmission-daemon.service
• Gradle: build tool with a focus on build automation and support for multi-language development.
  • Suppress ignorable shellcheck warnings
• Spring Boot: helps you to create Spring-powered, production-grade applications and services with absolute minimum fuss. It takes an opinionated view of the Spring platform so that new and existing users can quickly get to the bits they need.
  • MustacheAutoConfiguration in a Servlet web application fails with a ClassNotFoundException when Spring MVC is not on the classpath
• valfirst/browserup-proxy: The BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it is especially useful when embedded in Selenium tests.
  • Use the CONNECT method URI as host fallback
  • README.md: Update groupId to point this project
  • Upgrade Gradle Wrapper to 7.4.2
  • Add missing import for ProxyManagerTest to ProxyPortAssignmentTest
  • Remove IDE files that shouldn’t be in source control
• Dependency-Check: Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
  • Use exit codes between 0 and 255 (inclusive)
• Jellyfin: Free Software Media System that puts you in control of managing and streaming your media.
  • Add Gentoo installation instructions
  • Move transcodes to be under CachePath
• Netdata: high-fidelity infrastructure monitoring and troubleshooting. Open-source, free, preconfigured, opinionated, and always real-time.
  • netdata.service: Update PIDFile to avoid systemd legacy path warning
• Fortify SSC: enables management, development, and security teams to work together to triage, track, validate, automate, and manage software security activities.
  • fix: set Java target version to 1.8
  • feat: use security-severity property to determine priority
  • feat: use location.message if available as the file name; use shortDescription if available as the category
  • feat: display help if available
• cyclonedx-cli: supports BOM analysis, modification, diffing, merging, format conversion, signing and verification.
  • Dockerfile: add path containing cyclonedx to PATH
  • Set serialNumber when merging
• appthreat/cdxgen: creates a valid and compliant CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in XML and JSON format.
  • Check for non-zero status instead of status = 1
  • Introduce fail-on-error argument to fail on errors
  • maven: Do not fall back to methods that can produce incomplete results when failOnError is set
  • Improve Gradle dependency parsing to catch transitive dependencies
• CycloneDX/cyclonedx-javascript-library: Core functionality of CycloneDX for JavaScript (Node.js or WebBrowsers), written in TypeScript and compiled for the target.
  • tsconfig: default esModuleInterop & allowSyntheticDefaultImports
• Snyk CLI: scans and monitors your projects for security vulnerabilities.
  • feat: add “sbom” command that produces a CycloneDX 1.4 JSON SBOM (not yet merged)
    Check out Creating SBOMs with the Snyk CLI for the interesting tale on this contribution
  • chore: upgrade to typescript 4.8 (not yet merged)
• Pre-Liquibase: Companion to Spring Boot Liquibase module which allows to execute some SQL script file prior to executing Liquibase ChangeSets.
  • Autoconfiguration file for Spring Boot 2.7+ / Required by Spring Boot 3

I’m already looking forward to seeing how I can do my tiny part to improve the world via free software contributions in 2023.

2022 Free / Open Source Software Accomplishments by Craig Andrews is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.